summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c252
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c103
-rw-r--r--src/lib/libssl/crypto/shlib_version2
-rw-r--r--src/lib/libssl/shlib_version2
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_eay.c252
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_gen.c103
-rw-r--r--src/lib/libssl/ssl/shlib_version2
7 files changed, 647 insertions, 69 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index f835be8afc..b7d2460754 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,13 +1,3 @@
1
2/* This file has been explicitly broken by ryker for OpenBSD, July
3 * 1, 1998. In spite of the title, there is no implementation of the
4 * RSA algorithm left in this file. All these routines will return an
5 * error and fail when called. They exist as stubs and can be
6 * ressurected from the bit bucket by someone in the free world once
7 * the RSA algorithm is no longer subject to patent problems. Eric
8 * Young's original copyright is below.
9 */
10
11/* crypto/rsa/rsa_eay.c */ 1/* crypto/rsa/rsa_eay.c */
12/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
13 * All rights reserved. 3 * All rights reserved.
@@ -184,13 +174,62 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
184 unsigned char *buf=NULL; 174 unsigned char *buf=NULL;
185 BN_CTX *ctx=NULL; 175 BN_CTX *ctx=NULL;
186 176
187 BN_init(&f); 177 BN_init(&f);
188 BN_init(&ret); 178 BN_init(&ret);
179
180 if ((ctx=BN_CTX_new()) == NULL) goto err;
181 num=BN_num_bytes(rsa->n);
182 if ((buf=(unsigned char *)Malloc(num)) == NULL)
183 {
184 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
185 goto err;
186 }
187
188 switch (padding)
189 {
190 case RSA_PKCS1_PADDING:
191 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
192 break;
193 case RSA_NO_PADDING:
194 i=RSA_padding_add_none(buf,num,from,flen);
195 break;
196 case RSA_SSLV23_PADDING:
197 default:
198 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
199 goto err;
200 }
201 if (i <= 0) goto err;
202
203 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
204
205 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
206 RSA_blinding_on(rsa,ctx);
207 if (rsa->flags & RSA_FLAG_BLINDING)
208 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
189 209
190 /* Body of this routine removed for OpenBSD - will return 210 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
191 * when the RSA patent expires 211 ((rsa->p != NULL) &&
192 */ 212 (rsa->q != NULL) &&
213 (rsa->dmp1 != NULL) &&
214 (rsa->dmq1 != NULL) &&
215 (rsa->iqmp != NULL)) )
216 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
217 else
218 {
219 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
220 }
221
222 if (rsa->flags & RSA_FLAG_BLINDING)
223 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
224
225 /* put in leading 0 bytes if the number is less than the
226 * length of the modulus */
227 j=BN_num_bytes(&ret);
228 i=BN_bn2bin(&ret,&(to[num-j]));
229 for (k=0; k<(num-i); k++)
230 to[k]=0;
193 231
232 r=num;
194err: 233err:
195 if (ctx != NULL) BN_CTX_free(ctx); 234 if (ctx != NULL) BN_CTX_free(ctx);
196 BN_clear_free(&ret); 235 BN_clear_free(&ret);
@@ -212,12 +251,77 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
212 unsigned char *buf=NULL; 251 unsigned char *buf=NULL;
213 BN_CTX *ctx=NULL; 252 BN_CTX *ctx=NULL;
214 253
215 BN_init(&f); 254 BN_init(&f);
216 BN_init(&ret); 255 BN_init(&ret);
256 ctx=BN_CTX_new();
257 if (ctx == NULL) goto err;
258
259 num=BN_num_bytes(rsa->n);
260
261 if ((buf=(unsigned char *)Malloc(num)) == NULL)
262 {
263 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
264 goto err;
265 }
266
267 /* This check was for equality but PGP does evil things
268 * and chops off the top '0' bytes */
269 if (flen > num)
270 {
271 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
272 goto err;
273 }
274
275 /* make data into a big number */
276 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
217 277
218 /* Body of this routine removed for OpenBSD - will return 278 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
219 * when the RSA patent expires 279 RSA_blinding_on(rsa,ctx);
220 */ 280 if (rsa->flags & RSA_FLAG_BLINDING)
281 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
282
283 /* do the decrypt */
284 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
285 ((rsa->p != NULL) &&
286 (rsa->q != NULL) &&
287 (rsa->dmp1 != NULL) &&
288 (rsa->dmq1 != NULL) &&
289 (rsa->iqmp != NULL)) )
290 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
