diff options
| author | markus <> | 2003-05-11 21:36:58 +0000 |
|---|---|---|
| committer | markus <> | 2003-05-11 21:36:58 +0000 |
| commit | 1c98a87f0daac81245653c227eb2f2508a22a965 (patch) | |
| tree | 3de6d603296ec563b936da4e6a8a1e33d48f8884 /src/lib/libcrypto/rsa | |
| parent | 31392c89d1135cf2a416f97295f6d21681b3fbc4 (diff) | |
| download | openbsd-1c98a87f0daac81245653c227eb2f2508a22a965.tar.gz openbsd-1c98a87f0daac81245653c227eb2f2508a22a965.tar.bz2 openbsd-1c98a87f0daac81245653c227eb2f2508a22a965.zip | |
import 0.9.7b (without idea and rc5)
Diffstat (limited to 'src/lib/libcrypto/rsa')
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa.h | 9 | ||||
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_eay.c | 150 | ||||
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_lib.c | 43 | ||||
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_pk1.c | 2 | ||||
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_saos.c | 6 | ||||
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_sign.c | 25 |
6 files changed, 196 insertions, 39 deletions
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h index 98b3bd7cc5..e26a68b482 100644 --- a/src/lib/libcrypto/rsa/rsa.h +++ b/src/lib/libcrypto/rsa/rsa.h | |||
| @@ -158,6 +158,11 @@ struct rsa_st | |||
| 158 | #define RSA_FLAG_CACHE_PUBLIC 0x02 | 158 | #define RSA_FLAG_CACHE_PUBLIC 0x02 |
| 159 | #define RSA_FLAG_CACHE_PRIVATE 0x04 | 159 | #define RSA_FLAG_CACHE_PRIVATE 0x04 |
| 160 | #define RSA_FLAG_BLINDING 0x08 | 160 | #define RSA_FLAG_BLINDING 0x08 |
| 161 | #define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in | ||
| 162 | * RSA implementation now uses blinding by | ||
| 163 | * default (ignoring RSA_FLAG_BLINDING), | ||
| 164 | * but other engines might not need it | ||
| 165 | */ | ||
| 161 | #define RSA_FLAG_THREAD_SAFE 0x10 | 166 | #define RSA_FLAG_THREAD_SAFE 0x10 |
| 162 | /* This flag means the private key operations will be handled by rsa_mod_exp | 167 | /* This flag means the private key operations will be handled by rsa_mod_exp |
| 163 | * and that they do not depend on the private key components being present: | 168 | * and that they do not depend on the private key components being present: |
| @@ -170,11 +175,15 @@ struct rsa_st | |||
| 170 | */ | 175 | */ |
| 171 | #define RSA_FLAG_SIGN_VER 0x40 | 176 | #define RSA_FLAG_SIGN_VER 0x40 |
| 172 | 177 | ||
| 178 | #define RSA_FLAG_NO_BLINDING 0x80 | ||
| 179 | |||
| 173 | #define RSA_PKCS1_PADDING 1 | 180 | #define RSA_PKCS1_PADDING 1 |
| 174 | #define RSA_SSLV23_PADDING 2 | 181 | #define RSA_SSLV23_PADDING 2 |
| 175 | #define RSA_NO_PADDING 3 | 182 | #define RSA_NO_PADDING 3 |
| 176 | #define RSA_PKCS1_OAEP_PADDING 4 | 183 | #define RSA_PKCS1_OAEP_PADDING 4 |
| 177 | 184 | ||
| 185 | #define RSA_PKCS1_PADDING_SIZE 11 | ||
| 186 | |||
| 178 | #define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg) | 187 | #define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg) |
| 179 | #define RSA_get_app_data(s) RSA_get_ex_data(s,0) | 188 | #define RSA_get_app_data(s) RSA_get_ex_data(s,0) |
| 180 | 189 | ||
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index 0eda816081..027b4dc754 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c | |||
