diff options
| author | tb <> | 2023-04-15 18:48:52 +0000 |
|---|---|---|
| committer | tb <> | 2023-04-15 18:48:52 +0000 |
| commit | 0d8d33f95bb60ebc48034e0510af8a3adb7c1afa (patch) | |
| tree | c5e041fba224aef85a1fe53c56b348d8e8b0cf1d /src | |
| parent | dd4d11ff3980719420626572b001eadad7632ea5 (diff) | |
| download | openbsd-0d8d33f95bb60ebc48034e0510af8a3adb7c1afa.tar.gz openbsd-0d8d33f95bb60ebc48034e0510af8a3adb7c1afa.tar.bz2 openbsd-0d8d33f95bb60ebc48034e0510af8a3adb7c1afa.zip | |
Stop supporting the long-retired X9.31 standard
This isolates the three API functions from the library so they can be
easily removed and any attempt to use RSA_X931_PADDING mode will now
result in an error.
ok jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_eay.c | 30 | ||||
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_pmeth.c | 140 |
2 files changed, 57 insertions, 113 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index b307a8bd88..e65319bda1 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: rsa_eay.c,v 1.58 2023/04/05 11:31:38 tb Exp $ */ | 1 | /* $OpenBSD: rsa_eay.c,v 1.59 2023/04/15 18:48:52 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -382,14 +382,11 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, | |||
| 382 | case RSA_PKCS1_PADDING: | 382 | case RSA_PKCS1_PADDING: |
| 383 | i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); | 383 | i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); |
| 384 | break; | 384 | break; |
| 385 | case RSA_X931_PADDING: | ||
| 386 | i = RSA_padding_add_X931(buf, num, from, flen); | ||
| 387 | break; | ||
| 388 | case RSA_NO_PADDING: | 385 | case RSA_NO_PADDING: |
| 389 | i = RSA_padding_add_none(buf, num, from, flen); | 386 | i = RSA_padding_add_none(buf, num, from, flen); |
| 390 | break; | 387 | break; |
| 391 | default: | 388 | default: |
| 392 | RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); | 389 | RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
| 393 | goto err; | 390 | goto err; |
| 394 | } | 391 | } |
| 395 | if (i <= 0) | 392 | if (i <= 0) |
| @@ -449,14 +446,11 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, | |||
| 449 | goto err; | 446 | goto err; |
| 450 | 447 | ||
| 451 | if (padding == RSA_X931_PADDING) { | 448 | if (padding == RSA_X931_PADDING) { |
| 452 | if (!BN_sub(f, rsa->n, ret)) | 449 | RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
| 453 | goto err; | 450 | goto err; |
| 454 | if (BN_cmp(ret, f) > 0) | 451 | } |
| 455 | res = f; | 452 | |
| 456 | else | 453 | res = ret; |
| 457 | res = ret; | ||
| 458 | } else | ||
| 459 | res = ret; | ||
| 460 | 454 | ||
| 461 | /* put in leading 0 bytes if the number is less than the | 455 | /* put in leading 0 bytes if the number is less than the |
| 462 | * length of the modulus */ | 456 | * length of the modulus */ |
| @@ -667,9 +661,10 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, | |||
| 667 | rsa->_method_mod_n)) | 661 | rsa->_method_mod_n)) |
| 668 | goto err; | 662 | goto err; |
| 669 | 663 | ||
| 670 | if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12) | 664 | if (padding == RSA_X931_PADDING) { |
| 671 | if (!BN_sub(ret, rsa->n, ret)) | 665 | RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
| 672 | goto err; | 666 | goto err; |
| 667 | } | ||
| 673 | 668 | ||
