summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa
diff options
context:
space:
mode:
authordjm <>2012-10-13 21:23:50 +0000
committerdjm <>2012-10-13 21:23:50 +0000
commit228cae30b117c2493f69ad3c195341cd6ec8d430 (patch)
tree29ff00b10d52c0978077c4fd83c33b065bade73e /src/lib/libcrypto/rsa
parent731838c66b52c0ae5888333005b74115a620aa96 (diff)
downloadopenbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.tar.gz
openbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.tar.bz2
openbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.zip
import OpenSSL-1.0.1c
Diffstat (limited to 'src/lib/libcrypto/rsa')
-rw-r--r--src/lib/libcrypto/rsa/rsa.h79
-rw-r--r--src/lib/libcrypto/rsa/rsa_ameth.c351
-rw-r--r--src/lib/libcrypto/rsa/rsa_asn1.c10
-rw-r--r--src/lib/libcrypto/rsa/rsa_crpt.c257
-rw-r--r--src/lib/libcrypto/rsa/rsa_err.c21
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c15
-rw-r--r--src/lib/libcrypto/rsa/rsa_lib.c172
-rw-r--r--src/lib/libcrypto/rsa/rsa_oaep.c6
-rw-r--r--src/lib/libcrypto/rsa/rsa_pmeth.c154
-rw-r--r--src/lib/libcrypto/rsa/rsa_pss.c81
-rw-r--r--src/lib/libcrypto/rsa/rsa_sign.c33
11 files changed, 977 insertions, 202 deletions
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index cf74343657..4814a2fc15 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -222,12 +222,22 @@ struct rsa_st
222 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \ 222 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \
223 pad, NULL) 223 pad, NULL)
224 224
225#define EVP_PKEY_CTX_get_rsa_padding(ctx, ppad) \
226 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, \
227 EVP_PKEY_CTRL_GET_RSA_PADDING, 0, ppad)
228
225#define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \ 229#define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \
226 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \ 230 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
227 (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \ 231 (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
228 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, \ 232 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, \
229 len, NULL) 233 len, NULL)
230 234
235#define EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, plen) \
236 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
237 (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
238 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, \
239 0, plen)
240
231#define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \ 241#define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \
232 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \ 242 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
233 EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL) 243 EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL)
@@ -236,11 +246,24 @@ struct rsa_st
236 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \ 246 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
237 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp) 247 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp)
238 248
249#define EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) \
250 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \
251 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md)
252
253#define EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd) \
254 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \
255 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd)
256
239#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1) 257#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
240#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2) 258#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2)
241 259
242#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3) 260#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3)
243#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4) 261#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4)
262#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5)
263
264#define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 6)
265#define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 7)
266#define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 8)
244 267
245#define RSA_PKCS1_PADDING 1 268#define RSA_PKCS1_PADDING 1
246#define RSA_SSLV23_PADDING 2 269#define RSA_SSLV23_PADDING 2
@@ -300,6 +323,16 @@ const RSA_METHOD *RSA_null_method(void);
300DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPublicKey) 323DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPublicKey)
301DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPrivateKey) 324DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPrivateKey)
302 325
326typedef struct rsa_pss_params_st
327 {
328 X509_ALGOR *hashAlgorithm;
329 X509_ALGOR *maskGenAlgorithm;
330 ASN1_INTEGER *saltLength;
331 ASN1_INTEGER *trailerField;
332 } RSA_PSS_PARAMS;
333
334DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
335
303#ifndef OPENSSL_NO_FP_API 336#ifndef OPENSSL_NO_FP_API
304int RSA_print_fp(FILE *fp, const RSA *r,int offset); 337int RSA_print_fp(FILE *fp, const RSA *r,int offset);
305#endif 338#endif
@@ -380,6 +413,14 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
380 const unsigned char *mHash, 413 const unsigned char *mHash,
381 const EVP_MD *Hash, int sLen); 414 const EVP_MD *Hash, int sLen);
382 415
416int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
417 const EVP_MD *Hash, const EVP_MD *mgf1Hash,
418 const unsigned char *EM, int sLen);
419
420int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
421 const unsigned char *mHash,
422 const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen);
423
383int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 424int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
384 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 425 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
385int RSA_set_ex_data(RSA *r,int idx,void *arg); 426int RSA_set_ex_data(RSA *r,int idx,void *arg);
@@ -388,6 +429,25 @@ void *RSA_get_ex_data(const RSA *r, int idx);
388RSA *RSAPublicKey_dup(RSA *rsa); 429RSA *RSAPublicKey_dup(RSA *rsa);
389RSA *RSAPrivateKey_dup(RSA *rsa); 430RSA *RSAPrivateKey_dup(RSA *rsa);
390 431
432/* If this flag is set the RSA method is FIPS compliant and can be used
433 * in FIPS mode. This is set in the validated module method. If an
434 * application sets this flag in its own methods it is its responsibility
435 * to ensure the result is compliant.
436 */
437
438#define RSA_FLAG_FIPS_METHOD 0x0400
439
440/* If this flag is set the operations normally disabled in FIPS mode are
441 * permitted it is then the applications responsibility to ensure that the
442 * usage is compliant.
443 */
444
445#define RSA_FLAG_NON_FIPS_ALLOW 0x0400
446/* Application has decided PRNG is good enough to generate a key: don't
447 * check.
448 */
449#define RSA_FLAG_CHECKED 0x0800
450
391/* BEGIN ERROR CODES */ 451/* BEGIN ERROR CODES */
392/* The following lines are auto generated by the script mkerr.pl. Any changes 452/* The following lines are auto generated by the script mkerr.pl. Any changes
393 * made after this point may be overwritten when the script is next run. 453 * made after this point may be overwritten when the script is next run.
@@ -405,6 +465,7 @@ void ERR_load_RSA_strings(void);
405#define RSA_F_PKEY_RSA_CTRL 143 465#define RSA_F_PKEY_RSA_CTRL 143
406#define RSA_F_PKEY_RSA_CTRL_STR 144 466#define RSA_F_PKEY_RSA_CTRL_STR 144
407#define RSA_F_PKEY_RSA_SIGN 142 467#define RSA_F_PKEY_RSA_SIGN 142
468#define RSA_F_PKEY_RSA_VERIFY 154
408#define RSA_F_PKEY_RSA_VERIFYRECOVER 141 469#define RSA_F_PKEY_RSA_VERIFYRECOVER 141
409#define RSA_F_RSA_BUILTIN_KEYGEN 129 470#define RSA_F_RSA_BUILTIN_KEYGEN 129
410#define RSA_F_RSA_CHECK_KEY 123 471#define RSA_F_RSA_CHECK_KEY 123
@@ -413,6 +474,8 @@ void ERR_load_RSA_strings(void);
413#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103 474#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
414#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104 475#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104
415#define RSA_F_RSA_GENERATE_KEY 105 476#define RSA_F_RSA_GENERATE_KEY 105
477#define RSA_F_RSA_GENERATE_KEY_EX 155
478#define RSA_F_RSA_ITEM_VERIFY 156
416#define RSA_F_RSA_MEMORY_LOCK 130 479#define RSA_F_RSA_MEMORY_LOCK 130
417#define RSA_F_RSA_NEW_METHOD 106 480#define RSA_F_RSA_NEW_METHOD 106
418#define RSA_F_RSA_NULL 124 481#define RSA_F_RSA_NULL 124
@@ -424,6 +487,7 @@ void ERR_load_RSA_strings(void);
424#define RSA_F_RSA_PADDING_ADD_NONE 107 487#define RSA_F_RSA_PADDING_ADD_NONE 107
425#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121 488#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