| @@ -61,7 +61,6 @@ | |||
| 61 | #include <openssl/bn.h> | 61 | #include <openssl/bn.h> |
| 62 | #include <openssl/rsa.h> | 62 | #include <openssl/rsa.h> |
| 63 | #include <openssl/rand.h> | 63 | #include <openssl/rand.h> |
| 64 | #include <openssl/engine.h> | ||
| 65 | 64 | ||
| 66 | #ifndef RSA_NULL | 65 | #ifndef RSA_NULL |
| 67 | 66 | ||
| @@ -187,12 +186,65 @@ err: | |||
| 187 | BN_clear_free(&ret); | 186 | BN_clear_free(&ret); |
| 188 | if (buf != NULL) | 187 | if (buf != NULL) |
| 189 | { | 188 | { |
| 190 | memset(buf,0,num); | 189 | OPENSSL_cleanse(buf,num); |
| 191 | OPENSSL_free(buf); | 190 | OPENSSL_free(buf); |
| 192 | } | 191 | } |
| 193 | return(r); | 192 | return(r); |
| 194 | } | 193 | } |
| 195 | 194 | ||
| 195 | static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) | ||
| 196 | { | ||
| 197 | int ret = 1; | ||
| 198 | CRYPTO_w_lock(CRYPTO_LOCK_RSA); | ||
| 199 | /* Check again inside the lock - the macro's check is racey */ | ||
| 200 | if(rsa->blinding == NULL) | ||
| 201 | ret = RSA_blinding_on(rsa, ctx); | ||
| 202 | CRYPTO_w_unlock(CRYPTO_LOCK_RSA); | ||
| 203 | return ret; | ||
| 204 | } | ||
| 205 | |||
| 206 | #define BLINDING_HELPER(rsa, ctx, err_instr) \ | ||
| 207 | do { \ | ||
| 208 | if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \ | ||
| 209 | ((rsa)->blinding == NULL) && \ | ||
| 210 | !rsa_eay_blinding(rsa, ctx)) \ | ||
| 211 | err_instr \ | ||
| 212 | } while(0) | ||
| 213 | |||
| 214 | static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx) | ||
| 215 | { | ||
| 216 | BIGNUM *A, *Ai; | ||
| 217 | BN_BLINDING *ret = NULL; | ||
| 218 | |||
| 219 | /* added in OpenSSL 0.9.6j and 0.9.7b */ | ||
| 220 | |||
| 221 | /* NB: similar code appears in RSA_blinding_on (rsa_lib.c); | ||
| 222 | * this should be placed in a new function of its own, but for reasons | ||
| 223 | * of binary compatibility can't */ | ||
| 224 | |||
| 225 | BN_CTX_start(ctx); | ||
| 226 | A = BN_CTX_get(ctx); | ||
| 227 | if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) | ||
| 228 | { | ||
| 229 | /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ | ||
| 230 | RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); | ||
| 231 | if (!BN_pseudo_rand_range(A,rsa->n)) goto err; | ||
| 232 | } | ||
| 233 | else | ||
| 234 | { | ||
| 235 | if (!BN_rand_range(A,rsa->n)) goto err; | ||
| 236 | } | ||
| 237 | if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; | ||
| 238 | |||
| 239 | if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) | ||
| 240 | goto err; | ||
| 241 | ret = BN_BLINDING_new(A,Ai,rsa->n); | ||
| 242 | BN_free(Ai); | ||
| 243 | err: | ||
| 244 | BN_CTX_end(ctx); | ||
| 245 | return ret; | ||
| 246 | } | ||
| 247 | |||
| 196 | /* signing */ | 248 | /* signing */ |
| 197 | static int RSA_eay_private_encrypt(int flen, const unsigned char *from, | 249 | static int RSA_eay_private_encrypt(int flen, const unsigned char *from, |
| 198 | unsigned char *to, RSA *rsa, int padding) | 250 | unsigned char *to, RSA *rsa, int padding) |
| @@ -201,6 +253,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, | |||
