2 files changed, 322 insertions, 33 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index f835be8afc..b7d2460754 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,13 +1,3 @@
-/* This file has been explicitly broken by ryker for OpenBSD, July
- * 1, 1998. In spite of the title, there is no implementation of the
- * RSA algorithm left in this file. All these routines will return an
- * error and fail when called. They exist as stubs and can be
- * ressurected from the bit bucket by someone in the free world once
- * the RSA algorithm is no longer subject to patent problems. Eric
- * Young's original copyright is below. 
- */
 /* crypto/rsa/rsa_eay.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
@@ -184,13 +174,62 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
        unsigned char *buf=NULL;
        BN_CTX *ctx=NULL;
-        BN_init(&f);
+        BN_init(&f);
-        BN_init(&ret);
+        BN_init(&ret);
+        if ((ctx=BN_CTX_new()) == NULL) goto err;
+        num=BN_num_bytes(rsa->n);
+        if ((buf=(unsigned char *)Malloc(num)) == NULL)
+                {
+                RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+        switch (padding)
+                {
+        case RSA_PKCS1_PADDING:
+                i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
+                break;
+        case RSA_NO_PADDING:
+                i=RSA_padding_add_none(buf,num,from,flen);
+                break;
+        case RSA_SSLV23_PADDING:
+        default:
+                RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
+                goto err;
+                }
+        if (i <= 0) goto err;
+        if (BN_bin2bn(buf,num,&f) == NULL) goto err;
+        if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
+                RSA_blinding_on(rsa,ctx);
+        if (rsa->flags & RSA_FLAG_BLINDING)
+                if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
-        /* Body of this routine removed for OpenBSD - will return
+        if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
-         * when the RSA patent expires
+                ((rsa->p != NULL) &&
-         */
+                (rsa->q != NULL) &&
+                (rsa->dmp1 != NULL) &&
+                (rsa->dmq1 != NULL) &&
+                (rsa->iqmp != NULL)) )
+                { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+        else
+                {
+                if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
+                }
+        if (rsa->flags & RSA_FLAG_BLINDING)
+                if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+        /* put in leading 0 bytes if the number is less than the
+         * length of the modulus */
+        j=BN_num_bytes(&ret);
+        i=BN_bn2bin(&ret,&(to[num-j]));
+        for (k=0; k<(num-i); k++)
+                to[k]=0;
+        r=num;
 err:
        if (ctx != NULL) BN_CTX_free(ctx);
        BN_clear_free(&ret);
@@ -212,12 +251,77 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
        unsigned char *buf=NULL;
        BN_CTX *ctx=NULL;
-        BN_init(&f);
+        BN_init(&f);
-        BN_init(&ret);
+        BN_init(&ret);
+        ctx=BN_CTX_new();
+        if (ctx == NULL) goto err;
+        num=BN_num_bytes(rsa->n);
+        if ((buf=(unsigned char *)Malloc(num)) == NULL)
+                {
+                RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+        /* This check was for equality but PGP does evil things
+         * and chops off the top '0' bytes */
+        if (flen > num)
+                {
+                RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
+                goto err;
+                }
+        /* make data into a big number */
+        if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
-        /* Body of this routine removed for OpenBSD - will return
+        if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
-         * when the RSA patent expires
+                RSA_blinding_on(rsa,ctx);
-         */
+        if (rsa->flags & RSA_FLAG_BLINDING)
+                if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+        /* do the decrypt */
+        if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
+                ((rsa->p != NULL) &&
+                (rsa->q != NULL) &&
+                (rsa->dmp1 != NULL) &&
+                (rsa->dmq1 != NULL) &&
+                (rsa->iqmp != NULL)) )
+                { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+        else
+                {
+                if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
+                        goto err;
+                }
+        if (rsa->flags & RSA_FLAG_BLINDING)
+                if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+        p=buf;
+        j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
+        switch (padding)
+                {
+        case RSA_PKCS1_PADDING:
+                r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