426#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125 489#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
490#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
427#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108 491#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
428#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109 492#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
429#define RSA_F_RSA_PADDING_ADD_SSLV23 110 493#define RSA_F_RSA_PADDING_ADD_SSLV23 110
@@ -436,8 +500,12 @@ void ERR_load_RSA_strings(void);
436#define RSA_F_RSA_PADDING_CHECK_X931 128 500#define RSA_F_RSA_PADDING_CHECK_X931 128
437#define RSA_F_RSA_PRINT 115 501#define RSA_F_RSA_PRINT 115
438#define RSA_F_RSA_PRINT_FP 116 502#define RSA_F_RSA_PRINT_FP 116
503#define RSA_F_RSA_PRIVATE_DECRYPT 150
504#define RSA_F_RSA_PRIVATE_ENCRYPT 151
439#define RSA_F_RSA_PRIV_DECODE 137 505#define RSA_F_RSA_PRIV_DECODE 137
440#define RSA_F_RSA_PRIV_ENCODE 138 506#define RSA_F_RSA_PRIV_ENCODE 138
507#define RSA_F_RSA_PUBLIC_DECRYPT 152
508#define RSA_F_RSA_PUBLIC_ENCRYPT 153
441#define RSA_F_RSA_PUB_DECODE 139 509#define RSA_F_RSA_PUB_DECODE 139
442#define RSA_F_RSA_SETUP_BLINDING 136 510#define RSA_F_RSA_SETUP_BLINDING 136
443#define RSA_F_RSA_SIGN 117 511#define RSA_F_RSA_SIGN 117
@@ -445,6 +513,7 @@ void ERR_load_RSA_strings(void);
445#define RSA_F_RSA_VERIFY 119 513#define RSA_F_RSA_VERIFY 119
446#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120 514#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
447#define RSA_F_RSA_VERIFY_PKCS1_PSS 126 515#define RSA_F_RSA_VERIFY_PKCS1_PSS 126
516#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
448 517
449/* Reason codes. */ 518/* Reason codes. */
450#define RSA_R_ALGORITHM_MISMATCH 100 519#define RSA_R_ALGORITHM_MISMATCH 100
@@ -470,19 +539,24 @@ void ERR_load_RSA_strings(void);
470#define RSA_R_INVALID_HEADER 137 539#define RSA_R_INVALID_HEADER 137
471#define RSA_R_INVALID_KEYBITS 145 540#define RSA_R_INVALID_KEYBITS 145
472#define RSA_R_INVALID_MESSAGE_LENGTH 131 541#define RSA_R_INVALID_MESSAGE_LENGTH 131
542#define RSA_R_INVALID_MGF1_MD 156
473#define RSA_R_INVALID_PADDING 138 543#define RSA_R_INVALID_PADDING 138
474#define RSA_R_INVALID_PADDING_MODE 141 544#define RSA_R_INVALID_PADDING_MODE 141
545#define RSA_R_INVALID_PSS_PARAMETERS 149
475#define RSA_R_INVALID_PSS_SALTLEN 146 546#define RSA_R_INVALID_PSS_SALTLEN 146
547#define RSA_R_INVALID_SALT_LENGTH 150
476#define RSA_R_INVALID_TRAILER 139 548#define RSA_R_INVALID_TRAILER 139
477#define RSA_R_INVALID_X931_DIGEST 142 549#define RSA_R_INVALID_X931_DIGEST 142
478#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126 550#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
479#define RSA_R_KEY_SIZE_TOO_SMALL 120 551#define RSA_R_KEY_SIZE_TOO_SMALL 120
480#define RSA_R_LAST_OCTET_INVALID 134 552#define RSA_R_LAST_OCTET_INVALID 134
481#define RSA_R_MODULUS_TOO_LARGE 105 553#define RSA_R_MODULUS_TOO_LARGE 105
554#define RSA_R_NON_FIPS_RSA_METHOD 157
482#define RSA_R_NO_PUBLIC_EXPONENT 140 555#define RSA_R_NO_PUBLIC_EXPONENT 140
483#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 556#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
484#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 557#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
485#define RSA_R_OAEP_DECODING_ERROR 121 558#define RSA_R_OAEP_DECODING_ERROR 121
559#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
486#define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 560#define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
487#define RSA_R_PADDING_CHECK_FAILED 114 561#define RSA_R_PADDING_CHECK_FAILED 114
488#define RSA_R_P_NOT_PRIME 128 562#define RSA_R_P_NOT_PRIME 128
@@ -493,7 +567,12 @@ void ERR_load_RSA_strings(void);
493#define RSA_R_SSLV3_ROLLBACK_ATTACK 115 567#define RSA_R_SSLV3_ROLLBACK_ATTACK 115
494#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116 568#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
495#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117 569#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117
570#define RSA_R_UNKNOWN_MASK_DIGEST 151
496#define RSA_R_UNKNOWN_PADDING_TYPE 118 571#define RSA_R_UNKNOWN_PADDING_TYPE 118
572#define RSA_R_UNKNOWN_PSS_DIGEST 152
573#define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153
574#define RSA_R_UNSUPPORTED_MASK_PARAMETER 154
575#define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
497#define RSA_R_VALUE_MISSING 147 576#define RSA_R_VALUE_MISSING 147
498#define RSA_R_WRONG_SIGNATURE_LENGTH 119 577#define RSA_R_WRONG_SIGNATURE_LENGTH 119
499 578
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
index 8c3209885e..2460910ab2 100644
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -265,6 +265,147 @@ static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
265 return do_rsa_print(bp, pkey->pkey.rsa, indent, 1); 265 return do_rsa_print(bp, pkey->pkey.rsa, indent, 1);
266 } 266 }
267 267
268static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg,
269 X509_ALGOR **pmaskHash)
270 {
271 const unsigned char *p;
272 int plen;
273 RSA_PSS_PARAMS *pss;
274
275 *pmaskHash = NULL;
276
277 if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE)
278 return NULL;
279 p = alg->parameter->value.sequence->data;
280 plen = alg->parameter->value.sequence->length;
281 pss = d2i_RSA_PSS_PARAMS(NULL, &p, plen);
282
283 if (!pss)
284 return NULL;
285
286 if (pss->maskGenAlgorithm)
287 {
288 ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
289 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
290 && param->type == V_ASN1_SEQUENCE)
291 {
292 p = param->value.sequence->data;
293 plen = param->value.sequence->length;
294 *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
295 }
296 }
297
298 return pss;
299 }
300
301static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
302 X509_ALGOR *maskHash, int indent)
303 {
304 int rv = 0;
305 if (!pss)
306 {
307 if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0)
308 return 0;
309 return 1;
310 }
311 if (BIO_puts(bp, "\n") <= 0)
312 goto err;
313 if (!BIO_indent(bp, indent, 128))
314 goto err;
315 if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
316 goto err;
317
318 if (pss->hashAlgorithm)
319 {
320 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
321 goto err;
322 }
323 else if (BIO_puts(bp, "sha1 (default)") <= 0)
324 goto err;
325
326 if (BIO_puts(bp, "\n") <= 0)
327 goto err;
328
329 if (!BIO_indent(bp, indent, 128))
330 goto err;
331
332 if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
333 goto err;
334 if (pss->maskGenAlgorithm)
335 {
336 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
337 goto err;
338 if (BIO_puts(bp, " with ") <= 0)
339 goto err;
340 if (maskHash)
341 {
342 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
343 goto err;
344 }
345 else if (BIO_puts(bp, "INVALID") <= 0)
346 goto err;
347 }
348 else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0)
349 goto err;
350 BIO_puts(bp, "\n");
351
352 if (!BIO_indent(bp, indent, 128))
353 goto err;
354 if (BIO_puts(bp, "Salt Length: ") <= 0)
355 goto err;
356 if (pss->saltLength)
357 {
358 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
359 goto err;
360 }
361 else if (BIO_puts(bp, "20 (default)") <= 0)
362 goto err;
363 BIO_puts(bp, "\n");
364
365 if (!BIO_indent(bp, indent, 128))
366 goto err;
367 if (BIO_puts(bp, "Trailer Field: ") <= 0)
368 goto err;
369 if (pss->trailerField)
370 {
371 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
372 goto err;
373 }
374 else if (BIO_puts(bp, "0xbc (default)") <= 0)
375 goto err;
376 BIO_puts(bp, "\n");
377
378 rv = 1;
379
380 err:
381 return rv;
382
383 }
384
385static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
386 const ASN1_STRING *sig,
387 int indent, ASN1_PCTX *pctx)
388 {
389 if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss)
390 {
391 int rv;
392 RSA_PSS_PARAMS *pss;
393 X509_ALGOR *maskHash;
394 pss = rsa_pss_decode(sigalg, &maskHash);
395 rv = rsa_pss_param_print(bp, pss, maskHash, indent);
396 if (pss)
397 RSA_PSS_PARAMS_free(pss);
398 if (maskHash)
399 X509_ALGOR_free(maskHash);
400 if (!rv)
401 return 0;
402 }
403 else if (!sig && BIO_puts(bp, "\n") <= 0)
404 return 0;
405 if (sig)
406 return X509_signature_dump(bp, sig, indent);
407 return 1;
408 }
268 409
269static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 410static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
270 { 411 {
@@ -310,6 +451,211 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
310 451
311 } 452 }
312 453
454/* Customised RSA item verification routine. This is called
455 * when a signature is encountered requiring special handling. We
456 * currently only handle PSS.