| 201 | int i,j,k,num=0,r= -1; | 253 | int i,j,k,num=0,r= -1; |
| 202 | unsigned char *buf=NULL; | 254 | unsigned char *buf=NULL; |
| 203 | BN_CTX *ctx=NULL; | 255 | BN_CTX *ctx=NULL; |
| 256 | int local_blinding = 0; | ||
| 257 | BN_BLINDING *blinding = NULL; | ||
| 204 | 258 | ||
| 205 | BN_init(&f); | 259 | BN_init(&f); |
| 206 | BN_init(&ret); | 260 | BN_init(&ret); |
| @@ -237,10 +291,39 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, | |||
| 237 | goto err; | 291 | goto err; |
| 238 | } | 292 | } |
| 239 | 293 | ||
| 240 | if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) | 294 | BLINDING_HELPER(rsa, ctx, goto err;); |
| 241 | RSA_blinding_on(rsa,ctx); | 295 | blinding = rsa->blinding; |
| 242 | if (rsa->flags & RSA_FLAG_BLINDING) | 296 | |
| 243 | if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; | 297 | /* Now unless blinding is disabled, 'blinding' is non-NULL. |
| 298 | * But the BN_BLINDING object may be owned by some other thread | ||
| 299 | * (we don't want to keep it constant and we don't want to use | ||
| 300 | * lots of locking to avoid race conditions, so only a single | ||
| 301 | * thread can use it; other threads have to use local blinding | ||
| 302 | * factors) */ | ||
| 303 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) | ||
| 304 | { | ||
| 305 | if (blinding == NULL) | ||
| 306 | { | ||
| 307 | RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); | ||
| 308 | goto err; | ||
| 309 | } | ||
| 310 | } | ||
| 311 | |||
| 312 | if (blinding != NULL) | ||
| 313 | { | ||
| 314 | if (blinding->thread_id != CRYPTO_thread_id()) | ||
| 315 | { | ||
| 316 | /* we need a local one-time blinding factor */ | ||
| 317 | |||
| 318 | blinding = setup_blinding(rsa, ctx); | ||
| 319 | if (blinding == NULL) | ||
| 320 | goto err; | ||
| 321 | local_blinding = 1; | ||
| 322 | } | ||
| 323 | } | ||
| 324 | |||
| 325 | if (blinding) | ||
| 326 | if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; | ||
| 244 | 327 | ||
| 245 | if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || | 328 | if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || |
| 246 | ((rsa->p != NULL) && | 329 | ((rsa->p != NULL) && |
| @@ -254,8 +337,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, | |||
| 254 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; | 337 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; |
| 255 | } | 338 | } |
| 256 | 339 | ||
| 257 | if (rsa->flags & RSA_FLAG_BLINDING) | 340 | if (blinding) |
| 258 | if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; | 341 | if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; |
| 259 | 342 | ||
| 260 | /* put in leading 0 bytes if the number is less than the | 343 | /* put in leading 0 bytes if the number is less than the |
| 261 | * length of the modulus */ | 344 | * length of the modulus */ |
| @@ -269,9 +352,11 @@ err: | |||
| 269 | if (ctx != NULL) BN_CTX_free(ctx); | 352 | if (ctx != NULL) BN_CTX_free(ctx); |
| 270 | BN_clear_free(&ret); | 353 | BN_clear_free(&ret); |
| 271 | BN_clear_free(&f); | 354 | BN_clear_free(&f); |
| 355 | if (local_blinding) | ||
| 356 | BN_BLINDING_free(blinding); | ||