291 else
292 {
293 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
294 goto err;
295 }
296
297 if (rsa->flags & RSA_FLAG_BLINDING)
298 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
299
300 p=buf;
301 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
302
303 switch (padding)
304 {
305 case RSA_PKCS1_PADDING:
306 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
307 break;
308#ifndef NO_SHA
309 case RSA_PKCS1_OAEP_PADDING:
310 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
311 break;
312#endif
313 case RSA_SSLV23_PADDING:
314 r=RSA_padding_check_SSLv23(to,num,buf,j,num);
315 break;
316 case RSA_NO_PADDING:
317 r=RSA_padding_check_none(to,num,buf,j,num);
318 break;
319 default:
320 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
321 goto err;
322 }
323 if (r < 0)
324 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
221 325
222err: 326err:
223 if (ctx != NULL) BN_CTX_free(ctx); 327 if (ctx != NULL) BN_CTX_free(ctx);
@@ -240,12 +344,56 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
240 unsigned char *buf=NULL; 344 unsigned char *buf=NULL;
241 BN_CTX *ctx=NULL; 345 BN_CTX *ctx=NULL;
242 346
243 BN_init(&f); 347 BN_init(&f);
244 BN_init(&ret); 348 BN_init(&ret);
349 ctx=BN_CTX_new();
350 if (ctx == NULL) goto err;
351
352 num=BN_num_bytes(rsa->n);
353 buf=(unsigned char *)Malloc(num);
354 if (buf == NULL)
355 {
356 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
357 goto err;
358 }
245 359
246 /* Body of this routine removed for OpenBSD - will return 360 /* This check was for equality but PGP does evil things
247 * when the RSA patent expires 361 * and chops off the top '0' bytes */
248 */ 362 if (flen > num)
363 {
364 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
365 goto err;
366 }
367
368 if (BN_bin2bn(from,flen,&f) == NULL) goto err;
369 /* do the decrypt */
370 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
371 {
372 if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
373 if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
374 goto err;
375 }
376
377 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
378 rsa->_method_mod_n)) goto err;
379
380 p=buf;
381 i=BN_bn2bin(&ret,p);
382
383 switch (padding)
384 {
385 case RSA_PKCS1_PADDING:
386 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
387 break;
388 case RSA_NO_PADDING:
389 r=RSA_padding_check_none(to,num,buf,i,num);
390 break;
391 default:
392 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
393 goto err;
394 }
395 if (r < 0)
396 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
249 397
250err: 398err:
251 if (ctx != NULL) BN_CTX_free(ctx); 399 if (ctx != NULL) BN_CTX_free(ctx);
@@ -263,15 +411,59 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
263 { 411 {
264 BIGNUM r1,m1; 412 BIGNUM r1,m1;
265 int ret=0; 413 int ret=0;
266 BN_CTX *ctx = NULL; 414 BN_CTX *ctx;
267 415
416 if ((ctx=BN_CTX_new()) == NULL) goto err;
268 BN_init(&m1); 417 BN_init(&m1);
269 BN_init(&r1); 418 BN_init(&r1);
270 if ((ctx=BN_CTX_new()) == NULL) goto err;
271 419
272 /* Body of this routine removed for OpenBSD - will return 420 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
273 * when the RSA patent expires 421 {
274 */ 422 if (rsa->_method_mod_p == NULL)
423 {
424 if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
425 if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
426 ctx))
427 goto err;
428 }
429 if (rsa->_method_mod_q == NULL)
430 {
431 if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
432 if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
433 ctx))
434 goto err;
435 }
436 }
437
438 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
439 if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
440 rsa->_method_mod_q)) goto err;
441
442 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
443 if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
444 rsa->_method_mod_p)) goto err;
445
446 if (!BN_sub(r0,r0,&m1)) goto err;
447 /* This will help stop the size of r0 increasing, which does
448 * affect the multiply if it optimised for a power of 2 size */
449 if (r0->neg)
450 if (!BN_add(r0,r0,rsa->p)) goto err;
451
452 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
453 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
454 /* If p < q it is occasionally possible for the correction of
455 * adding 'p' if r0 is negative above to leave the result still
456 * negative. This can break the private key operations: the following
457 * second correction should *always* correct this rare occurrence.