457 */
458
459
460static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
461 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig,
462 EVP_PKEY *pkey)
463 {
464 int rv = -1;
465 int saltlen;
466 const EVP_MD *mgf1md = NULL, *md = NULL;
467 RSA_PSS_PARAMS *pss;
468 X509_ALGOR *maskHash;
469 EVP_PKEY_CTX *pkctx;
470 /* Sanity check: make sure it is PSS */
471 if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss)
472 {
473 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
474 return -1;
475 }
476 /* Decode PSS parameters */
477 pss = rsa_pss_decode(sigalg, &maskHash);
478
479 if (pss == NULL)
480 {
481 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_PSS_PARAMETERS);
482 goto err;
483 }
484 /* Check mask and lookup mask hash algorithm */
485 if (pss->maskGenAlgorithm)
486 {
487 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) != NID_mgf1)
488 {
489 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_MASK_ALGORITHM);
490 goto err;
491 }
492 if (!maskHash)
493 {
494 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_MASK_PARAMETER);
495 goto err;
496 }
497 mgf1md = EVP_get_digestbyobj(maskHash->algorithm);
498 if (mgf1md == NULL)
499 {
500 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_MASK_DIGEST);
501 goto err;
502 }
503 }
504 else
505 mgf1md = EVP_sha1();
506
507 if (pss->hashAlgorithm)
508 {
509 md = EVP_get_digestbyobj(pss->hashAlgorithm->algorithm);
510 if (md == NULL)
511 {
512 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_PSS_DIGEST);
513 goto err;
514 }
515 }
516 else
517 md = EVP_sha1();
518
519 if (pss->saltLength)
520 {
521 saltlen = ASN1_INTEGER_get(pss->saltLength);
522
523 /* Could perform more salt length sanity checks but the main
524 * RSA routines will trap other invalid values anyway.
525 */
526 if (saltlen < 0)
527 {
528 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_SALT_LENGTH);
529 goto err;
530 }
531 }
532 else
533 saltlen = 20;
534
535 /* low-level routines support only trailer field 0xbc (value 1)
536 * and PKCS#1 says we should reject any other value anyway.
537 */
538 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1)
539 {
540 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_TRAILER);
541 goto err;
542 }
543
544 /* We have all parameters now set up context */
545
546 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
547 goto err;
548
549 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
550 goto err;
551
552 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
553 goto err;
554
555 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
556 goto err;
557 /* Carry on */
558 rv = 2;
559
560 err:
561 RSA_PSS_PARAMS_free(pss);
562 if (maskHash)
563 X509_ALGOR_free(maskHash);
564 return rv;
565 }
566
567static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
568 X509_ALGOR *alg1, X509_ALGOR *alg2,
569 ASN1_BIT_STRING *sig)
570 {
571 int pad_mode;
572 EVP_PKEY_CTX *pkctx = ctx->pctx;
573 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
574 return 0;
575 if (pad_mode == RSA_PKCS1_PADDING)
576 return 2;
577 if (pad_mode == RSA_PKCS1_PSS_PADDING)
578 {
579 const EVP_MD *sigmd, *mgf1md;
580 RSA_PSS_PARAMS *pss = NULL;
581 X509_ALGOR *mgf1alg = NULL;
582 ASN1_STRING *os1 = NULL, *os2 = NULL;
583 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
584 int saltlen, rv = 0;
585 sigmd = EVP_MD_CTX_md(ctx);
586 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
587 goto err;
588 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
589 goto err;
590 if (saltlen == -1)
591 saltlen = EVP_MD_size(sigmd);
592 else if (saltlen == -2)
593 {
594 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
595 if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0)
596 saltlen--;
597 }
598 pss = RSA_PSS_PARAMS_new();
599 if (!pss)
600 goto err;
601 if (saltlen != 20)
602 {
603 pss->saltLength = ASN1_INTEGER_new();
604 if (!pss->saltLength)
605 goto err;
606 if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
607 goto err;
608 }
609 if (EVP_MD_type(sigmd) != NID_sha1)
610 {
611 pss->hashAlgorithm = X509_ALGOR_new();
612 if (!pss->hashAlgorithm)
613 goto err;
614 X509_ALGOR_set_md(pss->hashAlgorithm, sigmd);
615 }
616 if (EVP_MD_type(mgf1md) != NID_sha1)
617 {
618 ASN1_STRING *stmp = NULL;
619 /* need to embed algorithm ID inside another */
620 mgf1alg = X509_ALGOR_new();
621 X509_ALGOR_set_md(mgf1alg, mgf1md);
622 if (!ASN1_item_pack(mgf1alg, ASN1_ITEM_rptr(X509_ALGOR),
623 &stmp))
624 goto err;
625 pss->maskGenAlgorithm = X509_ALGOR_new();
626 if (!pss->maskGenAlgorithm)
627 goto err;
628 X509_ALGOR_set0(pss->maskGenAlgorithm,
629 OBJ_nid2obj(NID_mgf1),
630 V_ASN1_SEQUENCE, stmp);
631 }
632 /* Finally create string with pss parameter encoding. */
633 if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os1))
634 goto err;
635 if (alg2)
636 {
637 os2 = ASN1_STRING_dup(os1);
638 if (!os2)
639 goto err;
640 X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss),
641 V_ASN1_SEQUENCE, os2);
642 }
643 X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss),
644 V_ASN1_SEQUENCE, os1);
645 os1 = os2 = NULL;
646 rv = 3;
647 err:
648 if (mgf1alg)
649 X509_ALGOR_free(mgf1alg);
650 if (pss)
651 RSA_PSS_PARAMS_free(pss);
652 if (os1)
653 ASN1_STRING_free(os1);
654 return rv;
655
656 }
657 return 2;
658 }
313 659
314const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = 660const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] =
315 { 661 {
@@ -335,10 +681,13 @@ const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] =
335 681
336 0,0,0,0,0,0, 682 0,0,0,0,0,0,
337 683
684 rsa_sig_print,
338 int_rsa_free, 685 int_rsa_free,
339 rsa_pkey_ctrl, 686 rsa_pkey_ctrl,
340 old_rsa_priv_decode, 687 old_rsa_priv_decode,
341 old_rsa_priv_encode 688 old_rsa_priv_encode,
689 rsa_item_verify,
690 rsa_item_sign
342 }, 691 },
343 692
344 { 693 {
diff --git a/src/lib/libcrypto/rsa/rsa_asn1.c b/src/lib/libcrypto/rsa/rsa_asn1.c
index 4efca8cdc8..6ed5de3db4 100644
--- a/src/lib/libcrypto/rsa/rsa_asn1.c
+++ b/src/lib/libcrypto/rsa/rsa_asn1.c
@@ -60,6 +60,7 @@
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include <openssl/bn.h> 61#include <openssl/bn.h>
62#include <openssl/rsa.h> 62#include <openssl/rsa.h>
63#include <openssl/x509.h>
63#include <openssl/asn1t.h> 64#include <openssl/asn1t.h>
64 65
65/* Override the default free and new methods */ 66/* Override the default free and new methods */
@@ -96,6 +97,15 @@ ASN1_SEQUENCE_cb(RSAPublicKey, rsa_cb) = {
96 ASN1_SIMPLE(RSA, e, BIGNUM), 97 ASN1_SIMPLE(RSA, e, BIGNUM),
97} ASN1_SEQUENCE_END_cb(RSA, RSAPublicKey) 98} ASN1_SEQUENCE_END_cb(RSA, RSAPublicKey)
98 99
100ASN1_SEQUENCE(RSA_PSS_PARAMS) = {
101 ASN1_EXP_OPT(RSA_PSS_PARAMS, hashAlgorithm, X509_ALGOR,0),
102 ASN1_EXP_OPT(RSA_PSS_PARAMS, maskGenAlgorithm, X509_ALGOR,1),
103 ASN1_EXP_OPT(RSA_PSS_PARAMS, saltLength, ASN1_INTEGER,2),
104 ASN1_EXP_OPT(RSA_PSS_PARAMS, trailerField, ASN1_INTEGER,3)
105} ASN1_SEQUENCE_END(RSA_PSS_PARAMS)
106
107IMPLEMENT_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
108
99IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPrivateKey, RSAPrivateKey) 109IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPrivateKey, RSAPrivateKey)
100 110
101IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPublicKey, RSAPublicKey) 111IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPublicKey, RSAPublicKey)
diff --git a/src/lib/libcrypto/rsa/rsa_crpt.c b/src/lib/libcrypto/rsa/rsa_crpt.c
new file mode 100644
index 0000000000..d3e44785dc
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_crpt.c
@@ -0,0 +1,257 @@
1/* crypto/rsa/rsa_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/crypto.h>
61#include "cryptlib.h"
62#include <openssl/lhash.h>
63#include <openssl/bn.h>
64#include <openssl/rsa.h>
65#include <openssl/rand.h>
