authorcvs2svn <admin@example.com>2016-07-23 19:31:36 +0000
committercvs2svn <admin@example.com>2016-07-23 19:31:36 +0000
commit86c49b31af735796dfde37aa29473a30d36367db (patch)
treee9a354a92a348338fe2b361e2eda703cae23cfab /src/lib/libcrypto/rsa
parent19d5fe348e8926bac4521c5807aa64c45b8f7a41 (diff)
This commit was manufactured by cvs2git to create tag 'OPENBSD_6_0_BASE'.OPENBSD_6_0_BASE
Diffstat (limited to 'src/lib/libcrypto/rsa')
-rw-r--r--src/lib/libcrypto/rsa/rsa.h548
-rw-r--r--src/lib/libcrypto/rsa/rsa_ameth.c675
-rw-r--r--src/lib/libcrypto/rsa/rsa_asn1.c308
-rw-r--r--src/lib/libcrypto/rsa/rsa_chk.c213
-rw-r--r--src/lib/libcrypto/rsa/rsa_crpt.c214
-rw-r--r--src/lib/libcrypto/rsa/rsa_depr.c101
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c888
-rw-r--r--src/lib/libcrypto/rsa/rsa_err.c210
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c229
-rw-r--r--src/lib/libcrypto/rsa/rsa_lib.c258
-rw-r--r--src/lib/libcrypto/rsa/rsa_locl.h4
-rw-r--r--src/lib/libcrypto/rsa/rsa_none.c98
-rw-r--r--src/lib/libcrypto/rsa/rsa_oaep.c236
-rw-r--r--src/lib/libcrypto/rsa/rsa_pk1.c224
-rw-r--r--src/lib/libcrypto/rsa/rsa_pmeth.c616
-rw-r--r--src/lib/libcrypto/rsa/rsa_prn.c93
-rw-r--r--src/lib/libcrypto/rsa/rsa_pss.c289
-rw-r--r--src/lib/libcrypto/rsa/rsa_saos.c149
-rw-r--r--src/lib/libcrypto/rsa/rsa_sign.c255
-rw-r--r--src/lib/libcrypto/rsa/rsa_ssl.c151
-rw-r--r--src/lib/libcrypto/rsa/rsa_x931.c167
21 files changed, 0 insertions, 5926 deletions
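diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
deleted file mode 100644
index d240294809..0000000000
--- a/src/lib/libcrypto/rsa/rsa.h
+++ /dev/null
@@ -1,548 +0,0 @@
-/* $OpenBSD: rsa.h,v 1.28 2016/06/30 02:02:06 bcook Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef HEADER_RSA_H
-#define HEADER_RSA_H
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/asn1.h>
-
-#ifndef OPENSSL_NO_BIO
-#include <openssl/bio.h>
-#endif
-#include <openssl/crypto.h>
-#include <openssl/ossl_typ.h>
-#ifndef OPENSSL_NO_DEPRECATED
-#include <openssl/bn.h>
-#endif
-
-#ifdef OPENSSL_NO_RSA
-#error RSA is disabled.
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Declared already in ossl_typ.h */
-/* typedef struct rsa_st RSA; */
-/* typedef struct rsa_meth_st RSA_METHOD; */
-
-struct rsa_meth_st {
- const char *name;
- int (*rsa_pub_enc)(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
- int (*rsa_pub_dec)(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
- int (*rsa_priv_enc)(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
- int (*rsa_priv_dec)(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
- int (*rsa_mod_exp)(BIGNUM *r0, const BIGNUM *I, RSA *rsa,
- BN_CTX *ctx); /* Can be null */
- int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); /* Can be null */
- int (*init)(RSA *rsa); /* called at new */
- int (*finish)(RSA *rsa); /* called at free */
- int flags; /* RSA_METHOD_FLAG_* things */
- char *app_data; /* may be needed! */
-/* New sign and verify functions: some libraries don't allow arbitrary data
- * to be signed/verified: this allows them to be used. Note: for this to work
- * the RSA_public_decrypt() and RSA_private_encrypt() should *NOT* be used
- * RSA_sign(), RSA_verify() should be used instead. Note: for backwards
- * compatibility this functionality is only enabled if the RSA_FLAG_SIGN_VER
- * option is set in 'flags'.
- */
- int (*rsa_sign)(int type, const unsigned char *m, unsigned int m_length,
- unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
- int (*rsa_verify)(int dtype, const unsigned char *m,
- unsigned int m_length, const unsigned char *sigbuf,
- unsigned int siglen, const RSA *rsa);
-/* If this callback is NULL, the builtin software RSA key-gen will be used. This
- * is for behavioural compatibility whilst the code gets rewired, but one day
- * it would be nice to assume there are no such things as "builtin software"
- * implementations. */
- int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
-};
-
-struct rsa_st {
- /* The first parameter is used to pickup errors where
- * this is passed instead of aEVP_PKEY, it is set to 0 */
- int pad;
- long version;
- const RSA_METHOD *meth;
- /* functional reference if 'meth' is ENGINE-provided */
- ENGINE *engine;
- BIGNUM *n;
- BIGNUM *e;
- BIGNUM *d;
- BIGNUM *p;
- BIGNUM *q;
- BIGNUM *dmp1;
- BIGNUM *dmq1;
- BIGNUM *iqmp;
- /* be careful using this if the RSA structure is shared */
- CRYPTO_EX_DATA ex_data;
- int references;
- int flags;
-
- /* Used to cache montgomery values */
- BN_MONT_CTX *_method_mod_n;
- BN_MONT_CTX *_method_mod_p;
- BN_MONT_CTX *_method_mod_q;
-
- /* all BIGNUM values are actually in the following data, if it is not
- * NULL */
- BN_BLINDING *blinding;
- BN_BLINDING *mt_blinding;
-};
-
-#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
-# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
-#endif
-
-#ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
-# define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
-#endif
-#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
-# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */
-#endif
-
-#define RSA_3 0x3L
-#define RSA_F4 0x10001L
-
-/* Don't check pub/private match. */
-#define RSA_METHOD_FLAG_NO_CHECK 0x0001
-
-#define RSA_FLAG_CACHE_PUBLIC 0x0002
-#define RSA_FLAG_CACHE_PRIVATE 0x0004
-#define RSA_FLAG_BLINDING 0x0008
-#define RSA_FLAG_THREAD_SAFE 0x0010
-
-/*
- * This flag means the private key operations will be handled by rsa_mod_exp
- * and that they do not depend on the private key components being present:
- * for example a key stored in external hardware. Without this flag bn_mod_exp
- * gets called when private key components are absent.
- */
-#define RSA_FLAG_EXT_PKEY 0x0020
-
-/*
- * This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
- */
-#define RSA_FLAG_SIGN_VER 0x0040
-
-/*
- * The built-in RSA implementation uses blinding by default, but other engines
- * might not need it.
- */
-#define RSA_FLAG_NO_BLINDING 0x0080
-
-#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \
- pad, NULL)
-
-#define EVP_PKEY_CTX_get_rsa_padding(ctx, ppad) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, \
- EVP_PKEY_CTRL_GET_RSA_PADDING, 0, ppad)
-
-#define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
- (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
- EVP_PKEY_CTRL_RSA_PSS_SALTLEN, \
- len, NULL)
-
-#define EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, plen) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
- (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
- EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, \
- 0, plen)
-
-#define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
- EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL)
-
-#define EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
- EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp)
-
-#define EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \
- EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md)
-
-#define EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \
- EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd)
-
-#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
-#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2)
-
-#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3)
-#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4)
-#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5)
-
-#define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 6)
-#define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 7)
-#define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 8)
-
-#define RSA_PKCS1_PADDING 1
-#define RSA_SSLV23_PADDING 2
-#define RSA_NO_PADDING 3
-#define RSA_PKCS1_OAEP_PADDING 4
-#define RSA_X931_PADDING 5
-/* EVP_PKEY_ only */
-#define RSA_PKCS1_PSS_PADDING 6
-
-#define RSA_PKCS1_PADDING_SIZE 11
-
-#define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)
-#define RSA_get_app_data(s) RSA_get_ex_data(s,0)
-
-RSA *RSA_new(void);
-RSA *RSA_new_method(ENGINE *engine);
-int RSA_size(const RSA *rsa);
-
-/* Deprecated version */
-#ifndef OPENSSL_NO_DEPRECATED
-RSA *RSA_generate_key(int bits, unsigned long e,
- void (*callback)(int, int, void *), void *cb_arg);
-#endif /* !defined(OPENSSL_NO_DEPRECATED) */
-
-/* New version */
-int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
-
-int RSA_check_key(const RSA *);
-/* next 4 return -1 on error */
-int RSA_public_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-int RSA_private_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-int RSA_public_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-int RSA_private_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-void RSA_free(RSA *r);
-/* "up" the RSA object's reference count */
-int RSA_up_ref(RSA *r);
-
-int RSA_flags(const RSA *r);
-
-void RSA_set_default_method(const RSA_METHOD *meth);
-const RSA_METHOD *RSA_get_default_method(void);
-const RSA_METHOD *RSA_get_method(const RSA *rsa);
-int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
-
-/* these are the actual SSLeay RSA functions */
-const RSA_METHOD *RSA_PKCS1_SSLeay(void);
-
-const RSA_METHOD *RSA_null_method(void);
-
-DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPublicKey)
-DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPrivateKey)
-
-typedef struct rsa_pss_params_st {
- X509_ALGOR *hashAlgorithm;
- X509_ALGOR *maskGenAlgorithm;
- ASN1_INTEGER *saltLength;
- ASN1_INTEGER *trailerField;
-} RSA_PSS_PARAMS;
-
-DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
-
-int RSA_print_fp(FILE *fp, const RSA *r, int offset);
-
-#ifndef OPENSSL_NO_BIO
-int RSA_print(BIO *bp, const RSA *r, int offset);
-#endif
-
-#ifndef OPENSSL_NO_RC4
-int i2d_RSA_NET(const RSA *a, unsigned char **pp,
- int (*cb)(char *buf, int len, const char *prompt, int verify), int sgckey);
-RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
- int (*cb)(char *buf, int len, const char *prompt, int verify), int sgckey);
-
-int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
- int (*cb)(char *buf, int len, const char *prompt, int verify));
-RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
- int (*cb)(char *buf, int len, const char *prompt, int verify));
-#endif
-
-/* The following 2 functions sign and verify a X509_SIG ASN1 object
- * inside PKCS#1 padded RSA encryption */
-int RSA_sign(int type, const unsigned char *m, unsigned int m_length,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-int RSA_verify(int type, const unsigned char *m, unsigned int m_length,
- const unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
-
-/* The following 2 function sign and verify a ASN1_OCTET_STRING
- * object inside PKCS#1 padded RSA encryption */
-int RSA_sign_ASN1_OCTET_STRING(int type, const unsigned char *m,
- unsigned int m_length, unsigned char *sigret, unsigned int *siglen,
- RSA *rsa);
-int RSA_verify_ASN1_OCTET_STRING(int type, const unsigned char *m,
- unsigned int m_length, unsigned char *sigbuf, unsigned int siglen,
- RSA *rsa);
-
-int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
-void RSA_blinding_off(RSA *rsa);
-BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx);
-
-int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
- const unsigned char *f, int fl);
-int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
- const unsigned char *f, int fl, int rsa_len);
-int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
- const unsigned char *f, int fl);
-int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
- const unsigned char *f, int fl, int rsa_len);
-int PKCS1_MGF1(unsigned char *mask, long len,
- const unsigned char *seed, long seedlen, const EVP_MD *dgst);
-int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
- const unsigned char *f, int fl,
- const unsigned char *p, int pl);
-int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
- const unsigned char *f, int fl, int rsa_len,
- const unsigned char *p, int pl);
-int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
- const unsigned char *f, int fl);
-int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
- const unsigned char *f, int fl, int rsa_len);
-int RSA_padding_add_none(unsigned char *to, int tlen,
- const unsigned char *f, int fl);
-int RSA_padding_check_none(unsigned char *to, int tlen,
- const unsigned char *f, int fl, int rsa_len);
-int RSA_padding_add_X931(unsigned char *to, int tlen,
- const unsigned char *f, int fl);
-int RSA_padding_check_X931(unsigned char *to, int tlen,
- const unsigned char *f, int fl, int rsa_len);
-int RSA_X931_hash_id(int nid);
-
-int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
- const EVP_MD *Hash, const unsigned char *EM, int sLen);
-int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
- const unsigned char *mHash, const EVP_MD *Hash, int sLen);
-
-int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
- const EVP_MD *Hash, const EVP_MD *mgf1Hash, const unsigned char *EM,
- int sLen);
-
-int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
- const unsigned char *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash,
- int sLen);
-
-int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
-int RSA_set_ex_data(RSA *r, int idx, void *arg);
-void *RSA_get_ex_data(const RSA *r, int idx);
-
-RSA *RSAPublicKey_dup(RSA *rsa);
-RSA *RSAPrivateKey_dup(RSA *rsa);
-
-/* If this flag is set the RSA method is FIPS compliant and can be used
- * in FIPS mode. This is set in the validated module method. If an
- * application sets this flag in its own methods it is its responsibility
- * to ensure the result is compliant.
- */
-
-#define RSA_FLAG_FIPS_METHOD 0x0400
-
-/* If this flag is set the operations normally disabled in FIPS mode are
- * permitted it is then the applications responsibility to ensure that the
- * usage is compliant.
- */
-
-#define RSA_FLAG_NON_FIPS_ALLOW 0x0400
-/* Application has decided PRNG is good enough to generate a key: don't
- * check.
- */
-#define RSA_FLAG_CHECKED 0x0800
-
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
-void ERR_load_RSA_strings(void);
-
-/* Error codes for the RSA functions. */
-
-/* Function codes. */
-#define RSA_F_CHECK_PADDING_MD 140
-#define RSA_F_DO_RSA_PRINT 146
-#define RSA_F_INT_RSA_VERIFY 145
-#define RSA_F_MEMORY_LOCK 100
-#define RSA_F_OLD_RSA_PRIV_DECODE 147
-#define RSA_F_PKEY_RSA_CTRL 143
-#define RSA_F_PKEY_RSA_CTRL_STR 144
-#define RSA_F_PKEY_RSA_SIGN 142
-#define RSA_F_PKEY_RSA_VERIFY 154
-#define RSA_F_PKEY_RSA_VERIFYRECOVER 141
-#define RSA_F_RSA_BUILTIN_KEYGEN 129
-#define RSA_F_RSA_CHECK_KEY 123
-#define RSA_F_RSA_EAY_MOD_EXP 157
-#define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101
-#define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102
-#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
-#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104
-#define RSA_F_RSA_GENERATE_KEY 105
-#define RSA_F_RSA_GENERATE_KEY_EX 155
-#define RSA_F_RSA_ITEM_VERIFY 156
-#define RSA_F_RSA_MEMORY_LOCK 130
-#define RSA_F_RSA_NEW_METHOD 106
-#define RSA_F_RSA_NULL 124
-#define RSA_F_RSA_NULL_MOD_EXP 131
-#define RSA_F_RSA_NULL_PRIVATE_DECRYPT 132
-#define RSA_F_RSA_NULL_PRIVATE_ENCRYPT 133
-#define RSA_F_RSA_NULL_PUBLIC_DECRYPT 134
-#define RSA_F_RSA_NULL_PUBLIC_ENCRYPT 135
-#define RSA_F_RSA_PADDING_ADD_NONE 107
-#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
-#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
-#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
-#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
-#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
-#define RSA_F_RSA_PADDING_ADD_SSLV23 110
-#define RSA_F_RSA_PADDING_ADD_X931 127
-#define RSA_F_RSA_PADDING_CHECK_NONE 111
-#define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP 122
-#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1 112
-#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2 113
-#define RSA_F_RSA_PADDING_CHECK_SSLV23 114
-#define RSA_F_RSA_PADDING_CHECK_X931 128
-#define RSA_F_RSA_PRINT 115
-#define RSA_F_RSA_PRINT_FP 116
-#define RSA_F_RSA_PRIVATE_DECRYPT 150
-#define RSA_F_RSA_PRIVATE_ENCRYPT 151
-#define RSA_F_RSA_PRIV_DECODE 137
-#define RSA_F_RSA_PRIV_ENCODE 138
-#define RSA_F_RSA_PUBLIC_DECRYPT 152
-#define RSA_F_RSA_PUBLIC_ENCRYPT 153
-#define RSA_F_RSA_PUB_DECODE 139
-#define RSA_F_RSA_SETUP_BLINDING 136
-#define RSA_F_RSA_SIGN 117
-#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
-#define RSA_F_RSA_VERIFY 119
-#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
-#define RSA_F_RSA_VERIFY_PKCS1_PSS 126
-#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
-
-/* Reason codes. */
-#define RSA_R_ALGORITHM_MISMATCH 100
-#define RSA_R_BAD_E_VALUE 101
-#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102
-#define RSA_R_BAD_PAD_BYTE_COUNT 103
-#define RSA_R_BAD_SIGNATURE 104
-#define RSA_R_BLOCK_TYPE_IS_NOT_01 106
-#define RSA_R_BLOCK_TYPE_IS_NOT_02 107
-#define RSA_R_DATA_GREATER_THAN_MOD_LEN 108
-#define RSA_R_DATA_TOO_LARGE 109
-#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 110
-#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132
-#define RSA_R_DATA_TOO_SMALL 111
-#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122
-#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112
-#define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124
-#define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125
-#define RSA_R_D_E_NOT_CONGRUENT_TO_1 123
-#define RSA_R_FIRST_OCTET_INVALID 133
-#define RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 144
-#define RSA_R_INVALID_DIGEST_LENGTH 143
-#define RSA_R_INVALID_HEADER 137
-#define RSA_R_INVALID_KEYBITS 145
-#define RSA_R_INVALID_MESSAGE_LENGTH 131
-#define RSA_R_INVALID_MGF1_MD 156
-#define RSA_R_INVALID_PADDING 138
-#define RSA_R_INVALID_PADDING_MODE 141
-#define RSA_R_INVALID_PSS_PARAMETERS 149
-#define RSA_R_INVALID_PSS_SALTLEN 146
-#define RSA_R_INVALID_SALT_LENGTH 150
-#define RSA_R_INVALID_TRAILER 139
-#define RSA_R_INVALID_X931_DIGEST 142
-#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
-#define RSA_R_KEY_SIZE_TOO_SMALL 120
-#define RSA_R_LAST_OCTET_INVALID 134
-#define RSA_R_MODULUS_TOO_LARGE 105
-#define RSA_R_NON_FIPS_RSA_METHOD 157
-#define RSA_R_NO_PUBLIC_EXPONENT 140
-#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
-#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
-#define RSA_R_OAEP_DECODING_ERROR 121
-#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
-#define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
-#define RSA_R_PADDING_CHECK_FAILED 114
-#define RSA_R_P_NOT_PRIME 128
-#define RSA_R_Q_NOT_PRIME 129
-#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130
-#define RSA_R_SLEN_CHECK_FAILED 136
-#define RSA_R_SLEN_RECOVERY_FAILED 135
-#define RSA_R_SSLV3_ROLLBACK_ATTACK 115
-#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
-#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117
-#define RSA_R_UNKNOWN_MASK_DIGEST 151
-#define RSA_R_UNKNOWN_PADDING_TYPE 118
-#define RSA_R_UNKNOWN_PSS_DIGEST 152
-#define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153
-#define RSA_R_UNSUPPORTED_MASK_PARAMETER 154
-#define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
-#define RSA_R_VALUE_MISSING 147
-#define RSA_R_WRONG_SIGNATURE_LENGTH 119
-
-#ifdef __cplusplus
-}
-#endif
-#endif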
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
deleted file mode 100644
index b66c749293..0000000000
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ /dev/null
@@ -1,675 +0,0 @@
1/* $OpenBSD: rsa_ameth.c,v 1.15 2015/12/03 23:03:10 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/opensslconf.h>
62
63#include <openssl/asn1t.h>
64#include <openssl/bn.h>
65#include <openssl/err.h>
66#include <openssl/rsa.h>
67#include <openssl/x509.h>
68
69#ifndef OPENSSL_NO_CMS
70#include <openssl/cms.h>
71#endif
72
73#include "asn1_locl.h"
74
75static int
76rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
77{
78 unsigned char *penc = NULL;
79 int penclen;
80
81 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
82 if (penclen <= 0)
83 return 0;
84 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA),
85 V_ASN1_NULL, NULL, penc, penclen))
86 return 1;
87
88 free(penc);
89 return 0;
90}
91
92static int
93rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
94{
95 const unsigned char *p;
96 int pklen;
97 RSA *rsa = NULL;
98
99 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey))
100 return 0;
101 if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen))) {
102 RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
103 return 0;
104 }
105 EVP_PKEY_assign_RSA (pkey, rsa);
106 return 1;
107}
108
109static int
110rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
111{
112 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 ||
113 BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
114 return 0;
115 return 1;
116}
117
118static int
119old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
120{
121 RSA *rsa;
122
123 if (!(rsa = d2i_RSAPrivateKey (NULL, pder, derlen))) {
124 RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
125 return 0;
126 }
127 EVP_PKEY_assign_RSA(pkey, rsa);
128 return 1;
129}
130
131static int
132old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
133{
134 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
135}
136
137static int
138rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
139{
140 unsigned char *rk = NULL;
141 int rklen;
142
143 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
144
145 if (rklen <= 0) {
146 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
147 return 0;
148 }
149
150 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0,
151 V_ASN1_NULL, NULL, rk, rklen)) {
152 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
153 return 0;
154 }
155
156 return 1;
157}
158
159static int
160rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
161{
162 const unsigned char *p;
163 int pklen;
164
165 if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8))
166 return 0;
167 return old_rsa_priv_decode(pkey, &p, pklen);
168}
169
170static int
171int_rsa_size(const EVP_PKEY *pkey)
172{
173 return RSA_size(pkey->pkey.rsa);
174}
175
176static int
177rsa_bits(const EVP_PKEY *pkey)
178{
179 return BN_num_bits(pkey->pkey.rsa->n);
180}
181
182static void
183int_rsa_free(EVP_PKEY *pkey)
184{
185 RSA_free(pkey->pkey.rsa);
186}
187
188static void
189update_buflen(const BIGNUM *b, size_t *pbuflen)
190{
191 size_t i;
192
193 if (!b)
194 return;
195 if (*pbuflen < (i = (size_t)BN_num_bytes(b)))
196 *pbuflen = i;
197}
198
199static int
200do_rsa_print(BIO *bp, const RSA *x, int off, int priv)
201{
202 char *str;
203 const char *s;
204 unsigned char *m = NULL;
205 int ret = 0, mod_len = 0;
206 size_t buf_len = 0;
207
208 update_buflen(x->n, &buf_len);
209 update_buflen(x->e, &buf_len);
210
211 if (priv) {
212 update_buflen(x->d, &buf_len);
213 update_buflen(x->p, &buf_len);
214 update_buflen(x->q, &buf_len);
215 update_buflen(x->dmp1, &buf_len);
216 update_buflen(x->dmq1, &buf_len);
217 update_buflen(x->iqmp, &buf_len);
218 }
219
220 m = malloc(buf_len + 10);
221 if (m == NULL) {
222 RSAerr(RSA_F_DO_RSA_PRINT, ERR_R_MALLOC_FAILURE);
223 goto err;
224 }
225
226 if (x->n != NULL)
227 mod_len = BN_num_bits(x->n);
228
229 if (!BIO_indent(bp, off, 128))
230 goto err;
231
232 if (priv && x->d) {
233 if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0)
234 goto err;
235 str = "modulus:";
236 s = "publicExponent:";
237 } else {
238 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
239 goto err;
240 str = "Modulus:";
241 s= "Exponent:";
242 }
243 if (!ASN1_bn_print(bp, str, x->n, m, off))
244 goto err;
245 if (!ASN1_bn_print(bp, s, x->e, m, off))
246 goto err;
247 if (priv) {
248 if (!ASN1_bn_print(bp, "privateExponent:", x->d,m, off))
249 goto err;
250 if (!ASN1_bn_print(bp, "prime1:", x->p, m, off))
251 goto err;
252 if (!ASN1_bn_print(bp, "prime2:", x->q, m, off))
253 goto err;
254 if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, m, off))
255 goto err;
256 if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, m, off))
257 goto err;
258 if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, m, off))
259 goto err;
260 }
261 ret = 1;
262err:
263 free(m);
264 return (ret);
265}
266
267static int
268rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
269{
270 return do_rsa_print(bp, pkey->pkey.rsa, indent, 0);
271}
272
273static int
274rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
275{
276 return do_rsa_print(bp, pkey->pkey.rsa, indent, 1);
277}
278
279static RSA_PSS_PARAMS *
280rsa_pss_decode(const X509_ALGOR *alg, X509_ALGOR **pmaskHash)
281{
282 const unsigned char *p;
283 int plen;
284 RSA_PSS_PARAMS *pss;
285
286 *pmaskHash = NULL;
287
288 if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE)
289 return NULL;
290
291 p = alg->parameter->value.sequence->data;
292 plen = alg->parameter->value.sequence->length;
293 pss = d2i_RSA_PSS_PARAMS(NULL, &p, plen);
294
295 if (!pss)
296 return NULL;
297
298 if (pss->maskGenAlgorithm) {
299 ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
300 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 &&
301 param && param->type == V_ASN1_SEQUENCE) {
302 p = param->value.sequence->data;
303 plen = param->value.sequence->length;
304 *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
305 }
306 }
307
308 return pss;
309}
310
311static int
312rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss, X509_ALGOR *maskHash,
313 int indent)
314{
315 int rv = 0;
316
317 if (!pss) {
318 if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0)
319 return 0;
320 return 1;
321 }
322 if (BIO_puts(bp, "\n") <= 0)
323 goto err;
324 if (!BIO_indent(bp, indent, 128))
325 goto err;
326 if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
327 goto err;
328
329 if (pss->hashAlgorithm) {
330 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
331 goto err;
332 } else if (BIO_puts(bp, "sha1 (default)") <= 0)
333 goto err;
334
335 if (BIO_puts(bp, "\n") <= 0)
336 goto err;
337
338 if (!BIO_indent(bp, indent, 128))
339 goto err;
340
341 if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
342 goto err;
343 if (pss->maskGenAlgorithm) {
344 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
345 goto err;
346 if (BIO_puts(bp, " with ") <= 0)
347 goto err;
348 if (maskHash) {
349 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
350 goto err;
351 } else if (BIO_puts(bp, "INVALID") <= 0)
352 goto err;
353 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0)
354 goto err;
355 BIO_puts(bp, "\n");
356
357 if (!BIO_indent(bp, indent, 128))
358 goto err;
359 if (BIO_puts(bp, "Salt Length: 0x") <= 0)
360 goto err;
361 if (pss->saltLength) {
362 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
363 goto err;
364 } else if (BIO_puts(bp, "14 (default)") <= 0)
365 goto err;
366 BIO_puts(bp, "\n");
367
368 if (!BIO_indent(bp, indent, 128))
369 goto err;
370 if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
371 goto err;
372 if (pss->trailerField) {
373 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
374 goto err;
375 } else if (BIO_puts(bp, "BC (default)") <= 0)
376 goto err;
377 BIO_puts(bp, "\n");
378
379 rv = 1;
380
381err:
382 return rv;
383}
384
385static int
386rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig,
387 int indent, ASN1_PCTX *pctx)
388{
389 if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss) {
390 int rv;
391 RSA_PSS_PARAMS *pss;
392 X509_ALGOR *maskHash;
393 pss = rsa_pss_decode(sigalg, &maskHash);
394 rv = rsa_pss_param_print(bp, pss, maskHash, indent);
395 if (pss)
396 RSA_PSS_PARAMS_free(pss);
397 if (maskHash)
398 X509_ALGOR_free(maskHash);
399 if (!rv)
400 return 0;
401 } else if (!sig && BIO_puts(bp, "\n") <= 0)
402 return 0;
403 if (sig)
404 return X509_signature_dump(bp, sig, indent);
405 return 1;
406}
407
408static int
409rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
410{
411 X509_ALGOR *alg = NULL;
412
413 switch (op) {
414 case ASN1_PKEY_CTRL_PKCS7_SIGN:
415 if (arg1 == 0)
416 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
417 break;
418
419 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
420 if (arg1 == 0)
421 PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
422 break;
423#ifndef OPENSSL_NO_CMS
424 case ASN1_PKEY_CTRL_CMS_SIGN:
425 if (arg1 == 0)
426 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, NULL, &alg);
427 break;
428
429 case ASN1_PKEY_CTRL_CMS_ENVELOPE:
430 if (arg1 == 0)
431 CMS_RecipientInfo_ktri_get0_algs(arg2, NULL, NULL, &alg);
432 break;
433#endif
434
435 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
436 *(int *)arg2 = NID_sha1;
437 return 1;
438
439 default:
440 return -2;
441 }
442
443 if (alg)
444 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
445 V_ASN1_NULL, 0);
446
447 return 1;
448}
449
450/* Customised RSA item verification routine. This is called
451 * when a signature is encountered requiring special handling. We
452 * currently only handle PSS.
453 */
454static int
455rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
456 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey)
457{
458 int rv = -1;
459 int saltlen;
460 const EVP_MD *mgf1md = NULL, *md = NULL;
461 RSA_PSS_PARAMS *pss;
462 X509_ALGOR *maskHash;
463 EVP_PKEY_CTX *pkctx;
464
465 /* Sanity check: make sure it is PSS */
466 if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) {
467 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
468 return -1;
469 }
470
471 /* Decode PSS parameters */
472 pss = rsa_pss_decode(sigalg, &maskHash);
473
474 if (pss == NULL) {
475 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_PSS_PARAMETERS);
476 goto err;
477 }
478 /* Check mask and lookup mask hash algorithm */
479 if (pss->maskGenAlgorithm) {
480 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) != NID_mgf1) {
481 RSAerr(RSA_F_RSA_ITEM_VERIFY,
482 RSA_R_UNSUPPORTED_MASK_ALGORITHM);
483 goto err;
484 }
485 if (!maskHash) {
486 RSAerr(RSA_F_RSA_ITEM_VERIFY,
487 RSA_R_UNSUPPORTED_MASK_PARAMETER);
488 goto err;
489 }
490 mgf1md = EVP_get_digestbyobj(maskHash->algorithm);
491 if (mgf1md == NULL) {
492 RSAerr(RSA_F_RSA_ITEM_VERIFY,
493 RSA_R_UNKNOWN_MASK_DIGEST);
494 goto err;
495 }
496 } else
497 mgf1md = EVP_sha1();
498
499 if (pss->hashAlgorithm) {
500 md = EVP_get_digestbyobj(pss->hashAlgorithm->algorithm);
501 if (md == NULL) {
502 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_PSS_DIGEST);
503 goto err;
504 }
505 } else
506 md = EVP_sha1();
507
508 if (pss->saltLength) {
509 saltlen = ASN1_INTEGER_get(pss->saltLength);
510
511 /* Could perform more salt length sanity checks but the main
512 * RSA routines will trap other invalid values anyway.
513 */
514 if (saltlen < 0) {
515 RSAerr(RSA_F_RSA_ITEM_VERIFY,
516 RSA_R_INVALID_SALT_LENGTH);
517 goto err;
518 }
519 } else
520 saltlen = 20;
521
522 /* low-level routines support only trailer field 0xbc (value 1)
523 * and PKCS#1 says we should reject any other value anyway.
524 */
525 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
526 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_TRAILER);
527 goto err;
528 }
529
530 /* We have all parameters now set up context */
531
532 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
533 goto err;
534
535 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
536 goto err;
537
538 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
539 goto err;
540
541 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
542 goto err;
543 /* Carry on */
544 rv = 2;
545
546err:
547 RSA_PSS_PARAMS_free(pss);
548 if (maskHash)
549 X509_ALGOR_free(maskHash);
550 return rv;
551}
552
553static int
554rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
555 X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig)
556{
557 int pad_mode;
558 EVP_PKEY_CTX *pkctx = ctx->pctx;
559
560 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
561 return 0;
562 if (pad_mode == RSA_PKCS1_PADDING)
563 return 2;
564 if (pad_mode == RSA_PKCS1_PSS_PADDING) {
565 const EVP_MD *sigmd, *mgf1md;
566 RSA_PSS_PARAMS *pss = NULL;
567 X509_ALGOR *mgf1alg = NULL;
568 ASN1_STRING *os1 = NULL, *os2 = NULL;
569 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
570 int saltlen, rv = 0;
571
572 sigmd = EVP_MD_CTX_md(ctx);
573 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
574 goto err;
575 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
576 goto err;
577 if (saltlen == -1)
578 saltlen = EVP_MD_size(sigmd);
579 else if (saltlen == -2) {
580 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
581 if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0)
582 saltlen--;
583 }
584 pss = RSA_PSS_PARAMS_new();
585 if (!pss)
586 goto err;
587 if (saltlen != 20) {
588 pss->saltLength = ASN1_INTEGER_new();
589 if (!pss->saltLength)
590 goto err;
591 if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
592 goto err;
593 }
594 if (EVP_MD_type(sigmd) != NID_sha1) {
595 pss->hashAlgorithm = X509_ALGOR_new();
596 if (!pss->hashAlgorithm)
597 goto err;
598 X509_ALGOR_set_md(pss->hashAlgorithm, sigmd);
599 }
600 if (EVP_MD_type(mgf1md) != NID_sha1) {
601 ASN1_STRING *stmp = NULL;
602 /* need to embed algorithm ID inside another */
603 mgf1alg = X509_ALGOR_new();
604 X509_ALGOR_set_md(mgf1alg, mgf1md);
605 if (!ASN1_item_pack(mgf1alg, ASN1_ITEM_rptr(X509_ALGOR),
606 &stmp))
607 goto err;
608 pss->maskGenAlgorithm = X509_ALGOR_new();
609 if (!pss->maskGenAlgorithm)
610 goto err;
611 X509_ALGOR_set0(pss->maskGenAlgorithm,
612 OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
613 }
614 /* Finally create string with pss parameter encoding. */
615 if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os1))
616 goto err;
617 if (alg2) {
618 os2 = ASN1_STRING_dup(os1);
619 if (!os2)
620 goto err;
621 X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss),
622 V_ASN1_SEQUENCE, os2);
623 }
624 X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss),
625 V_ASN1_SEQUENCE, os1);
626 os1 = os2 = NULL;
627 rv = 3;
628err:
629 if (mgf1alg)
630 X509_ALGOR_free(mgf1alg);
631 if (pss)
632 RSA_PSS_PARAMS_free(pss);
633 ASN1_STRING_free(os1);
634 return rv;
635 }
636 return 2;
637}
638
639const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
640 {
641 .pkey_id = EVP_PKEY_RSA,
642 .pkey_base_id = EVP_PKEY_RSA,
643 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL,
644
645 .pem_str = "RSA",
646 .info = "OpenSSL RSA method",
647
648 .pub_decode = rsa_pub_decode,
649 .pub_encode = rsa_pub_encode,
650 .pub_cmp = rsa_pub_cmp,
651 .pub_print = rsa_pub_print,
652
653 .priv_decode = rsa_priv_decode,
654 .priv_encode = rsa_priv_encode,
655 .priv_print = rsa_priv_print,
656
657 .pkey_size = int_rsa_size,
658 .pkey_bits = rsa_bits,
659
660 .sig_print = rsa_sig_print,
661
662 .pkey_free = int_rsa_free,
663 .pkey_ctrl = rsa_pkey_ctrl,
664 .old_priv_decode = old_rsa_priv_decode,
665 .old_priv_encode = old_rsa_priv_encode,
666 .item_verify = rsa_item_verify,
667 .item_sign = rsa_item_sign
668 },
669
670 {
671 .pkey_id = EVP_PKEY_RSA2,
672 .pkey_base_id = EVP_PKEY_RSA,
673 .pkey_flags = ASN1_PKEY_ALIAS
674 }
675};
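--- a/src/lib/libcrypto/rsa/rsa_asn1.c
+++ /dev/null
@@ -1,308 +0,0 @@
-/* $OpenBSD: rsa_asn1.c,v 1.12 2015/02/14 15:06:55 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-
-/* Override the default free and new methods */
-static int
-rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
-{
- if (operation == ASN1_OP_NEW_PRE) {
- *pval = (ASN1_VALUE *)RSA_new();
- if (*pval)
- return 2;
- return 0;
- } else if (operation == ASN1_OP_FREE_PRE) {
- RSA_free((RSA *)*pval);
- *pval = NULL;
- return 2;
- }
- return 1;
-}
-
-static const ASN1_AUX RSAPrivateKey_aux = {
- .app_data = NULL,
- .flags = 0,
- .ref_offset = 0,
- .ref_lock = 0,
- .asn1_cb = rsa_cb,
- .enc_offset = 0,
-};
-static const ASN1_TEMPLATE RSAPrivateKey_seq_tt[] = {
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, version),
- .field_name = "version",
- .item = &LONG_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, n),
- .field_name = "n",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, e),
- .field_name = "e",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, d),
- .field_name = "d",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, p),
- .field_name = "p",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, q),
- .field_name = "q",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, dmp1),
- .field_name = "dmp1",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, dmq1),
- .field_name = "dmq1",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, iqmp),
- .field_name = "iqmp",
- .item = &BIGNUM_it,
- },
-};
-
-const ASN1_ITEM RSAPrivateKey_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = RSAPrivateKey_seq_tt,
- .tcount = sizeof(RSAPrivateKey_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = &RSAPrivateKey_aux,
- .size = sizeof(RSA),
- .sname = "RSA",
-};
-
-
-static const ASN1_AUX RSAPublicKey_aux = {
- .app_data = NULL,
- .flags = 0,
- .ref_offset = 0,
- .ref_lock = 0,
- .asn1_cb = rsa_cb,
- .enc_offset = 0,
-};
-static const ASN1_TEMPLATE RSAPublicKey_seq_tt[] = {
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, n),
- .field_name = "n",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, e),
- .field_name = "e",
- .item = &BIGNUM_it,
- },
-};
-
-const ASN1_ITEM RSAPublicKey_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = RSAPublicKey_seq_tt,
- .tcount = sizeof(RSAPublicKey_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = &RSAPublicKey_aux,
- .size = sizeof(RSA),
- .sname = "RSA",
-};
-
-static const ASN1_TEMPLATE RSA_PSS_PARAMS_seq_tt[] = {
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 0,
- .offset = offsetof(RSA_PSS_PARAMS, hashAlgorithm),
- .field_name = "hashAlgorithm",
- .item = &X509_ALGOR_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 1,
- .offset = offsetof(RSA_PSS_PARAMS, maskGenAlgorithm),
- .field_name = "maskGenAlgorithm",
- .item = &X509_ALGOR_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 2,
- .offset = offsetof(RSA_PSS_PARAMS, saltLength),
- .field_name = "saltLength",
- .item = &ASN1_INTEGER_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 3,
- .offset = offsetof(RSA_PSS_PARAMS, trailerField),
- .field_name = "trailerField",
- .item = &ASN1_INTEGER_it,
- },
-};
-
-const ASN1_ITEM RSA_PSS_PARAMS_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = RSA_PSS_PARAMS_seq_tt,
- .tcount = sizeof(RSA_PSS_PARAMS_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(RSA_PSS_PARAMS),
- .sname = "RSA_PSS_PARAMS",
-};
-
-
-RSA_PSS_PARAMS *
-d2i_RSA_PSS_PARAMS(RSA_PSS_PARAMS **a, const unsigned char **in, long len)
-{
- return (RSA_PSS_PARAMS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &RSA_PSS_PARAMS_it);
-}
-
-int
-i2d_RSA_PSS_PARAMS(RSA_PSS_PARAMS *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &RSA_PSS_PARAMS_it);
-}
-
-RSA_PSS_PARAMS *
-RSA_PSS_PARAMS_new(void)
-{
- return (RSA_PSS_PARAMS *)ASN1_item_new(&RSA_PSS_PARAMS_it);
-}
-
-void
-RSA_PSS_PARAMS_free(RSA_PSS_PARAMS *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &RSA_PSS_PARAMS_it);
-}
-
-
-RSA *
-d2i_RSAPrivateKey(RSA **a, const unsigned char **in, long len)
-{
- return (RSA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &RSAPrivateKey_it);
-}
-
-int
-i2d_RSAPrivateKey(const RSA *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &RSAPrivateKey_it);
-}
-
-
-RSA *
-d2i_RSAPublicKey(RSA **a, const unsigned char **in, long len)
-{
- return (RSA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &RSAPublicKey_it);
-}
-
-int
-i2d_RSAPublicKey(const RSA *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &RSAPublicKey_it);
-}
-
-RSA *
-RSAPublicKey_dup(RSA *rsa)
-{
- return ASN1_item_dup(ASN1_ITEM_rptr(RSAPublicKey), rsa);
-}
-
-RSA *
-RSAPrivateKey_dup(RSA *rsa)
-{
- return ASN1_item_dup(ASN1_ITEM_rptr(RSAPrivateKey), rsa);
-}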
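--- a/src/lib/libcrypto/rsa/rsa_chk.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/* $OpenBSD: rsa_chk.c,v 1.9 2014/07/10 07:43:11 jsing Exp $ */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- */
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-int
-RSA_check_key(const RSA *key)
-{
- BIGNUM *i, *j, *k, *l, *m;
- BN_CTX *ctx;
- int r;
- int ret = 1;
-
- if (!key->p || !key->q || !key->n || !key->e || !key->d) {
- RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING);
- return 0;
- }
-
- i = BN_new();
- j = BN_new();
- k = BN_new();
- l = BN_new();
- m = BN_new();
- ctx = BN_CTX_new();
- if (i == NULL || j == NULL || k == NULL || l == NULL || m == NULL ||
- ctx == NULL) {
- ret = -1;
- RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- /* p prime? */
- r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
- if (r != 1) {
- ret = r;
- if (r != 0)
- goto err;
- RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
- }
-
- /* q prime? */
- r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
- if (r != 1) {
- ret = r;
- if (r != 0)
- goto err;
- RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
- }
-
- /* n = p*q? */
- r = BN_mul(i, key->p, key->q, ctx);
- if (!r) {
- ret = -1;
- goto err;
- }
-
- if (BN_cmp(i, key->n) != 0) {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
- }
-
- /* d*e = 1 mod lcm(p-1,q-1)? */
-
- r = BN_sub(i, key->p, BN_value_one());
- if (!r) {
- ret = -1;
- goto err;
- }
- r = BN_sub(j, key->q, BN_value_one());
- if (!r) {
- ret = -1;
- goto err;
- }
-
- /* now compute k = lcm(i,j) */
- r = BN_mul(l, i, j, ctx);
- if (!r) {
- ret = -1;
- goto err;
- }
- r = BN_gcd(m, i, j, ctx);
- if (!r) {
- ret = -1;
- goto err;
- }
- r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */
- if (!r) {
- ret = -1;
- goto err;
- }
-
- r = BN_mod_mul(i, key->d, key->e, k, ctx);
- if (!r) {
- ret = -1;
- goto err;
- }
-
- if (!BN_is_one(i)) {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1);
- }
-
- if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
- /* dmp1 = d mod (p-1)? */
- r = BN_sub(i, key->p, BN_value_one());
- if (!r) {
- ret = -1;
- goto err;
- }
-
- r = BN_mod(j, key->d, i, ctx);
- if (!r) {
- ret = -1;
- goto err;
- }
-
- if (BN_cmp(j, key->dmp1) != 0) {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY,
- RSA_R_DMP1_NOT_CONGRUENT_TO_D);
- }
-
- /* dmq1 = d mod (q-1)? */
- r = BN_sub(i, key->q, BN_value_one());
- if (!r) {
- ret = -1;
- goto err;
- }
-
- r = BN_mod(j, key->d, i, ctx);
- if (!r) {
- ret = -1;
- goto err;
- }
-
- if (BN_cmp(j, key->dmq1) != 0) {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY,
- RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
- }
-
- /* iqmp = q^-1 mod p? */
- if (!BN_mod_inverse(i, key->q, key->p, ctx)) {
- ret = -1;
- goto err;
- }
-
- if (BN_cmp(i, key->iqmp) != 0) {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY,
- RSA_R_IQMP_NOT_INVERSE_OF_Q);
- }
- }
-
-err:
- BN_free(i);
- BN_free(j);
- BN_free(k);
- BN_free(l);
- BN_free(m);
- BN_CTX_free(ctx);
-
- return (ret);
-}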
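--- a/src/lib/libcrypto/rsa/rsa_crpt.c
+++ /dev/null
@@ -1,214 +0,0 @@
-/* $OpenBSD: rsa_crpt.c,v 1.16 2016/07/07 11:53:12 bcook Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/bn.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#include <openssl/lhash.h>
-#include <openssl/rsa.h>
-
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
-int
-RSA_size(const RSA *r)
-{
- return BN_num_bytes(r->n);
-}
-
-int
-RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
-{
- return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding);
-}
-
-int
-RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
-{
- return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding);
-}
-
-int
-RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
-{
- return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding);
-}
-
-int
-RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
-{
- return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding);
-}
-
-int
-RSA_flags(const RSA *r)
-{
- return r == NULL ? 0 : r->meth->flags;
-}
-
-void
-RSA_blinding_off(RSA *rsa)
-{
- BN_BLINDING_free(rsa->blinding);
- rsa->blinding = NULL;
- rsa->flags |= RSA_FLAG_NO_BLINDING;
-}
-
-int
-RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
-{
- int ret = 0;
-
- if (rsa->blinding != NULL)
- RSA_blinding_off(rsa);
-
- rsa->blinding = RSA_setup_blinding(rsa, ctx);
- if (rsa->blinding == NULL)
- goto err;
-
- rsa->flags &= ~RSA_FLAG_NO_BLINDING;
- ret = 1;
-err:
- return (ret);
-}
-
-static BIGNUM *
-rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p, const BIGNUM *q,
- BN_CTX *ctx)
-{
- BIGNUM *ret = NULL, *r0, *r1, *r2;
-
- if (d == NULL || p == NULL || q == NULL)
- return NULL;
-
- BN_CTX_start(ctx);
- if ((r0 = BN_CTX_get(ctx)) == NULL)
- goto err;
- if ((r1 = BN_CTX_get(ctx)) == NULL)
- goto err;
- if ((r2 = BN_CTX_get(ctx)) == NULL)
- goto err;
-
- if (!BN_sub(r1, p, BN_value_one()))
- goto err;
- if (!BN_sub(r2, q, BN_value_one()))
- goto err;
- if (!BN_mul(r0, r1, r2, ctx))
- goto err;
-
- ret = BN_mod_inverse(NULL, d, r0, ctx);
-err:
- BN_CTX_end(ctx);
- return ret;
-}
-
-BN_BLINDING *
-RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
-{
- BIGNUM *e;
- BIGNUM n;
- BN_CTX *ctx;
- BN_BLINDING *ret = NULL;
-
- if (in_ctx == NULL) {
- if ((ctx = BN_CTX_new()) == NULL)
- return 0;
- } else
- ctx = in_ctx;
-
- BN_CTX_start(ctx);
-
- if (rsa->e == NULL) {
- e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
- if (e == NULL) {
- RSAerr(RSA_F_RSA_SETUP_BLINDING,
- RSA_R_NO_PUBLIC_EXPONENT);
- goto err;
- }
- } else
- e = rsa->e;
-
- BN_init(&n);
- BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME);
-
- ret = BN_BLINDING_create_param(NULL, e, &n, ctx, rsa->meth->bn_mod_exp,
- rsa->_method_mod_n);
-
- if (ret == NULL) {
- RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
- goto err;
- }
- CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
-err:
- BN_CTX_end(ctx);
- if (in_ctx == NULL)
- BN_CTX_free(ctx);
- if (rsa->e == NULL)
- BN_free(e);
-
- return ret;
-}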
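--- a/src/lib/libcrypto/rsa/rsa_depr.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/* $OpenBSD: rsa_depr.c,v 1.8 2014/07/11 08:44:49 jsing Exp $ */
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* NB: This file contains deprecated functions (compatibility wrappers to the
- * "new" versions). */
-
-#include <stdio.h>
-#include <time.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-
-#ifndef OPENSSL_NO_DEPRECATED
-
-RSA *
-RSA_generate_key(int bits, unsigned long e_value,
- void (*callback)(int, int, void *), void *cb_arg)
-{
- BN_GENCB cb;
- int i;
- RSA *rsa = RSA_new();
- BIGNUM *e = BN_new();
-
- if (!rsa || !e)
- goto err;
-
- /* The problem is when building with 8, 16, or 32 BN_ULONG,
- * unsigned long can be larger */
- for (i = 0; i < (int)sizeof(unsigned long) * 8; i++) {
- if (e_value & (1UL << i))
- if (BN_set_bit(e, i) == 0)
- goto err;
- }
-
- BN_GENCB_set_old(&cb, callback, cb_arg);
-
- if (RSA_generate_key_ex(rsa, bits, e, &cb)) {
- BN_free(e);
- return rsa;
- }
-err:
- BN_free(e);
- RSA_free(rsa);
-
- return 0;
-}
-#endif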
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
deleted file mode 100644
index 2facd1c6f6..0000000000
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ /dev/null
@@ -1,888 +0,0 @@
1/* $OpenBSD: rsa_eay.c,v 1.42 2016/07/07 11:53:12 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#include <stdio.h>
113#include <string.h>
114
115#include <openssl/opensslconf.h>
116
117#include <openssl/bn.h>
118#include <openssl/err.h>
119#include <openssl/rsa.h>
120
121static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
122 unsigned char *to, RSA *rsa, int padding);
123static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
124 unsigned char *to, RSA *rsa, int padding);
125static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
126 unsigned char *to, RSA *rsa, int padding);
127static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
128 unsigned char *to, RSA *rsa, int padding);
129static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
130static int RSA_eay_init(RSA *rsa);
131static int RSA_eay_finish(RSA *rsa);
132
133static RSA_METHOD rsa_pkcs1_eay_meth = {
134 .name = "Eric Young's PKCS#1 RSA",
135 .rsa_pub_enc = RSA_eay_public_encrypt,
136 .rsa_pub_dec = RSA_eay_public_decrypt, /* signature verification */
137 .rsa_priv_enc = RSA_eay_private_encrypt, /* signing */
138 .rsa_priv_dec = RSA_eay_private_decrypt,
139 .rsa_mod_exp = RSA_eay_mod_exp,
140 .bn_mod_exp = BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
141 .init = RSA_eay_init,
142 .finish = RSA_eay_finish,
143};
144
145const RSA_METHOD *
146RSA_PKCS1_SSLeay(void)
147{
148 return &rsa_pkcs1_eay_meth;
149}
150
151static int
152RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
153 RSA *rsa, int padding)
154{
155 BIGNUM *f, *ret;
156 int i, j, k, num = 0, r = -1;
157 unsigned char *buf = NULL;
158 BN_CTX *ctx = NULL;
159
160 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
161 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
162 return -1;
163 }
164
165 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
166 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
167 return -1;
168 }
169
170 /* for large moduli, enforce exponent limit */
171 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
172 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
173 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
174 return -1;
175 }
176 }
177
178 if ((ctx = BN_CTX_new()) == NULL)
179 goto err;
180
181 BN_CTX_start(ctx);
182 f = BN_CTX_get(ctx);
183 ret = BN_CTX_get(ctx);
184 num = BN_num_bytes(rsa->n);
185 buf = malloc(num);
186
187 if (f == NULL || ret == NULL || buf == NULL) {
188 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
189 goto err;
190 }
191
192 switch (padding) {
193 case RSA_PKCS1_PADDING:
194 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
195 break;
196#ifndef OPENSSL_NO_SHA
197 case RSA_PKCS1_OAEP_PADDING:
198 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
199 break;
200#endif
201 case RSA_SSLV23_PADDING:
202 i = RSA_padding_add_SSLv23(buf, num, from, flen);
203 break;
204 case RSA_NO_PADDING:
205 i = RSA_padding_add_none(buf, num, from, flen);
206 break;
207 default:
208 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,
209 RSA_R_UNKNOWN_PADDING_TYPE);
210 goto err;
211 }
212 if (i <= 0)
213 goto err;
214
215 if (BN_bin2bn(buf, num, f) == NULL)
216 goto err;
217
218 if (BN_ucmp(f, rsa->n) >= 0) {
219 /* usually the padding functions would catch this */
220 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,
221 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
222 goto err;
223 }
224
225 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
226 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
227 CRYPTO_LOCK_RSA, rsa->n, ctx))
228 goto err;
229
230 if (!rsa->meth->bn_mod_exp(ret, f,rsa->e, rsa->n, ctx,
231 rsa->_method_mod_n))
232 goto err;
233
234 /* put in leading 0 bytes if the number is less than the
235 * length of the modulus */
236 j = BN_num_bytes(ret);
237 i = BN_bn2bin(ret, &(to[num - j]));
238 for (k = 0; k < num - i; k++)
239 to[k] = 0;
240
241 r = num;
242err:
243 if (ctx != NULL) {
244 BN_CTX_end(ctx);
245 BN_CTX_free(ctx);
246 }
247 if (buf != NULL) {
248 explicit_bzero(buf, num);
249 free(buf);
250 }
251 return r;
252}
253
254static BN_BLINDING *
255rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
256{
257 BN_BLINDING *ret;
258 int got_write_lock = 0;
259 CRYPTO_THREADID cur;
260
261 CRYPTO_r_lock(CRYPTO_LOCK_RSA);
262
263 if (rsa->blinding == NULL) {
264 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
265 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
266 got_write_lock = 1;
267
268 if (rsa->blinding == NULL)
269 rsa->blinding = RSA_setup_blinding(rsa, ctx);
270 }
271
272 ret = rsa->blinding;
273 if (ret == NULL)
274 goto err;
275
276 CRYPTO_THREADID_current(&cur);
277 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) {
278 /* rsa->blinding is ours! */
279 *local = 1;
280 } else {
281 /* resort to rsa->mt_blinding instead */
282 /*
283 * Instruct rsa_blinding_convert(), rsa_blinding_invert()
284 * that the BN_BLINDING is shared, meaning that accesses
285 * require locks, and that the blinding factor must be
286 * stored outside the BN_BLINDING
287 */
288 *local = 0;
289
290 if (rsa->mt_blinding == NULL) {
291 if (!got_write_lock) {
292 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
293 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
294 got_write_lock = 1;
295 }
296
297 if (rsa->mt_blinding == NULL)
298 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
299 }
300 ret = rsa->mt_blinding;
301 }
302
303err:
304 if (got_write_lock)
305 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
306 else
307 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
308 return ret;
309}
310
311static int
312rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
313{
314 if (unblind == NULL)
315 /*
316 * Local blinding: store the unblinding factor
317 * in BN_BLINDING.
318 */
319 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
320 else {
321 /*
322 * Shared blinding: store the unblinding factor
323 * outside BN_BLINDING.
324 */
325 int ret;
326 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
327 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
328 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
329 return ret;
330 }
331}
332
333static int
334rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
335{
336 /*
337 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
338 * will use the unblinding factor stored in BN_BLINDING.
339 * If BN_BLINDING is shared between threads, unblind must be non-null:
340 * BN_BLINDING_invert_ex will then use the local unblinding factor,
341 * and will only read the modulus from BN_BLINDING.
342 * In both cases it's safe to access the blinding without a lock.
343 */
344 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
345}
346
347/* signing */
348static int
349RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
350 RSA *rsa, int padding)
351{
352 BIGNUM *f, *ret, *res;
353 int i, j, k, num = 0, r = -1;
354 unsigned char *buf = NULL;
355 BN_CTX *ctx = NULL;
356 int local_blinding = 0;
357 /*
358 * Used only if the blinding structure is shared. A non-NULL unblind
359 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
360 * the unblinding factor outside the blinding structure.
361 */
362 BIGNUM *unblind = NULL;
363 BN_BLINDING *blinding = NULL;
364
365 if ((ctx = BN_CTX_new()) == NULL)
366 goto err;
367
368 BN_CTX_start(ctx);
369 f = BN_CTX_get(ctx);
370 ret = BN_CTX_get(ctx);
371 num = BN_num_bytes(rsa->n);
372 buf = malloc(num);
373
374 if (f == NULL || ret == NULL || buf == NULL) {
375 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
376 goto err;
377 }
378
379 switch (padding) {
380 case RSA_PKCS1_PADDING:
381 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
382 break;
383 case RSA_X931_PADDING:
384 i = RSA_padding_add_X931(buf, num, from, flen);
385 break;
386 case RSA_NO_PADDING:
387 i = RSA_padding_add_none(buf, num, from, flen);
388 break;
389 case RSA_SSLV23_PADDING:
390 default:
391 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
392 RSA_R_UNKNOWN_PADDING_TYPE);
393 goto err;
394 }
395 if (i <= 0)
396 goto err;
397
398 if (BN_bin2bn(buf, num, f) == NULL)
399 goto err;
400
401 if (BN_ucmp(f, rsa->n) >= 0) {
402 /* usually the padding functions would catch this */
403 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
404 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
405 goto err;
406 }
407
408 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
409 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
410 if (blinding == NULL) {
411 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
412 ERR_R_INTERNAL_ERROR);
413 goto err;
414 }
415 }
416
417 if (blinding != NULL) {
418 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
419 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
420 ERR_R_MALLOC_FAILURE);
421 goto err;
422 }
423 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
424 goto err;
425 }
426
427 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
428 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
429 rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
430 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
431 goto err;
432 } else {
433 BIGNUM d;
434
435 BN_init(&d);
436 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
437
438 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
439 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
440 CRYPTO_LOCK_RSA, rsa->n, ctx))
441 goto err;
442
443 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
444 rsa->_method_mod_n)) {
445 goto err;
446 }
447 }
448
449 if (blinding)
450 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
451 goto err;
452
453 if (padding == RSA_X931_PADDING) {
454 BN_sub(f, rsa->n, ret);
455 if (BN_cmp(ret, f) > 0)
456 res = f;
457 else
458 res = ret;
459 } else
460 res = ret;
461
462 /* put in leading 0 bytes if the number is less than the
463 * length of the modulus */
464 j = BN_num_bytes(res);
465 i = BN_bn2bin(res, &(to[num - j]));
466 for (k = 0; k < num - i; k++)
467 to[k] = 0;
468
469 r = num;
470err:
471 if (ctx != NULL) {
472 BN_CTX_end(ctx);
473 BN_CTX_free(ctx);
474 }
475 if (buf != NULL) {
476 explicit_bzero(buf, num);
477 free(buf);
478 }
479 return r;
480}
481
482static int
483RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
484 RSA *rsa, int padding)
485{
486 BIGNUM *f, *ret;
487 int j, num = 0, r = -1;
488 unsigned char *p;
489 unsigned char *buf = NULL;
490 BN_CTX *ctx = NULL;
491 int local_blinding = 0;
492 /*
493 * Used only if the blinding structure is shared. A non-NULL unblind
494 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
495 * the unblinding factor outside the blinding structure.
496 */
497 BIGNUM *unblind = NULL;
498 BN_BLINDING *blinding = NULL;
499
500 if ((ctx = BN_CTX_new()) == NULL)
501 goto err;
502
503 BN_CTX_start(ctx);
504 f = BN_CTX_get(ctx);
505 ret = BN_CTX_get(ctx);
506 num = BN_num_bytes(rsa->n);
507 buf = malloc(num);
508
509 if (!f || !ret || !buf) {
510 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
511 goto err;
512 }
513
514 /* This check was for equality but PGP does evil things
515 * and chops off the top '0' bytes */
516 if (flen > num) {
517 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
518 RSA_R_DATA_GREATER_THAN_MOD_LEN);
519 goto err;
520 }
521
522 /* make data into a big number */
523 if (BN_bin2bn(from, (int)flen, f) == NULL)
524 goto err;
525
526 if (BN_ucmp(f, rsa->n) >= 0) {
527 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
528 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
529 goto err;
530 }
531
532 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
533 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
534 if (blinding == NULL) {
535 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
536 ERR_R_INTERNAL_ERROR);
537 goto err;
538 }
539 }
540
541 if (blinding != NULL) {
542 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
543 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
544 ERR_R_MALLOC_FAILURE);
545 goto err;
546 }
547 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
548 goto err;
549 }
550
551 /* do the decrypt */
552 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
553 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
554 rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
555 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
556 goto err;
557 } else {
558 BIGNUM d;
559
560 BN_init(&d);
561 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
562
563 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
564 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
565 CRYPTO_LOCK_RSA, rsa->n, ctx))
566 goto err;
567
568 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
569 rsa->_method_mod_n)) {
570 goto err;
571 }
572 }
573
574 if (blinding)
575 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
576 goto err;
577
578 p = buf;
579 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
580
581 switch (padding) {
582 case RSA_PKCS1_PADDING:
583 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
584 break;
585#ifndef OPENSSL_NO_SHA
586 case RSA_PKCS1_OAEP_PADDING:
587 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
588 break;
589#endif
590 case RSA_SSLV23_PADDING:
591 r = RSA_padding_check_SSLv23(to, num, buf, j, num);
592 break;
593 case RSA_NO_PADDING:
594 r = RSA_padding_check_none(to, num, buf, j, num);
595 break;
596 default:
597 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
598 RSA_R_UNKNOWN_PADDING_TYPE);
599 goto err;
600 }
601 if (r < 0)
602 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
603 RSA_R_PADDING_CHECK_FAILED);
604
605err:
606 if (ctx != NULL) {
607 BN_CTX_end(ctx);
608 BN_CTX_free(ctx);
609 }
610 if (buf != NULL) {
611 explicit_bzero(buf, num);
612 free(buf);
613 }
614 return r;
615}
616
617/* signature verification */
618static int
619RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
620 RSA *rsa, int padding)
621{
622 BIGNUM *f, *ret;
623 int i, num = 0, r = -1;
624 unsigned char *p;
625 unsigned char *buf = NULL;
626 BN_CTX *ctx = NULL;
627
628 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
629 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
630 return -1;
631 }
632
633 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
634 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
635 return -1;
636 }
637
638 /* for large moduli, enforce exponent limit */
639 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
640 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
641 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
642 return -1;
643 }
644 }
645
646 if ((ctx = BN_CTX_new()) == NULL)
647 goto err;
648
649 BN_CTX_start(ctx);
650 f = BN_CTX_get(ctx);
651 ret = BN_CTX_get(ctx);
652 num = BN_num_bytes(rsa->n);
653 buf = malloc(num);
654
655 if (!f || !ret || !buf) {
656 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
657 goto err;
658 }
659
660 /* This check was for equality but PGP does evil things
661 * and chops off the top '0' bytes */
662 if (flen > num) {
663 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
664 RSA_R_DATA_GREATER_THAN_MOD_LEN);
665 goto err;
666 }
667
668 if (BN_bin2bn(from, flen, f) == NULL)
669 goto err;
670
671 if (BN_ucmp(f, rsa->n) >= 0) {
672 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
673 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
674 goto err;
675 }
676
677 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
678 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
679 CRYPTO_LOCK_RSA, rsa->n, ctx))
680 goto err;
681
682 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
683 rsa->_method_mod_n))
684 goto err;
685
686 if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12)
687 if (!BN_sub(ret, rsa->n, ret))
688 goto err;
689
690 p = buf;
691 i = BN_bn2bin(ret, p);
692
693 switch (padding) {
694 case RSA_PKCS1_PADDING:
695 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
696 break;
697 case RSA_X931_PADDING:
698 r = RSA_padding_check_X931(to, num, buf, i, num);
699 break;
700 case RSA_NO_PADDING:
701 r = RSA_padding_check_none(to, num, buf, i, num);
702 break;
703 default:
704 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
705 RSA_R_UNKNOWN_PADDING_TYPE);
706 goto err;
707 }
708 if (r < 0)
709 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
710 RSA_R_PADDING_CHECK_FAILED);
711
712err:
713 if (ctx != NULL) {
714 BN_CTX_end(ctx);
715 BN_CTX_free(ctx);
716 }
717 if (buf != NULL) {
718 explicit_bzero(buf, num);
719 free(buf);
720 }
721 return r;
722}
723
724static int
725RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
726{
727 BIGNUM *r1, *m1, *vrfy;
728 BIGNUM dmp1, dmq1, c, pr1;
729 int ret = 0;
730
731 BN_CTX_start(ctx);
732 r1 = BN_CTX_get(ctx);
733 m1 = BN_CTX_get(ctx);
734 vrfy = BN_CTX_get(ctx);
735 if (r1 == NULL || m1 == NULL || vrfy == NULL) {
736 RSAerr(RSA_F_RSA_EAY_MOD_EXP, ERR_R_MALLOC_FAILURE);
737 goto err;
738 }
739
740 {
741 BIGNUM p, q;
742
743 /*
744 * Make sure BN_mod_inverse in Montgomery intialization uses the
745 * BN_FLG_CONSTTIME flag
746 */
747 BN_init(&p);
748 BN_init(&q);
749 BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
750 BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME);
751
752 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
753 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
754 CRYPTO_LOCK_RSA, &p, ctx) ||
755 !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
756 CRYPTO_LOCK_RSA, &q, ctx)) {
757 goto err;
758 }
759 }
760 }
761
762 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
763 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
764 CRYPTO_LOCK_RSA, rsa->n, ctx))
765 goto err;
766
767 /* compute I mod q */
768 BN_init(&c);
769 BN_with_flags(&c, I, BN_FLG_CONSTTIME);
770
771 if (!BN_mod(r1, &c, rsa->q, ctx))
772 goto err;
773
774 /* compute r1^dmq1 mod q */
775 BN_init(&dmq1);
776 BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
777
778 if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx,
779 rsa->_method_mod_q))
780 goto err;
781
782 /* compute I mod p */
783 BN_with_flags(&c, I, BN_FLG_CONSTTIME);
784
785 if (!BN_mod(r1, &c, rsa->p, ctx))
786 goto err;
787
788 /* compute r1^dmp1 mod p */
789 BN_init(&dmp1);
790 BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
791
792 if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx,
793 rsa->_method_mod_p))
794 goto err;
795
796 if (!BN_sub(r0, r0, m1))
797 goto err;
798
799 /*
800 * This will help stop the size of r0 increasing, which does
801 * affect the multiply if it optimised for a power of 2 size
802 */
803 if (BN_is_negative(r0))
804 if (!BN_add(r0, r0, rsa->p))
805 goto err;
806
807 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
808 goto err;
809
810 /* Turn BN_FLG_CONSTTIME flag on before division operation */
811 BN_init(&pr1);
812 BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME);
813
814 if (!BN_mod(r0, &pr1, rsa->p, ctx))
815 goto err;
816
817 /*
818 * If p < q it is occasionally possible for the correction of
819 * adding 'p' if r0 is negative above to leave the result still
820 * negative. This can break the private key operations: the following
821 * second correction should *always* correct this rare occurrence.
822 * This will *never* happen with OpenSSL generated keys because
823 * they ensure p > q [steve]
824 */
825 if (BN_is_negative(r0))
826 if (!BN_add(r0, r0, rsa->p))
827 goto err;
828 if (!BN_mul(r1, r0, rsa->q, ctx))
829 goto err;
830 if (!BN_add(r0, r1, m1))
831 goto err;
832
833 if (rsa->e && rsa->n) {
834 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
835 rsa->_method_mod_n))
836 goto err;
837 /*
838 * If 'I' was greater than (or equal to) rsa->n, the operation
839 * will be equivalent to using 'I mod n'. However, the result of
840 * the verify will *always* be less than 'n' so we don't check
841 * for absolute equality, just congruency.
842 */
843 if (!BN_sub(vrfy, vrfy, I))
844 goto err;
845 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
846 goto err;
847 if (BN_is_negative(vrfy))
848 if (!BN_add(vrfy, vrfy, rsa->n))
849 goto err;
850 if (!BN_is_zero(vrfy)) {
851 /*
852 * 'I' and 'vrfy' aren't congruent mod n. Don't leak
853 * miscalculated CRT output, just do a raw (slower)
854 * mod_exp and return that instead.
855 */
856 BIGNUM d;
857
858 BN_init(&d);
859 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
860
861 if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx,
862 rsa->_method_mod_n)) {
863 goto err;
864 }
865 }
866 }
867 ret = 1;
868err:
869 BN_CTX_end(ctx);
870 return ret;
871}
872
873static int
874RSA_eay_init(RSA *rsa)
875{
876 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
877 return 1;
878}
879
880static int
881RSA_eay_finish(RSA *rsa)
882{
883 BN_MONT_CTX_free(rsa->_method_mod_n);
884 BN_MONT_CTX_free(rsa->_method_mod_p);
885 BN_MONT_CTX_free(rsa->_method_mod_q);
886
887 return 1;
888}
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
deleted file mode 100644
index 81622c6099..0000000000
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ /dev/null
@@ -1,210 +0,0 @@
1/* $OpenBSD: rsa_err.c,v 1.16 2015/02/15 14:35:30 miod Exp $ */
2/* ====================================================================
3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62
63#include <openssl/opensslconf.h>
64
65#include <openssl/err.h>
66#include <openssl/rsa.h>
67
68/* BEGIN ERROR CODES */
69#ifndef OPENSSL_NO_ERR
70
71#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RSA,func,0)
72#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RSA,0,reason)
73
74static ERR_STRING_DATA RSA_str_functs[] = {
75 {ERR_FUNC(RSA_F_CHECK_PADDING_MD), "CHECK_PADDING_MD"},
76 {ERR_FUNC(RSA_F_DO_RSA_PRINT), "DO_RSA_PRINT"},
77 {ERR_FUNC(RSA_F_INT_RSA_VERIFY), "INT_RSA_VERIFY"},
78 {ERR_FUNC(RSA_F_MEMORY_LOCK), "MEMORY_LOCK"},
79 {ERR_FUNC(RSA_F_OLD_RSA_PRIV_DECODE), "OLD_RSA_PRIV_DECODE"},
80 {ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "PKEY_RSA_CTRL"},
81 {ERR_FUNC(RSA_F_PKEY_RSA_CTRL_STR), "PKEY_RSA_CTRL_STR"},
82 {ERR_FUNC(RSA_F_PKEY_RSA_SIGN), "PKEY_RSA_SIGN"},
83 {ERR_FUNC(RSA_F_PKEY_RSA_VERIFY), "PKEY_RSA_VERIFY"},
84 {ERR_FUNC(RSA_F_PKEY_RSA_VERIFYRECOVER), "PKEY_RSA_VERIFYRECOVER"},
85 {ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"},
86 {ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
87 {ERR_FUNC(RSA_F_RSA_EAY_MOD_EXP), "RSA_EAY_MOD_EXP"},
88 {ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"},
89 {ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"},
90 {ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"},
91 {ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"},
92 {ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"},
93 {ERR_FUNC(RSA_F_RSA_GENERATE_KEY_EX), "RSA_generate_key_ex"},
94 {ERR_FUNC(RSA_F_RSA_ITEM_VERIFY), "RSA_ITEM_VERIFY"},
95 {ERR_FUNC(RSA_F_RSA_MEMORY_LOCK), "RSA_memory_lock"},
96 {ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"},
97 {ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"},
98 {ERR_FUNC(RSA_F_RSA_NULL_MOD_EXP), "RSA_NULL_MOD_EXP"},
99 {ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_DECRYPT), "RSA_NULL_PRIVATE_DECRYPT"},
100 {ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_ENCRYPT), "RSA_NULL_PRIVATE_ENCRYPT"},
101 {ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_DECRYPT), "RSA_NULL_PUBLIC_DECRYPT"},
102 {ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_ENCRYPT), "RSA_NULL_PUBLIC_ENCRYPT"},
103 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"},
104 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"},
105 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"},
106 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1), "RSA_padding_add_PKCS1_PSS_mgf1"},
107 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1), "RSA_padding_add_PKCS1_type_1"},
108 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2), "RSA_padding_add_PKCS1_type_2"},
109 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23), "RSA_padding_add_SSLv23"},
110 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_X931), "RSA_padding_add_X931"},
111 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_NONE), "RSA_padding_check_none"},
112 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP), "RSA_padding_check_PKCS1_OAEP"},
113 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1), "RSA_padding_check_PKCS1_type_1"},
114 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2), "RSA_padding_check_PKCS1_type_2"},
115 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23), "RSA_padding_check_SSLv23"},
116 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"},
117 {ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"},
118 {ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
119 {ERR_FUNC(RSA_F_RSA_PRIVATE_DECRYPT), "RSA_private_decrypt"},
120 {ERR_FUNC(RSA_F_RSA_PRIVATE_ENCRYPT), "RSA_private_encrypt"},
121 {ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"},
122 {ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "RSA_PRIV_ENCODE"},
123 {ERR_FUNC(RSA_F_RSA_PUBLIC_DECRYPT), "RSA_public_decrypt"},
124 {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
125 {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
126 {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
127 {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
128 {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"},
129 {ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
130 {ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING), "RSA_verify_ASN1_OCTET_STRING"},
131 {ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"},
132 {ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1), "RSA_verify_PKCS1_PSS_mgf1"},
133 {0, NULL}
134};
135
136static ERR_STRING_DATA RSA_str_reasons[] = {
137 {ERR_REASON(RSA_R_ALGORITHM_MISMATCH) , "algorithm mismatch"},
138 {ERR_REASON(RSA_R_BAD_E_VALUE) , "bad e value"},
139 {ERR_REASON(RSA_R_BAD_FIXED_HEADER_DECRYPT), "bad fixed header decrypt"},
140 {ERR_REASON(RSA_R_BAD_PAD_BYTE_COUNT) , "bad pad byte count"},
141 {ERR_REASON(RSA_R_BAD_SIGNATURE) , "bad signature"},
142 {ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_01) , "block type is not 01"},
143 {ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_02) , "block type is not 02"},
144 {ERR_REASON(RSA_R_DATA_GREATER_THAN_MOD_LEN), "data greater than mod len"},
145 {ERR_REASON(RSA_R_DATA_TOO_LARGE) , "data too large"},
146 {ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE), "data too large for key size"},
147 {ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS), "data too large for modulus"},
148 {ERR_REASON(RSA_R_DATA_TOO_SMALL) , "data too small"},
149 {ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE), "data too small for key size"},
150 {ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY), "digest too big for rsa key"},
151 {ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D), "dmp1 not congruent to d"},
152 {ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D), "dmq1 not congruent to d"},
153 {ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1), "d e not congruent to 1"},
154 {ERR_REASON(RSA_R_FIRST_OCTET_INVALID) , "first octet invalid"},
155 {ERR_REASON(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE), "illegal or unsupported padding mode"},
156 {ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) , "invalid digest length"},
157 {ERR_REASON(RSA_R_INVALID_HEADER) , "invalid header"},
158 {ERR_REASON(RSA_R_INVALID_KEYBITS) , "invalid keybits"},
159 {ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH), "invalid message length"},
160 {ERR_REASON(RSA_R_INVALID_MGF1_MD) , "invalid mgf1 md"},
161 {ERR_REASON(RSA_R_INVALID_PADDING) , "invalid padding"},
162 {ERR_REASON(RSA_R_INVALID_PADDING_MODE) , "invalid padding mode"},
163 {ERR_REASON(RSA_R_INVALID_PSS_PARAMETERS), "invalid pss parameters"},
164 {ERR_REASON(RSA_R_INVALID_PSS_SALTLEN) , "invalid pss saltlen"},
165 {ERR_REASON(RSA_R_INVALID_SALT_LENGTH) , "invalid salt length"},
166 {ERR_REASON(RSA_R_INVALID_TRAILER) , "invalid trailer"},
167 {ERR_REASON(RSA_R_INVALID_X931_DIGEST) , "invalid x931 digest"},
168 {ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) , "iqmp not inverse of q"},
169 {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) , "key size too small"},
170 {ERR_REASON(RSA_R_LAST_OCTET_INVALID) , "last octet invalid"},
171 {ERR_REASON(RSA_R_MODULUS_TOO_LARGE) , "modulus too large"},
172 {ERR_REASON(RSA_R_NON_FIPS_RSA_METHOD) , "non fips rsa method"},
173 {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) , "no public exponent"},
174 {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING), "null before block missing"},
175 {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) , "n does not equal p q"},
176 {ERR_REASON(RSA_R_OAEP_DECODING_ERROR) , "oaep decoding error"},
177 {ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), "operation not allowed in fips mode"},
178 {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "operation not supported for this keytype"},
179 {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) , "padding check failed"},
180 {ERR_REASON(RSA_R_P_NOT_PRIME) , "p not prime"},
181 {ERR_REASON(RSA_R_Q_NOT_PRIME) , "q not prime"},
182 {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED), "rsa operations not supported"},
183 {ERR_REASON(RSA_R_SLEN_CHECK_FAILED) , "salt length check failed"},
184 {ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) , "salt length recovery failed"},
185 {ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) , "sslv3 rollback attack"},
186 {ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD), "the asn1 object identifier is not known for this md"},
187 {ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE), "unknown algorithm type"},
188 {ERR_REASON(RSA_R_UNKNOWN_MASK_DIGEST) , "unknown mask digest"},
189 {ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) , "unknown padding type"},
190 {ERR_REASON(RSA_R_UNKNOWN_PSS_DIGEST) , "unknown pss digest"},
191 {ERR_REASON(RSA_R_UNSUPPORTED_MASK_ALGORITHM), "unsupported mask algorithm"},
192 {ERR_REASON(RSA_R_UNSUPPORTED_MASK_PARAMETER), "unsupported mask parameter"},
193 {ERR_REASON(RSA_R_UNSUPPORTED_SIGNATURE_TYPE), "unsupported signature type"},
194 {ERR_REASON(RSA_R_VALUE_MISSING) , "value missing"},
195 {ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH), "wrong signature length"},
196 {0, NULL}
197};
198
199#endif
200
201void
202ERR_load_RSA_strings(void)
203{
204#ifndef OPENSSL_NO_ERR
205 if (ERR_func_error_string(RSA_str_functs[0].error) == NULL) {
206 ERR_load_strings(0, RSA_str_functs);
207 ERR_load_strings(0, RSA_str_reasons);
208 }
209#endif
210}
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
deleted file mode 100644
index d46f4f2478..0000000000
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ /dev/null
@@ -1,229 +0,0 @@
1/* $OpenBSD: rsa_gen.c,v 1.18 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59
60/* NB: these functions have been "upgraded", the deprecated versions (which are
61 * compatibility wrappers using these functions) are in rsa_depr.c.
62 * - Geoff
63 */
64
65#include <stdio.h>
66#include <time.h>
67
68#include <openssl/bn.h>
69#include <openssl/err.h>
70#include <openssl/rsa.h>
71
72static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
73
74/*
75 * NB: this wrapper would normally be placed in rsa_lib.c and the static
76 * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so
77 * that we don't introduce a new linker dependency. Eg. any application that
78 * wasn't previously linking object code related to key-generation won't have to
79 * now just because key-generation is part of RSA_METHOD.
80 */
81int
82RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
83{
84 if (rsa->meth->rsa_keygen)
85 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
86 return rsa_builtin_keygen(rsa, bits, e_value, cb);
87}
88
89static int
90rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
91{
92 BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
93 BIGNUM pr0, d, p;
94 int bitsp, bitsq, ok = -1, n = 0;
95 BN_CTX *ctx = NULL;
96
97 ctx = BN_CTX_new();
98 if (ctx == NULL)
99 goto err;
100 BN_CTX_start(ctx);
101 if ((r0 = BN_CTX_get(ctx)) == NULL)
102 goto err;
103 if ((r1 = BN_CTX_get(ctx)) == NULL)
104 goto err;
105 if ((r2 = BN_CTX_get(ctx)) == NULL)
106 goto err;
107 if ((r3 = BN_CTX_get(ctx)) == NULL)
108 goto err;
109
110 bitsp = (bits + 1) / 2;
111 bitsq = bits - bitsp;
112
113 /* We need the RSA components non-NULL */
114 if (!rsa->n && ((rsa->n = BN_new()) == NULL))
115 goto err;
116 if (!rsa->d && ((rsa->d = BN_new()) == NULL))
117 goto err;
118 if (!rsa->e && ((rsa->e = BN_new()) == NULL))
119 goto err;
120 if (!rsa->p && ((rsa->p = BN_new()) == NULL))
121 goto err;
122 if (!rsa->q && ((rsa->q = BN_new()) == NULL))
123 goto err;
124 if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
125 goto err;
126 if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
127 goto err;
128 if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
129 goto err;
130
131 BN_copy(rsa->e, e_value);
132
133 /* generate p and q */
134 for (;;) {
135 if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
136 goto err;
137 if (!BN_sub(r2, rsa->p, BN_value_one()))
138 goto err;
139 if (!BN_gcd(r1, r2, rsa->e, ctx))
140 goto err;
141 if (BN_is_one(r1))
142 break;
143 if (!BN_GENCB_call(cb, 2, n++))
144 goto err;
145 }
146 if (!BN_GENCB_call(cb, 3, 0))
147 goto err;
148 for (;;) {
149 /*
150 * When generating ridiculously small keys, we can get stuck
151 * continually regenerating the same prime values. Check for
152 * this and bail if it happens 3 times.
153 */
154 unsigned int degenerate = 0;
155 do {
156 if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL,
157 cb))
158 goto err;
159 } while (BN_cmp(rsa->p, rsa->q) == 0 &&
160 ++degenerate < 3);
161 if (degenerate == 3) {
162 ok = 0; /* we set our own err */
163 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,
164 RSA_R_KEY_SIZE_TOO_SMALL);
165 goto err;
166 }
167 if (!BN_sub(r2, rsa->q, BN_value_one()))
168 goto err;
169 if (!BN_gcd(r1, r2, rsa->e, ctx))
170 goto err;
171 if (BN_is_one(r1))
172 break;
173 if (!BN_GENCB_call(cb, 2, n++))
174 goto err;
175 }
176 if (!BN_GENCB_call(cb, 3, 1))
177 goto err;
178 if (BN_cmp(rsa->p, rsa->q) < 0) {
179 tmp = rsa->p;
180 rsa->p = rsa->q;
181 rsa->q = tmp;
182 }
183
184 /* calculate n */
185 if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
186 goto err;
187
188 /* calculate d */
189 if (!BN_sub(r1, rsa->p, BN_value_one())) /* p-1 */
190 goto err;
191 if (!BN_sub(r2, rsa->q, BN_value_one())) /* q-1 */
192 goto err;
193 if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
194 goto err;
195
196 BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
197
198 if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) /* d */
199 goto err;
200
201 /* set up d for correct BN_FLG_CONSTTIME flag */
202 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
203
204 /* calculate d mod (p-1) */
205 if (!BN_mod(rsa->dmp1, &d, r1, ctx))
206 goto err;
207
208 /* calculate d mod (q-1) */
209 if (!BN_mod(rsa->dmq1, &d, r2, ctx))
210 goto err;
211
212 /* calculate inverse of q mod p */
213 BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
214 if (!BN_mod_inverse(rsa->iqmp, rsa->q, &p, ctx))
215 goto err;
216
217 ok = 1;
218err:
219 if (ok == -1) {
220 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
221 ok = 0;
222 }
223 if (ctx != NULL) {
224 BN_CTX_end(ctx);
225 BN_CTX_free(ctx);
226 }
227
228 return ok;
229}
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
deleted file mode 100644
index 51dc94a134..0000000000
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ /dev/null
@@ -1,258 +0,0 @@
1/* $OpenBSD: rsa_lib.c,v 1.30 2015/02/11 03:19:37 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60
61#include <openssl/opensslconf.h>
62
63#include <openssl/bn.h>
64#include <openssl/crypto.h>
65#include <openssl/err.h>
66#include <openssl/lhash.h>
67#include <openssl/rsa.h>
68
69#ifndef OPENSSL_NO_ENGINE
70#include <openssl/engine.h>
71#endif
72
73static const RSA_METHOD *default_RSA_meth = NULL;
74
75RSA *
76RSA_new(void)
77{
78 RSA *r = RSA_new_method(NULL);
79
80 return r;
81}
82
83void
84RSA_set_default_method(const RSA_METHOD *meth)
85{
86 default_RSA_meth = meth;
87}
88
89const RSA_METHOD *
90RSA_get_default_method(void)
91{
92 if (default_RSA_meth == NULL)
93 default_RSA_meth = RSA_PKCS1_SSLeay();
94
95 return default_RSA_meth;
96}
97
98const RSA_METHOD *
99RSA_get_method(const RSA *rsa)
100{
101 return rsa->meth;
102}
103
104int
105RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
106{
107 /*
108 * NB: The caller is specifically setting a method, so it's not up to us
109 * to deal with which ENGINE it comes from.
110 */
111 const RSA_METHOD *mtmp;
112
113 mtmp = rsa->meth;
114 if (mtmp->finish)
115 mtmp->finish(rsa);
116#ifndef OPENSSL_NO_ENGINE
117 if (rsa->engine) {
118 ENGINE_finish(rsa->engine);
119 rsa->engine = NULL;
120 }
121#endif
122 rsa->meth = meth;
123 if (meth->init)
124 meth->init(rsa);
125 return 1;
126}
127
128RSA *
129RSA_new_method(ENGINE *engine)
130{
131 RSA *ret;
132
133 ret = malloc(sizeof(RSA));
134 if (ret == NULL) {
135 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_MALLOC_FAILURE);
136 return NULL;
137 }
138
139 ret->meth = RSA_get_default_method();
140#ifndef OPENSSL_NO_ENGINE
141 if (engine) {
142 if (!ENGINE_init(engine)) {
143 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
144 free(ret);
145 return NULL;
146 }
147 ret->engine = engine;
148 } else
149 ret->engine = ENGINE_get_default_RSA();
150 if (ret->engine) {
151 ret->meth = ENGINE_get_RSA(ret->engine);
152 if (!ret->meth) {
153 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
154 ENGINE_finish(ret->engine);
155 free(ret);
156 return NULL;
157 }
158 }
159#endif
160
161 ret->pad = 0;
162 ret->version = 0;
163 ret->n = NULL;
164 ret->e = NULL;
165 ret->d = NULL;
166 ret->p = NULL;
167 ret->q = NULL;
168 ret->dmp1 = NULL;
169 ret->dmq1 = NULL;
170 ret->iqmp = NULL;
171 ret->references = 1;
172 ret->_method_mod_n = NULL;
173 ret->_method_mod_p = NULL;
174 ret->_method_mod_q = NULL;
175 ret->blinding = NULL;
176 ret->mt_blinding = NULL;
177 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
178 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
179#ifndef OPENSSL_NO_ENGINE
180 if (ret->engine)
181 ENGINE_finish(ret->engine);
182#endif
183 free(ret);
184 return NULL;
185 }
186
187 if (ret->meth->init != NULL && !ret->meth->init(ret)) {
188#ifndef OPENSSL_NO_ENGINE
189 if (ret->engine)
190 ENGINE_finish(ret->engine);
191#endif
192 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
193 free(ret);
194 ret = NULL;
195 }
196 return ret;
197}
198
199void
200RSA_free(RSA *r)
201{
202 int i;
203
204 if (r == NULL)
205 return;
206
207 i = CRYPTO_add(&r->references, -1, CRYPTO_LOCK_RSA);
208 if (i > 0)
209 return;
210
211 if (r->meth->finish)
212 r->meth->finish(r);
213#ifndef OPENSSL_NO_ENGINE
214 if (r->engine)
215 ENGINE_finish(r->engine);
216#endif
217
218 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
219
220 BN_clear_free(r->n);
221 BN_clear_free(r->e);
222 BN_clear_free(r->d);
223 BN_clear_free(r->p);
224 BN_clear_free(r->q);
225 BN_clear_free(r->dmp1);
226 BN_clear_free(r->dmq1);
227 BN_clear_free(r->iqmp);
228 BN_BLINDING_free(r->blinding);
229 BN_BLINDING_free(r->mt_blinding);
230 free(r);
231}
232
233int
234RSA_up_ref(RSA *r)
235{
236 int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_RSA);
237 return i > 1 ? 1 : 0;
238}
239
240int
241RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
242 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
243{
244 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp,
245 new_func, dup_func, free_func);
246}
247
248int
249RSA_set_ex_data(RSA *r, int idx, void *arg)
250{
251 return CRYPTO_set_ex_data(&r->ex_data, idx, arg);
252}
253
254void *
255RSA_get_ex_data(const RSA *r, int idx)
256{
257 return CRYPTO_get_ex_data(&r->ex_data, idx);
258}
diff --git a/src/lib/libcrypto/rsa/rsa_locl.h b/src/lib/libcrypto/rsa/rsa_locl.h
deleted file mode 100644
index 24da0dc179..0000000000
--- a/src/lib/libcrypto/rsa/rsa_locl.h
+++ /dev/null
@@ -1,4 +0,0 @@
1/* $OpenBSD: rsa_locl.h,v 1.3 2014/07/09 19:51:31 jsing Exp $ */
2extern int int_rsa_verify(int dtype, const unsigned char *m,
3 unsigned int m_len, unsigned char *rm, size_t *prm_len,
4 const unsigned char *sigbuf, size_t siglen, RSA *rsa);
diff --git a/src/lib/libcrypto/rsa/rsa_none.c b/src/lib/libcrypto/rsa/rsa_none.c
deleted file mode 100644
index 5222b3c1eb..0000000000
--- a/src/lib/libcrypto/rsa/rsa_none.c
+++ /dev/null
@@ -1,98 +0,0 @@
1/* $OpenBSD: rsa_none.c,v 1.10 2014/10/18 17:20:40 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/bn.h>
63#include <openssl/err.h>
64#include <openssl/rsa.h>
65
66int
67RSA_padding_add_none(unsigned char *to, int tlen, const unsigned char *from,
68 int flen)
69{
70 if (flen > tlen) {
71 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,
72 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
73 return 0;
74 }
75
76 if (flen < tlen) {
77 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,
78 RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
79 return 0;
80 }
81
82 memcpy(to, from, flen);
83 return 1;
84}
85
86int
87RSA_padding_check_none(unsigned char *to, int tlen, const unsigned char *from,
88 int flen, int num)
89{
90 if (flen > tlen) {
91 RSAerr(RSA_F_RSA_PADDING_CHECK_NONE, RSA_R_DATA_TOO_LARGE);
92 return -1;
93 }
94
95 memset(to, 0, tlen - flen);
96 memcpy(to + tlen - flen, from, flen);
97 return tlen;
98}
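--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ /dev/null
@@ -1,236 +0,0 @@
-/* $OpenBSD: rsa_oaep.c,v 1.25 2015/06/20 12:01:14 jsing Exp $ */
-/* Written by Ulf Moeller. This software is distributed on an "AS IS"
- basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
-
-/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
-
-/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
- * <URL: http://www.shoup.net/papers/oaep.ps.Z>
- * for problems with the security proof for the
- * original OAEP scheme, which EME-OAEP is based on.
- *
- * A new proof can be found in E. Fujisaki, T. Okamoto,
- * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
- * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
- * The new proof has stronger requirements for the
- * underlying permutation: "partial-one-wayness" instead
- * of one-wayness. For the RSA function, this is
- * an equivalent notion.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/opensslconf.h>
-
-#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-#include <openssl/sha.h>
-
-static int MGF1(unsigned char *mask, long len, const unsigned char *seed,
- long seedlen);
-
-int
-RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
- const unsigned char *from, int flen, const unsigned char *param, int plen)
-{
- int i, emlen = tlen - 1;
- unsigned char *db, *seed;
- unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
-
- if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1) {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
- RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return 0;
- }
-
- if (emlen < 2 * SHA_DIGEST_LENGTH + 1) {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
- RSA_R_KEY_SIZE_TOO_SMALL);
- return 0;
- }
-
- to[0] = 0;
- seed = to + 1;
- db = to + SHA_DIGEST_LENGTH + 1;
-
- if (!EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL))
- return 0;
- memset(db + SHA_DIGEST_LENGTH, 0,
- emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
- db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
- memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, flen);
- arc4random_buf(seed, SHA_DIGEST_LENGTH);
-
- dbmask = malloc(emlen - SHA_DIGEST_LENGTH);
- if (dbmask == NULL) {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
- if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed,
- SHA_DIGEST_LENGTH) < 0)
- return 0;
- for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
- db[i] ^= dbmask[i];
-
- if (MGF1(seedmask, SHA_DIGEST_LENGTH, db,
- emlen - SHA_DIGEST_LENGTH) < 0)
- return 0;
- for (i = 0; i < SHA_DIGEST_LENGTH; i++)
- seed[i] ^= seedmask[i];
-
- free(dbmask);
- return 1;
-}
-
-int
-RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num, const unsigned char *param,
- int plen)
-{
- int i, dblen, mlen = -1;
- const unsigned char *maskeddb;
- int lzero;
- unsigned char *db = NULL;
- unsigned char seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
- unsigned char *padded_from;
- int bad = 0;
-
- if (--num < 2 * SHA_DIGEST_LENGTH + 1)
- /*
- * 'num' is the length of the modulus, i.e. does not depend
- * on the particular ciphertext.
- */
- goto decoding_err;
-
- lzero = num - flen;
- if (lzero < 0) {
- /*
- * signalling this error immediately after detection might allow
- * for side-channel attacks (e.g. timing if 'plen' is huge
- * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA
- * Optimal Asymmetric Encryption Padding (OAEP) [...]",
- * CRYPTO 2001), so we use a 'bad' flag
- */
- bad = 1;
- lzero = 0;
- flen = num; /* don't overflow the memcpy to padded_from */
- }
-
- dblen = num - SHA_DIGEST_LENGTH;
- db = malloc(dblen + num);
- if (db == NULL) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,
- ERR_R_MALLOC_FAILURE);
- return -1;
- }
-
- /*
- * Always do this zero-padding copy (even when lzero == 0)
- * to avoid leaking timing info about the value of lzero.
- */
- padded_from = db + dblen;
- memset(padded_from, 0, lzero);
- memcpy(padded_from + lzero, from, flen);
-
- maskeddb = padded_from + SHA_DIGEST_LENGTH;
-
- if (MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen))
- return -1;
- for (i = 0; i < SHA_DIGEST_LENGTH; i++)
- seed[i] ^= padded_from[i];
-
- if (MGF1(db, dblen, seed, SHA_DIGEST_LENGTH))
- return -1;
- for (i = 0; i < dblen; i++)
- db[i] ^= maskeddb[i];
-
- if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL))
- return -1;
-
- if (timingsafe_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
- goto decoding_err;
- else {
- for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
- if (db[i] != 0x00)
- break;
- if (i == dblen || db[i] != 0x01)
- goto decoding_err;
- else {
- /* everything looks OK */
-
- mlen = dblen - ++i;
- if (tlen < mlen) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,
- RSA_R_DATA_TOO_LARGE);
- mlen = -1;
- } else
- memcpy(to, db + i, mlen);
- }
- }
- free(db);
- return mlen;
-
-decoding_err:
- /*
- * To avoid chosen ciphertext attacks, the error message should not
- * reveal which kind of decoding error happened
- */
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
- free(db);
- return -1;
-}
-
-int
-PKCS1_MGF1(unsigned char *mask, long len, const unsigned char *seed,
- long seedlen, const EVP_MD *dgst)
-{
- long i, outlen = 0;
- unsigned char cnt[4];
- EVP_MD_CTX c;
- unsigned char md[EVP_MAX_MD_SIZE];
- int mdlen;
- int rv = -1;
-
- EVP_MD_CTX_init(&c);
- mdlen = EVP_MD_size(dgst);
- if (mdlen < 0)
- goto err;
- for (i = 0; outlen < len; i++) {
- cnt[0] = (unsigned char)((i >> 24) & 255);
- cnt[1] = (unsigned char)((i >> 16) & 255);
- cnt[2] = (unsigned char)((i >> 8)) & 255;
- cnt[3] = (unsigned char)(i & 255);
- if (!EVP_DigestInit_ex(&c, dgst, NULL) ||
- !EVP_DigestUpdate(&c, seed, seedlen) ||
- !EVP_DigestUpdate(&c, cnt, 4))
- goto err;
- if (outlen + mdlen <= len) {
- if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL))
- goto err;
- outlen += mdlen;
- } else {
- if (!EVP_DigestFinal_ex(&c, md, NULL))
- goto err;
- memcpy(mask + outlen, md, len - outlen);
- outlen = len;
- }
- }
- rv = 0;
-err:
- EVP_MD_CTX_cleanup(&c);
- return rv;
-}
-
-static int
-MGF1(unsigned char *mask, long len, const unsigned char *seed, long seedlen)
-{
- return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
-}
-#endif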
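--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ /dev/null
@@ -1,224 +0,0 @@
-/* $OpenBSD: rsa_pk1.c,v 1.14 2014/10/22 13:02:04 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-int
-RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
-{
- int j;
- unsigned char *p;
-
- if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,
- RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return 0;
- }
-
- p = (unsigned char *)to;
-
- *(p++) = 0;
- *(p++) = 1; /* Private Key BT (Block Type) */
-
- /* pad out with 0xff data */
- j = tlen - 3 - flen;
- memset(p, 0xff, j);
- p += j;
- *(p++) = '\0';
- memcpy(p, from, flen);
-
- return 1;
-}
-
-int
-RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num)
-{
- int i, j;
- const unsigned char *p;
-
- p = from;
- if (num != flen + 1 || *(p++) != 01) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
- RSA_R_BLOCK_TYPE_IS_NOT_01);
- return -1;
- }
-
- /* scan over padding data */
- j = flen - 1; /* one for type. */
- for (i = 0; i < j; i++) {
- if (*p != 0xff) {
- /* should decrypt to 0xff */
- if (*p == 0) {
- p++;
- break;
- } else {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
- RSA_R_BAD_FIXED_HEADER_DECRYPT);
- return -1;
- }
- }
- p++;
- }
-
- if (i == j) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
- RSA_R_NULL_BEFORE_BLOCK_MISSING);
- return -1;
- }
-
- if (i < 8) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
- RSA_R_BAD_PAD_BYTE_COUNT);
- return -1;
- }
- i++; /* Skip over the '\0' */
- j -= i;
- if (j > tlen) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
- RSA_R_DATA_TOO_LARGE);
- return -1;
- }
- memcpy(to, p, j);
-
- return j;
-}
-
-int
-RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
-{
- int i, j;
- unsigned char *p;
-
- if (flen > tlen - 11) {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,
- RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return 0;
- }
-
- p = (unsigned char *)to;
-
- *(p++) = 0;
- *(p++) = 2; /* Public Key BT (Block Type) */
-
- /* pad out with non-zero random data */
- j = tlen - 3 - flen;
-
- arc4random_buf(p, j);
- for (i = 0; i < j; i++) {
- while (*p == '\0')
- arc4random_buf(p, 1);
- p++;
- }
-
- *(p++) = '\0';
-
- memcpy(p, from, flen);
- return 1;
-}
-
-int
-RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num)
-{
- int i, j;
- const unsigned char *p;
-
- p = from;
- if (num != flen + 1 || *(p++) != 02) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
- RSA_R_BLOCK_TYPE_IS_NOT_02);
- return -1;
- }
-
- /* scan over padding data */
- j = flen - 1; /* one for type. */
- for (i = 0; i < j; i++)
- if (*(p++) == 0)
- break;
-
- if (i == j) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
- RSA_R_NULL_BEFORE_BLOCK_MISSING);
- return -1;
- }
-
- if (i < 8) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
- RSA_R_BAD_PAD_BYTE_COUNT);
- return -1;
- }
- i++; /* Skip over the '\0' */
- j -= i;
- if (j > tlen) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
- RSA_R_DATA_TOO_LARGE);
- return -1;
- }
- memcpy(to, p, j);
-
- return j;
-}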
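--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ /dev/null
@@ -1,616 +0,0 @@
-/* $OpenBSD: rsa_pmeth.c,v 1.17 2015/06/20 01:07:25 doug Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2006.
- */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <limits.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-
-#ifndef OPENSSL_NO_CMS
-#include <openssl/cms.h>
-#endif
-
-#include "evp_locl.h"
-#include "rsa_locl.h"
-
-/* RSA pkey context structure */
-
-typedef struct {
- /* Key gen parameters */
- int nbits;
- BIGNUM *pub_exp;
- /* Keygen callback info */
- int gentmp[2];
- /* RSA padding mode */
- int pad_mode;
- /* message digest */
- const EVP_MD *md;
- /* message digest for MGF1 */
- const EVP_MD *mgf1md;
- /* PSS/OAEP salt length */
- int saltlen;
- /* Temp buffer */
- unsigned char *tbuf;
-} RSA_PKEY_CTX;
-
-static int
-pkey_rsa_init(EVP_PKEY_CTX *ctx)
-{
- RSA_PKEY_CTX *rctx;
-
- rctx = malloc(sizeof(RSA_PKEY_CTX));
- if (!rctx)
- return 0;
- rctx->nbits = 2048;
- rctx->pub_exp = NULL;
- rctx->pad_mode = RSA_PKCS1_PADDING;
- rctx->md = NULL;
- rctx->mgf1md = NULL;
- rctx->tbuf = NULL;
-
- rctx->saltlen = -2;
-
- ctx->data = rctx;
- ctx->keygen_info = rctx->gentmp;
- ctx->keygen_info_count = 2;
-
- return 1;
-}
-
-static int
-pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
-{
- RSA_PKEY_CTX *dctx, *sctx;
-
- if (!pkey_rsa_init(dst))
- return 0;
- sctx = src->data;
- dctx = dst->data;
- dctx->nbits = sctx->nbits;
- if (sctx->pub_exp) {
- dctx->pub_exp = BN_dup(sctx->pub_exp);
- if (!dctx->pub_exp)
- return 0;
- }
- dctx->pad_mode = sctx->pad_mode;
- dctx->md = sctx->md;
- return 1;
-}
-
-static int
-setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
-{
- if (ctx->tbuf)
- return 1;
- ctx->tbuf = malloc(EVP_PKEY_size(pk->pkey));
- if (!ctx->tbuf)
- return 0;
- return 1;
-}
-
-static void
-pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
-{
- RSA_PKEY_CTX *rctx = ctx->data;
-
- if (rctx) {
- BN_free(rctx->pub_exp);
- free(rctx->tbuf);
- free(rctx);
- }
-}
-
-static int
-pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen)
-{
- int ret;
- RSA_PKEY_CTX *rctx = ctx->data;
- RSA *rsa = ctx->pkey->pkey.rsa;
-
- if (rctx->md) {
- if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
- RSAerr(RSA_F_PKEY_RSA_SIGN,
- RSA_R_INVALID_DIGEST_LENGTH);
- return -1;
- }
-
- if (rctx->pad_mode == RSA_X931_PADDING) {
- if (!setup_tbuf(rctx, ctx))
- return -1;
- memcpy(rctx->tbuf, tbs, tbslen);
- rctx->tbuf[tbslen] =
- RSA_X931_hash_id(EVP_MD_type(rctx->md));
- ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
- rsa, RSA_X931_PADDING);
- } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
- unsigned int sltmp;
-
- ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
- &sltmp, rsa);
- if (ret <= 0)
- return ret;
- ret = sltmp;
- } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
- if (!setup_tbuf(rctx, ctx))
- return -1;
- if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf,
- tbs, rctx->md, rctx->mgf1md, rctx->saltlen))
- return -1;
- ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
- sig, rsa, RSA_NO_PADDING);
- } else
- return -1;
- } else
- ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
- rctx->pad_mode);
- if (ret < 0)
- return ret;
- *siglen = ret;
- return 1;
-}
-
-static int
-pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen,
- const unsigned char *sig, size_t siglen)
-{
- int ret;
- RSA_PKEY_CTX *rctx = ctx->data;
-
- if (rctx->md) {
- if (rctx->pad_mode == RSA_X931_PADDING) {
- if (!setup_tbuf(rctx, ctx))
- return -1;
- ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
- ctx->pkey->pkey.rsa, RSA_X931_PADDING);
- if (ret < 1)
- return 0;
- ret--;
- if (rctx->tbuf[ret] !=
- RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
- RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
- RSA_R_ALGORITHM_MISMATCH);
- return 0;
- }
- if (ret != EVP_MD_size(rctx->md)) {
- RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
- RSA_R_INVALID_DIGEST_LENGTH);
- return 0;
- }
- if (rout)
- memcpy(rout, rctx->tbuf, ret);
- } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
- size_t sltmp;
-
- ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
- rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
- if (ret <= 0)
- return 0;
- ret = sltmp;
- } else
- return -1;
- } else
- ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
- rctx->pad_mode);
- if (ret < 0)
- return ret;
- *routlen = ret;
- return 1;
-}
-
-static int
-pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
- const unsigned char *tbs, size_t tbslen)
-{
- RSA_PKEY_CTX *rctx = ctx->data;
- RSA *rsa = ctx->pkey->pkey.rsa;
- size_t rslen;
-
- if (rctx->md) {
- if (rctx->pad_mode == RSA_PKCS1_PADDING)
- return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
- sig, siglen, rsa);
- if (rctx->pad_mode == RSA_X931_PADDING) {
- if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
- siglen) <= 0)
- return 0;
- } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
- int ret;
-
- if (!setup_tbuf(rctx, ctx))
- return -1;
- ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
- rsa, RSA_NO_PADDING);
- if (ret <= 0)
- return 0;
- ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
- rctx->mgf1md, rctx->tbuf, rctx->saltlen);
- if (ret <= 0)
- return 0;
- return 1;
- } else
- return -1;
- } else {
- if (!setup_tbuf(rctx, ctx))
- return -1;
- rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
- rctx->pad_mode);
- if (rslen == 0)
- return 0;
- }
-
- if (rslen != tbslen || memcmp(tbs, rctx->tbuf, rslen))
- return 0;
-
- return 1;
-}
-
-static int
-pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
- const unsigned char *in, size_t inlen)
-{
- int ret;
- RSA_PKEY_CTX *rctx = ctx->data;
-
- ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
- rctx->pad_mode);
- if (ret < 0)
- return ret;
- *outlen = ret;
- return 1;
-}
-
-static int
-pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
- const unsigned char *in, size_t inlen)
-{
- int ret;
- RSA_PKEY_CTX *rctx = ctx->data;
-
- ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
- rctx->pad_mode);
- if (ret < 0)
- return ret;
- *outlen = ret;
- return 1;
-}
-
-static int
-check_padding_md(const EVP_MD *md, int padding)
-{
- if (!md)
- return 1;
-
- if (padding == RSA_NO_PADDING) {
- RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
- return 0;
- }
-
- if (padding == RSA_X931_PADDING) {
- if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
- RSAerr(RSA_F_CHECK_PADDING_MD,
- RSA_R_INVALID_X931_DIGEST);
- return 0;
- }
- return 1;
- }
-
- return 1;
-}
-
-static int
-pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
-{
- RSA_PKEY_CTX *rctx = ctx->data;
-
- switch (type) {
- case EVP_PKEY_CTRL_RSA_PADDING:
- if (p1 >= RSA_PKCS1_PADDING && p1 <= RSA_PKCS1_PSS_PADDING) {
- if (!check_padding_md(rctx->md, p1))
- return 0;
- if (p1 == RSA_PKCS1_PSS_PADDING) {
- if (!(ctx->operation &
- (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
- goto bad_pad;
- if (!rctx->md)
- rctx->md = EVP_sha1();
- }
- if (p1 == RSA_PKCS1_OAEP_PADDING) {
- if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
- goto bad_pad;
- if (!rctx->md)
- rctx->md = EVP_sha1();
- }
- rctx->pad_mode = p1;
- return 1;
- }
-bad_pad:
- RSAerr(RSA_F_PKEY_RSA_CTRL,
- RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
- return -2;
-
- case EVP_PKEY_CTRL_GET_RSA_PADDING:
- *(int *)p2 = rctx->pad_mode;
- return 1;
-
- case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
- case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
- if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
- RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
- return -2;
- }
- if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
- *(int *)p2 = rctx->saltlen;
- else {
- if (p1 < -2)
- return -2;
- rctx->saltlen = p1;
- }
- return 1;
-
- case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
- if (p1 < 256) {
- RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
- return -2;
- }
- rctx->nbits = p1;
- return 1;
-
- case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
- if (!p2)
- return -2;
- rctx->pub_exp = p2;
- return 1;
-
- case EVP_PKEY_CTRL_MD:
- if (!check_padding_md(p2, rctx->pad_mode))
- return 0;
- rctx->md = p2;
- return 1;
-
- case EVP_PKEY_CTRL_RSA_MGF1_MD:
- case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
- if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
- RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
- return -2;
- }
- if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
- if (rctx->mgf1md)
- *(const EVP_MD **)p2 = rctx->mgf1md;
- else
- *(const EVP_MD **)p2 = rctx->md;
- } else
- rctx->mgf1md = p2;
- return 1;
-
- case EVP_PKEY_CTRL_DIGESTINIT:
- case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
- case EVP_PKEY_CTRL_PKCS7_DECRYPT:
- case EVP_PKEY_CTRL_PKCS7_SIGN:
- return 1;
-#ifndef OPENSSL_NO_CMS
- case EVP_PKEY_CTRL_CMS_DECRYPT:
- {
- X509_ALGOR *alg = NULL;
- ASN1_OBJECT *encalg = NULL;
-
- if (p2)
- CMS_RecipientInfo_ktri_get0_algs(p2, NULL,
- NULL, &alg);
- if (alg)
- X509_ALGOR_get0(&encalg, NULL, NULL, alg);
- if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep)
- rctx->pad_mode = RSA_PKCS1_OAEP_PADDING;
- }
- /* FALLTHROUGH */
-
- case EVP_PKEY_CTRL_CMS_ENCRYPT:
- case EVP_PKEY_CTRL_CMS_SIGN:
- return 1;
-#endif
- case EVP_PKEY_CTRL_PEER_KEY:
- RSAerr(RSA_F_PKEY_RSA_CTRL,
- RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
- return -2;
-
- default:
- return -2;
- }
-}
-
-static int
-pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
-{
- long lval;
- char *ep;
-
- if (!value) {
- RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
- return 0;
- }
- if (!strcmp(type, "rsa_padding_mode")) {
- int pm;
- if (!strcmp(value, "pkcs1"))
- pm = RSA_PKCS1_PADDING;
- else if (!strcmp(value, "sslv23"))
- pm = RSA_SSLV23_PADDING;
- else if (!strcmp(value, "none"))
- pm = RSA_NO_PADDING;
- else if (!strcmp(value, "oeap"))
- pm = RSA_PKCS1_OAEP_PADDING;
- else if (!strcmp(value, "oaep"))
- pm = RSA_PKCS1_OAEP_PADDING;
- else if (!strcmp(value, "x931"))
- pm = RSA_X931_PADDING;
- else if (!strcmp(value, "pss"))
- pm = RSA_PKCS1_PSS_PADDING;
- else {
- RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
- RSA_R_UNKNOWN_PADDING_TYPE);
- return -2;
- }
- return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
- }
-
- if (!strcmp(type, "rsa_pss_saltlen")) {
- int saltlen;
-
- errno = 0;
- lval = strtol(value, &ep, 10);
- if (value[0] == '\0' || *ep != '\0')
- goto not_a_number;
- if ((errno == ERANGE &&
- (lval == LONG_MAX || lval == LONG_MIN)) ||
- (lval > INT_MAX || lval < INT_MIN))
- goto out_of_range;
- saltlen = lval;
- return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
- }
-
- if (!strcmp(type, "rsa_keygen_bits")) {
- int nbits;
-
- errno = 0;
- lval = strtol(value, &ep, 10);
- if (value[0] == '\0' || *ep != '\0')
- goto not_a_number;
- if ((errno == ERANGE &&
- (lval == LONG_MAX || lval == LONG_MIN)) ||
- (lval > INT_MAX || lval < INT_MIN))
- goto out_of_range;
- nbits = lval;
- return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
- }
-
- if (!strcmp(type, "rsa_keygen_pubexp")) {
- int ret;
- BIGNUM *pubexp = NULL;
-
- if (!BN_asc2bn(&pubexp, value))
- return 0;
- ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
- if (ret <= 0)
- BN_free(pubexp);
- return ret;
- }
-
-not_a_number:
-out_of_range:
- return -2;
-}
-
-static int
-pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
-{
- RSA *rsa = NULL;
- RSA_PKEY_CTX *rctx = ctx->data;
- BN_GENCB *pcb, cb;
- int ret;
-
- if (!rctx->pub_exp) {
- rctx->pub_exp = BN_new();
- if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
- return 0;
- }
- rsa = RSA_new();
- if (!rsa)
- return 0;
- if (ctx->pkey_gencb) {
- pcb = &cb;
- evp_pkey_set_cb_translate(pcb, ctx);
- } else
- pcb = NULL;
- ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
- if (ret > 0)
- EVP_PKEY_assign_RSA(pkey, rsa);
- else
- RSA_free(rsa);
- return ret;
-}
-
-const EVP_PKEY_METHOD rsa_pkey_meth = {
- .pkey_id = EVP_PKEY_RSA,
- .flags = EVP_PKEY_FLAG_AUTOARGLEN,
-
- .init = pkey_rsa_init,
- .copy = pkey_rsa_copy,
- .cleanup = pkey_rsa_cleanup,
-
- .keygen = pkey_rsa_keygen,
-
- .sign = pkey_rsa_sign,
-
- .verify = pkey_rsa_verify,
-
- .verify_recover = pkey_rsa_verifyrecover,
-
- .encrypt = pkey_rsa_encrypt,
-
- .decrypt = pkey_rsa_decrypt,
-
- .ctrl = pkey_rsa_ctrl,
- .ctrl_str = pkey_rsa_ctrl_str
-};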
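--- a/src/lib/libcrypto/rsa/rsa_prn.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/* $OpenBSD: rsa_prn.c,v 1.6 2014/07/11 08:44:49 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2006.
- */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-
-int
-RSA_print_fp(FILE *fp, const RSA *x, int off)
-{
- BIO *b;
- int ret;
-
- if ((b = BIO_new(BIO_s_file())) == NULL) {
- RSAerr(RSA_F_RSA_PRINT_FP, ERR_R_BUF_LIB);
- return 0;
- }
- BIO_set_fp(b, fp, BIO_NOCLOSE);
- ret = RSA_print(b, x, off);
- BIO_free(b);
- return ret;
-}
-
-int
-RSA_print(BIO *bp, const RSA *x, int off)
-{
- EVP_PKEY *pk;
- int ret;
-
- pk = EVP_PKEY_new();
- if (!pk || !EVP_PKEY_set1_RSA(pk, (RSA *)x))
- return 0;
- ret = EVP_PKEY_print_private(bp, pk, off, NULL);
- EVP_PKEY_free(pk);
- return ret;
-}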
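--- a/src/lib/libcrypto/rsa/rsa_pss.c
+++ /dev/null
@@ -1,289 +0,0 @@
-/* $OpenBSD: rsa_pss.c,v 1.11 2014/10/22 13:02:04 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2005.
- */
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-#include <openssl/sha.h>
-
-static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
-
-int
-RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, const EVP_MD *Hash,
- const unsigned char *EM, int sLen)
-{
- return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
-}
-
-int
-RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
- const EVP_MD *Hash, const EVP_MD *mgf1Hash, const unsigned char *EM,
- int sLen)
-{
- int i;
- int ret = 0;
- int hLen, maskedDBLen, MSBits, emLen;
- const unsigned char *H;
- unsigned char *DB = NULL;
- EVP_MD_CTX ctx;
- unsigned char H_[EVP_MAX_MD_SIZE];
-
- EVP_MD_CTX_init(&ctx);
-
- if (mgf1Hash == NULL)
- mgf1Hash = Hash;
-
- hLen = EVP_MD_size(Hash);
- if (hLen < 0)
- goto err;
- /*
- * Negative sLen has special meanings:
- * -1 sLen == hLen
- * -2 salt length is autorecovered from signature
- * -N reserved
- */
- if (sLen == -1)
- sLen = hLen;
- else if (sLen == -2)
- sLen = -2;
- else if (sLen < -2) {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
- RSA_R_SLEN_CHECK_FAILED);
- goto err;
- }
-
- MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
- emLen = RSA_size(rsa);
- if (EM[0] & (0xFF << MSBits)) {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
- RSA_R_FIRST_OCTET_INVALID);
- goto err;
- }
- if (MSBits == 0) {
- EM++;
- emLen--;
- }
- if (emLen < (hLen + sLen + 2)) {
- /* sLen can be small negative */
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
- goto err;
- }
- if (EM[emLen - 1] != 0xbc) {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
- RSA_R_LAST_OCTET_INVALID);
- goto err;
- }
- maskedDBLen = emLen - hLen - 1;
- H = EM + maskedDBLen;
- DB = malloc(maskedDBLen);
- if (!DB) {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
- goto err;
- for (i = 0; i < maskedDBLen; i++)
- DB[i] ^= EM[i];
- if (MSBits)
- DB[0] &= 0xFF >> (8 - MSBits);
- for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
- ;
- if (DB[i++] != 0x1) {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
- RSA_R_SLEN_RECOVERY_FAILED);
- goto err;
- }
- if (sLen >= 0 && (maskedDBLen - i) != sLen) {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
- RSA_R_SLEN_CHECK_FAILED);
- goto err;
- }
- if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
- !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
- !EVP_DigestUpdate(&ctx, mHash, hLen))
- goto err;
- if (maskedDBLen - i) {
- if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
- goto err;
- }
- if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
- goto err;
- if (memcmp(H_, H, hLen)) {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
- ret = 0;
- } else
- ret = 1;
-
-err:
- free(DB);
- EVP_MD_CTX_cleanup(&ctx);
-
- return ret;
-}
-
-int
-RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
- const unsigned char *mHash, const EVP_MD *Hash, int sLen)
-{
- return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
-}
-
-int
-RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
- const unsigned char *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash,
- int sLen)
-{
- int i;
- int ret = 0;
- int hLen, maskedDBLen, MSBits, emLen;
- unsigned char *H, *salt = NULL, *p;
- EVP_MD_CTX ctx;
-
- EVP_MD_CTX_init(&ctx);
-
- if (mgf1Hash == NULL)
- mgf1Hash = Hash;
-
- hLen = EVP_MD_size(Hash);
- if (hLen < 0)
- goto err;
- /*
- * Negative sLen has special meanings:
- * -1 sLen == hLen
- * -2 salt length is maximized
- * -N reserved
- */
- if (sLen == -1)
- sLen = hLen;
- else if (sLen == -2)
- sLen = -2;
- else if (sLen < -2) {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
- RSA_R_SLEN_CHECK_FAILED);
- goto err;
- }
-
- MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
- emLen = RSA_size(rsa);
- if (MSBits == 0) {
- *EM++ = 0;
- emLen--;
- }
- if (sLen == -2)
- sLen = emLen - hLen - 2;
- else if (emLen < (hLen + sLen + 2)) {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
- RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- goto err;
- }
- if (sLen > 0) {
- salt = malloc(sLen);
- if (!salt) {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
- ERR_R_MALLOC_FAILURE);
- goto err;
- }
- arc4random_buf(salt, sLen);
- }
- maskedDBLen = emLen - hLen - 1;
- H = EM + maskedDBLen;
- if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
- !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
- !EVP_DigestUpdate(&ctx, mHash, hLen))
- goto err;
- if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
- goto err;
- if (!EVP_DigestFinal_ex(&ctx, H, NULL))
- goto err;
-
- /* Generate dbMask in place then perform XOR on it */
- if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
- goto err;
-
- p = EM;
-
- /*
- * Initial PS XORs with all zeroes which is a NOP so just update
- * pointer. Note from a test above this value is guaranteed to
- * be non-negative.
- */
- p += emLen - sLen - hLen - 2;
- *p++ ^= 0x1;
- if (sLen > 0) {
- for (i = 0; i < sLen; i++)
- *p++ ^= salt[i];
- }
- if (MSBits)
- EM[0] &= 0xFF >> (8 - MSBits);
-
- /* H is already in place so just set final 0xbc */
- EM[emLen - 1] = 0xbc;
-
- ret = 1;
-
-err:
- free(salt);
- EVP_MD_CTX_cleanup(&ctx);
-
- return ret;
-}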
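--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ /dev/null
@@ -1,149 +0,0 @@
-/* $OpenBSD: rsa_saos.c,v 1.19 2015/09/30 18:41:06 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-
-int
-RSA_sign_ASN1_OCTET_STRING(int type, const unsigned char *m, unsigned int m_len,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa)
-{
- ASN1_OCTET_STRING sig;
- int i, j, ret = 1;
- unsigned char *p, *s;
-
- sig.type = V_ASN1_OCTET_STRING;
- sig.length = m_len;
- sig.data = (unsigned char *)m;
-
- i = i2d_ASN1_OCTET_STRING(&sig, NULL);
- j = RSA_size(rsa);
- if (i > (j - RSA_PKCS1_PADDING_SIZE)) {
- RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,
- RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
- return 0;
- }
- s = malloc(j + 1);
- if (s == NULL) {
- RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING, ERR_R_MALLOC_FAILURE);
- return 0;
- }
- p = s;
- i2d_ASN1_OCTET_STRING(&sig, &p);
- i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
- if (i <= 0)
- ret = 0;
- else
- *siglen = i;
-
- explicit_bzero(s, (unsigned int)j + 1);
- free(s);
- return ret;
-}
-
-int
-RSA_verify_ASN1_OCTET_STRING(int dtype, const unsigned char *m,
- unsigned int m_len, unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
-{
- int i, ret = 0;
- unsigned char *s;
- const unsigned char *p;
- ASN1_OCTET_STRING *sig = NULL;
-
- if (siglen != (unsigned int)RSA_size(rsa)) {
- RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,
- RSA_R_WRONG_SIGNATURE_LENGTH);
- return 0;
- }
-
- s = malloc(siglen);
- if (s == NULL) {
- RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,
- ERR_R_MALLOC_FAILURE);
- goto err;
- }
- i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
-
- if (i <= 0)
- goto err;
-
- p = s;
- sig = d2i_ASN1_OCTET_STRING(NULL, &p, (long)i);
- if (sig == NULL)
- goto err;
-
- if ((unsigned int)sig->length != m_len ||
- memcmp(m, sig->data, m_len) != 0) {
- RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,
- RSA_R_BAD_SIGNATURE);
- } else
- ret = 1;
-err:
- ASN1_OCTET_STRING_free(sig);
- if (s != NULL) {
- explicit_bzero(s, (unsigned int)siglen);
- free(s);
- }
- return ret;
-}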
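--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ /dev/null
@@ -1,255 +0,0 @@
-/* $OpenBSD: rsa_sign.c,v 1.25 2015/09/10 15:56:25 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-
-#include "rsa_locl.h"
-
-/* Size of an SSL signature: MD5+SHA1 */
-#define SSL_SIG_LENGTH 36
-
-int
-RSA_sign(int type, const unsigned char *m, unsigned int m_len,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa)
-{
- X509_SIG sig;
- ASN1_TYPE parameter;
- int i, j, ret = 1;
- unsigned char *p, *tmps = NULL;
- const unsigned char *s = NULL;
- X509_ALGOR algor;
- ASN1_OCTET_STRING digest;
-
- if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
- return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
-
- /* Special case: SSL signature, just check the length */
- if (type == NID_md5_sha1) {
- if (m_len != SSL_SIG_LENGTH) {
- RSAerr(RSA_F_RSA_SIGN, RSA_R_INVALID_MESSAGE_LENGTH);
- return 0;
- }
- i = SSL_SIG_LENGTH;
- s = m;
- } else {
- sig.algor = &algor;
- sig.algor->algorithm = OBJ_nid2obj(type);
- if (sig.algor->algorithm == NULL) {
- RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE);
- return 0;
- }
- if (sig.algor->algorithm->length == 0) {
- RSAerr(RSA_F_RSA_SIGN,
- RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
- return 0;
- }
- parameter.type = V_ASN1_NULL;
- parameter.value.ptr = NULL;
- sig.algor->parameter = &parameter;
-
- sig.digest = &digest;
- sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */
- sig.digest->length = m_len;
-
- i = i2d_X509_SIG(&sig, NULL);
- }
- j = RSA_size(rsa);
- if (i > j - RSA_PKCS1_PADDING_SIZE) {
- RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
- return 0;
- }
- if (type != NID_md5_sha1) {
- tmps = malloc(j + 1);
- if (tmps == NULL) {
- RSAerr(RSA_F_RSA_SIGN, ERR_R_MALLOC_FAILURE);
- return 0;
- }
- p = tmps;
- i2d_X509_SIG(&sig, &p);
- s = tmps;
- }
- i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
- if (i <= 0)
- ret = 0;
- else
- *siglen = i;
-
- if (type != NID_md5_sha1) {
- explicit_bzero(tmps, (unsigned int)j + 1);
- free(tmps);
- }
- return (ret);
-}
-
-int
-int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
- unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf,
- size_t siglen, RSA *rsa)
-{
- int i, ret = 0, sigtype;
- unsigned char *s;
- X509_SIG *sig = NULL;
-
- if (siglen != (unsigned int)RSA_size(rsa)) {
- RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_WRONG_SIGNATURE_LENGTH);
- return 0;
- }
-
- if ((dtype == NID_md5_sha1) && rm) {
- i = RSA_public_decrypt((int)siglen, sigbuf, rm, rsa,
- RSA_PKCS1_PADDING);
- if (i <= 0)
- return 0;
- *prm_len = i;
- return 1;
- }
-
- s = malloc(siglen);
- if (s == NULL) {
- RSAerr(RSA_F_INT_RSA_VERIFY, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (dtype == NID_md5_sha1 && m_len != SSL_SIG_LENGTH) {
- RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH);
- goto err;
- }
- i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
-
- if (i <= 0)
- goto err;
-
- /* Special case: SSL signature */
- if (dtype == NID_md5_sha1) {
- if (i != SSL_SIG_LENGTH || memcmp(s, m, SSL_SIG_LENGTH))
- RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
- else
- ret = 1;
- } else {
- const unsigned char *p = s;
-
- sig = d2i_X509_SIG(NULL, &p, (long)i);
-
- if (sig == NULL)
- goto err;
-
- /* Excess data can be used to create forgeries */
- if (p != s + i) {
- RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
- goto err;
- }
-
- /* Parameters to the signature algorithm can also be used to
- create forgeries */
- if (sig->algor->parameter &&
- ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) {
- RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
- goto err;
- }
-
- sigtype = OBJ_obj2nid(sig->algor->algorithm);
-
- if (sigtype != dtype) {
- RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_ALGORITHM_MISMATCH);
- goto err;
- }
- if (rm) {
- const EVP_MD *md;
-
- md = EVP_get_digestbynid(dtype);
- if (md && (EVP_MD_size(md) != sig->digest->length))
- RSAerr(RSA_F_INT_RSA_VERIFY,
- RSA_R_INVALID_DIGEST_LENGTH);
- else {
- memcpy(rm, sig->digest->data,
- sig->digest->length);
- *prm_len = sig->digest->length;
- ret = 1;
- }
- } else if ((unsigned int)sig->digest->length != m_len ||
- memcmp(m, sig->digest->data, m_len) != 0) {
- RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
- } else
- ret = 1;
- }
-err:
- if (sig != NULL)
- X509_SIG_free(sig);
- if (s != NULL) {
- explicit_bzero(s, (unsigned int)siglen);
- free(s);
- }
- return ret;
-}
-
-int
-RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
- const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
-{
- if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
- return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen,
- rsa);
-
- return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
-}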
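--- a/src/lib/libcrypto/rsa/rsa_ssl.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/* $OpenBSD: rsa_ssl.c,v 1.14 2014/10/22 13:02:04 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-int
-RSA_padding_add_SSLv23(unsigned char *to, int tlen, const unsigned char *from,
- int flen)
-{
- int i, j;
- unsigned char *p;
-
- if (flen > tlen - 11) {
- RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,
- RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return 0;
- }
-
- p = (unsigned char *)to;
-
- *(p++) = 0;
- *(p++) = 2; /* Public Key BT (Block Type) */
-
- /* pad out with non-zero random data */
- j = tlen - 3 - 8 - flen;
-
- arc4random_buf(p, j);
- for (i = 0; i < j; i++) {
- while (*p == '\0')
- arc4random_buf(p, 1);
- p++;
- }
-
- memset(p, 3, 8);
- p += 8;
- *(p++) = '\0';
-
- memcpy(p, from, flen);
- return 1;
-}
-
-int
-RSA_padding_check_SSLv23(unsigned char *to, int tlen, const unsigned char *from,
- int flen, int num)
-{
- int i, j, k;
- const unsigned char *p;
-
- p = from;
- if (flen < 10) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
- return -1;
- }
- if (num != flen + 1 || *(p++) != 02) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
- RSA_R_BLOCK_TYPE_IS_NOT_02);
- return -1;
- }
-
- /* scan over padding data */
- j = flen - 1; /* one for type */
- for (i = 0; i < j; i++)
- if (*(p++) == 0)
- break;
-
- if (i == j || i < 8) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
- RSA_R_NULL_BEFORE_BLOCK_MISSING);
- return -1;
- }
- for (k = -9; k < -1; k++) {
- if (p[k] != 0x03)
- break;
- }
- if (k == -1) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
- RSA_R_SSLV3_ROLLBACK_ATTACK);
- return -1;
- }
-
- i++; /* Skip over the '\0' */
- j -= i;
- if (j > tlen) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_LARGE);
- return -1;
- }
- memcpy(to, p, j);
-
- return j;
-}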
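--- a/src/lib/libcrypto/rsa/rsa_x931.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/* $OpenBSD: rsa_x931.c,v 1.9 2014/10/18 17:20:40 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2005.
- */
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-
-int
-RSA_padding_add_X931(unsigned char *to, int tlen, const unsigned char *from,
- int flen)
-{
- int j;
- unsigned char *p;
-
- /*
- * Absolute minimum amount of padding is 1 header nibble, 1 padding
- * nibble and 2 trailer bytes: but 1 hash if is already in 'from'.
- */
- j = tlen - flen - 2;
-
- if (j < 0) {
- RSAerr(RSA_F_RSA_PADDING_ADD_X931,
- RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return -1;
- }
-
- p = (unsigned char *)to;
-
- /* If no padding start and end nibbles are in one byte */
- if (j == 0)
- *p++ = 0x6A;
- else {
- *p++ = 0x6B;
- if (j > 1) {
- memset(p, 0xBB, j - 1);
- p += j - 1;
- }
- *p++ = 0xBA;
- }
- memcpy(p, from, flen);
- p += flen;
- *p = 0xCC;
- return 1;
-}
-
-int
-RSA_padding_check_X931(unsigned char *to, int tlen, const unsigned char *from,
- int flen, int num)
-{
- int i = 0, j;
- const unsigned char *p = from;
-
- if (num != flen || (*p != 0x6A && *p != 0x6B)) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_HEADER);
- return -1;
- }
-
- if (*p++ == 0x6B) {
- j = flen - 3;
- for (i = 0; i < j; i++) {
- unsigned char c = *p++;
- if (c == 0xBA)
- break;
- if (c != 0xBB) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_X931,
- RSA_R_INVALID_PADDING);
- return -1;
- }
- }
-
- if (i == 0) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_X931,
- RSA_R_INVALID_PADDING);
- return -1;
- }
-
- j -= i;
- } else
- j = flen - 2;
-
- if (j < 0 || p[j] != 0xCC) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_TRAILER);
- return -1;
- }
-
- memcpy(to, p, j);
-
- return j;
-}
-
-/* Translate between X931 hash ids and NIDs */
-
-int
-RSA_X931_hash_id(int nid)
-{
- switch (nid) {
- case NID_sha1:
- return 0x33;
- case NID_sha256:
- return 0x34;
- case NID_sha384:
- return 0x36;
- case NID_sha512:
- return 0x35;
- }
-
- return -1;
-}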