458 * This will *never* happen with OpenSSL generated keys because
459 * they ensure p > q [steve]
460 */
461 if (r0->neg)
462 if (!BN_add(r0,r0,rsa->p)) goto err;
463 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
464 if (!BN_add(r0,&r1,&m1)) goto err;
465
466 ret=1;
275err: 467err:
276 BN_clear_free(&m1); 468 BN_clear_free(&m1);
277 BN_clear_free(&r1); 469 BN_clear_free(&r1);
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index b1ee5d8dce..95e636d3f0 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -74,11 +74,108 @@ RSA *RSA_generate_key(int bits, unsigned long e_value,
74 if (ctx == NULL) goto err; 74 if (ctx == NULL) goto err;
75 ctx2=BN_CTX_new(); 75 ctx2=BN_CTX_new();
76 if (ctx2 == NULL) goto err; 76 if (ctx2 == NULL) goto err;
77 BN_CTX_start(ctx);
78 r0 = BN_CTX_get(ctx);
79 r1 = BN_CTX_get(ctx);
80 r2 = BN_CTX_get(ctx);
81 r3 = BN_CTX_get(ctx);
82 if (r3 == NULL) goto err;
77 83
78 /* Body of this routine removed for OpenBSD - will return 84 bitsp=(bits+1)/2;
79 * when the RSA patent expires 85 bitsq=bits-bitsp;
80 */ 86 rsa=RSA_new();
87 if (rsa == NULL) goto err;
81 88
89 /* set e */
90 rsa->e=BN_new();
91 if (rsa->e == NULL) goto err;
92
93#if 1
94 /* The problem is when building with 8, 16, or 32 BN_ULONG,
95 * unsigned long can be larger */
96 for (i=0; i<sizeof(unsigned long)*8; i++)
97 {
98 if (e_value & (1<<i))
99 BN_set_bit(rsa->e,i);
100 }
101#else
102 if (!BN_set_word(rsa->e,e_value)) goto err;
103#endif
104
105 /* generate p and q */
106 for (;;)
107 {
108 rsa->p=BN_generate_prime(NULL,bitsp,0,NULL,NULL,callback,cb_arg);
109 if (rsa->p == NULL) goto err;
110 if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
111 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
112 if (BN_is_one(r1)) break;
113 if (callback != NULL) callback(2,n++,cb_arg);
114 BN_free(rsa->p);
115 }
116 if (callback != NULL) callback(3,0,cb_arg);
117 for (;;)
118 {
119 rsa->q=BN_generate_prime(NULL,bitsq,0,NULL,NULL,callback,cb_arg);
120 if (rsa->q == NULL) goto err;
121 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
122 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
123 if (BN_is_one(r1) && (BN_cmp(rsa->p,rsa->q) != 0))
124 break;
125 if (callback != NULL) callback(2,n++,cb_arg);
126 BN_free(rsa->q);
127 }
128 if (callback != NULL) callback(3,1,cb_arg);
129 if (BN_cmp(rsa->p,rsa->q) < 0)
130 {
131 tmp=rsa->p;
132 rsa->p=rsa->q;
133 rsa->q=tmp;
134 }
135
136 /* calculate n */
137 rsa->n=BN_new();
138 if (rsa->n == NULL) goto err;
139 if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
140