66#ifndef OPENSSL_NO_ENGINE
67#include <openssl/engine.h>
68#endif
69
70int RSA_size(const RSA *r)
71 {
72 return(BN_num_bytes(r->n));
73 }
74
75int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
76 RSA *rsa, int padding)
77 {
78#ifdef OPENSSL_FIPS
79 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
80 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
81 {
82 RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
83 return -1;
84 }
85#endif
86 return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
87 }
88
89int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
90 RSA *rsa, int padding)
91 {
92#ifdef OPENSSL_FIPS
93 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
94 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
95 {
96 RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
97 return -1;
98 }
99#endif
100 return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
101 }
102
103int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
104 RSA *rsa, int padding)
105 {
106#ifdef OPENSSL_FIPS
107 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
108 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
109 {
110 RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
111 return -1;
112 }
113#endif
114 return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
115 }
116
117int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
118 RSA *rsa, int padding)
119 {
120#ifdef OPENSSL_FIPS
121 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
122 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
123 {
124 RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
125 return -1;
126 }
127#endif
128 return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
129 }
130
131int RSA_flags(const RSA *r)
132 {
133 return((r == NULL)?0:r->meth->flags);
134 }
135
136void RSA_blinding_off(RSA *rsa)
137 {
138 if (rsa->blinding != NULL)
139 {
140 BN_BLINDING_free(rsa->blinding);
141 rsa->blinding=NULL;
142 }
143 rsa->flags &= ~RSA_FLAG_BLINDING;
144 rsa->flags |= RSA_FLAG_NO_BLINDING;
145 }
146
147int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
148 {
149 int ret=0;
150
151 if (rsa->blinding != NULL)
152 RSA_blinding_off(rsa);
153
154 rsa->blinding = RSA_setup_blinding(rsa, ctx);
155 if (rsa->blinding == NULL)
156 goto err;
157
158 rsa->flags |= RSA_FLAG_BLINDING;
159 rsa->flags &= ~RSA_FLAG_NO_BLINDING;
160 ret=1;
161err:
162 return(ret);
163 }
164
165static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
166 const BIGNUM *q, BN_CTX *ctx)
167{
168 BIGNUM *ret = NULL, *r0, *r1, *r2;
169
170 if (d == NULL || p == NULL || q == NULL)
171 return NULL;
172
173 BN_CTX_start(ctx);
174 r0 = BN_CTX_get(ctx);
175 r1 = BN_CTX_get(ctx);
176 r2 = BN_CTX_get(ctx);
177 if (r2 == NULL)
178 goto err;
179
180 if (!BN_sub(r1, p, BN_value_one())) goto err;
181 if (!BN_sub(r2, q, BN_value_one())) goto err;
182 if (!BN_mul(r0, r1, r2, ctx)) goto err;
183
184 ret = BN_mod_inverse(NULL, d, r0, ctx);
185err:
186 BN_CTX_end(ctx);
187 return ret;
188}
189
190BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
191{
192 BIGNUM local_n;
193 BIGNUM *e,*n;
194 BN_CTX *ctx;
195 BN_BLINDING *ret = NULL;
196
197 if (in_ctx == NULL)
198 {
199 if ((ctx = BN_CTX_new()) == NULL) return 0;
200 }
201 else
202 ctx = in_ctx;
203
204 BN_CTX_start(ctx);
205 e = BN_CTX_get(ctx);
206 if (e == NULL)
207 {
208 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
209 goto err;
210 }
211
212 if (rsa->e == NULL)
213 {
214 e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
215 if (e == NULL)
216 {
217 RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
218 goto err;
219 }
220 }
221 else
222 e = rsa->e;
223
224
225 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
226 {
227 /* if PRNG is not properly seeded, resort to secret
228 * exponent as unpredictable seed */
229 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
230 }
231
232 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
233 {
234 /* Set BN_FLG_CONSTTIME flag */
235 n = &local_n;
236 BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
237 }
238 else
239 n = rsa->n;
240
241 ret = BN_BLINDING_create_param(NULL, e, n, ctx,
242 rsa->meth->bn_mod_exp, rsa->_method_mod_n);
243 if (ret == NULL)
244 {
245 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
246 goto err;
247 }
248 CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
249err:
250 BN_CTX_end(ctx);
251 if (in_ctx == NULL)
252 BN_CTX_free(ctx);
253 if(rsa->e == NULL)
254 BN_free(e);
255
256 return ret;
257}
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
index cf9f1106b0..46e0bf9980 100644
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -1,6 +1,6 @@
1/* crypto/rsa/rsa_err.c */ 1/* crypto/rsa/rsa_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -78,6 +78,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
78{ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "PKEY_RSA_CTRL"}, 78{ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "PKEY_RSA_CTRL"},
79{ERR_FUNC(RSA_F_PKEY_RSA_CTRL_STR), "PKEY_RSA_CTRL_STR"}, 79{ERR_FUNC(RSA_F_PKEY_RSA_CTRL_STR), "PKEY_RSA_CTRL_STR"},
80{ERR_FUNC(RSA_F_PKEY_RSA_SIGN), "PKEY_RSA_SIGN"}, 80{ERR_FUNC(RSA_F_PKEY_RSA_SIGN), "PKEY_RSA_SIGN"},
81{ERR_FUNC(RSA_F_PKEY_RSA_VERIFY), "PKEY_RSA_VERIFY"},
81{ERR_FUNC(RSA_F_PKEY_RSA_VERIFYRECOVER), "PKEY_RSA_VERIFYRECOVER"}, 82{ERR_FUNC(RSA_F_PKEY_RSA_VERIFYRECOVER), "PKEY_RSA_VERIFYRECOVER"},
82{ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"}, 83{ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"},
83{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"}, 84{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
@@ -86,6 +87,8 @@ static ERR_STRING_DATA RSA_str_functs[]=
86{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"}, 87{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"},
87{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"}, 88{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"},
88{ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"}, 89{ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"},
90{ERR_FUNC(RSA_F_RSA_GENERATE_KEY_EX), "RSA_generate_key_ex"},
91{ERR_FUNC(RSA_F_RSA_ITEM_VERIFY), "RSA_ITEM_VERIFY"},
89{ERR_FUNC(RSA_F_RSA_MEMORY_LOCK), "RSA_memory_lock"}, 92{ERR_FUNC(RSA_F_RSA_MEMORY_LOCK), "RSA_memory_lock"},
90{ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"}, 93{ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"},
91{ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"}, 94{ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"},
@@ -97,6 +100,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
97{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"}, 100{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"},
98{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"}, 101{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"},
99{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"}, 102{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"},
103{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1), "RSA_padding_add_PKCS1_PSS_mgf1"},
100{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1), "RSA_padding_add_PKCS1_type_1"}, 104{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1), "RSA_padding_add_PKCS1_type_1"},
101{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2), "RSA_padding_add_PKCS1_type_2"}, 105{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2), "RSA_padding_add_PKCS1_type_2"},
102{ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23), "RSA_padding_add_SSLv23"}, 106{ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23), "RSA_padding_add_SSLv23"},
@@ -109,8 +113,12 @@ static ERR_STRING_DATA RSA_str_functs[]=
109{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"}, 113{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"},
