summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa
diff options
context:
space:
mode:
authordjm <>2008-09-06 12:15:56 +0000
committerdjm <>2008-09-06 12:15:56 +0000
commit5a3c0a05c7f2c5d3c584b7c8d6aec836dd724c80 (patch)
treeaba68249883aa9d2361d92eef69a81d0c4961732 /src/lib/libcrypto/rsa
parentf6198d4d0ab97685dc56be2d48715ed39fcc74b9 (diff)
downloadopenbsd-5a3c0a05c7f2c5d3c584b7c8d6aec836dd724c80.tar.gz
openbsd-5a3c0a05c7f2c5d3c584b7c8d6aec836dd724c80.tar.bz2
openbsd-5a3c0a05c7f2c5d3c584b7c8d6aec836dd724c80.zip
import of OpenSSL 0.9.8h
Diffstat (limited to 'src/lib/libcrypto/rsa')
-rw-r--r--src/lib/libcrypto/rsa/rsa.h96
-rw-r--r--src/lib/libcrypto/rsa/rsa_asn1.c8
-rw-r--r--src/lib/libcrypto/rsa/rsa_chk.c4
-rw-r--r--src/lib/libcrypto/rsa/rsa_depr.c101
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c560
-rw-r--r--src/lib/libcrypto/rsa/rsa_err.c23
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c160
-rw-r--r--src/lib/libcrypto/rsa/rsa_lib.c130
-rw-r--r--src/lib/libcrypto/rsa/rsa_oaep.c38
-rw-r--r--src/lib/libcrypto/rsa/rsa_pss.c10
-rw-r--r--src/lib/libcrypto/rsa/rsa_saos.c3
-rw-r--r--src/lib/libcrypto/rsa/rsa_sign.c21
-rw-r--r--src/lib/libcrypto/rsa/rsa_x931.c2
13 files changed, 768 insertions, 388 deletions
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index 0b639cd37f..6b5e4f8a9a 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -64,25 +64,25 @@
64#ifndef OPENSSL_NO_BIO 64#ifndef OPENSSL_NO_BIO
65#include <openssl/bio.h> 65#include <openssl/bio.h>
66#endif 66#endif
67#include <openssl/bn.h>
68#include <openssl/crypto.h> 67#include <openssl/crypto.h>
69#include <openssl/ossl_typ.h> 68#include <openssl/ossl_typ.h>
69#ifndef OPENSSL_NO_DEPRECATED
70#include <openssl/bn.h>
71#endif
70 72
71#ifdef OPENSSL_NO_RSA 73#ifdef OPENSSL_NO_RSA
72#error RSA is disabled. 74#error RSA is disabled.
73#endif 75#endif
74 76
75#if defined(OPENSSL_FIPS)
76#define FIPS_RSA_SIZE_T int
77#endif
78
79#ifdef __cplusplus 77#ifdef __cplusplus
80extern "C" { 78extern "C" {
81#endif 79#endif
82 80
83typedef struct rsa_st RSA; 81/* Declared already in ossl_typ.h */
82/* typedef struct rsa_st RSA; */
83/* typedef struct rsa_meth_st RSA_METHOD; */
84 84
85typedef struct rsa_meth_st 85struct rsa_meth_st
86 { 86 {
87 const char *name; 87 const char *name;
88 int (*rsa_pub_enc)(int flen,const unsigned char *from, 88 int (*rsa_pub_enc)(int flen,const unsigned char *from,
@@ -97,7 +97,7 @@ typedef struct rsa_meth_st
97 int (*rsa_priv_dec)(int flen,const unsigned char *from, 97 int (*rsa_priv_dec)(int flen,const unsigned char *from,
98 unsigned char *to, 98 unsigned char *to,
99 RSA *rsa,int padding); 99 RSA *rsa,int padding);
100 int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa); /* Can be null */ 100 int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa,BN_CTX *ctx); /* Can be null */
101 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 101 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
102 const BIGNUM *m, BN_CTX *ctx, 102 const BIGNUM *m, BN_CTX *ctx,
103 BN_MONT_CTX *m_ctx); /* Can be null */ 103 BN_MONT_CTX *m_ctx); /* Can be null */
@@ -118,8 +118,12 @@ typedef struct rsa_meth_st
118 int (*rsa_verify)(int dtype, 118 int (*rsa_verify)(int dtype,
119 const unsigned char *m, unsigned int m_length, 119 const unsigned char *m, unsigned int m_length,
120 unsigned char *sigbuf, unsigned int siglen, const RSA *rsa); 120 unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
121 121/* If this callback is NULL, the builtin software RSA key-gen will be used. This
122 } RSA_METHOD; 122 * is for behavioural compatibility whilst the code gets rewired, but one day
123 * it would be nice to assume there are no such things as "builtin software"
124 * implementations. */
125 int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
126 };
123 127
124struct rsa_st 128struct rsa_st
125 { 129 {
@@ -152,8 +156,20 @@ struct rsa_st
152 * NULL */ 156 * NULL */
153 char *bignum_data; 157 char *bignum_data;
154 BN_BLINDING *blinding; 158 BN_BLINDING *blinding;
159 BN_BLINDING *mt_blinding;
155 }; 160 };
156 161
162#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
163# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
164#endif
165
166#ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
167# define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
168#endif
169#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
170# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */
171#endif
172
157#define RSA_3 0x3L 173#define RSA_3 0x3L
158#define RSA_F4 0x10001L 174#define RSA_F4 0x10001L
159 175
@@ -179,13 +195,27 @@ struct rsa_st
179 * default (ignoring RSA_FLAG_BLINDING), 195 * default (ignoring RSA_FLAG_BLINDING),
180 * but other engines might not need it 196 * but other engines might not need it
181 */ 197 */
182#define RSA_FLAG_NO_EXP_CONSTTIME 0x0100 /* new with 0.9.7h; the built-in RSA 198#define RSA_FLAG_NO_CONSTTIME 0x0100 /* new with 0.9.8f; the built-in RSA
199 * implementation now uses constant time
200 * operations by default in private key operations,
201 * e.g., constant time modular exponentiation,
202 * modular inverse without leaking branches,
203 * division without leaking branches. This
204 * flag disables these constant time
205 * operations and results in faster RSA
206 * private key operations.
207 */
208#ifndef OPENSSL_NO_DEPRECATED
209#define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME /* deprecated name for the flag*/
210 /* new with 0.9.7h; the built-in RSA
183 * implementation now uses constant time 211 * implementation now uses constant time
184 * modular exponentiation for secret exponents 212 * modular exponentiation for secret exponents
185 * by default. This flag causes the 213 * by default. This flag causes the
186 * faster variable sliding window method to 214 * faster variable sliding window method to
187 * be used for all exponents. 215 * be used for all exponents.