141 /* calculate d */
142 if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */
143 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */
144 if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */
145
146/* should not be needed, since gcd(p-1,e) == 1 and gcd(q-1,e) == 1 */
147/* for (;;)
148 {
149 if (!BN_gcd(r3,r0,rsa->e,ctx)) goto err;
150 if (BN_is_one(r3)) break;
151
152 if (1)
153 {
154 if (!BN_add_word(rsa->e,2L)) goto err;
155 continue;
156 }
157 RSAerr(RSA_F_RSA_GENERATE_KEY,RSA_R_BAD_E_VALUE);
158 goto err;
159 }
160*/
161 rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */
162 if (rsa->d == NULL) goto err;
163
164 /* calculate d mod (p-1) */
165 rsa->dmp1=BN_new();
166 if (rsa->dmp1 == NULL) goto err;
167 if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx)) goto err;
168
169 /* calculate d mod (q-1) */
170 rsa->dmq1=BN_new();
171 if (rsa->dmq1 == NULL) goto err;
172 if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx)) goto err;
173
174 /* calculate inverse of q mod p */
175 rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
176 if (rsa->iqmp == NULL) goto err;
177
178 ok=1;
82err: 179err:
83 if (ok == -1) 180 if (ok == -1)
84 { 181 {
diff --git a/src/lib/libssl/crypto/shlib_version b/src/lib/libssl/crypto/shlib_version
index ba5a3fee58..c87e1c60d4 100644
--- a/src/lib/libssl/crypto/shlib_version
+++ b/src/lib/libssl/crypto/shlib_version
@@ -1,2 +1,2 @@
1major=2 1major=2
2minor=2 2minor=4
diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version
index ba5a3fee58..c87e1c60d4 100644
--- a/src/lib/libssl/shlib_version
+++ b/src/lib/libssl/shlib_version
@@ -1,2 +1,2 @@
1major=2 1major=2
2minor=2 2minor=4
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_eay.c b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
index f835be8afc..b7d2460754 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_eay.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
@@ -1,13 +1,3 @@
1
2/* This file has been explicitly broken by ryker for OpenBSD, July
3 * 1, 1998. In spite of the title, there is no implementation of the
4 * RSA algorithm left in this file. All these routines will return an
5 * error and fail when called. They exist as stubs and can be
6 * ressurected from the bit bucket by someone in the free world once
7 * the RSA algorithm is no longer subject to patent problems. Eric
8 * Young's original copyright is below.
9 */
10
11/* crypto/rsa/rsa_eay.c */ 1/* crypto/rsa/rsa_eay.c */
12/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
13 * All rights reserved. 3 * All rights reserved.