110{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"}, 114{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"},
111{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"}, 115{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
116{ERR_FUNC(RSA_F_RSA_PRIVATE_DECRYPT), "RSA_private_decrypt"},
117{ERR_FUNC(RSA_F_RSA_PRIVATE_ENCRYPT), "RSA_private_encrypt"},
112{ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"}, 118{ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"},
113{ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "RSA_PRIV_ENCODE"}, 119{ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "RSA_PRIV_ENCODE"},
120{ERR_FUNC(RSA_F_RSA_PUBLIC_DECRYPT), "RSA_public_decrypt"},
121{ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
114{ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"}, 122{ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
115{ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"}, 123{ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
116{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, 124{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
@@ -118,6 +126,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
118{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"}, 126{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
119{ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING), "RSA_verify_ASN1_OCTET_STRING"}, 127{ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING), "RSA_verify_ASN1_OCTET_STRING"},
120{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"}, 128{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"},
129{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1), "RSA_verify_PKCS1_PSS_mgf1"},
121{0,NULL} 130{0,NULL}
122 }; 131 };
123 132
@@ -146,19 +155,24 @@ static ERR_STRING_DATA RSA_str_reasons[]=
146{ERR_REASON(RSA_R_INVALID_HEADER) ,"invalid header"}, 155{ERR_REASON(RSA_R_INVALID_HEADER) ,"invalid header"},
147{ERR_REASON(RSA_R_INVALID_KEYBITS) ,"invalid keybits"}, 156{ERR_REASON(RSA_R_INVALID_KEYBITS) ,"invalid keybits"},
148{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"}, 157{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"},
158{ERR_REASON(RSA_R_INVALID_MGF1_MD) ,"invalid mgf1 md"},
149{ERR_REASON(RSA_R_INVALID_PADDING) ,"invalid padding"}, 159{ERR_REASON(RSA_R_INVALID_PADDING) ,"invalid padding"},
150{ERR_REASON(RSA_R_INVALID_PADDING_MODE) ,"invalid padding mode"}, 160{ERR_REASON(RSA_R_INVALID_PADDING_MODE) ,"invalid padding mode"},
161{ERR_REASON(RSA_R_INVALID_PSS_PARAMETERS),"invalid pss parameters"},
151{ERR_REASON(RSA_R_INVALID_PSS_SALTLEN) ,"invalid pss saltlen"}, 162{ERR_REASON(RSA_R_INVALID_PSS_SALTLEN) ,"invalid pss saltlen"},
163{ERR_REASON(RSA_R_INVALID_SALT_LENGTH) ,"invalid salt length"},
152{ERR_REASON(RSA_R_INVALID_TRAILER) ,"invalid trailer"}, 164{ERR_REASON(RSA_R_INVALID_TRAILER) ,"invalid trailer"},
153{ERR_REASON(RSA_R_INVALID_X931_DIGEST) ,"invalid x931 digest"}, 165{ERR_REASON(RSA_R_INVALID_X931_DIGEST) ,"invalid x931 digest"},
154{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"}, 166{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
155{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"}, 167{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
156{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"}, 168{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"},
157{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, 169{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
170{ERR_REASON(RSA_R_NON_FIPS_RSA_METHOD) ,"non fips rsa method"},
158{ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) ,"no public exponent"}, 171{ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) ,"no public exponent"},
159{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"}, 172{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
160{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"}, 173{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
161{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"}, 174{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
175{ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),"operation not allowed in fips mode"},
162{ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"}, 176{ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"},
163{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"}, 177{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
164{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, 178{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
@@ -169,7 +183,12 @@ static ERR_STRING_DATA RSA_str_reasons[]=
169{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"}, 183{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"},
170{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"}, 184{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
171{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"}, 185{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"},
186{ERR_REASON(RSA_R_UNKNOWN_MASK_DIGEST) ,"unknown mask digest"},
172{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) ,"unknown padding type"}, 187{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) ,"unknown padding type"},
188{ERR_REASON(RSA_R_UNKNOWN_PSS_DIGEST) ,"unknown pss digest"},
189{ERR_REASON(RSA_R_UNSUPPORTED_MASK_ALGORITHM),"unsupported mask algorithm"},
190{ERR_REASON(RSA_R_UNSUPPORTED_MASK_PARAMETER),"unsupported mask parameter"},
191{ERR_REASON(RSA_R_UNSUPPORTED_SIGNATURE_TYPE),"unsupported signature type"},
173{ERR_REASON(RSA_R_VALUE_MISSING) ,"value missing"}, 192{ERR_REASON(RSA_R_VALUE_MISSING) ,"value missing"},
174{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"}, 193{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
175{0,NULL} 194{0,NULL}
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index 767f7ab682..42290cce66 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -67,6 +67,9 @@
67#include "cryptlib.h" 67#include "cryptlib.h"
68#include <openssl/bn.h> 68#include <openssl/bn.h>
69#include <openssl/rsa.h> 69#include <openssl/rsa.h>
70#ifdef OPENSSL_FIPS
71#include <openssl/fips.h>
72#endif
70 73
71static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb); 74static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
72 75
@@ -77,8 +80,20 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
77 * now just because key-generation is part of RSA_METHOD. */ 80 * now just because key-generation is part of RSA_METHOD. */
78int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) 81int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
79 { 82 {
83#ifdef OPENSSL_FIPS
84 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
85 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
86 {
87 RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
88 return 0;
89 }
90#endif
80 if(rsa->meth->rsa_keygen) 91 if(rsa->meth->rsa_keygen)
81 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); 92 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
93#ifdef OPENSSL_FIPS
94 if (FIPS_mode())
95 return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
96#endif
82 return rsa_builtin_keygen(rsa, bits, e_value, cb); 97 return rsa_builtin_keygen(rsa, bits, e_value, cb);
83 } 98 }
84 99
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index de45088d76..c95ceafc82 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -67,6 +67,10 @@
67#include <openssl/engine.h> 67#include <openssl/engine.h>
68#endif 68#endif
69 69
70#ifdef OPENSSL_FIPS
71#include <openssl/fips.h>
72#endif
73
70const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT; 74const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;
71 75
72static const RSA_METHOD *default_RSA_meth=NULL; 76static const RSA_METHOD *default_RSA_meth=NULL;