188 */ 216 */
217#endif
218
189 219
190#define RSA_PKCS1_PADDING 1 220#define RSA_PKCS1_PADDING 1
191#define RSA_SSLV23_PADDING 2 221#define RSA_SSLV23_PADDING 2
@@ -201,18 +231,17 @@ struct rsa_st
201RSA * RSA_new(void); 231RSA * RSA_new(void);
202RSA * RSA_new_method(ENGINE *engine); 232RSA * RSA_new_method(ENGINE *engine);
203int RSA_size(const RSA *); 233int RSA_size(const RSA *);
234
235/* Deprecated version */
236#ifndef OPENSSL_NO_DEPRECATED
204RSA * RSA_generate_key(int bits, unsigned long e,void 237RSA * RSA_generate_key(int bits, unsigned long e,void
205 (*callback)(int,int,void *),void *cb_arg); 238 (*callback)(int,int,void *),void *cb_arg);
239#endif /* !defined(OPENSSL_NO_DEPRECATED) */
240
241/* New version */
242int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
243
206int RSA_check_key(const RSA *); 244int RSA_check_key(const RSA *);
207#ifdef OPENSSL_FIPS
208int RSA_X931_derive(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
209 void (*cb)(int, int, void *), void *cb_arg,
210 const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
211 const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
212 const BIGNUM *e);
213RSA *RSA_X931_generate_key(int bits, const BIGNUM *e,
214 void (*cb)(int,int,void *), void *cb_arg);
215#endif
216 /* next 4 return -1 on error */ 245 /* next 4 return -1 on error */
217int RSA_public_encrypt(int flen, const unsigned char *from, 246int RSA_public_encrypt(int flen, const unsigned char *from,
218 unsigned char *to, RSA *rsa,int padding); 247 unsigned char *to, RSA *rsa,int padding);
@@ -252,11 +281,19 @@ int RSA_print_fp(FILE *fp, const RSA *r,int offset);
252int RSA_print(BIO *bp, const RSA *r,int offset); 281int RSA_print(BIO *bp, const RSA *r,int offset);
253#endif 282#endif
254 283
255int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey); 284int i2d_RSA_NET(const RSA *a, unsigned char **pp,
256RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length, int (*cb)(), int sgckey); 285 int (*cb)(char *buf, int len, const char *prompt, int verify),
286 int sgckey);
287RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
288 int (*cb)(char *buf, int len, const char *prompt, int verify),
289 int sgckey);
257 290
258int i2d_Netscape_RSA(const RSA *a, unsigned char **pp, int (*cb)()); 291int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
259RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length, int (*cb)()); 292 int (*cb)(char *buf, int len, const char *prompt,
293 int verify));
294RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
295 int (*cb)(char *buf, int len, const char *prompt,
296 int verify));
260 297
261/* The following 2 functions sign and verify a X509_SIG ASN1 object 298/* The following 2 functions sign and verify a X509_SIG ASN1 object
262 * inside PKCS#1 padded RSA encryption */ 299 * inside PKCS#1 padded RSA encryption */
@@ -276,6 +313,7 @@ int RSA_verify_ASN1_OCTET_STRING(int type,
276 313
277int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); 314int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
278void RSA_blinding_off(RSA *rsa); 315void RSA_blinding_off(RSA *rsa);
316BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx);
279 317
280int RSA_padding_add_PKCS1_type_1(unsigned char *to,int tlen, 318int RSA_padding_add_PKCS1_type_1(unsigned char *to,int tlen,
281 const unsigned char *f,int fl); 319 const unsigned char *f,int fl);
@@ -331,14 +369,21 @@ void ERR_load_RSA_strings(void);
331 369
332/* Function codes. */ 370/* Function codes. */
333#define RSA_F_MEMORY_LOCK 100 371#define RSA_F_MEMORY_LOCK 100
372#define RSA_F_RSA_BUILTIN_KEYGEN 129
334#define RSA_F_RSA_CHECK_KEY 123 373#define RSA_F_RSA_CHECK_KEY 123
335#define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101 374#define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101
336#define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102 375#define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102
337#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103 376#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
338#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104 377#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104
339#define RSA_F_RSA_GENERATE_KEY 105 378#define RSA_F_RSA_GENERATE_KEY 105
379#define RSA_F_RSA_MEMORY_LOCK 130
340#define RSA_F_RSA_NEW_METHOD 106 380#define RSA_F_RSA_NEW_METHOD 106
341#define RSA_F_RSA_NULL 124 381#define RSA_F_RSA_NULL 124
382#define RSA_F_RSA_NULL_MOD_EXP 131
383#define RSA_F_RSA_NULL_PRIVATE_DECRYPT 132
384#define RSA_F_RSA_NULL_PRIVATE_ENCRYPT 133
385#define RSA_F_RSA_NULL_PUBLIC_DECRYPT 134
386#define RSA_F_RSA_NULL_PUBLIC_ENCRYPT 135
342#define RSA_F_RSA_PADDING_ADD_NONE 107 387#define RSA_F_RSA_PADDING_ADD_NONE 107
343#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121 388#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
344#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125 389#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
@@ -354,6 +399,7 @@ void ERR_load_RSA_strings(void);
354#define RSA_F_RSA_PADDING_CHECK_X931 128 399#define RSA_F_RSA_PADDING_CHECK_X931 128
355#define RSA_F_RSA_PRINT 115 400#define RSA_F_RSA_PRINT 115
356#define RSA_F_RSA_PRINT_FP 116 401#define RSA_F_RSA_PRINT_FP 116
402#define RSA_F_RSA_SETUP_BLINDING 136
357#define RSA_F_RSA_SIGN 117 403#define RSA_F_RSA_SIGN 117
358#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 404#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
359#define RSA_F_RSA_VERIFY 119 405#define RSA_F_RSA_VERIFY 119
@@ -386,6 +432,8 @@ void ERR_load_RSA_strings(void);
386#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126 432#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
387#define RSA_R_KEY_SIZE_TOO_SMALL 120 433#define RSA_R_KEY_SIZE_TOO_SMALL 120
388#define RSA_R_LAST_OCTET_INVALID 134 434#define RSA_R_LAST_OCTET_INVALID 134
435#define RSA_R_MODULUS_TOO_LARGE 105
436#define RSA_R_NO_PUBLIC_EXPONENT 140
389#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 437#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
390#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 438#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
391#define RSA_R_OAEP_DECODING_ERROR 121 439#define RSA_R_OAEP_DECODING_ERROR 121
diff --git a/src/lib/libcrypto/rsa/rsa_asn1.c b/src/lib/libcrypto/rsa/rsa_asn1.c
index 1455a7e0e4..bbbf26d50e 100644
--- a/src/lib/libcrypto/rsa/rsa_asn1.c
+++ b/src/lib/libcrypto/rsa/rsa_asn1.c
@@ -63,10 +63,10 @@
63#include <openssl/asn1t.h> 63#include <openssl/asn1t.h>
64 64
65static ASN1_METHOD method={ 65static ASN1_METHOD method={
66 (int (*)()) i2d_RSAPrivateKey, 66 (I2D_OF(void)) i2d_RSAPrivateKey,
67 (char *(*)())d2i_RSAPrivateKey, 67 (D2I_OF(void)) d2i_RSAPrivateKey,
68 (char *(*)())RSA_new, 68 (void *(*)(void)) RSA_new,
69 (void (*)()) RSA_free}; 69 (void (*)(void *)) RSA_free};
70 70
71ASN1_METHOD *RSAPrivateKey_asn1_meth(void) 71ASN1_METHOD *RSAPrivateKey_asn1_meth(void)
72 { 72 {
diff --git a/src/lib/libcrypto/rsa/rsa_chk.c b/src/lib/libcrypto/rsa/rsa_chk.c
index 002f2cb487..9d848db8c6 100644
--- a/src/lib/libcrypto/rsa/rsa_chk.c
+++ b/src/lib/libcrypto/rsa/rsa_chk.c
@@ -75,7 +75,7 @@ int RSA_check_key(const RSA *key)
75 } 75 }
76 76
77 /* p prime? */ 77 /* p prime? */
78 r = BN_is_prime(key->p, BN_prime_checks, NULL, NULL, NULL); 78 r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
79 if (r != 1) 79 if (r != 1)
80 { 80 {
81 ret = r; 81 ret = r;
@@ -85,7 +85,7 @@ int RSA_check_key(const RSA *key)
85 } 85 }
86 86
87 /* q prime? */ 87 /* q prime? */
88 r = BN_is_prime(key->q, BN_prime_checks, NULL, NULL, NULL); 88 r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
89 if (r != 1) 89 if (r != 1)
90 { 90 {
91 ret = r; 91 ret = r;
diff --git a/src/lib/libcrypto/rsa/rsa_depr.c b/src/lib/libcrypto/rsa/rsa_depr.c
new file mode 100644
index 0000000000..a859ded987
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_depr.c
@@ -0,0 +1,101 @@
1/* crypto/rsa/rsa_depr.c */
2/* ====================================================================
3 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NB: This file contains deprecated functions (compatibility wrappers to the
57 * "new" versions). */
58
59#include <stdio.h>
60#include <time.h>
61#include "cryptlib.h"
62#include <openssl/bn.h>
63#include <openssl/rsa.h>
64
65#ifdef OPENSSL_NO_DEPRECATED
66
67static void *dummy=&dummy;
68
69#else
70
71RSA *RSA_generate_key(int bits, unsigned long e_value,
72 void (*callback)(int,int,void *), void *cb_arg)
73 {
74 BN_GENCB cb;
75 int i;
76 RSA *rsa = RSA_new();
77 BIGNUM *e = BN_new();
78
79 if(!rsa || !e) goto err;
80
81 /* The problem is when building with 8, 16, or 32 BN_ULONG,
82 * unsigned long can be larger */
83 for (i=0; i<(int)sizeof(unsigned long)*8; i++)
84 {
85 if (e_value & (1UL<<i))
86 if (BN_set_bit(e,i) == 0)
87 goto err;
88 }
89
90 BN_GENCB_set_old(&cb, callback, cb_arg);
91
92 if(RSA_generate_key_ex(rsa, bits, e, &cb)) {
93 BN_free(e);
94 return rsa;
95 }
96err:
97 if(e) BN_free(e);
98 if(rsa) RSA_free(rsa);
99 return 0;
100 }
101#endif
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index be4ac96ce3..ffadaab9a4 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -56,7 +56,7 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 * 60 *
61 * Redistribution and use in source and binary forms, with or without 61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions 62 * modification, are permitted provided that the following conditions
@@ -115,7 +115,7 @@
115#include <openssl/rsa.h> 115#include <openssl/rsa.h>
116#include <openssl/rand.h> 116#include <openssl/rand.h>
117 117
118#if !defined(RSA_NULL) && !defined(OPENSSL_FIPS) 118#ifndef RSA_NULL
119 119
120static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 120static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
121 unsigned char *to, RSA *rsa,int padding); 121 unsigned char *to, RSA *rsa,int padding);
@@ -125,7 +125,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
125 unsigned char *to, RSA *rsa,int padding); 125 unsigned char *to, RSA *rsa,int padding);
126static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 126static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
127 unsigned char *to, RSA *rsa,int padding); 127 unsigned char *to, RSA *rsa,int padding);
128static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa); 128static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
129static int RSA_eay_init(RSA *rsa); 129static int RSA_eay_init(RSA *rsa);
130static int RSA_eay_finish(RSA *rsa); 130static int RSA_eay_finish(RSA *rsa);