@@ -184,13 +174,62 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
184 unsigned char *buf=NULL; 174 unsigned char *buf=NULL;
185 BN_CTX *ctx=NULL; 175 BN_CTX *ctx=NULL;
186 176
187 BN_init(&f); 177 BN_init(&f);
188 BN_init(&ret); 178 BN_init(&ret);
179
180 if ((ctx=BN_CTX_new()) == NULL) goto err;
181 num=BN_num_bytes(rsa->n);
182 if ((buf=(unsigned char *)Malloc(num)) == NULL)
183 {
184 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
185 goto err;
186 }
187
188 switch (padding)
189 {
190 case RSA_PKCS1_PADDING:
191 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
192 break;
193 case RSA_NO_PADDING:
194 i=RSA_padding_add_none(buf,num,from,flen);
195 break;
196 case RSA_SSLV23_PADDING:
197 default:
198 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
199 goto err;
200 }
201 if (i <= 0) goto err;
202
203 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
204
205 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
206 RSA_blinding_on(rsa,ctx);
207 if (rsa->flags & RSA_FLAG_BLINDING)
208 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
189 209
190 /* Body of this routine removed for OpenBSD - will return 210 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
191 * when the RSA patent expires 211 ((rsa->p != NULL) &&
192 */ 212 (rsa->q != NULL) &&
213 (rsa->dmp1 != NULL) &&
214 (rsa->dmq1 != NULL) &&
215 (rsa->iqmp != NULL)) )
216 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
217 else
218 {
219 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
220 }
221
222 if (rsa->flags & RSA_FLAG_BLINDING)
223 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
224
225 /* put in leading 0 bytes if the number is less than the
226 * length of the modulus */
227 j=BN_num_bytes(&ret);
228 i=BN_bn2bin(&ret,&(to[num-j]));
229 for (k=0; k<(num-i); k++)
230 to[k]=0;
193 231
232 r=num;
194err: 233err:
195 if (ctx != NULL) BN_CTX_free(ctx); 234 if (ctx != NULL) BN_CTX_free(ctx);
196 BN_clear_free(&ret); 235 BN_clear_free(&ret);
@@ -212,12 +251,77 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
212 unsigned char *buf=NULL; 251 unsigned char *buf=NULL;
213 BN_CTX *ctx=NULL; 252 BN_CTX *ctx=NULL;
214 253
215 BN_init(&f); 254 BN_init(&f);
216 BN_init(&ret); 255 BN_init(&ret);
256 ctx=BN_CTX_new();
257 if (ctx == NULL) goto err;
258
259 num=BN_num_bytes(rsa->n);
260
261 if ((buf=(unsigned char *)Malloc(num)) == NULL)
262 {
263 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
264 goto err;
265 }
266
267 /* This check was for equality but PGP does evil things
268 * and chops off the top '0' bytes */
269 if (flen > num)
270 {
271 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
272 goto err;
273 }
274
275 /* make data into a big number */
276 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
217 277
218 /* Body of this routine removed for OpenBSD - will return 278 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
219 * when the RSA patent expires 279 RSA_blinding_on(rsa,ctx);
220 */ 280 if (rsa->flags & RSA_FLAG_BLINDING)
281 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
282
283 /* do the decrypt */
284 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
285 ((rsa->p != NULL) &&
286 (rsa->q != NULL) &&
287 (rsa->dmp1 != NULL) &&
288 (rsa->dmq1 != NULL) &&
289 (rsa->iqmp != NULL)) )
290 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
291 else
292 {
293 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
294 goto err;
295 }
296
297 if (rsa->flags & RSA_FLAG_BLINDING)
298 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
299
300 p=buf;
301 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
302
303 switch (padding)
304 {
305 case RSA_PKCS1_PADDING:
306 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
307 break;
308#ifndef NO_SHA
309 case RSA_PKCS1_OAEP_PADDING:
310 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
311 break;
312#endif
313 case RSA_SSLV23_PADDING:
314 r=RSA_padding_check_SSLv23(to,num,buf,j,num);