@@ -87,12 +91,15 @@ const RSA_METHOD *RSA_get_default_method(void)
87 { 91 {
88 if (default_RSA_meth == NULL) 92 if (default_RSA_meth == NULL)
89 { 93 {
94#ifdef OPENSSL_FIPS
95 if (FIPS_mode())
96 return FIPS_rsa_pkcs1_ssleay();
97 else
98 return RSA_PKCS1_SSLeay();
99#else
90#ifdef RSA_NULL 100#ifdef RSA_NULL
91 default_RSA_meth=RSA_null_method(); 101 default_RSA_meth=RSA_null_method();
92#else 102#else
93#if 0 /* was: #ifdef RSAref */
94 default_RSA_meth=RSA_PKCS1_RSAref();
95#else
96 default_RSA_meth=RSA_PKCS1_SSLeay(); 103 default_RSA_meth=RSA_PKCS1_SSLeay();
97#endif 104#endif
98#endif 105#endif
@@ -181,7 +188,7 @@ RSA *RSA_new_method(ENGINE *engine)
181 ret->blinding=NULL; 188 ret->blinding=NULL;
182 ret->mt_blinding=NULL; 189 ret->mt_blinding=NULL;
183 ret->bignum_data=NULL; 190 ret->bignum_data=NULL;
184 ret->flags=ret->meth->flags; 191 ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
185 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) 192 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
186 { 193 {
187#ifndef OPENSSL_NO_ENGINE 194#ifndef OPENSSL_NO_ENGINE
@@ -280,163 +287,6 @@ void *RSA_get_ex_data(const RSA *r, int idx)
280 return(CRYPTO_get_ex_data(&r->ex_data,idx)); 287 return(CRYPTO_get_ex_data(&r->ex_data,idx));
281 } 288 }
282 289
283int RSA_size(const RSA *r)
284 {
285 return(BN_num_bytes(r->n));
286 }
287
288int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
289 RSA *rsa, int padding)
290 {
291 return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
292 }
293
294int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
295 RSA *rsa, int padding)
296 {
297 return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
298 }
299
300int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
301 RSA *rsa, int padding)
302 {
303 return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
304 }
305
306int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
307 RSA *rsa, int padding)
308 {
309 return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
310 }
311
312int RSA_flags(const RSA *r)
313 {
314 return((r == NULL)?0:r->meth->flags);
315 }
316
317void RSA_blinding_off(RSA *rsa)
318 {
319 if (rsa->blinding != NULL)
320 {
321 BN_BLINDING_free(rsa->blinding);
322 rsa->blinding=NULL;
323 }
324 rsa->flags &= ~RSA_FLAG_BLINDING;
325 rsa->flags |= RSA_FLAG_NO_BLINDING;
326 }
327
328int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
329 {
330 int ret=0;
331
332 if (rsa->blinding != NULL)
333 RSA_blinding_off(rsa);
334
335 rsa->blinding = RSA_setup_blinding(rsa, ctx);
336 if (rsa->blinding == NULL)
337 goto err;
338
339 rsa->flags |= RSA_FLAG_BLINDING;
340 rsa->flags &= ~RSA_FLAG_NO_BLINDING;
341 ret=1;
342err:
343 return(ret);
344 }
345
346static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
347 const BIGNUM *q, BN_CTX *ctx)
348{
349 BIGNUM *ret = NULL, *r0, *r1, *r2;
350
351 if (d == NULL || p == NULL || q == NULL)
352 return NULL;
353
354 BN_CTX_start(ctx);
355 r0 = BN_CTX_get(ctx);
356 r1 = BN_CTX_get(ctx);
357 r2 = BN_CTX_get(ctx);
358 if (r2 == NULL)
359 goto err;
360
361 if (!BN_sub(r1, p, BN_value_one())) goto err;
362 if (!BN_sub(r2, q, BN_value_one())) goto err;
363 if (!BN_mul(r0, r1, r2, ctx)) goto err;
364
365 ret = BN_mod_inverse(NULL, d, r0, ctx);
366err:
367 BN_CTX_end(ctx);
368 return ret;
369}
370
371BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
372{
373 BIGNUM local_n;
374 BIGNUM *e,*n;
375 BN_CTX *ctx;
376 BN_BLINDING *ret = NULL;
377
378 if (in_ctx == NULL)
379 {
380 if ((ctx = BN_CTX_new()) == NULL) return 0;
381 }
382 else
383 ctx = in_ctx;
384
385 BN_CTX_start(ctx);
386 e = BN_CTX_get(ctx);
387 if (e == NULL)
388 {
389 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
390 goto err;
391 }
392
393 if (rsa->e == NULL)
394 {
395 e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
396 if (e == NULL)
397 {
398 RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
399 goto err;
400 }
401 }
402 else
403 e = rsa->e;
404
405
406 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
407 {
408 /* if PRNG is not properly seeded, resort to secret
409 * exponent as unpredictable seed */
410 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
411 }
412
413 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
414 {
415 /* Set BN_FLG_CONSTTIME flag */
416 n = &local_n;
417 BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
418 }
419 else
420 n = rsa->n;
421
422 ret = BN_BLINDING_create_param(NULL, e, n, ctx,
423 rsa->meth->bn_mod_exp, rsa->_method_mod_n);
424 if (ret == NULL)
425 {
426 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
427 goto err;
428 }
429 CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
430err:
431 BN_CTX_end(ctx);
432 if (in_ctx == NULL)
433 BN_CTX_free(ctx);
434 if(rsa->e == NULL)
435 BN_free(e);
436
437 return ret;
438}
439
440int RSA_memory_lock(RSA *r) 290int RSA_memory_lock(RSA *r)
441 { 291 {
442 int i,j,k,off; 292 int i,j,k,off;
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index 18d307ea9e..553d212ebe 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -56,7 +56,8 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
56 seed = to + 1; 56 seed = to + 1;
57 db = to + SHA_DIGEST_LENGTH + 1; 57 db = to + SHA_DIGEST_LENGTH + 1;
58 58
59 EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL); 59 if (!EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL))
60 return 0;
60 memset(db + SHA_DIGEST_LENGTH, 0, 61 memset(db + SHA_DIGEST_LENGTH, 0,
61 emlen - flen - 2 * SHA_DIGEST_LENGTH - 1); 62 emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
62 db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01; 63 db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
@@ -145,7 +146,8 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
145 for (i = 0; i < dblen; i++) 146 for (i = 0; i < dblen; i++)
146 db[i] ^= maskeddb[i]; 147 db[i] ^= maskeddb[i];
147 148
148 EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL); 149 if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL))
150 return -1;
149 151
150 if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) 152 if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
151 goto decoding_err; 153 goto decoding_err;
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index c6892ecd09..5b2ecf56ad 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -63,6 +63,12 @@
63#include <openssl/rsa.h> 63#include <openssl/rsa.h>
64#include <openssl/bn.h> 64#include <openssl/bn.h>
65#include <openssl/evp.h> 65#include <openssl/evp.h>
66#ifndef OPENSSL_NO_CMS
67#include <openssl/cms.h>
68#endif
69#ifdef OPENSSL_FIPS
70#include <openssl/fips.h>
71#endif
66#include "evp_locl.h" 72#include "evp_locl.h"
67#include "rsa_locl.h" 73#include "rsa_locl.h"
68 74
@@ -79,6 +85,8 @@ typedef struct
79 int pad_mode; 85 int pad_mode;
80 /* message digest */ 86 /* message digest */
81 const EVP_MD *md; 87 const EVP_MD *md;
88 /* message digest for MGF1 */
89 const EVP_MD *mgf1md;
82 /* PSS/OAEP salt length */ 90 /* PSS/OAEP salt length */
83 int saltlen; 91 int saltlen;
84 /* Temp buffer */ 92 /* Temp buffer */
@@ -95,6 +103,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
95 rctx->pub_exp = NULL; 103 rctx->pub_exp = NULL;
96 rctx->pad_mode = RSA_PKCS1_PADDING; 104 rctx->pad_mode = RSA_PKCS1_PADDING;
97 rctx->md = NULL; 105 rctx->md = NULL;
106 rctx->mgf1md = NULL;
98 rctx->tbuf = NULL; 107 rctx->tbuf = NULL;
99 108
100 rctx->saltlen = -2; 109 rctx->saltlen = -2;
@@ -147,6 +156,31 @@ static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
147 OPENSSL_free(rctx); 156 OPENSSL_free(rctx);
148 } 157 }
149 } 158 }
159#ifdef OPENSSL_FIPS
160/* FIP checker. Return value indicates status of context parameters:
161 * 1 : redirect to FIPS.
162 * 0 : don't redirect to FIPS.
163 * -1 : illegal operation in FIPS mode.