131static RSA_METHOD rsa_pkcs1_eay_meth={ 131static RSA_METHOD rsa_pkcs1_eay_meth={
@@ -141,7 +141,8 @@ static RSA_METHOD rsa_pkcs1_eay_meth={
141 0, /* flags */ 141 0, /* flags */
142 NULL, 142 NULL,
143 0, /* rsa_sign */ 143 0, /* rsa_sign */
144 0 /* rsa_verify */ 144 0, /* rsa_verify */
145 NULL /* rsa_keygen */
145 }; 146 };
146 147
147const RSA_METHOD *RSA_PKCS1_SSLeay(void) 148const RSA_METHOD *RSA_PKCS1_SSLeay(void)
@@ -149,19 +150,53 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
149 return(&rsa_pkcs1_eay_meth); 150 return(&rsa_pkcs1_eay_meth);
150 } 151 }
151 152
153/* Usage example;
154 * MONT_HELPER(rsa->_method_mod_p, bn_ctx, rsa->p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
155 */
156#define MONT_HELPER(method_mod, ctx, m, pre_cond, err_instr) \
157 if ((pre_cond) && ((method_mod) == NULL) && \
158 !BN_MONT_CTX_set_locked(&(method_mod), \
159 CRYPTO_LOCK_RSA, \
160 (m), (ctx))) \
161 err_instr
162
152static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 163static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
153 unsigned char *to, RSA *rsa, int padding) 164 unsigned char *to, RSA *rsa, int padding)
154 { 165 {
155 BIGNUM f,ret; 166 BIGNUM *f,*ret;
156 int i,j,k,num=0,r= -1; 167 int i,j,k,num=0,r= -1;
157 unsigned char *buf=NULL; 168 unsigned char *buf=NULL;
158 BN_CTX *ctx=NULL; 169 BN_CTX *ctx=NULL;
159 170
160 BN_init(&f); 171 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
161 BN_init(&ret); 172 {
173 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
174 return -1;
175 }
176
177 if (BN_ucmp(rsa->n, rsa->e) <= 0)
178 {
179 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
180 return -1;
181 }
182
183 /* for large moduli, enforce exponent limit */
184 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
185 {
186 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
187 {
188 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
189 return -1;
190 }
191 }
192
162 if ((ctx=BN_CTX_new()) == NULL) goto err; 193 if ((ctx=BN_CTX_new()) == NULL) goto err;
194 BN_CTX_start(ctx);
195 f = BN_CTX_get(ctx);
196 ret = BN_CTX_get(ctx);
163 num=BN_num_bytes(rsa->n); 197 num=BN_num_bytes(rsa->n);
164 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 198 buf = OPENSSL_malloc(num);
199 if (!f || !ret || !buf)
165 { 200 {
166 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 201 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
167 goto err; 202 goto err;
@@ -189,37 +224,34 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
189 } 224 }
190 if (i <= 0) goto err; 225 if (i <= 0) goto err;
191 226
192 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 227 if (BN_bin2bn(buf,num,f) == NULL) goto err;
193 228
194 if (BN_ucmp(&f, rsa->n) >= 0) 229 if (BN_ucmp(f, rsa->n) >= 0)
195 { 230 {
196 /* usually the padding functions would catch this */ 231 /* usually the padding functions would catch this */
197 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 232 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
198 goto err; 233 goto err;
199 } 234 }
200 235
201 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 236 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
202 {
203 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
204 CRYPTO_LOCK_RSA, rsa->n, ctx))
205 goto err;
206 }
207 237
208 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 238 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
209 rsa->_method_mod_n)) goto err; 239 rsa->_method_mod_n)) goto err;
210 240
211 /* put in leading 0 bytes if the number is less than the 241 /* put in leading 0 bytes if the number is less than the
212 * length of the modulus */ 242 * length of the modulus */
213 j=BN_num_bytes(&ret); 243 j=BN_num_bytes(ret);
214 i=BN_bn2bin(&ret,&(to[num-j])); 244 i=BN_bn2bin(ret,&(to[num-j]));
215 for (k=0; k<(num-i); k++) 245 for (k=0; k<(num-i); k++)
216 to[k]=0; 246 to[k]=0;
217 247
218 r=num; 248 r=num;
219err: 249err:
220 if (ctx != NULL) BN_CTX_free(ctx); 250 if (ctx != NULL)
221 BN_clear_free(&f); 251 {
222 BN_clear_free(&ret); 252 BN_CTX_end(ctx);
253 BN_CTX_free(ctx);
254 }
223 if (buf != NULL) 255 if (buf != NULL)
224 { 256 {
225 OPENSSL_cleanse(buf,num); 257 OPENSSL_cleanse(buf,num);
@@ -228,76 +260,115 @@ err:
228 return(r); 260 return(r);
229 } 261 }
230 262
231static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) 263static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
232 { 264{
233 int ret = 1; 265 BN_BLINDING *ret;
234 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 266 int got_write_lock = 0;
235 /* Check again inside the lock - the macro's check is racey */
236 if(rsa->blinding == NULL)
237 ret = RSA_blinding_on(rsa, ctx);
238 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
239 return ret;
240 }
241 267
242#define BLINDING_HELPER(rsa, ctx, err_instr) \ 268 CRYPTO_r_lock(CRYPTO_LOCK_RSA);
243 do { \
244 if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
245 ((rsa)->blinding == NULL) && \
246 !rsa_eay_blinding(rsa, ctx)) \
247 err_instr \
248 } while(0)
249 269
250static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx) 270 if (rsa->blinding == NULL)
251 { 271 {
252 BIGNUM *A, *Ai; 272 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
253 BN_BLINDING *ret = NULL; 273 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
274 got_write_lock = 1;
254 275
255 /* added in OpenSSL 0.9.6j and 0.9.7b */ 276 if (rsa->blinding == NULL)
277 rsa->blinding = RSA_setup_blinding(rsa, ctx);
278 }
256 279
257 /* NB: similar code appears in RSA_blinding_on (rsa_lib.c); 280 ret = rsa->blinding;
258 * this should be placed in a new function of its own, but for reasons 281 if (ret == NULL)
259 * of binary compatibility can't */ 282 goto err;
260 283
261 BN_CTX_start(ctx); 284 if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id())
262 A = BN_CTX_get(ctx);
263 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
264 { 285 {
265 /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ 286 /* rsa->blinding is ours! */
266 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); 287
267 if (!BN_pseudo_rand_range(A,rsa->n)) goto err; 288 *local = 1;
268 } 289 }
269 else 290 else
270 { 291 {
271 if (!BN_rand_range(A,rsa->n)) goto err; 292 /* resort to rsa->mt_blinding instead */
293
294 *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
295 * that the BN_BLINDING is shared, meaning that accesses
296 * require locks, and that the blinding factor must be
297 * stored outside the BN_BLINDING
298 */
299
300 if (rsa->mt_blinding == NULL)
301 {
302 if (!got_write_lock)
303 {
304 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
305 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
306 got_write_lock = 1;
307 }
308
309 if (rsa->mt_blinding == NULL)
310 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
311 }
312 ret = rsa->mt_blinding;
272 } 313 }
273 if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
274 314
275 if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) 315 err:
276 goto err; 316 if (got_write_lock)
277 ret = BN_BLINDING_new(A,Ai,rsa->n); 317 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
278 BN_free(Ai); 318 else
279err: 319 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
280 BN_CTX_end(ctx);
281 return ret; 320 return ret;
282 } 321}
322
323static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f,
324 BIGNUM *r, BN_CTX *ctx)
325{
326 if (local)
327 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
328 else
329 {
330 int ret;
331 CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING);
332 ret = BN_BLINDING_convert_ex(f, r, b, ctx);
333 CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING);
334 return ret;
335 }
336}
337
338static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f,
339 BIGNUM *r, BN_CTX *ctx)
340{
341 if (local)
342 return BN_BLINDING_invert_ex(f, NULL, b, ctx);
343 else
344 {
345 int ret;
346 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
347 ret = BN_BLINDING_invert_ex(f, r, b, ctx);
348 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
349 return ret;
350 }
351}
283 352
284/* signing */ 353/* signing */
285static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 354static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
286 unsigned char *to, RSA *rsa, int padding) 355 unsigned char *to, RSA *rsa, int padding)
287 { 356 {
288 BIGNUM f,ret, *res; 357 BIGNUM *f, *ret, *br, *res;
289 int i,j,k,num=0,r= -1; 358 int i,j,k,num=0,r= -1;
290 unsigned char *buf=NULL; 359 unsigned char *buf=NULL;
291 BN_CTX *ctx=NULL; 360 BN_CTX *ctx=NULL;
292 int local_blinding = 0; 361 int local_blinding = 0;
293 BN_BLINDING *blinding = NULL; 362 BN_BLINDING *blinding = NULL;
294 363
295 BN_init(&f);
296 BN_init(&ret);
297
298 if ((ctx=BN_CTX_new()) == NULL) goto err; 364 if ((ctx=BN_CTX_new()) == NULL) goto err;
299 num=BN_num_bytes(rsa->n); 365 BN_CTX_start(ctx);
300 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 366 f = BN_CTX_get(ctx);
367 br = BN_CTX_get(ctx);
368 ret = BN_CTX_get(ctx);
369 num = BN_num_bytes(rsa->n);
370 buf = OPENSSL_malloc(num);
371 if(!f || !ret || !buf)
301 { 372 {
302 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); 373 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
303 goto err; 374 goto err;
@@ -308,6 +379,9 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
308 case RSA_PKCS1_PADDING: 379 case RSA_PKCS1_PADDING:
309 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 380 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
310 break; 381 break;
382 case RSA_X931_PADDING:
383 i=RSA_padding_add_X931(buf,num,from,flen);
384 break;
311 case RSA_NO_PADDING: 385 case RSA_NO_PADDING:
312 i=RSA_padding_add_none(buf,num,from,flen); 386 i=RSA_padding_add_none(buf,num,from,flen);
313 break; 387 break;
@@ -318,26 +392,18 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
318 } 392 }
319 if (i <= 0) goto err; 393 if (i <= 0) goto err;
320 394
321 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 395 if (BN_bin2bn(buf,num,f) == NULL) goto err;
322 396
323 if (BN_ucmp(&f, rsa->n) >= 0) 397 if (BN_ucmp(f, rsa->n) >= 0)
324 { 398 {
325 /* usually the padding functions would catch this */ 399 /* usually the padding functions would catch this */
326 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 400 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
327 goto err; 401 goto err;
328 } 402 }
329 403
330 BLINDING_HELPER(rsa, ctx, goto err;);
331 blinding = rsa->blinding;
332
333 /* Now unless blinding is disabled, 'blinding' is non-NULL.