| 272 | if (buf != NULL) | 357 | if (buf != NULL) |
| 273 | { | 358 | { |
| 274 | memset(buf,0,num); | 359 | OPENSSL_cleanse(buf,num); |
| 275 | OPENSSL_free(buf); | 360 | OPENSSL_free(buf); |
| 276 | } | 361 | } |
| 277 | return(r); | 362 | return(r); |
| @@ -285,6 +370,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, | |||
| 285 | unsigned char *p; | 370 | unsigned char *p; |
| 286 | unsigned char *buf=NULL; | 371 | unsigned char *buf=NULL; |
| 287 | BN_CTX *ctx=NULL; | 372 | BN_CTX *ctx=NULL; |
| 373 | int local_blinding = 0; | ||
| 374 | BN_BLINDING *blinding = NULL; | ||
| 288 | 375 | ||
| 289 | BN_init(&f); | 376 | BN_init(&f); |
| 290 | BN_init(&ret); | 377 | BN_init(&ret); |
| @@ -316,10 +403,39 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, | |||
| 316 | goto err; | 403 | goto err; |
| 317 | } | 404 | } |
| 318 | 405 | ||
| 319 | if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) | 406 | BLINDING_HELPER(rsa, ctx, goto err;); |
| 320 | RSA_blinding_on(rsa,ctx); | 407 | blinding = rsa->blinding; |
| 321 | if (rsa->flags & RSA_FLAG_BLINDING) | 408 | |
| 322 | if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; | 409 | /* Now unless blinding is disabled, 'blinding' is non-NULL. |
| 410 | * But the BN_BLINDING object may be owned by some other thread | ||
| 411 | * (we don't want to keep it constant and we don't want to use | ||
| 412 | * lots of locking to avoid race conditions, so only a single | ||
| 413 | * thread can use it; other threads have to use local blinding | ||
| 414 | * factors) */ | ||
| 415 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) | ||
| 416 | { | ||
| 417 | if (blinding == NULL) | ||
| 418 | { | ||
| 419 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); | ||
| 420 | goto err; | ||
| 421 | } | ||
| 422 | } | ||
| 423 | |||
| 424 | if (blinding != NULL) | ||
| 425 | { | ||
| 426 | if (blinding->thread_id != CRYPTO_thread_id()) | ||
| 427 | { | ||
| 428 | /* we need a local one-time blinding factor */ | ||
| 429 | |||
| 430 | blinding = setup_blinding(rsa, ctx); | ||
| 431 | if (blinding == NULL) | ||
| 432 | goto err; | ||
| 433 | local_blinding = 1; | ||
| 434 | } | ||
| 435 | } | ||
| 436 | |||
| 437 | if (blinding) | ||
| 438 | if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; | ||
| 323 | 439 | ||
| 324 | /* do the decrypt */ | 440 | /* do the decrypt */ |
| 325 | if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || | 441 | if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || |
| @@ -335,8 +451,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, | |||
| 335 | goto err; | 451 | goto err; |
| 336 | } | 452 | } |
| 337 | 453 | ||
| 338 | if (rsa->flags & RSA_FLAG_BLINDING) | 454 | if (blinding) |
| 339 | if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; | 455 | if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; |
| 340 | 456 | ||
| 341 | p=buf; | 457 | p=buf; |
| 342 | j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ | 458 | j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ |
| @@ -370,7 +486,7 @@ err: | |||
| 370 | BN_clear_free(&ret); | 486 | BN_clear_free(&ret); |
| 371 | if (buf != NULL) | 487 | if (buf != NULL) |