+                break;
+#ifndef NO_SHA
+        case RSA_PKCS1_OAEP_PADDING:
+                r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
+                break;
+#endif
+        case RSA_SSLV23_PADDING:
+                r=RSA_padding_check_SSLv23(to,num,buf,j,num);
+                break;
+        case RSA_NO_PADDING:
+                r=RSA_padding_check_none(to,num,buf,j,num);
+                break;
+        default:
+                RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
+                goto err;
+                }
+        if (r < 0)
+                RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
 err:
        if (ctx != NULL) BN_CTX_free(ctx);
@@ -240,12 +344,56 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
        unsigned char *buf=NULL;
        BN_CTX *ctx=NULL;
-        BN_init(&f);
+        BN_init(&f);
-        BN_init(&ret);
+        BN_init(&ret);
+        ctx=BN_CTX_new();
+        if (ctx == NULL) goto err;
+        num=BN_num_bytes(rsa->n);
+        buf=(unsigned char *)Malloc(num);
+        if (buf == NULL)
+                {
+                RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
-        /* Body of this routine removed for OpenBSD - will return
+        /* This check was for equality but PGP does evil things
-         * when the RSA patent expires
+         * and chops off the top '0' bytes */
-         */
+        if (flen > num)
+                {
+                RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
+                goto err;
+                }
+        if (BN_bin2bn(from,flen,&f) == NULL) goto err;
+        /* do the decrypt */
+        if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
+                {
+                if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
+                        if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
+                            goto err;
+                }
+        if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
+                rsa->_method_mod_n)) goto err;
+        p=buf;
+        i=BN_bn2bin(&ret,p);
+        switch (padding)
+                {
+        case RSA_PKCS1_PADDING:
+                r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+                break;
+        case RSA_NO_PADDING:
+                r=RSA_padding_check_none(to,num,buf,i,num);
+                break;
+        default:
+                RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
+                goto err;
+                }
+        if (r < 0)
+                RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
 err:
        if (ctx != NULL) BN_CTX_free(ctx);
@@ -263,15 +411,59 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
        {
        BIGNUM r1,m1;
        int ret=0;
-        BN_CTX *ctx = NULL;
+        BN_CTX *ctx;
+        if ((ctx=BN_CTX_new()) == NULL) goto err;
        BN_init(&m1);
        BN_init(&r1);
-        if ((ctx=BN_CTX_new()) == NULL) goto err;
-        /* Body of this routine removed for OpenBSD - will return
+        if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
-         * when the RSA patent expires
+                {
-         */
+                if (rsa->_method_mod_p == NULL)
+                        {
+                        if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
+                                if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
+                                                     ctx))
+                                        goto err;
+                        }
+                if (rsa->_method_mod_q == NULL)
+                        {
+                        if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
+                                if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
+                                                     ctx))
+                                        goto err;
+                        }
+                }
+        if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
+        if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
+                rsa->_method_mod_q)) goto err;
+        if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
+        if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
+                rsa->_method_mod_p)) goto err;
+        if (!BN_sub(r0,r0,&m1)) goto err;
+        /* This will help stop the size of r0 increasing, which does
+         * affect the multiply if it optimised for a power of 2 size */
+        if (r0->neg)
+                if (!BN_add(r0,r0,rsa->p)) goto err;
+        if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
+        if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
+        /* If p < q it is occasionally possible for the correction of
+         * adding 'p' if r0 is negative above to leave the result still
+         * negative. This can break the private key operations: the following
+         * second correction should *always* correct this rare occurrence.