164 */
165
166static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
167 {
168 RSA_PKEY_CTX *rctx = ctx->data;
169 RSA *rsa = ctx->pkey->pkey.rsa;
170 int rv = -1;
171 if (!FIPS_mode())
172 return 0;
173 if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
174 rv = 0;
175 if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
176 return -1;
177 if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
178 return rv;
179 if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
180 return rv;
181 return 1;
182 }
183#endif
150 184
151static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, 185static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
152 const unsigned char *tbs, size_t tbslen) 186 const unsigned char *tbs, size_t tbslen)
@@ -155,6 +189,15 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
155 RSA_PKEY_CTX *rctx = ctx->data; 189 RSA_PKEY_CTX *rctx = ctx->data;
156 RSA *rsa = ctx->pkey->pkey.rsa; 190 RSA *rsa = ctx->pkey->pkey.rsa;
157 191
192#ifdef OPENSSL_FIPS
193 ret = pkey_fips_check_ctx(ctx);
194 if (ret < 0)
195 {
196 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
197 return -1;
198 }
199#endif
200
158 if (rctx->md) 201 if (rctx->md)
159 { 202 {
160 if (tbslen != (size_t)EVP_MD_size(rctx->md)) 203 if (tbslen != (size_t)EVP_MD_size(rctx->md))
@@ -163,7 +206,36 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
163 RSA_R_INVALID_DIGEST_LENGTH); 206 RSA_R_INVALID_DIGEST_LENGTH);
164 return -1; 207 return -1;
165 } 208 }
166 if (rctx->pad_mode == RSA_X931_PADDING) 209#ifdef OPENSSL_FIPS
210 if (ret > 0)
211 {
212 unsigned int slen;
213 ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
214 rctx->pad_mode,
215 rctx->saltlen,
216 rctx->mgf1md,
217 sig, &slen);
218 if (ret > 0)
219 *siglen = slen;
220 else
221 *siglen = 0;
222 return ret;
223 }
224#endif
225
226 if (EVP_MD_type(rctx->md) == NID_mdc2)
227 {
228 unsigned int sltmp;
229 if (rctx->pad_mode != RSA_PKCS1_PADDING)
230 return -1;
231 ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2,
232 tbs, tbslen, sig, &sltmp, rsa);
233
234 if (ret <= 0)
235 return ret;
236 ret = sltmp;
237 }
238 else if (rctx->pad_mode == RSA_X931_PADDING)
167 { 239 {
168 if (!setup_tbuf(rctx, ctx)) 240 if (!setup_tbuf(rctx, ctx))
169 return -1; 241 return -1;
@@ -186,8 +258,10 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
186 { 258 {
187 if (!setup_tbuf(rctx, ctx)) 259 if (!setup_tbuf(rctx, ctx))
188 return -1; 260 return -1;
189 if (!RSA_padding_add_PKCS1_PSS(rsa, rctx->tbuf, tbs, 261 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
190 rctx->md, rctx->saltlen)) 262 rctx->tbuf, tbs,
263 rctx->md, rctx->mgf1md,
264 rctx->saltlen))
191 return -1; 265 return -1;
192 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, 266 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
193 sig, rsa, RSA_NO_PADDING); 267 sig, rsa, RSA_NO_PADDING);
@@ -269,8 +343,30 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
269 RSA_PKEY_CTX *rctx = ctx->data; 343 RSA_PKEY_CTX *rctx = ctx->data;
270 RSA *rsa = ctx->pkey->pkey.rsa; 344 RSA *rsa = ctx->pkey->pkey.rsa;
271 size_t rslen; 345 size_t rslen;
346#ifdef OPENSSL_FIPS
347 int rv;
348 rv = pkey_fips_check_ctx(ctx);
349 if (rv < 0)
350 {
351 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
352 return -1;
353 }
354#endif
272 if (rctx->md) 355 if (rctx->md)
273 { 356 {
357#ifdef OPENSSL_FIPS
358 if (rv > 0)
359 {
360 return FIPS_rsa_verify_digest(rsa,
361 tbs, tbslen,
362 rctx->md,
363 rctx->pad_mode,
364 rctx->saltlen,
365 rctx->mgf1md,
366 sig, siglen);
367
368 }
369#endif
274 if (rctx->pad_mode == RSA_PKCS1_PADDING) 370 if (rctx->pad_mode == RSA_PKCS1_PADDING)
275 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, 371 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
276 sig, siglen, rsa); 372 sig, siglen, rsa);
@@ -289,7 +385,8 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
289 rsa, RSA_NO_PADDING); 385 rsa, RSA_NO_PADDING);
290 if (ret <= 0) 386 if (ret <= 0)
291 return 0; 387 return 0;
292 ret = RSA_verify_PKCS1_PSS(rsa, tbs, rctx->md, 388 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
389 rctx->md, rctx->mgf1md,
293 rctx->tbuf, rctx->saltlen); 390 rctx->tbuf, rctx->saltlen);
294 if (ret <= 0) 391 if (ret <= 0)
295 return 0; 392 return 0;
@@ -403,15 +500,25 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
403 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 500 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
404 return -2; 501 return -2;
405 502
503 case EVP_PKEY_CTRL_GET_RSA_PADDING:
504 *(int *)p2 = rctx->pad_mode;
505 return 1;
506
406 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: 507 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
407 if (p1 < -2) 508 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
408 return -2;
409 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) 509 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
410 { 510 {
411 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); 511 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
412 return -2; 512 return -2;
413 } 513 }
414 rctx->saltlen = p1; 514 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
515 *(int *)p2 = rctx->saltlen;
516 else
517 {
518 if (p1 < -2)
519 return -2;
520 rctx->saltlen = p1;
521 }
415 return 1; 522 return 1;
416 523
417 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: 524 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
@@ -435,16 +542,45 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
435 rctx->md = p2; 542 rctx->md = p2;
436 return 1; 543 return 1;
437 544
545 case EVP_PKEY_CTRL_RSA_MGF1_MD:
546 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
547 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
548 {
549 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
550 return -2;
551 }
552 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD)
553 {
554 if (rctx->mgf1md)
555 *(const EVP_MD **)p2 = rctx->mgf1md;
556 else
557 *(const EVP_MD **)p2 = rctx->md;
558 }
559 else
560 rctx->mgf1md = p2;
561 return 1;
562
438 case EVP_PKEY_CTRL_DIGESTINIT: 563 case EVP_PKEY_CTRL_DIGESTINIT:
439 case EVP_PKEY_CTRL_PKCS7_ENCRYPT: 564 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
440 case EVP_PKEY_CTRL_PKCS7_DECRYPT: 565 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
441 case EVP_PKEY_CTRL_PKCS7_SIGN: 566 case EVP_PKEY_CTRL_PKCS7_SIGN:
567 return 1;
442#ifndef OPENSSL_NO_CMS 568#ifndef OPENSSL_NO_CMS
443 case EVP_PKEY_CTRL_CMS_ENCRYPT:
444 case EVP_PKEY_CTRL_CMS_DECRYPT: 569 case EVP_PKEY_CTRL_CMS_DECRYPT:
570 {
571 X509_ALGOR *alg = NULL;
572 ASN1_OBJECT *encalg = NULL;
573 if (p2)
574 CMS_RecipientInfo_ktri_get0_algs(p2, NULL, NULL, &alg);
575 if (alg)
576 X509_ALGOR_get0(&encalg, NULL, NULL, alg);
577 if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep)
578 rctx->pad_mode = RSA_PKCS1_OAEP_PADDING;
579 }
580 case EVP_PKEY_CTRL_CMS_ENCRYPT:
445 case EVP_PKEY_CTRL_CMS_SIGN: 581 case EVP_PKEY_CTRL_CMS_SIGN:
446#endif
447 return 1; 582 return 1;
583#endif
448 case EVP_PKEY_CTRL_PEER_KEY: 584 case EVP_PKEY_CTRL_PEER_KEY:
449 RSAerr(RSA_F_PKEY_RSA_CTRL, 585 RSAerr(RSA_F_PKEY_RSA_CTRL,
450 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 586 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
index ac211e2ffe..5f9f533d0c 100644
--- a/src/lib/libcrypto/rsa/rsa_pss.c
+++ b/src/lib/libcrypto/rsa/rsa_pss.c
@@ -73,6 +73,13 @@ static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
73int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, 73int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
74 const EVP_MD *Hash, const unsigned char *EM, int sLen) 74 const EVP_MD *Hash, const unsigned char *EM, int sLen)
75 { 75 {
76 return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
77 }
78
79int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
80 const EVP_MD *Hash, const EVP_MD *mgf1Hash,
81 const unsigned char *EM, int sLen)
82 {
76 int i; 83 int i;
77 int ret = 0; 84 int ret = 0;
78 int hLen, maskedDBLen, MSBits, emLen; 85 int hLen, maskedDBLen, MSBits, emLen;
@@ -80,6 +87,10 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
80 unsigned char *DB = NULL; 87 unsigned char *DB = NULL;
81 EVP_MD_CTX ctx; 88 EVP_MD_CTX ctx;
82 unsigned char H_[EVP_MAX_MD_SIZE]; 89 unsigned char H_[EVP_MAX_MD_SIZE];
90 EVP_MD_CTX_init(&ctx);
91
92 if (mgf1Hash == NULL)
93 mgf1Hash = Hash;
83 94
84 hLen = EVP_MD_size(Hash); 95 hLen = EVP_MD_size(Hash);
85 if (hLen < 0) 96 if (hLen < 0)
@@ -94,7 +105,7 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
94 else if (sLen == -2) sLen = -2; 105 else if (sLen == -2) sLen = -2;
95 else if (sLen < -2) 106 else if (sLen < -2)
96 { 107 {
97 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); 108 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
98 goto err; 109 goto err;
99 } 110 }
100 111
@@ -102,7 +113,7 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
102 emLen = RSA_size(rsa); 113 emLen = RSA_size(rsa);
103 if (EM[0] & (0xFF << MSBits)) 114 if (EM[0] & (0xFF << MSBits))