334 * But the BN_BLINDING object may be owned by some other thread
335 * (we don't want to keep it constant and we don't want to use
336 * lots of locking to avoid race conditions, so only a single
337 * thread can use it; other threads have to use local blinding
338 * factors) */
339 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 404 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
340 { 405 {
406 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
341 if (blinding == NULL) 407 if (blinding == NULL)
342 { 408 {
343 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 409 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
@@ -346,20 +412,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
346 } 412 }
347 413
348 if (blinding != NULL) 414 if (blinding != NULL)
349 { 415 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
350 if (blinding->thread_id != CRYPTO_thread_id()) 416 goto err;
351 {
352 /* we need a local one-time blinding factor */
353
354 blinding = setup_blinding(rsa, ctx);
355 if (blinding == NULL)
356 goto err;
357 local_blinding = 1;
358 }
359 }
360
361 if (blinding)
362 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
363 417
364 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 418 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
365 ((rsa->p != NULL) && 419 ((rsa->p != NULL) &&
@@ -368,37 +422,42 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
368 (rsa->dmq1 != NULL) && 422 (rsa->dmq1 != NULL) &&
369 (rsa->iqmp != NULL)) ) 423 (rsa->iqmp != NULL)) )
370 { 424 {
371 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; 425 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
372 } 426 }
373 else 427 else
374 { 428 {
375 BIGNUM local_d; 429 BIGNUM local_d;
376 BIGNUM *d = NULL; 430 BIGNUM *d = NULL;
377 431
378 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 432 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
379 { 433 {
380 BN_init(&local_d); 434 BN_init(&local_d);
381 d = &local_d; 435 d = &local_d;
382 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 436 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
383 } 437 }
384 else 438 else
385 d = rsa->d; 439 d= rsa->d;
386 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err; 440
441 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
442
443 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
444 rsa->_method_mod_n)) goto err;
387 } 445 }
388 446
389 if (blinding) 447 if (blinding)
390 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 448 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
449 goto err;
391 450
392 if (padding == RSA_X931_PADDING) 451 if (padding == RSA_X931_PADDING)
393 { 452 {
394 BN_sub(&f, rsa->n, &ret); 453 BN_sub(f, rsa->n, ret);
395 if (BN_cmp(&ret, &f)) 454 if (BN_cmp(ret, f))
396 res = &f; 455 res = f;
397 else 456 else
398 res = &ret; 457 res = ret;
399 } 458 }
400 else 459 else
401 res = &ret; 460 res = ret;
402 461
403 /* put in leading 0 bytes if the number is less than the 462 /* put in leading 0 bytes if the number is less than the
404 * length of the modulus */ 463 * length of the modulus */
@@ -409,11 +468,11 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
409 468
410 r=num; 469 r=num;
411err: 470err:
412 if (ctx != NULL) BN_CTX_free(ctx); 471 if (ctx != NULL)
413 BN_clear_free(&ret); 472 {
414 BN_clear_free(&f); 473 BN_CTX_end(ctx);
415 if (local_blinding) 474 BN_CTX_free(ctx);
416 BN_BLINDING_free(blinding); 475 }
417 if (buf != NULL) 476 if (buf != NULL)
418 { 477 {
419 OPENSSL_cleanse(buf,num); 478 OPENSSL_cleanse(buf,num);
@@ -425,7 +484,7 @@ err:
425static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 484static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
426 unsigned char *to, RSA *rsa, int padding) 485 unsigned char *to, RSA *rsa, int padding)
427 { 486 {
428 BIGNUM f,ret; 487 BIGNUM *f, *ret, *br;
429 int j,num=0,r= -1; 488 int j,num=0,r= -1;
430 unsigned char *p; 489 unsigned char *p;
431 unsigned char *buf=NULL; 490 unsigned char *buf=NULL;
@@ -433,14 +492,14 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
433 int local_blinding = 0; 492 int local_blinding = 0;
434 BN_BLINDING *blinding = NULL; 493 BN_BLINDING *blinding = NULL;
435 494
436 BN_init(&f); 495 if((ctx = BN_CTX_new()) == NULL) goto err;
437 BN_init(&ret); 496 BN_CTX_start(ctx);
438 ctx=BN_CTX_new(); 497 f = BN_CTX_get(ctx);
439 if (ctx == NULL) goto err; 498 br = BN_CTX_get(ctx);
440 499 ret = BN_CTX_get(ctx);
441 num=BN_num_bytes(rsa->n); 500 num = BN_num_bytes(rsa->n);
442 501 buf = OPENSSL_malloc(num);
443 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 502 if(!f || !ret || !buf)
444 { 503 {
445 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); 504 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
446 goto err; 505 goto err;
@@ -455,25 +514,17 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
455 } 514 }
456 515
457 /* make data into a big number */ 516 /* make data into a big number */
458 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err; 517 if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;
459 518
460 if (BN_ucmp(&f, rsa->n) >= 0) 519 if (BN_ucmp(f, rsa->n) >= 0)
461 { 520 {
462 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 521 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
463 goto err; 522 goto err;
464 } 523 }
465 524
466 BLINDING_HELPER(rsa, ctx, goto err;);
467 blinding = rsa->blinding;
468
469 /* Now unless blinding is disabled, 'blinding' is non-NULL.
470 * But the BN_BLINDING object may be owned by some other thread
471 * (we don't want to keep it constant and we don't want to use
472 * lots of locking to avoid race conditions, so only a single
473 * thread can use it; other threads have to use local blinding
474 * factors) */
475 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 525 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
476 { 526 {
527 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
477 if (blinding == NULL) 528 if (blinding == NULL)
478 { 529 {
479 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 530 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
@@ -482,20 +533,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
482 } 533 }
483 534
484 if (blinding != NULL) 535 if (blinding != NULL)
485 { 536 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
486 if (blinding->thread_id != CRYPTO_thread_id()) 537 goto err;
487 {
488 /* we need a local one-time blinding factor */
489
490 blinding = setup_blinding(rsa, ctx);
491 if (blinding == NULL)
492 goto err;
493 local_blinding = 1;
494 }
495 }
496
497 if (blinding)
498 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
499 538
500 /* do the decrypt */ 539 /* do the decrypt */
501 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 540 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -505,29 +544,33 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
505 (rsa->dmq1 != NULL) && 544 (rsa->dmq1 != NULL) &&
506 (rsa->iqmp != NULL)) ) 545 (rsa->iqmp != NULL)) )
507 { 546 {
508 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; 547 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
509 } 548 }
510 else 549 else
511 { 550 {
512 BIGNUM local_d; 551 BIGNUM local_d;
513 BIGNUM *d = NULL; 552 BIGNUM *d = NULL;
514 553
515 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 554 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
516 { 555 {
517 d = &local_d; 556 d = &local_d;
518 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 557 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
519 } 558 }
520 else 559 else
521 d = rsa->d; 560 d = rsa->d;
522 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) 561
523 goto err; 562 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
563 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
564 rsa->_method_mod_n))
565 goto err;
524 } 566 }
525 567
526 if (blinding) 568 if (blinding)
527 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 569 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
570 goto err;
528 571
529 p=buf; 572 p=buf;
530 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ 573 j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */
531 574
532 switch (padding) 575 switch (padding)
533 { 576 {
@@ -553,11 +596,11 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
553 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 596 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
554 597
555err: 598err:
556 if (ctx != NULL) BN_CTX_free(ctx); 599 if (ctx != NULL)
557 BN_clear_free(&f); 600 {
558 BN_clear_free(&ret); 601 BN_CTX_end(ctx);
559 if (local_blinding) 602 BN_CTX_free(ctx);
560 BN_BLINDING_free(blinding); 603 }
561 if (buf != NULL) 604 if (buf != NULL)
562 { 605 {
563 OPENSSL_cleanse(buf,num); 606 OPENSSL_cleanse(buf,num);
@@ -570,20 +613,41 @@ err:
570static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 613static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
571 unsigned char *to, RSA *rsa, int padding) 614 unsigned char *to, RSA *rsa, int padding)
572 { 615 {
573 BIGNUM f,ret; 616 BIGNUM *f,*ret;
574 int i,num=0,r= -1; 617 int i,num=0,r= -1;
575 unsigned char *p; 618 unsigned char *p;
576 unsigned char *buf=NULL; 619 unsigned char *buf=NULL;
577 BN_CTX *ctx=NULL; 620 BN_CTX *ctx=NULL;
578 621
579 BN_init(&f); 622 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
580 BN_init(&ret); 623 {
581 ctx=BN_CTX_new(); 624 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
582 if (ctx == NULL) goto err; 625 return -1;
626 }
583 627
628 if (BN_ucmp(rsa->n, rsa->e) <= 0)
629 {
630 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
631 return -1;
632 }
633
634 /* for large moduli, enforce exponent limit */
635 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
636 {
637 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
638 {
639 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
640 return -1;