| 372 | { | 488 | { |
| 373 | memset(buf,0,num); | 489 | OPENSSL_cleanse(buf,num); |
| 374 | OPENSSL_free(buf); | 490 | OPENSSL_free(buf); |
| 375 | } | 491 | } |
| 376 | return(r); | 492 | return(r); |
| @@ -467,7 +583,7 @@ err: | |||
| 467 | BN_clear_free(&ret); | 583 | BN_clear_free(&ret); |
| 468 | if (buf != NULL) | 584 | if (buf != NULL) |
| 469 | { | 585 | { |
| 470 | memset(buf,0,num); | 586 | OPENSSL_cleanse(buf,num); |
| 471 | OPENSSL_free(buf); | 587 | OPENSSL_free(buf); |
| 472 | } | 588 | } |
| 473 | return(r); | 589 | return(r); |
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c index 93235744f7..53c5092014 100644 --- a/src/lib/libcrypto/rsa/rsa_lib.c +++ b/src/lib/libcrypto/rsa/rsa_lib.c | |||
| @@ -62,7 +62,10 @@ | |||
| 62 | #include <openssl/lhash.h> | 62 | #include <openssl/lhash.h> |
| 63 | #include <openssl/bn.h> | 63 | #include <openssl/bn.h> |
| 64 | #include <openssl/rsa.h> | 64 | #include <openssl/rsa.h> |
| 65 | #include <openssl/rand.h> | ||
| 66 | #ifndef OPENSSL_NO_ENGINE | ||
| 65 | #include <openssl/engine.h> | 67 | #include <openssl/engine.h> |
| 68 | #endif | ||
| 66 | 69 | ||
| 67 | const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT; | 70 | const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT; |
| 68 | 71 | ||
| @@ -70,7 +73,9 @@ static const RSA_METHOD *default_RSA_meth=NULL; | |||
| 70 | 73 | ||
| 71 | RSA *RSA_new(void) | 74 | RSA *RSA_new(void) |
| 72 | { | 75 | { |
| 73 | return(RSA_new_method(NULL)); | 76 | RSA *r=RSA_new_method(NULL); |
| 77 | |||
| 78 | return r; | ||
| 74 | } | 79 | } |
| 75 | 80 | ||
| 76 | void RSA_set_default_method(const RSA_METHOD *meth) | 81 | void RSA_set_default_method(const RSA_METHOD *meth) |
| @@ -108,11 +113,13 @@ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth) | |||
| 108 | const RSA_METHOD *mtmp; | 113 | const RSA_METHOD *mtmp; |
| 109 | mtmp = rsa->meth; | 114 | mtmp = rsa->meth; |
| 110 | if (mtmp->finish) mtmp->finish(rsa); | 115 | if (mtmp->finish) mtmp->finish(rsa); |
| 116 | #ifndef OPENSSL_NO_ENGINE | ||
| 111 | if (rsa->engine) | 117 | if (rsa->engine) |
| 112 | { | 118 | { |
| 113 | ENGINE_finish(rsa->engine); | 119 | ENGINE_finish(rsa->engine); |
| 114 | rsa->engine = NULL; | 120 | rsa->engine = NULL; |
| 115 | } | 121 | } |
| 122 | #endif | ||
| 116 | rsa->meth = meth; | 123 | rsa->meth = meth; |
| 117 | if (meth->init) meth->init(rsa); | 124 | if (meth->init) meth->init(rsa); |
| 118 | return 1; | 125 | return 1; |
| @@ -130,6 +137,7 @@ RSA *RSA_new_method(ENGINE *engine) | |||
| 130 | } | 137 | } |
| 131 | 138 | ||
| 132 | ret->meth = RSA_get_default_method(); | 139 | ret->meth = RSA_get_default_method(); |
| 140 | #ifndef OPENSSL_NO_ENGINE | ||
| 133 | if (engine) | 141 | if (engine) |
| 134 | { | 142 | { |
| 135 | if (!ENGINE_init(engine)) | 143 | if (!ENGINE_init(engine)) |
| @@ -154,6 +162,7 @@ RSA *RSA_new_method(ENGINE *engine) | |||
| 154 | return NULL; | 162 | return NULL; |
| 155 | } | 163 | } |
| 156 | } | 164 | } |
| 165 | #endif | ||
| 157 | 166 | ||
| 158 | ret->pad=0; | 167 | ret->pad=0; |
| 159 | ret->version=0; | 168 | ret->version=0; |