104 { 115 {
105 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID); 116 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
106 goto err; 117 goto err;
107 } 118 }
108 if (MSBits == 0) 119 if (MSBits == 0)
@@ -112,12 +123,12 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
112 } 123 }
113 if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */ 124 if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
114 { 125 {
115 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE); 126 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
116 goto err; 127 goto err;
117 } 128 }
118 if (EM[emLen - 1] != 0xbc) 129 if (EM[emLen - 1] != 0xbc)
119 { 130 {
120 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID); 131 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
121 goto err; 132 goto err;
122 } 133 }
123 maskedDBLen = emLen - hLen - 1; 134 maskedDBLen = emLen - hLen - 1;
@@ -125,10 +136,10 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
125 DB = OPENSSL_malloc(maskedDBLen); 136 DB = OPENSSL_malloc(maskedDBLen);
126 if (!DB) 137 if (!DB)
127 { 138 {
128 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE); 139 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
129 goto err; 140 goto err;
130 } 141 }
131 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash) < 0) 142 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
132 goto err; 143 goto err;
133 for (i = 0; i < maskedDBLen; i++) 144 for (i = 0; i < maskedDBLen; i++)
134 DB[i] ^= EM[i]; 145 DB[i] ^= EM[i];
@@ -137,25 +148,28 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
137 for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ; 148 for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
138 if (DB[i++] != 0x1) 149 if (DB[i++] != 0x1)
139 { 150 {
140 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED); 151 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
141 goto err; 152 goto err;
142 } 153 }
143 if (sLen >= 0 && (maskedDBLen - i) != sLen) 154 if (sLen >= 0 && (maskedDBLen - i) != sLen)
144 { 155 {
145 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); 156 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
146 goto err; 157 goto err;
147 } 158 }
148 EVP_MD_CTX_init(&ctx); 159 if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
149 EVP_DigestInit_ex(&ctx, Hash, NULL); 160 || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
150 EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); 161 || !EVP_DigestUpdate(&ctx, mHash, hLen))
151 EVP_DigestUpdate(&ctx, mHash, hLen); 162 goto err;
152 if (maskedDBLen - i) 163 if (maskedDBLen - i)
153 EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i); 164 {
154 EVP_DigestFinal(&ctx, H_, NULL); 165 if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
155 EVP_MD_CTX_cleanup(&ctx); 166 goto err;
167 }
168 if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
169 goto err;
156 if (memcmp(H_, H, hLen)) 170 if (memcmp(H_, H, hLen))
157 { 171 {
158 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE); 172 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
159 ret = 0; 173 ret = 0;
160 } 174 }
161 else 175 else
@@ -164,6 +178,7 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
164 err: 178 err:
165 if (DB) 179 if (DB)
166 OPENSSL_free(DB); 180 OPENSSL_free(DB);
181 EVP_MD_CTX_cleanup(&ctx);
167 182
168 return ret; 183 return ret;
169 184
@@ -173,12 +188,22 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
173 const unsigned char *mHash, 188 const unsigned char *mHash,
174 const EVP_MD *Hash, int sLen) 189 const EVP_MD *Hash, int sLen)
175 { 190 {
191 return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
192 }
193
194int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
195 const unsigned char *mHash,
196 const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen)
197 {
176 int i; 198 int i;
177 int ret = 0; 199 int ret = 0;
178 int hLen, maskedDBLen, MSBits, emLen; 200 int hLen, maskedDBLen, MSBits, emLen;
179 unsigned char *H, *salt = NULL, *p; 201 unsigned char *H, *salt = NULL, *p;
180 EVP_MD_CTX ctx; 202 EVP_MD_CTX ctx;
181 203
204 if (mgf1Hash == NULL)
205 mgf1Hash = Hash;
206
182 hLen = EVP_MD_size(Hash); 207 hLen = EVP_MD_size(Hash);
183 if (hLen < 0) 208 if (hLen < 0)
184 goto err; 209 goto err;
@@ -192,7 +217,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
192 else if (sLen == -2) sLen = -2; 217 else if (sLen == -2) sLen = -2;
193 else if (sLen < -2) 218 else if (sLen < -2)
194 { 219 {
195 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); 220 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
196 goto err; 221 goto err;
197 } 222 }
198 223
@@ -209,8 +234,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
209 } 234 }
210 else if (emLen < (hLen + sLen + 2)) 235 else if (emLen < (hLen + sLen + 2))
211 { 236 {
212 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, 237 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
213 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
214 goto err; 238 goto err;
215 } 239 }
216 if (sLen > 0) 240 if (sLen > 0)
@@ -218,8 +242,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
218 salt = OPENSSL_malloc(sLen); 242 salt = OPENSSL_malloc(sLen);
219 if (!salt) 243 if (!salt)
220 { 244 {
221 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, 245 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,ERR_R_MALLOC_FAILURE);
222 ERR_R_MALLOC_FAILURE);
223 goto err; 246 goto err;
224 } 247 }
225 if (RAND_bytes(salt, sLen) <= 0) 248 if (RAND_bytes(salt, sLen) <= 0)
@@ -228,16 +251,18 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
228 maskedDBLen = emLen - hLen - 1; 251 maskedDBLen = emLen - hLen - 1;
229 H = EM + maskedDBLen; 252 H = EM + maskedDBLen;
230 EVP_MD_CTX_init(&ctx); 253 EVP_MD_CTX_init(&ctx);
231 EVP_DigestInit_ex(&ctx, Hash, NULL); 254 if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
232 EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); 255 || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
233 EVP_DigestUpdate(&ctx, mHash, hLen); 256 || !EVP_DigestUpdate(&ctx, mHash, hLen))
234 if (sLen) 257 goto err;
235 EVP_DigestUpdate(&ctx, salt, sLen); 258 if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
236 EVP_DigestFinal(&ctx, H, NULL); 259 goto err;
260 if (!EVP_DigestFinal_ex(&ctx, H, NULL))
261 goto err;
237 EVP_MD_CTX_cleanup(&ctx); 262 EVP_MD_CTX_cleanup(&ctx);
238 263
239 /* Generate dbMask in place then perform XOR on it */ 264 /* Generate dbMask in place then perform XOR on it */
240 if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash)) 265 if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
241 goto err; 266 goto err;
242 267
243 p = EM; 268 p = EM;
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index 0be4ec7fb0..b6f6037ae0 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -77,6 +77,14 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
77 const unsigned char *s = NULL; 77 const unsigned char *s = NULL;
78 X509_ALGOR algor; 78 X509_ALGOR algor;
79 ASN1_OCTET_STRING digest; 79 ASN1_OCTET_STRING digest;
80#ifdef OPENSSL_FIPS
81 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
82 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
83 {
84 RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
85 return 0;
86 }
87#endif
80 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) 88 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
81 { 89 {
82 return rsa->meth->rsa_sign(type, m, m_len, 90 return rsa->meth->rsa_sign(type, m, m_len,
@@ -153,6 +161,15 @@ int int_rsa_verify(int dtype, const unsigned char *m,
153 unsigned char *s; 161 unsigned char *s;
154 X509_SIG *sig=NULL; 162 X509_SIG *sig=NULL;
155 163
164#ifdef OPENSSL_FIPS
165 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
166 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
167 {
168 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_NON_FIPS_RSA_METHOD);
169 return 0;
170 }
171#endif
172
156 if (siglen != (unsigned int)RSA_size(rsa)) 173 if (siglen != (unsigned int)RSA_size(rsa))
157 { 174 {
158 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH); 175 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
@@ -182,6 +199,22 @@ int int_rsa_verify(int dtype, const unsigned char *m,
182 i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING); 199 i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
183 200
184 if (i <= 0) goto err; 201 if (i <= 0) goto err;
202 /* Oddball MDC2 case: signature can be OCTET STRING.
203 * check for correct tag and length octets.
204 */
205 if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10)
206 {
207 if (rm)
208 {
209 memcpy(rm, s + 2, 16);
210 *prm_len = 16;
211 ret = 1;
212 }
213 else if(memcmp(m, s + 2, 16))
214 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
215 else
216 ret = 1;
217 }
185 218
186 /* Special case: SSL signature */ 219 /* Special case: SSL signature */
187 if(dtype == NID_md5_sha1) { 220 if(dtype == NID_md5_sha1) {
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-09 03:31:49 +0000