641 }
642 }
643
644 if((ctx = BN_CTX_new()) == NULL) goto err;
645 BN_CTX_start(ctx);
646 f = BN_CTX_get(ctx);
647 ret = BN_CTX_get(ctx);
584 num=BN_num_bytes(rsa->n); 648 num=BN_num_bytes(rsa->n);
585 buf=(unsigned char *)OPENSSL_malloc(num); 649 buf = OPENSSL_malloc(num);
586 if (buf == NULL) 650 if(!f || !ret || !buf)
587 { 651 {
588 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); 652 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
589 goto err; 653 goto err;
@@ -597,37 +661,33 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
597 goto err; 661 goto err;
598 } 662 }
599 663
600 if (BN_bin2bn(from,flen,&f) == NULL) goto err; 664 if (BN_bin2bn(from,flen,f) == NULL) goto err;
601 665
602 if (BN_ucmp(&f, rsa->n) >= 0) 666 if (BN_ucmp(f, rsa->n) >= 0)
603 { 667 {
604 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 668 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
605 goto err; 669 goto err;
606 } 670 }
607 671
608 /* do the decrypt */ 672 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
609
610 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
611 {
612 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
613 CRYPTO_LOCK_RSA, rsa->n, ctx))
614 goto err;
615 }
616 673
617 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 674 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
618 rsa->_method_mod_n)) goto err; 675 rsa->_method_mod_n)) goto err;
619 676
620 if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12)) 677 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
621 BN_sub(&ret, rsa->n, &ret); 678 BN_sub(ret, rsa->n, ret);
622 679
623 p=buf; 680 p=buf;
624 i=BN_bn2bin(&ret,p); 681 i=BN_bn2bin(ret,p);
625 682
626 switch (padding) 683 switch (padding)
627 { 684 {
628 case RSA_PKCS1_PADDING: 685 case RSA_PKCS1_PADDING:
629 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 686 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
630 break; 687 break;
688 case RSA_X931_PADDING:
689 r=RSA_padding_check_X931(to,num,buf,i,num);
690 break;
631 case RSA_NO_PADDING: 691 case RSA_NO_PADDING:
632 r=RSA_padding_check_none(to,num,buf,i,num); 692 r=RSA_padding_check_none(to,num,buf,i,num);
633 break; 693 break;
@@ -639,9 +699,11 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
639 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 699 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
640 700
641err: 701err:
642 if (ctx != NULL) BN_CTX_free(ctx); 702 if (ctx != NULL)
643 BN_clear_free(&f); 703 {
644 BN_clear_free(&ret); 704 BN_CTX_end(ctx);
705 BN_CTX_free(ctx);
706 }
645 if (buf != NULL) 707 if (buf != NULL)
646 { 708 {
647 OPENSSL_cleanse(buf,num); 709 OPENSSL_cleanse(buf,num);
@@ -650,59 +712,111 @@ err:
650 return(r); 712 return(r);
651 } 713 }
652 714
653static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) 715static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
654 { 716 {
655 BIGNUM r1,m1,vrfy; 717 BIGNUM *r1,*m1,*vrfy;
656 BIGNUM local_dmp1, local_dmq1; 718 BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
657 BIGNUM *dmp1, *dmq1; 719 BIGNUM *dmp1,*dmq1,*c,*pr1;
658 int ret=0; 720 int ret=0;
659 BN_CTX *ctx;
660 721
661 BN_init(&m1); 722 BN_CTX_start(ctx);
662 BN_init(&r1); 723 r1 = BN_CTX_get(ctx);
663 BN_init(&vrfy); 724 m1 = BN_CTX_get(ctx);
664 if ((ctx=BN_CTX_new()) == NULL) goto err; 725 vrfy = BN_CTX_get(ctx);
726
727 {
728 BIGNUM local_p, local_q;
729 BIGNUM *p = NULL, *q = NULL;
730
731 /* Make sure BN_mod_inverse in Montgomery intialization uses the
732 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
733 */
734 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
735 {
736 BN_init(&local_p);
737 p = &local_p;
738 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
739
740 BN_init(&local_q);
741 q = &local_q;
742 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
743 }
744 else
745 {
746 p = rsa->p;
747 q = rsa->q;
748 }
749
750 MONT_HELPER(rsa->_method_mod_p, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
751 MONT_HELPER(rsa->_method_mod_q, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
752 }
753
754 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
665 755
666 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 756 /* compute I mod q */
757 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
667 { 758 {
668 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 759 c = &local_c;
669 CRYPTO_LOCK_RSA, rsa->p, ctx)) 760 BN_with_flags(c, I, BN_FLG_CONSTTIME);
670 goto err; 761 if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
671 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 762 }
672 CRYPTO_LOCK_RSA, rsa->q, ctx)) 763 else
673 goto err; 764 {
765 if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
674 } 766 }
675 767
676 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; 768 /* compute r1^dmq1 mod q */
677 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 769 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
678 { 770 {
679 dmq1 = &local_dmq1; 771 dmq1 = &local_dmq1;
680 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME); 772 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
681 } 773 }
682 else 774 else
683 dmq1 = rsa->dmq1; 775 dmq1 = rsa->dmq1;
684 if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx, 776 if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
685 rsa->_method_mod_q)) goto err; 777 rsa->_method_mod_q)) goto err;
686 778
687 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; 779 /* compute I mod p */
688 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 780 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
781 {
782 c = &local_c;
783 BN_with_flags(c, I, BN_FLG_CONSTTIME);
784 if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
785 }
786 else
787 {
788 if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
789 }
790
791 /* compute r1^dmp1 mod p */
792 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
689 { 793 {
690 dmp1 = &local_dmp1; 794 dmp1 = &local_dmp1;
691 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME); 795 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
692 } 796 }
693 else 797 else
694 dmp1 = rsa->dmp1; 798 dmp1 = rsa->dmp1;
695 if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx, 799 if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
696 rsa->_method_mod_p)) goto err; 800 rsa->_method_mod_p)) goto err;
697 801
698 if (!BN_sub(r0,r0,&m1)) goto err; 802 if (!BN_sub(r0,r0,m1)) goto err;
699 /* This will help stop the size of r0 increasing, which does 803 /* This will help stop the size of r0 increasing, which does
700 * affect the multiply if it optimised for a power of 2 size */ 804 * affect the multiply if it optimised for a power of 2 size */
701 if (r0->neg) 805 if (BN_is_negative(r0))
702 if (!BN_add(r0,r0,rsa->p)) goto err; 806 if (!BN_add(r0,r0,rsa->p)) goto err;
703 807
704 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err; 808 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
705 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err; 809
810 /* Turn BN_FLG_CONSTTIME flag on before division operation */
811 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
812 {
813 pr1 = &local_r1;
814 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
815 }
816 else
817 pr1 = r1;
818 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
819
706 /* If p < q it is occasionally possible for the correction of 820 /* If p < q it is occasionally possible for the correction of
707 * adding 'p' if r0 is negative above to leave the result still 821 * adding 'p' if r0 is negative above to leave the result still
708 * negative. This can break the private key operations: the following 822 * negative. This can break the private key operations: the following
@@ -710,23 +824,23 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
710 * This will *never* happen with OpenSSL generated keys because 824 * This will *never* happen with OpenSSL generated keys because
711 * they ensure p > q [steve] 825 * they ensure p > q [steve]
712 */ 826 */
713 if (r0->neg) 827 if (BN_is_negative(r0))
714 if (!BN_add(r0,r0,rsa->p)) goto err; 828 if (!BN_add(r0,r0,rsa->p)) goto err;
715 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; 829 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
716 if (!BN_add(r0,&r1,&m1)) goto err; 830 if (!BN_add(r0,r1,m1)) goto err;
717 831
718 if (rsa->e && rsa->n) 832 if (rsa->e && rsa->n)
719 { 833 {
720 if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; 834 if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
721 /* If 'I' was greater than (or equal to) rsa->n, the operation 835 /* If 'I' was greater than (or equal to) rsa->n, the operation
722 * will be equivalent to using 'I mod n'. However, the result of 836 * will be equivalent to using 'I mod n'. However, the result of
723 * the verify will *always* be less than 'n' so we don't check 837 * the verify will *always* be less than 'n' so we don't check
724 * for absolute equality, just congruency. */ 838 * for absolute equality, just congruency. */
725 if (!BN_sub(&vrfy, &vrfy, I)) goto err; 839 if (!BN_sub(vrfy, vrfy, I)) goto err;
726 if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err; 840 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
727 if (vrfy.neg) 841 if (BN_is_negative(vrfy))
728 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; 842 if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
729 if (!BN_is_zero(&vrfy)) 843 if (!BN_is_zero(vrfy))
730 { 844 {
731 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 845 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
732 * miscalculated CRT output, just do a raw (slower) 846 * miscalculated CRT output, just do a raw (slower)
@@ -735,22 +849,20 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
735 BIGNUM local_d; 849 BIGNUM local_d;
736 BIGNUM *d = NULL; 850 BIGNUM *d = NULL;
737 851