315 break;
316 case RSA_NO_PADDING:
317 r=RSA_padding_check_none(to,num,buf,j,num);
318 break;
319 default:
320 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
321 goto err;
322 }
323 if (r < 0)
324 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
221 325
222err: 326err:
223 if (ctx != NULL) BN_CTX_free(ctx); 327 if (ctx != NULL) BN_CTX_free(ctx);
@@ -240,12 +344,56 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
240 unsigned char *buf=NULL; 344 unsigned char *buf=NULL;
241 BN_CTX *ctx=NULL; 345 BN_CTX *ctx=NULL;
242 346
243 BN_init(&f); 347 BN_init(&f);
244 BN_init(&ret); 348 BN_init(&ret);
349 ctx=BN_CTX_new();
350 if (ctx == NULL) goto err;
351
352 num=BN_num_bytes(rsa->n);
353 buf=(unsigned char *)Malloc(num);
354 if (buf == NULL)
355 {
356 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
357 goto err;
358 }
245 359
246 /* Body of this routine removed for OpenBSD - will return 360 /* This check was for equality but PGP does evil things
247 * when the RSA patent expires 361 * and chops off the top '0' bytes */
248 */ 362 if (flen > num)
363 {
364 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
365 goto err;
366 }
367
368 if (BN_bin2bn(from,flen,&f) == NULL) goto err;
369 /* do the decrypt */
370 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
371 {
372 if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
373 if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
374 goto err;
375 }
376
377 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
378 rsa->_method_mod_n)) goto err;
379
380 p=buf;
381 i=BN_bn2bin(&ret,p);
382
383 switch (padding)
384 {
385 case RSA_PKCS1_PADDING:
386 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
387 break;
388 case RSA_NO_PADDING:
389 r=RSA_padding_check_none(to,num,buf,i,num);
390 break;
391 default:
392 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
393 goto err;
394 }
395 if (r < 0)
396 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
249 397
250err: 398err:
251 if (ctx != NULL) BN_CTX_free(ctx); 399 if (ctx != NULL) BN_CTX_free(ctx);
@@ -263,15 +411,59 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
263 { 411 {
264 BIGNUM r1,m1; 412 BIGNUM r1,m1;
265 int ret=0; 413 int ret=0;
266 BN_CTX *ctx = NULL; 414 BN_CTX *ctx;
267 415
416 if ((ctx=BN_CTX_new()) == NULL) goto err;
268 BN_init(&m1); 417 BN_init(&m1);
269 BN_init(&r1); 418 BN_init(&r1);
270 if ((ctx=BN_CTX_new()) == NULL) goto err;
271 419
272 /* Body of this routine removed for OpenBSD - will return 420 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
273 * when the RSA patent expires 421 {
274 */ 422 if (rsa->_method_mod_p == NULL)
423 {
424 if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
425 if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
426 ctx))
427 goto err;
428 }
429 if (rsa->_method_mod_q == NULL)
430 {
431 if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
432 if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
433 ctx))
434 goto err;
435 }
436 }
437
438 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
439 if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
440 rsa->_method_mod_q)) goto err;
441
442 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
443 if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
444 rsa->_method_mod_p)) goto err;
445
446 if (!BN_sub(r0,r0,&m1)) goto err;
447 /* This will help stop the size of r0 increasing, which does
448 * affect the multiply if it optimised for a power of 2 size */
449 if (r0->neg)
450 if (!BN_add(r0,r0,rsa->p)) goto err;
451
452 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
453 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
454 /* If p < q it is occasionally possible for the correction of
455 * adding 'p' if r0 is negative above to leave the result still
456 * negative. This can break the private key operations: the following
457 * second correction should *always* correct this rare occurrence.