+         * This will *never* happen with OpenSSL generated keys because
+         * they ensure p > q [steve]
+         */
+        if (r0->neg)
+                if (!BN_add(r0,r0,rsa->p)) goto err;
+        if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
+        if (!BN_add(r0,&r1,&m1)) goto err;
+        ret=1;
 err:
        BN_clear_free(&m1);
        BN_clear_free(&r1);
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index b1ee5d8dce..95e636d3f0 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -74,11 +74,108 @@ RSA *RSA_generate_key(int bits, unsigned long e_value,
        if (ctx == NULL) goto err;
        ctx2=BN_CTX_new();
        if (ctx2 == NULL) goto err;
+        BN_CTX_start(ctx);
+        r0 = BN_CTX_get(ctx);
+        r1 = BN_CTX_get(ctx);
+        r2 = BN_CTX_get(ctx);
+        r3 = BN_CTX_get(ctx);
+        if (r3 == NULL) goto err;
-        /* Body of this routine removed for OpenBSD - will return
+        bitsp=(bits+1)/2;
-         * when the RSA patent expires
+        bitsq=bits-bitsp;
-         */
+        rsa=RSA_new();
+        if (rsa == NULL) goto err;
+        /* set e */ 
+        rsa->e=BN_new();
+        if (rsa->e == NULL) goto err;
+#if 1
+        /* The problem is when building with 8, 16, or 32 BN_ULONG,
+         * unsigned long can be larger */
+        for (i=0; i<sizeof(unsigned long)*8; i++)
+                {
+                if (e_value & (1<<i))
+                        BN_set_bit(rsa->e,i);
+                }
+#else
+        if (!BN_set_word(rsa->e,e_value)) goto err;
+#endif
+        /* generate p and q */
+        for (;;)
+                {
+                rsa->p=BN_generate_prime(NULL,bitsp,0,NULL,NULL,callback,cb_arg);
+                if (rsa->p == NULL) goto err;
+                if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
+                if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
+                if (BN_is_one(r1)) break;
+                if (callback != NULL) callback(2,n++,cb_arg);
+                BN_free(rsa->p);
+                }
+        if (callback != NULL) callback(3,0,cb_arg);
+        for (;;)
+                {
+                rsa->q=BN_generate_prime(NULL,bitsq,0,NULL,NULL,callback,cb_arg);
+                if (rsa->q == NULL) goto err;
+                if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
+                if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
+                if (BN_is_one(r1) && (BN_cmp(rsa->p,rsa->q) != 0))
+                        break;
+                if (callback != NULL) callback(2,n++,cb_arg);
+                BN_free(rsa->q);
+                }
+        if (callback != NULL) callback(3,1,cb_arg);
+        if (BN_cmp(rsa->p,rsa->q) < 0)
+                {
+                tmp=rsa->p;
+                rsa->p=rsa->q;
+                rsa->q=tmp;
+                }
+        /* calculate n */
+        rsa->n=BN_new();
+        if (rsa->n == NULL) goto err;
+        if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
+        /* calculate d */
+        if (!BN_sub(r1,rsa->p,BN_value_one())) goto err;        /* p-1 */
+        if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;        /* q-1 */
+        if (!BN_mul(r0,r1,r2,ctx)) goto err;    /* (p-1)(q-1) */
+/* should not be needed, since gcd(p-1,e) == 1 and gcd(q-1,e) == 1 */
+/*      for (;;)
+                {
+                if (!BN_gcd(r3,r0,rsa->e,ctx)) goto err;
+                if (BN_is_one(r3)) break;
+                if (1)
+                        {
+                        if (!BN_add_word(rsa->e,2L)) goto err;
+                        continue;
+                        }
+                RSAerr(RSA_F_RSA_GENERATE_KEY,RSA_R_BAD_E_VALUE);
+                goto err;
+                }
+*/
+        rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2);     /* d */
+        if (rsa->d == NULL) goto err;
+        /* calculate d mod (p-1) */
+        rsa->dmp1=BN_new();
+        if (rsa->dmp1 == NULL) goto err;
+        if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx)) goto err;
+        /* calculate d mod (q-1) */
+        rsa->dmq1=BN_new();
+        if (rsa->dmq1 == NULL) goto err;
+        if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx)) goto err;
+        /* calculate inverse of q mod p */
+        rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
+        if (rsa->iqmp == NULL) goto err;
+        ok=1;
 err:
        if (ok == -1)
                {

diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index f835be8afc..b7d2460754 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,13 +1,3 @@
1
2	/* This file has been explicitly broken by ryker for OpenBSD, July
3	* 1, 1998. In spite of the title, there is no implementation of the
4	* RSA algorithm left in this file. All these routines will return an
5	* error and fail when called. They exist as stubs and can be
6	* ressurected from the bit bucket by someone in the free world once
7	* the RSA algorithm is no longer subject to patent problems. Eric
8	* Young's original copyright is below.