738 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 852 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
739 { 853 {
740 d = &local_d; 854 d = &local_d;
741 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 855 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
742 } 856 }
743 else 857 else
744 d = rsa->d; 858 d = rsa->d;
745 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err; 859 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
860 rsa->_method_mod_n)) goto err;
746 } 861 }
747 } 862 }
748 ret=1; 863 ret=1;
749err: 864err:
750 BN_clear_free(&m1); 865 BN_CTX_end(ctx);
751 BN_clear_free(&r1);
752 BN_clear_free(&vrfy);
753 BN_CTX_free(ctx);
754 return(ret); 866 return(ret);
755 } 867 }
756 868
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
index 2ec4b30ff7..fe3ba1b44b 100644
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -71,14 +71,21 @@
71static ERR_STRING_DATA RSA_str_functs[]= 71static ERR_STRING_DATA RSA_str_functs[]=
72 { 72 {
73{ERR_FUNC(RSA_F_MEMORY_LOCK), "MEMORY_LOCK"}, 73{ERR_FUNC(RSA_F_MEMORY_LOCK), "MEMORY_LOCK"},
74{ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"},
74{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"}, 75{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
75{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"}, 76{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"},
76{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"}, 77{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"},
77{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"}, 78{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"},
78{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"}, 79{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"},
79{ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"}, 80{ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"},
81{ERR_FUNC(RSA_F_RSA_MEMORY_LOCK), "RSA_memory_lock"},
80{ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"}, 82{ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"},
81{ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"}, 83{ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"},
84{ERR_FUNC(RSA_F_RSA_NULL_MOD_EXP), "RSA_NULL_MOD_EXP"},
85{ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_DECRYPT), "RSA_NULL_PRIVATE_DECRYPT"},
86{ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_ENCRYPT), "RSA_NULL_PRIVATE_ENCRYPT"},
87{ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_DECRYPT), "RSA_NULL_PUBLIC_DECRYPT"},
88{ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_ENCRYPT), "RSA_NULL_PUBLIC_ENCRYPT"},
82{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"}, 89{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"},
83{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"}, 90{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"},
84{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"}, 91{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"},
@@ -94,6 +101,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
94{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"}, 101{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"},
95{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"}, 102{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"},
96{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"}, 103{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
104{ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
97{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, 105{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
98{ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"}, 106{ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"},
99{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"}, 107{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
@@ -129,20 +137,22 @@ static ERR_STRING_DATA RSA_str_reasons[]=
129{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"}, 137{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
130{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"}, 138{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
131{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"}, 139{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"},
140{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
141{ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) ,"no public exponent"},
132{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"}, 142{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
133{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"}, 143{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
134{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"}, 144{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
135{ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) ,"salt length recovery failed"},
136{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"}, 145{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
137{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, 146{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
138{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"}, 147{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"},
139{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"}, 148{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
149{ERR_REASON(RSA_R_SLEN_CHECK_FAILED) ,"salt length check failed"},
150{ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) ,"salt length recovery failed"},
140{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"}, 151{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"},
141{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"}, 152{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
142{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"}, 153{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"},
143{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) ,"unknown padding type"}, 154{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) ,"unknown padding type"},
144{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"}, 155{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
145{ERR_REASON(RSA_R_SLEN_CHECK_FAILED) ,"salt length check failed"},
146{0,NULL} 156{0,NULL}
147 }; 157 };
148 158
@@ -150,15 +160,12 @@ static ERR_STRING_DATA RSA_str_reasons[]=
150 160
151void ERR_load_RSA_strings(void) 161void ERR_load_RSA_strings(void)
152 { 162 {
153 static int init=1; 163#ifndef OPENSSL_NO_ERR
154 164
155 if (init) 165 if (ERR_func_error_string(RSA_str_functs[0].error) == NULL)
156 { 166 {
157 init=0;
158#ifndef OPENSSL_NO_ERR
159 ERR_load_strings(0,RSA_str_functs); 167 ERR_load_strings(0,RSA_str_functs);
160 ERR_load_strings(0,RSA_str_reasons); 168 ERR_load_strings(0,RSA_str_reasons);
161#endif
162
163 } 169 }
170#endif
164 } 171 }
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index dd1422cc98..767f7ab682 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -56,26 +56,42 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58 58
59
60/* NB: these functions have been "upgraded", the deprecated versions (which are
61 * compatibility wrappers using these functions) are in rsa_depr.c.
62 * - Geoff
63 */
64
59#include <stdio.h> 65#include <stdio.h>
60#include <time.h> 66#include <time.h>
61#include "cryptlib.h" 67#include "cryptlib.h"
62#include <openssl/bn.h> 68#include <openssl/bn.h>
63#include <openssl/rsa.h> 69#include <openssl/rsa.h>
64 70
65#ifndef OPENSSL_FIPS 71static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
66 72
67RSA *RSA_generate_key(int bits, unsigned long e_value, 73/* NB: this wrapper would normally be placed in rsa_lib.c and the static
68 void (*callback)(int,int,void *), void *cb_arg) 74 * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so
75 * that we don't introduce a new linker dependency. Eg. any application that
76 * wasn't previously linking object code related to key-generation won't have to
77 * now just because key-generation is part of RSA_METHOD. */
78int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
79 {
80 if(rsa->meth->rsa_keygen)
81 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
82 return rsa_builtin_keygen(rsa, bits, e_value, cb);
83 }
84
85static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
69 { 86 {
70 RSA *rsa=NULL;
71 BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp; 87 BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
72 int bitsp,bitsq,ok= -1,n=0,i; 88 BIGNUM local_r0,local_d,local_p;
73 BN_CTX *ctx=NULL,*ctx2=NULL; 89 BIGNUM *pr0,*d,*p;
90 int bitsp,bitsq,ok= -1,n=0;
91 BN_CTX *ctx=NULL;
74 92
75 ctx=BN_CTX_new(); 93 ctx=BN_CTX_new();
76 if (ctx == NULL) goto err; 94 if (ctx == NULL) goto err;
77 ctx2=BN_CTX_new();
78 if (ctx2 == NULL) goto err;
79 BN_CTX_start(ctx); 95 BN_CTX_start(ctx);
80 r0 = BN_CTX_get(ctx); 96 r0 = BN_CTX_get(ctx);
81 r1 = BN_CTX_get(ctx); 97 r1 = BN_CTX_get(ctx);
@@ -85,49 +101,58 @@ RSA *RSA_generate_key(int bits, unsigned long e_value,
85 101
86 bitsp=(bits+1)/2; 102 bitsp=(bits+1)/2;
87 bitsq=bits-bitsp; 103 bitsq=bits-bitsp;
88 rsa=RSA_new();
89 if (rsa == NULL) goto err;
90 104
91 /* set e */ 105 /* We need the RSA components non-NULL */
92 rsa->e=BN_new(); 106 if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err;
93 if (rsa->e == NULL) goto err; 107 if(!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err;
108 if(!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err;
109 if(!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err;
110 if(!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err;
111 if(!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err;
112 if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err;
113 if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err;
94 114
95#if 1 115 BN_copy(rsa->e, e_value);
96 /* The problem is when building with 8, 16, or 32 BN_ULONG,
97 * unsigned long can be larger */
98 for (i=0; i<sizeof(unsigned long)*8; i++)
99 {
100 if (e_value & (1UL<<i))
101 BN_set_bit(rsa->e,i);