| @@ -175,8 +184,10 @@ RSA *RSA_new_method(ENGINE *engine) | |||
| 175 | CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); | 184 | CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); |
| 176 | if ((ret->meth->init != NULL) && !ret->meth->init(ret)) | 185 | if ((ret->meth->init != NULL) && !ret->meth->init(ret)) |
| 177 | { | 186 | { |
| 187 | #ifndef OPENSSL_NO_ENGINE | ||
| 178 | if (ret->engine) | 188 | if (ret->engine) |
| 179 | ENGINE_finish(ret->engine); | 189 | ENGINE_finish(ret->engine); |
| 190 | #endif | ||
| 180 | CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); | 191 | CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); |
| 181 | OPENSSL_free(ret); | 192 | OPENSSL_free(ret); |
| 182 | ret=NULL; | 193 | ret=NULL; |
| @@ -205,8 +216,10 @@ void RSA_free(RSA *r) | |||
| 205 | 216 | ||
| 206 | if (r->meth->finish) | 217 | if (r->meth->finish) |
| 207 | r->meth->finish(r); | 218 | r->meth->finish(r); |
| 219 | #ifndef OPENSSL_NO_ENGINE | ||
| 208 | if (r->engine) | 220 | if (r->engine) |
| 209 | ENGINE_finish(r->engine); | 221 | ENGINE_finish(r->engine); |
| 222 | #endif | ||
| 210 | 223 | ||
| 211 | CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data); | 224 | CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data); |
| 212 | 225 | ||
| @@ -297,7 +310,8 @@ void RSA_blinding_off(RSA *rsa) | |||
| 297 | BN_BLINDING_free(rsa->blinding); | 310 | BN_BLINDING_free(rsa->blinding); |
| 298 | rsa->blinding=NULL; | 311 | rsa->blinding=NULL; |
| 299 | } | 312 | } |
| 300 | rsa->flags&= ~RSA_FLAG_BLINDING; | 313 | rsa->flags &= ~RSA_FLAG_BLINDING; |
| 314 | rsa->flags |= RSA_FLAG_NO_BLINDING; | ||
| 301 | } | 315 | } |
| 302 | 316 | ||
| 303 | int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) | 317 | int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) |
| @@ -316,15 +330,32 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) | |||
| 316 | if (rsa->blinding != NULL) | 330 | if (rsa->blinding != NULL) |
| 317 | BN_BLINDING_free(rsa->blinding); | 331 | BN_BLINDING_free(rsa->blinding); |
| 318 | 332 | ||
| 333 | /* NB: similar code appears in setup_blinding (rsa_eay.c); | ||
| 334 | * this should be placed in a new function of its own, but for reasons | ||
| 335 | * of binary compatibility can't */ | ||
| 336 | |||
| 319 | BN_CTX_start(ctx); | 337 | BN_CTX_start(ctx); |
| 320 | A = BN_CTX_get(ctx); | 338 | A = BN_CTX_get(ctx); |
| 321 | if (!BN_rand_range(A,rsa->n)) goto err; | 339 | if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) |
| 340 | { | ||
| 341 | /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ | ||
| 342 | RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); | ||
| 343 | if (!BN_pseudo_rand_range(A,rsa->n)) goto err; | ||
| 344 | } | ||
| 345 | else | ||
| 346 | { | ||
| 347 | if (!BN_rand_range(A,rsa->n)) goto err; | ||
| 348 | } | ||
| 322 | if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; | 349 | if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; |
| 323 | 350 | ||
| 324 | if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) | 351 | if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) |
| 325 | goto err; | 352 | goto err; |