| 674 | p = buf; | 669 | p = buf; |
| 675 | i = BN_bn2bin(ret, p); | 670 | i = BN_bn2bin(ret, p); |
| @@ -678,9 +673,6 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, | |||
| 678 | case RSA_PKCS1_PADDING: | 673 | case RSA_PKCS1_PADDING: |
| 679 | r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); | 674 | r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); |
| 680 | break; | 675 | break; |
| 681 | case RSA_X931_PADDING: | ||
| 682 | r = RSA_padding_check_X931(to, num, buf, i, num); | ||
| 683 | break; | ||
| 684 | case RSA_NO_PADDING: | 676 | case RSA_NO_PADDING: |
| 685 | r = RSA_padding_check_none(to, num, buf, i, num); | 677 | r = RSA_padding_check_none(to, num, buf, i, num); |
| 686 | break; | 678 | break; |
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c index 3747f1dd28..688c0d64db 100644 --- a/src/lib/libcrypto/rsa/rsa_pmeth.c +++ b/src/lib/libcrypto/rsa/rsa_pmeth.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: rsa_pmeth.c,v 1.35 2023/03/06 08:31:34 tb Exp $ */ | 1 | /* $OpenBSD: rsa_pmeth.c,v 1.36 2023/04/15 18:48:52 tb Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2006. | 3 | * project 2006. |
| 4 | */ | 4 | */ |
| @@ -187,7 +187,7 @@ static int | |||
| 187 | pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, | 187 | pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, |
| 188 | const unsigned char *tbs, size_t tbslen) | 188 | const unsigned char *tbs, size_t tbslen) |
| 189 | { | 189 | { |
| 190 | int ret; | 190 | int ret = -1; |
| 191 | RSA_PKEY_CTX *rctx = ctx->data; | 191 | RSA_PKEY_CTX *rctx = ctx->data; |
| 192 | RSA *rsa = ctx->pkey->pkey.rsa; | 192 | RSA *rsa = ctx->pkey->pkey.rsa; |
| 193 | 193 | ||
| @@ -197,21 +197,11 @@ pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, | |||
| 197 | return -1; | 197 | return -1; |
| 198 | } | 198 | } |
| 199 | 199 | ||
| 200 | if (rctx->pad_mode == RSA_X931_PADDING) { | 200 | if (rctx->pad_mode != RSA_PKCS1_PADDING && |
| 201 | if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { | 201 | rctx->pad_mode != RSA_PKCS1_PSS_PADDING) |
| 202 | RSAerror(RSA_R_KEY_SIZE_TOO_SMALL); | 202 | return -1; |
| 203 | return -1; | 203 | |
| 204 | } | 204 | if (rctx->pad_mode == RSA_PKCS1_PADDING) { |
| 205 | if (!setup_tbuf(rctx, ctx)) { | ||
| 206 | RSAerror(ERR_R_MALLOC_FAILURE); | ||
| 207 | return -1; | ||
| 208 | } | ||
| 209 | memcpy(rctx->tbuf, tbs, tbslen); | ||
| 210 | rctx->tbuf[tbslen] = | ||
| 211 | RSA_X931_hash_id(EVP_MD_type(rctx->md)); | ||
| 212 | ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig, | ||
| 213 | rsa, RSA_X931_PADDING); | ||
| 214 | } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { | ||
| 215 | unsigned int sltmp; | 205 | unsigned int sltmp; |
| 216 | 206 | ||
| 217 | ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, | 207 | ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, |
| @@ -227,8 +217,6 @@ pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, | |||
| 227 | return -1; | 217 | return -1; |
| 228 | ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, | 218 | ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, |
| 229 | sig, rsa, RSA_NO_PADDING); | 219 | sig, rsa, RSA_NO_PADDING); |
| 230 | } else { | ||
| 231 | return -1; | ||
| 232 | } | 220 | } |
| 233 | } else { | 221 | } else { |