102 }
103#else
104 if (!BN_set_word(rsa->e,e_value)) goto err;
105#endif
106 116
107 /* generate p and q */ 117 /* generate p and q */
108 for (;;) 118 for (;;)
109 { 119 {
110 rsa->p=BN_generate_prime(NULL,bitsp,0,NULL,NULL,callback,cb_arg); 120 if(!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
111 if (rsa->p == NULL) goto err; 121 goto err;
112 if (!BN_sub(r2,rsa->p,BN_value_one())) goto err; 122 if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
113 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err; 123 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
114 if (BN_is_one(r1)) break; 124 if (BN_is_one(r1)) break;
115 if (callback != NULL) callback(2,n++,cb_arg); 125 if(!BN_GENCB_call(cb, 2, n++))
116 BN_free(rsa->p); 126 goto err;
117 } 127 }
118 if (callback != NULL) callback(3,0,cb_arg); 128 if(!BN_GENCB_call(cb, 3, 0))
129 goto err;
119 for (;;) 130 for (;;)
120 { 131 {
121 rsa->q=BN_generate_prime(NULL,bitsq,0,NULL,NULL,callback,cb_arg); 132 /* When generating ridiculously small keys, we can get stuck
122 if (rsa->q == NULL) goto err; 133 * continually regenerating the same prime values. Check for
134 * this and bail if it happens 3 times. */
135 unsigned int degenerate = 0;
136 do
137 {
138 if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
139 goto err;
140 } while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
141 if(degenerate == 3)
142 {
143 ok = 0; /* we set our own err */
144 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL);
145 goto err;
146 }
123 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; 147 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
124 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err; 148 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
125 if (BN_is_one(r1) && (BN_cmp(rsa->p,rsa->q) != 0)) 149 if (BN_is_one(r1))
126 break; 150 break;
127 if (callback != NULL) callback(2,n++,cb_arg); 151 if(!BN_GENCB_call(cb, 2, n++))
128 BN_free(rsa->q); 152 goto err;
129 } 153 }
130 if (callback != NULL) callback(3,1,cb_arg); 154 if(!BN_GENCB_call(cb, 3, 1))
155 goto err;
131 if (BN_cmp(rsa->p,rsa->q) < 0) 156 if (BN_cmp(rsa->p,rsa->q) < 0)
132 { 157 {
133 tmp=rsa->p; 158 tmp=rsa->p;
@@ -136,66 +161,59 @@ RSA *RSA_generate_key(int bits, unsigned long e_value,
136 } 161 }
137 162
138 /* calculate n */ 163 /* calculate n */
139 rsa->n=BN_new();
140 if (rsa->n == NULL) goto err;
141 if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err; 164 if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
142 165
143 /* calculate d */ 166 /* calculate d */
144 if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */ 167 if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */
145 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */ 168 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */
146 if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */ 169 if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */
147 170 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
148/* should not be needed, since gcd(p-1,e) == 1 and gcd(q-1,e) == 1 */
149/* for (;;)
150 { 171 {
151 if (!BN_gcd(r3,r0,rsa->e,ctx)) goto err; 172 pr0 = &local_r0;
152 if (BN_is_one(r3)) break; 173 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
174 }
175 else
176 pr0 = r0;
177 if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err; /* d */
153 178
154 if (1) 179 /* set up d for correct BN_FLG_CONSTTIME flag */
155 { 180 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
156 if (!BN_add_word(rsa->e,2L)) goto err; 181 {
157 continue; 182 d = &local_d;
158 } 183 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
159 RSAerr(RSA_F_RSA_GENERATE_KEY,RSA_R_BAD_E_VALUE);
160 goto err;
161 } 184 }
162*/ 185 else
163 rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */ 186 d = rsa->d;
164 if (rsa->d == NULL) goto err;
165 187
166 /* calculate d mod (p-1) */ 188 /* calculate d mod (p-1) */
167 rsa->dmp1=BN_new(); 189 if (!BN_mod(rsa->dmp1,d,r1,ctx)) goto err;
168 if (rsa->dmp1 == NULL) goto err;
169 if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx)) goto err;
170 190
171 /* calculate d mod (q-1) */ 191 /* calculate d mod (q-1) */
172 rsa->dmq1=BN_new(); 192 if (!BN_mod(rsa->dmq1,d,r2,ctx)) goto err;
173 if (rsa->dmq1 == NULL) goto err;
174 if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx)) goto err;
175 193
176 /* calculate inverse of q mod p */ 194 /* calculate inverse of q mod p */
177 rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2); 195 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
178 if (rsa->iqmp == NULL) goto err; 196 {
197 p = &local_p;
198 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
199 }
200 else
201 p = rsa->p;
202 if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
179 203
180 ok=1; 204 ok=1;
181err: 205err:
182 if (ok == -1) 206 if (ok == -1)
183 { 207 {
184 RSAerr(RSA_F_RSA_GENERATE_KEY,ERR_LIB_BN); 208 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN);
185 ok=0; 209 ok=0;
186 } 210 }
187 if (ctx != NULL) 211 if (ctx != NULL)
188 BN_CTX_end(ctx);
189 BN_CTX_free(ctx);
190 BN_CTX_free(ctx2);
191
192 if (!ok)
193 { 212 {
194 if (rsa != NULL) RSA_free(rsa); 213 BN_CTX_end(ctx);
195 return(NULL); 214 BN_CTX_free(ctx);
196 } 215 }
197 else 216
198 return(rsa); 217 return ok;
199 } 218 }
200 219
201#endif
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index e4d622851e..104aa4c1f2 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -67,7 +67,7 @@
67#include <openssl/engine.h> 67#include <openssl/engine.h>
68#endif 68#endif
69 69
70const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT; 70const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;
71 71
72static const RSA_METHOD *default_RSA_meth=NULL; 72static const RSA_METHOD *default_RSA_meth=NULL;
73 73
@@ -179,6 +179,7 @@ RSA *RSA_new_method(ENGINE *engine)
179 ret->_method_mod_p=NULL; 179 ret->_method_mod_p=NULL;
180 ret->_method_mod_q=NULL; 180 ret->_method_mod_q=NULL;
181 ret->blinding=NULL; 181 ret->blinding=NULL;
182 ret->mt_blinding=NULL;
182 ret->bignum_data=NULL; 183 ret->bignum_data=NULL;
183 ret->flags=ret->meth->flags; 184 ret->flags=ret->meth->flags;
184 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); 185 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
@@ -232,6 +233,7 @@ void RSA_free(RSA *r)
232 if (r->dmq1 != NULL) BN_clear_free(r->dmq1); 233 if (r->dmq1 != NULL) BN_clear_free(r->dmq1);
233 if (r->iqmp != NULL) BN_clear_free(r->iqmp); 234 if (r->iqmp != NULL) BN_clear_free(r->iqmp);
234 if (r->blinding != NULL) BN_BLINDING_free(r->blinding); 235 if (r->blinding != NULL) BN_BLINDING_free(r->blinding);
236 if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding);
235 if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data); 237 if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data);
236 OPENSSL_free(r); 238 OPENSSL_free(r);
237 } 239 }
@@ -314,59 +316,117 @@ void RSA_blinding_off(RSA *rsa)
314 rsa->flags |= RSA_FLAG_NO_BLINDING; 316 rsa->flags |= RSA_FLAG_NO_BLINDING;
315 } 317 }
316 318
317int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) 319int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
318 { 320 {
319 BIGNUM *A,*Ai = NULL;
320 BN_CTX *ctx;
321 int ret=0; 321 int ret=0;
322 322
323 if (p_ctx == NULL) 323 if (rsa->blinding != NULL)
324 RSA_blinding_off(rsa);
325
326 rsa->blinding = RSA_setup_blinding(rsa, ctx);
327 if (rsa->blinding == NULL)
328 goto err;
329
330 rsa->flags |= RSA_FLAG_BLINDING;
331 rsa->flags &= ~RSA_FLAG_NO_BLINDING;
332 ret=1;
333err:
334 return(ret);
335 }
336
337static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
338 const BIGNUM *q, BN_CTX *ctx)
339{
340 BIGNUM *ret = NULL, *r0, *r1, *r2;
341
342 if (d == NULL || p == NULL || q == NULL)
343 return NULL;
344
345 BN_CTX_start(ctx);
346 r0 = BN_CTX_get(ctx);
347 r1 = BN_CTX_get(ctx);
348 r2 = BN_CTX_get(ctx);
349 if (r2 == NULL)
350 goto err;
351
352 if (!BN_sub(r1, p, BN_value_one())) goto err;
353 if (!BN_sub(r2, q, BN_value_one())) goto err;
354 if (!BN_mul(r0, r1, r2, ctx)) goto err;
355
356 ret = BN_mod_inverse(NULL, d, r0, ctx);
357err:
358 BN_CTX_end(ctx);
359 return ret;
360}
361
362BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
363{
364 BIGNUM local_n;
365 BIGNUM *e,*n;
366 BN_CTX *ctx;
367 BN_BLINDING *ret = NULL;
368
369 if (in_ctx == NULL)
324 { 370 {
325 if ((ctx=BN_CTX_new()) == NULL) goto err; 371 if ((ctx = BN_CTX_new()) == NULL) return 0;
326 } 372 }
327 else 373 else
328 ctx=p_ctx; 374 ctx = in_ctx;
329 375
330 /* XXXXX: Shouldn't this be RSA_blinding_off(rsa)? */ 376 BN_CTX_start(ctx);
331 if (rsa->blinding != NULL) 377 e = BN_CTX_get(ctx);
378 if (e == NULL)
332 { 379 {
333 BN_BLINDING_free(rsa->blinding); 380 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
334 rsa->blinding = NULL; 381 goto err;
335 } 382 }
336 383
337 /* NB: similar code appears in setup_blinding (rsa_eay.c); 384 if (rsa->e == NULL)
338 * this should be placed in a new function of its own, but for reasons 385 {
339 * of binary compatibility can't */ 386 e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
387 if (e == NULL)
388 {
389 RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
390 goto err;
391 }
392 }
393 else
394 e = rsa->e;
340 395
341 BN_CTX_start(ctx); 396
342 A = BN_CTX_get(ctx);
343 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) 397 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
344 { 398 {
345 /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ 399 /* if PRNG is not properly seeded, resort to secret
346 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); 400 * exponent as unpredictable seed */
347 if (!BN_pseudo_rand_range(A,rsa->n)) goto err; 401 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
348 } 402 }
349 else 403
404 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
350 { 405 {
351 if (!BN_rand_range(A,rsa->n)) goto err; 406 /* Set BN_FLG_CONSTTIME flag */