| 326 | rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n); | 353 | if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err; |
| 327 | rsa->flags|=RSA_FLAG_BLINDING; | 354 | /* to make things thread-safe without excessive locking, |
| 355 | * rsa->blinding will be used just by the current thread: */ | ||
| 356 | rsa->blinding->thread_id = CRYPTO_thread_id(); | ||
| 357 | rsa->flags |= RSA_FLAG_BLINDING; | ||
| 358 | rsa->flags &= ~RSA_FLAG_NO_BLINDING; | ||
| 328 | BN_free(Ai); | 359 | BN_free(Ai); |
| 329 | ret=1; | 360 | ret=1; |
| 330 | err: | 361 | err: |
diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c index c1edd6764f..8560755f1d 100644 --- a/src/lib/libcrypto/rsa/rsa_pk1.c +++ b/src/lib/libcrypto/rsa/rsa_pk1.c | |||
| @@ -68,7 +68,7 @@ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, | |||
| 68 | int j; | 68 | int j; |
| 69 | unsigned char *p; | 69 | unsigned char *p; |
| 70 | 70 | ||
| 71 | if (flen > (tlen-11)) | 71 | if (flen > (tlen-RSA_PKCS1_PADDING_SIZE)) |
| 72 | { | 72 | { |
| 73 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); | 73 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); |
| 74 | return(0); | 74 | return(0); |
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c index 85adacc08f..f462716a57 100644 --- a/src/lib/libcrypto/rsa/rsa_saos.c +++ b/src/lib/libcrypto/rsa/rsa_saos.c | |||
| @@ -77,7 +77,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type, | |||
| 77 | 77 | ||
| 78 | i=i2d_ASN1_OCTET_STRING(&sig,NULL); | 78 | i=i2d_ASN1_OCTET_STRING(&sig,NULL); |
| 79 | j=RSA_size(rsa); | 79 | j=RSA_size(rsa); |
| 80 | if ((i-RSA_PKCS1_PADDING) > j) | 80 | if (i > (j-RSA_PKCS1_PADDING_SIZE)) |
| 81 | { | 81 | { |
| 82 | RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); | 82 | RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); |
| 83 | return(0); | 83 | return(0); |
| @@ -96,7 +96,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type, | |||
| 96 | else | 96 | else |
| 97 | *siglen=i; | 97 | *siglen=i; |
| 98 | 98 | ||
| 99 | memset(s,0,(unsigned int)j+1); | 99 | OPENSSL_cleanse(s,(unsigned int)j+1); |
| 100 | OPENSSL_free(s); | 100 | OPENSSL_free(s); |
| 101 | return(ret); | 101 | return(ret); |
| 102 | } | 102 | } |
| @@ -139,7 +139,7 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype, | |||
| 139 | ret=1; | 139 | ret=1; |
| 140 | err: | 140 | err: |
| 141 | if (sig != NULL) M_ASN1_OCTET_STRING_free(sig); | 141 | if (sig != NULL) M_ASN1_OCTET_STRING_free(sig); |
| 142 | memset(s,0,(unsigned int)siglen); | 142 | OPENSSL_cleanse(s,(unsigned int)siglen); |
| 143 | OPENSSL_free(s); | 143 | OPENSSL_free(s); |
| 144 | return(ret); | 144 | return(ret); |
| 145 | } | 145 | } |
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c index 2a440901de..8a1e642183 100644 --- a/src/lib/libcrypto/rsa/rsa_sign.c +++ b/src/lib/libcrypto/rsa/rsa_sign.c | |||
| @@ -62,7 +62,6 @@ | |||
| 62 | #include <openssl/rsa.h> | 62 | #include <openssl/rsa.h> |
| 63 | #include <openssl/objects.h> | 63 | #include <openssl/objects.h> |
| 64 | #include <openssl/x509.h> | 64 | #include <openssl/x509.h> |
| 65 | #include <openssl/engine.h> | ||
| 66 | 65 | ||