| 234 | ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, | 222 | ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, |
| @@ -248,36 +236,16 @@ pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen, | |||
| 248 | RSA_PKEY_CTX *rctx = ctx->data; | 236 | RSA_PKEY_CTX *rctx = ctx->data; |
| 249 | 237 | ||
| 250 | if (rctx->md) { | 238 | if (rctx->md) { |
| 251 | if (rctx->pad_mode == RSA_X931_PADDING) { | 239 | size_t sltmp; |
| 252 | if (!setup_tbuf(rctx, ctx)) | ||
| 253 | return -1; | ||
| 254 | ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, | ||
| 255 | ctx->pkey->pkey.rsa, RSA_X931_PADDING); | ||
| 256 | if (ret < 1) | ||
| 257 | return 0; | ||
| 258 | ret--; | ||
| 259 | if (rctx->tbuf[ret] != | ||
| 260 | RSA_X931_hash_id(EVP_MD_type(rctx->md))) { | ||
| 261 | RSAerror(RSA_R_ALGORITHM_MISMATCH); | ||
| 262 | return 0; | ||
| 263 | } | ||
| 264 | if (ret != EVP_MD_size(rctx->md)) { | ||
| 265 | RSAerror(RSA_R_INVALID_DIGEST_LENGTH); | ||
| 266 | return 0; | ||
| 267 | } | ||
| 268 | if (rout) | ||
| 269 | memcpy(rout, rctx->tbuf, ret); | ||
| 270 | } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { | ||
| 271 | size_t sltmp; | ||
| 272 | 240 | ||
| 273 | ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0, | 241 | if (rctx->pad_mode != RSA_PKCS1_PADDING) |
| 274 | rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa); | ||
| 275 | if (ret <= 0) | ||
| 276 | return 0; | ||
| 277 | ret = sltmp; | ||
| 278 | } else { | ||
| 279 | return -1; | 242 | return -1; |
| 280 | } | 243 | |
| 244 | ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0, | ||
| 245 | rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa); | ||
| 246 | if (ret <= 0) | ||
| 247 | return 0; | ||
| 248 | ret = sltmp; | ||
| 281 | } else { | 249 | } else { |
| 282 | ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, | 250 | ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, |
| 283 | rctx->pad_mode); | 251 | rctx->pad_mode); |
| @@ -295,6 +263,7 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen, | |||
| 295 | RSA_PKEY_CTX *rctx = ctx->data; | 263 | RSA_PKEY_CTX *rctx = ctx->data; |
| 296 | RSA *rsa = ctx->pkey->pkey.rsa; | 264 | RSA *rsa = ctx->pkey->pkey.rsa; |
| 297 | size_t rslen; | 265 | size_t rslen; |
| 266 | int ret; | ||
| 298 | 267 | ||
| 299 | if (rctx->md) { | 268 | if (rctx->md) { |
| 300 | if (rctx->pad_mode == RSA_PKCS1_PADDING) | 269 | if (rctx->pad_mode == RSA_PKCS1_PADDING) |
| @@ -304,32 +273,24 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen, | |||
| 304 | RSAerror(RSA_R_INVALID_DIGEST_LENGTH); | 273 | RSAerror(RSA_R_INVALID_DIGEST_LENGTH); |
| 305 | return -1; | 274 | return -1; |
| 306 | } | 275 | } |
| 307 | if (rctx->pad_mode == RSA_X931_PADDING) { | ||
| 308 | if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, | ||
| 309 | siglen) <= 0) | ||
| 310 | return 0; | ||
| 311 | } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { | ||
| 312 | int ret; | ||
| 313 | 276 | ||
| 314 | if (!setup_tbuf(rctx, ctx)) | 277 | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) |
| 315 | return -1; | ||
| 316 | ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, | ||
| 317 | rsa, RSA_NO_PADDING); | ||
| 318 | if (ret <= 0) | ||
| 319 | return 0; | ||
| 320 | ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md, | ||