458 * This will *never* happen with OpenSSL generated keys because
459 * they ensure p > q [steve]
460 */
461 if (r0->neg)
462 if (!BN_add(r0,r0,rsa->p)) goto err;
463 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
464 if (!BN_add(r0,&r1,&m1)) goto err;
465
466 ret=1;
275err: 467err:
276 BN_clear_free(&m1); 468 BN_clear_free(&m1);
277 BN_clear_free(&r1); 469 BN_clear_free(&r1);
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_gen.c b/src/lib/libssl/src/crypto/rsa/rsa_gen.c
index b1ee5d8dce..95e636d3f0 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_gen.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_gen.c
@@ -74,11 +74,108 @@ RSA *RSA_generate_key(int bits, unsigned long e_value,
74 if (ctx == NULL) goto err; 74 if (ctx == NULL) goto err;
75 ctx2=BN_CTX_new(); 75 ctx2=BN_CTX_new();
76 if (ctx2 == NULL) goto err; 76 if (ctx2 == NULL) goto err;
77 BN_CTX_start(ctx);
78 r0 = BN_CTX_get(ctx);
79 r1 = BN_CTX_get(ctx);
80 r2 = BN_CTX_get(ctx);
81 r3 = BN_CTX_get(ctx);
82 if (r3 == NULL) goto err;
77 83
78 /* Body of this routine removed for OpenBSD - will return 84 bitsp=(bits+1)/2;
79 * when the RSA patent expires 85 bitsq=bits-bitsp;
80 */ 86 rsa=RSA_new();
87 if (rsa == NULL) goto err;
81 88
89 /* set e */
90 rsa->e=BN_new();
91 if (rsa->e == NULL) goto err;
92
93#if 1
94 /* The problem is when building with 8, 16, or 32 BN_ULONG,
95 * unsigned long can be larger */
96 for (i=0; i<sizeof(unsigned long)*8; i++)
97 {
98 if (e_value & (1<<i))
99 BN_set_bit(rsa->e,i);
100 }
101#else
102 if (!BN_set_word(rsa->e,e_value)) goto err;
103#endif
104
105 /* generate p and q */
106 for (;;)
107 {
108 rsa->p=BN_generate_prime(NULL,bitsp,0,NULL,NULL,callback,cb_arg);
109 if (rsa->p == NULL) goto err;
110 if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
111 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
112 if (BN_is_one(r1)) break;
113 if (callback != NULL) callback(2,n++,cb_arg);
114 BN_free(rsa->p);
115 }
116 if (callback != NULL) callback(3,0,cb_arg);
117 for (;;)
118 {
119 rsa->q=BN_generate_prime(NULL,bitsq,0,NULL,NULL,callback,cb_arg);
120 if (rsa->q == NULL) goto err;
121 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
122 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
123 if (BN_is_one(r1) && (BN_cmp(rsa->p,rsa->q) != 0))
124 break;
125 if (callback != NULL) callback(2,n++,cb_arg);
126 BN_free(rsa->q);
127 }
128 if (callback != NULL) callback(3,1,cb_arg);
129 if (BN_cmp(rsa->p,rsa->q) < 0)
130 {
131 tmp=rsa->p;
132 rsa->p=rsa->q;
133 rsa->q=tmp;
134 }
135
136 /* calculate n */
137 rsa->n=BN_new();
138 if (rsa->n == NULL) goto err;
139 if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
140
141 /* calculate d */
142 if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */
143 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */
144 if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */
145
146/* should not be needed, since gcd(p-1,e) == 1 and gcd(q-1,e) == 1 */
147/* for (;;)
148 {
149 if (!BN_gcd(r3,r0,rsa->e,ctx)) goto err;
150 if (BN_is_one(r3)) break;
151
152 if (1)
153 {
154 if (!BN_add_word(rsa->e,2L)) goto err;
155 continue;
156 }
157 RSAerr(RSA_F_RSA_GENERATE_KEY,RSA_R_BAD_E_VALUE);
158 goto err;
159 }
160*/
161 rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */
162 if (rsa->d == NULL) goto err;
163
164 /* calculate d mod (p-1) */
165 rsa->dmp1=BN_new();
166 if (rsa->dmp1 == NULL) goto err;
167 if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx)) goto err;
168
169 /* calculate d mod (q-1) */
170 rsa->dmq1=BN_new();
171 if (rsa->dmq1 == NULL) goto err;
172 if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx)) goto err;
173
174 /* calculate inverse of q mod p */
175 rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
176 if (rsa->iqmp == NULL) goto err;
177
178 ok=1;
82err: 179err:
83 if (ok == -1) 180 if (ok == -1)
84 { 181 {
diff --git a/src/lib/libssl/ssl/shlib_version b/src/lib/libssl/ssl/shlib_version
index ba5a3fee58..c87e1c60d4 100644
--- a/src/lib/libssl/ssl/shlib_version
+++ b/src/lib/libssl/ssl/shlib_version
@@ -1,2 +1,2 @@
1major=2 1major=2
2minor=2 2minor=4
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 23:26:32 +0000