| 67 | /* Size of an SSL signature: MD5+SHA1 */ | 66 | /* Size of an SSL signature: MD5+SHA1 */ |
| 68 | #define SSL_SIG_LENGTH 36 | 67 | #define SSL_SIG_LENGTH 36 |
| @@ -77,10 +76,11 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, | |||
| 77 | const unsigned char *s = NULL; | 76 | const unsigned char *s = NULL; |
| 78 | X509_ALGOR algor; | 77 | X509_ALGOR algor; |
| 79 | ASN1_OCTET_STRING digest; | 78 | ASN1_OCTET_STRING digest; |
| 80 | if((rsa->flags & RSA_FLAG_SIGN_VER) | 79 | if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) |
| 81 | && ENGINE_get_RSA(rsa->engine)->rsa_sign) | 80 | { |
| 82 | return ENGINE_get_RSA(rsa->engine)->rsa_sign(type, | 81 | return rsa->meth->rsa_sign(type, m, m_len, |
| 83 | m, m_len, sigret, siglen, rsa); | 82 | sigret, siglen, rsa); |
| 83 | } | ||
| 84 | /* Special case: SSL signature, just check the length */ | 84 | /* Special case: SSL signature, just check the length */ |
| 85 | if(type == NID_md5_sha1) { | 85 | if(type == NID_md5_sha1) { |
| 86 | if(m_len != SSL_SIG_LENGTH) { | 86 | if(m_len != SSL_SIG_LENGTH) { |
| @@ -113,7 +113,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, | |||
| 113 | i=i2d_X509_SIG(&sig,NULL); | 113 | i=i2d_X509_SIG(&sig,NULL); |
| 114 | } | 114 | } |
| 115 | j=RSA_size(rsa); | 115 | j=RSA_size(rsa); |
| 116 | if ((i-RSA_PKCS1_PADDING) > j) | 116 | if (i > (j-RSA_PKCS1_PADDING_SIZE)) |
| 117 | { | 117 | { |
| 118 | RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); | 118 | RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); |
| 119 | return(0); | 119 | return(0); |
| @@ -136,7 +136,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, | |||
| 136 | *siglen=i; | 136 | *siglen=i; |
| 137 | 137 | ||
| 138 | if(type != NID_md5_sha1) { | 138 | if(type != NID_md5_sha1) { |
| 139 | memset(tmps,0,(unsigned int)j+1); | 139 | OPENSSL_cleanse(tmps,(unsigned int)j+1); |
| 140 | OPENSSL_free(tmps); | 140 | OPENSSL_free(tmps); |
| 141 | } | 141 | } |
| 142 | return(ret); | 142 | return(ret); |
| @@ -155,10 +155,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, | |||
| 155 | return(0); | 155 | return(0); |
| 156 | } | 156 | } |
| 157 | 157 | ||
| 158 | if((rsa->flags & RSA_FLAG_SIGN_VER) | 158 | if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) |
| 159 | && ENGINE_get_RSA(rsa->engine)->rsa_verify) | 159 | { |
| 160 | return ENGINE_get_RSA(rsa->engine)->rsa_verify(dtype, | 160 | return rsa->meth->rsa_verify(dtype, m, m_len, |
| 161 | m, m_len, sigbuf, siglen, rsa); | 161 | sigbuf, siglen, rsa); |
| 162 | } | ||
| 162 | 163 | ||
| 163 | s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen); | 164 | s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen); |
| 164 | if (s == NULL) | 165 | if (s == NULL) |
| @@ -221,7 +222,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, | |||
| 221 | } | 222 | } |
| 222 | err: | 223 | err: |
| 223 | if (sig != NULL) X509_SIG_free(sig); | 224 | if (sig != NULL) X509_SIG_free(sig); |
| 224 | memset(s,0,(unsigned int)siglen); | 225 | OPENSSL_cleanse(s,(unsigned int)siglen); |
| 225 | OPENSSL_free(s); | 226 | OPENSSL_free(s); |
| 226 | return(ret); | 227 | return(ret); |
| 227 | } | 228 | } |