| 321 | rctx->mgf1md, rctx->tbuf, rctx->saltlen); | ||
| 322 | if (ret <= 0) | ||
| 323 | return 0; | ||
| 324 | return 1; | ||
| 325 | } else { | ||
| 326 | return -1; | 278 | return -1; |
| 327 | } | ||
| 328 | } else { | ||
| 329 | int ret; | ||
| 330 | 279 | ||
| 331 | if (!setup_tbuf(rctx, ctx)) | 280 | if (!setup_tbuf(rctx, ctx)) |
| 332 | return -1; | 281 | return -1; |
| 282 | ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, | ||
| 283 | rsa, RSA_NO_PADDING); | ||
| 284 | if (ret <= 0) | ||
| 285 | return 0; | ||
| 286 | ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md, | ||
| 287 | rctx->mgf1md, rctx->tbuf, rctx->saltlen); | ||
| 288 | if (ret <= 0) | ||
| 289 | return 0; | ||
| 290 | return 1; | ||
| 291 | } else { | ||
| 292 | if (!setup_tbuf(rctx, ctx)) | ||
| 293 | return -1; | ||
| 333 | 294 | ||
| 334 | if ((ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa, | 295 | if ((ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa, |
| 335 | rctx->pad_mode)) <= 0) | 296 | rctx->pad_mode)) <= 0) |
| @@ -404,34 +365,27 @@ check_padding_md(const EVP_MD *md, int padding) | |||
| 404 | if (md == NULL) | 365 | if (md == NULL) |
| 405 | return 1; | 366 | return 1; |
| 406 | 367 | ||
| 407 | if (padding == RSA_NO_PADDING) { | 368 | if (padding == RSA_NO_PADDING || padding == RSA_X931_PADDING) { |
| 408 | RSAerror(RSA_R_INVALID_PADDING_MODE); | 369 | RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
| 409 | return 0; | 370 | return 0; |
| 410 | } | 371 | } |
| 411 | 372 | ||
| 412 | if (padding == RSA_X931_PADDING) { | 373 | /* List of all supported RSA digests. */ |
| 413 | if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) { | 374 | switch(EVP_MD_type(md)) { |
| 414 | RSAerror(RSA_R_INVALID_X931_DIGEST); | 375 | case NID_sha1: |
| 415 | return 0; | 376 | case NID_sha224: |
| 416 | } | 377 | case NID_sha256: |
| 417 | } else { | 378 | case NID_sha384: |
| 418 | /* List of all supported RSA digests. */ | 379 | case NID_sha512: |
| 419 | switch(EVP_MD_type(md)) { | 380 | case NID_md5: |
| 420 | case NID_sha1: | 381 | case NID_md5_sha1: |
| 421 | case NID_sha224: | 382 | case NID_md4: |
| 422 | case NID_sha256: | 383 | case NID_ripemd160: |
| 423 | case NID_sha384: | 384 | return 1; |
| 424 | case NID_sha512: | ||
| 425 | case NID_md5: | ||
| 426 | case NID_md5_sha1: | ||
| 427 | case NID_md4: | ||
| 428 | case NID_ripemd160: | ||
| 429 | return 1; | ||
| 430 | 385 | ||
| 431 | default: | 386 | default: |
| 432 | RSAerror(RSA_R_INVALID_DIGEST); | 387 | RSAerror(RSA_R_INVALID_DIGEST); |
| 433 | return 0; | 388 | return 0; |
| 434 | } | ||
| 435 | } | 389 | } |
| 436 | 390 | ||
| 437 | return 1; | 391 | return 1; |
| @@ -637,8 +591,6 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value) | |||
| 637 | pm = RSA_PKCS1_OAEP_PADDING; | 591 | pm = RSA_PKCS1_OAEP_PADDING; |
| 638 | else if (!strcmp(value, "oaep")) | 592 | else if (!strcmp(value, "oaep")) |
| 639 | pm = RSA_PKCS1_OAEP_PADDING; | 593 | pm = RSA_PKCS1_OAEP_PADDING; |
| 640 | else if (!strcmp(value, "x931")) | ||
| 641 | pm = RSA_X931_PADDING; | ||
| 642 | else if (!strcmp(value, "pss")) | 594 | else if (!strcmp(value, "pss")) |
| 643 | pm = RSA_PKCS1_PSS_PADDING; | 595 | pm = RSA_PKCS1_PSS_PADDING; |
| 644 | else { | 596 | else { |