407 n = &local_n;
408 BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
352 } 409 }
353 if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; 410 else
411 n = rsa->n;
354 412
355 if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) 413 ret = BN_BLINDING_create_param(NULL, e, n, ctx,
414 rsa->meth->bn_mod_exp, rsa->_method_mod_n);
415 if (ret == NULL)
416 {
417 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
356 goto err; 418 goto err;
357 if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err; 419 }
358 /* to make things thread-safe without excessive locking, 420 BN_BLINDING_set_thread_id(ret, CRYPTO_thread_id());
359 * rsa->blinding will be used just by the current thread: */
360 rsa->blinding->thread_id = CRYPTO_thread_id();
361 rsa->flags |= RSA_FLAG_BLINDING;
362 rsa->flags &= ~RSA_FLAG_NO_BLINDING;
363 ret=1;
364err: 421err:
365 if (Ai != NULL) BN_free(Ai);
366 BN_CTX_end(ctx); 422 BN_CTX_end(ctx);
367 if (ctx != p_ctx) BN_CTX_free(ctx); 423 if (in_ctx == NULL)
368 return(ret); 424 BN_CTX_free(ctx);
369 } 425 if(rsa->e == NULL)
426 BN_free(e);
427
428 return ret;
429}
370 430
371int RSA_memory_lock(RSA *r) 431int RSA_memory_lock(RSA *r)
372 { 432 {
@@ -389,7 +449,7 @@ int RSA_memory_lock(RSA *r)
389 j+= (*t[i])->top; 449 j+= (*t[i])->top;
390 if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL) 450 if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL)
391 { 451 {
392 RSAerr(RSA_F_MEMORY_LOCK,ERR_R_MALLOC_FAILURE); 452 RSAerr(RSA_F_RSA_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);
393 return(0); 453 return(0);
394 } 454 }
395 bn=(BIGNUM *)p; 455 bn=(BIGNUM *)p;
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index d43ecaca63..3652677a99 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -28,6 +28,9 @@
28#include <openssl/rand.h> 28#include <openssl/rand.h>
29#include <openssl/sha.h> 29#include <openssl/sha.h>
30 30
31int MGF1(unsigned char *mask, long len,
32 const unsigned char *seed, long seedlen);
33
31int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, 34int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
32 const unsigned char *from, int flen, 35 const unsigned char *from, int flen,
33 const unsigned char *param, int plen) 36 const unsigned char *param, int plen)
@@ -73,13 +76,11 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
73 20); 76 20);
74#endif 77#endif
75 78
76 PKCS1_MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH, 79 MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
77 EVP_sha1());
78 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++) 80 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
79 db[i] ^= dbmask[i]; 81 db[i] ^= dbmask[i];
80 82
81 PKCS1_MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH, 83 MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
82 EVP_sha1());
83 for (i = 0; i < SHA_DIGEST_LENGTH; i++) 84 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
84 seed[i] ^= seedmask[i]; 85 seed[i] ^= seedmask[i];
85 86
@@ -95,6 +96,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
95 const unsigned char *maskeddb; 96 const unsigned char *maskeddb;
96 int lzero; 97 int lzero;
97 unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH]; 98 unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
99 unsigned char *padded_from;
98 int bad = 0; 100 int bad = 0;
99 101
100 if (--num < 2 * SHA_DIGEST_LENGTH + 1) 102 if (--num < 2 * SHA_DIGEST_LENGTH + 1)
@@ -105,8 +107,6 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
105 lzero = num - flen; 107 lzero = num - flen;
106 if (lzero < 0) 108 if (lzero < 0)
107 { 109 {
108 /* lzero == -1 */
109
110 /* signalling this error immediately after detection might allow 110 /* signalling this error immediately after detection might allow
111 * for side-channel attacks (e.g. timing if 'plen' is huge 111 * for side-channel attacks (e.g. timing if 'plen' is huge
112 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal 112 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
@@ -114,22 +114,30 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
114 * so we use a 'bad' flag */ 114 * so we use a 'bad' flag */
115 bad = 1; 115 bad = 1;
116 lzero = 0; 116 lzero = 0;
117 flen = num; /* don't overflow the memcpy to padded_from */
117 } 118 }
118 maskeddb = from - lzero + SHA_DIGEST_LENGTH;
119 119
120 dblen = num - SHA_DIGEST_LENGTH; 120 dblen = num - SHA_DIGEST_LENGTH;
121 db = OPENSSL_malloc(dblen); 121 db = OPENSSL_malloc(dblen + num);
122 if (db == NULL) 122 if (db == NULL)
123 { 123 {
124 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); 124 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
125 return -1; 125 return -1;
126 } 126 }
127 127
128 PKCS1_MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen, EVP_sha1()); 128 /* Always do this zero-padding copy (even when lzero == 0)
129 for (i = lzero; i < SHA_DIGEST_LENGTH; i++) 129 * to avoid leaking timing info about the value of lzero. */
130 seed[i] ^= from[i - lzero]; 130 padded_from = db + dblen;
131 memset(padded_from, 0, lzero);
132 memcpy(padded_from + lzero, from, flen);
133
134 maskeddb = padded_from + SHA_DIGEST_LENGTH;
135
136 MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
137 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
138 seed[i] ^= padded_from[i];
131 139
132 PKCS1_MGF1(db, dblen, seed, SHA_DIGEST_LENGTH, EVP_sha1()); 140 MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
133 for (i = 0; i < dblen; i++) 141 for (i = 0; i < dblen; i++)
134 db[i] ^= maskeddb[i]; 142 db[i] ^= maskeddb[i];
135 143
@@ -142,13 +150,13 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
142 for (i = SHA_DIGEST_LENGTH; i < dblen; i++) 150 for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
143 if (db[i] != 0x00) 151 if (db[i] != 0x00)
144 break; 152 break;
145 if (db[i] != 0x01 || i++ >= dblen) 153 if (i == dblen || db[i] != 0x01)
146 goto decoding_err; 154 goto decoding_err;
147 else 155 else
148 { 156 {
149 /* everything looks OK */ 157 /* everything looks OK */
150 158
151 mlen = dblen - i; 159 mlen = dblen - ++i;
152 if (tlen < mlen) 160 if (tlen < mlen)
153 { 161 {
154 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE); 162 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
index 2815628f5f..e19d18c5b9 100644
--- a/src/lib/libcrypto/rsa/rsa_pss.c
+++ b/src/lib/libcrypto/rsa/rsa_pss.c
@@ -64,7 +64,11 @@
64#include <openssl/rand.h> 64#include <openssl/rand.h>
65#include <openssl/sha.h> 65#include <openssl/sha.h>
66 66
67const static unsigned char zeroes[] = {0,0,0,0,0,0,0,0}; 67static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
68
69#if defined(_MSC_VER) && defined(_ARM_)
70#pragma optimize("g", off)
71#endif
68 72
69int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, 73int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
70 const EVP_MD *Hash, const unsigned char *EM, int sLen) 74 const EVP_MD *Hash, const unsigned char *EM, int sLen)
@@ -259,3 +263,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
259 return ret; 263 return ret;
260 264
261 } 265 }
266
267#if defined(_MSC_VER)
268#pragma optimize("",on)
269#endif
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
index 24fc94835e..f98e0a80a6 100644
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -107,7 +107,8 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
107 RSA *rsa) 107 RSA *rsa)
108 { 108 {
109 int i,ret=0; 109 int i,ret=0;
110 unsigned char *p,*s; 110 unsigned char *s;
111 const unsigned char *p;
111 ASN1_OCTET_STRING *sig=NULL; 112 ASN1_OCTET_STRING *sig=NULL;
112 113
113 if (siglen != (unsigned int)RSA_size(rsa)) 114 if (siglen != (unsigned int)RSA_size(rsa))
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index cee09eccb1..71aabeea1b 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -146,7 +146,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
146 unsigned char *sigbuf, unsigned int siglen, RSA *rsa) 146 unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
147 { 147 {
148 int i,ret=0,sigtype; 148 int i,ret=0,sigtype;
149 unsigned char *p,*s; 149 unsigned char *s;
150 X509_SIG *sig=NULL; 150 X509_SIG *sig=NULL;
151 151
152 if (siglen != (unsigned int)RSA_size(rsa)) 152 if (siglen != (unsigned int)RSA_size(rsa))
@@ -181,10 +181,27 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
181 RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); 181 RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
182 else ret = 1; 182 else ret = 1;
183 } else { 183 } else {
184 p=s; 184 const unsigned char *p=s;
185 sig=d2i_X509_SIG(NULL,&p,(long)i); 185 sig=d2i_X509_SIG(NULL,&p,(long)i);
186 186
187 if (sig == NULL) goto err; 187 if (sig == NULL) goto err;
188
189 /* Excess data can be used to create forgeries */
190 if(p != s+i)
191 {
192 RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
193 goto err;
194 }
195
196 /* Parameters to the signature algorithm can also be used to
197 create forgeries */
198 if(sig->algor->parameter
199 && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL)
200 {
201 RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
202 goto err;
203 }
204
188 sigtype=OBJ_obj2nid(sig->algor->algorithm); 205 sigtype=OBJ_obj2nid(sig->algor->algorithm);
189 206
190 207
diff --git a/src/lib/libcrypto/rsa/rsa_x931.c b/src/lib/libcrypto/rsa/rsa_x931.c
index df3c45f802..e918654176 100644
--- a/src/lib/libcrypto/rsa/rsa_x931.c
+++ b/src/lib/libcrypto/rsa/rsa_x931.c
@@ -105,7 +105,7 @@ int RSA_padding_add_X931(unsigned char *to, int tlen,
105int RSA_padding_check_X931(unsigned char *to, int tlen, 105int RSA_padding_check_X931(unsigned char *to, int tlen,
106 const unsigned char *from, int flen, int num) 106 const unsigned char *from, int flen, int num)
107 { 107 {
108 int i,j; 108 int i = 0,j;
109 const unsigned char *p; 109 const unsigned char *p;
110 110
111 p=from; 111 p=from;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-28 13:14:51 +0000