9	*/
10
11	/* crypto/rsa/rsa_eay.c */	1	/* crypto/rsa/rsa_eay.c */
12	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
13	* All rights reserved.	3	* All rights reserved.
@@ -184,13 +174,62 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
184	unsigned char *buf=NULL;	174	unsigned char *buf=NULL;
185	BN_CTX *ctx=NULL;	175	BN_CTX *ctx=NULL;
186		176
187	BN_init(&f);	177	BN_init(&f);
188	BN_init(&ret);	178	BN_init(&ret);
		179
		180	if ((ctx=BN_CTX_new()) == NULL) goto err;
		181	num=BN_num_bytes(rsa->n);
		182	if ((buf=(unsigned char *)Malloc(num)) == NULL)
		183	{
		184	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
		185	goto err;
		186	}
		187
		188	switch (padding)
		189	{
		190	case RSA_PKCS1_PADDING:
		191	i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
		192	break;
		193	case RSA_NO_PADDING:
		194	i=RSA_padding_add_none(buf,num,from,flen);
		195	break;
		196	case RSA_SSLV23_PADDING:
		197	default:
		198	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		199	goto err;
		200	}
		201	if (i <= 0) goto err;
		202
		203	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
		204
		205	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
		206	RSA_blinding_on(rsa,ctx);
		207	if (rsa->flags & RSA_FLAG_BLINDING)
		208	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
189		209
190	/* Body of this routine removed for OpenBSD - will return	210	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|
191	* when the RSA patent expires	211	((rsa->p != NULL) &&
192	*/	212	(rsa->q != NULL) &&
		213	(rsa->dmp1 != NULL) &&
		214	(rsa->dmq1 != NULL) &&
		215	(rsa->iqmp != NULL)) )
		216	{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
		217	else
		218	{
		219	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
		220	}
		221
		222	if (rsa->flags & RSA_FLAG_BLINDING)
		223	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
		224
		225	/* put in leading 0 bytes if the number is less than the
		226	* length of the modulus */
		227	j=BN_num_bytes(&ret);
		228	i=BN_bn2bin(&ret,&(to[num-j]));
		229	for (k=0; k<(num-i); k++)
		230	to[k]=0;
193		231
		232	r=num;
194	err:	233	err:
195	if (ctx != NULL) BN_CTX_free(ctx);	234	if (ctx != NULL) BN_CTX_free(ctx);
196	BN_clear_free(&ret);	235	BN_clear_free(&ret);
@@ -212,12 +251,77 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
212	unsigned char *buf=NULL;	251	unsigned char *buf=NULL;
213	BN_CTX *ctx=NULL;	252	BN_CTX *ctx=NULL;
214		253
215	BN_init(&f);	254	BN_init(&f);
216	BN_init(&ret);	255	BN_init(&ret);
		256	ctx=BN_CTX_new();
		257	if (ctx == NULL) goto err;
		258
		259	num=BN_num_bytes(rsa->n);
		260
		261	if ((buf=(unsigned char *)Malloc(num)) == NULL)
		262	{
		263	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
		264	goto err;
		265	}
		266
		267	/* This check was for equality but PGP does evil things
		268	* and chops off the top '0' bytes */
		269	if (flen > num)
		270	{
		271	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		272	goto err;
		273	}
		274
		275	/* make data into a big number */
		276	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
217		277
218	/* Body of this routine removed for OpenBSD - will return	278	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
219	* when the RSA patent expires	279	RSA_blinding_on(rsa,ctx);
220	*/	280	if (rsa->flags & RSA_FLAG_BLINDING)
		281	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
		282
		283	/* do the decrypt */
		284	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|
		285	((rsa->p != NULL) &&
		286	(rsa->q != NULL) &&
		287	(rsa->dmp1 != NULL) &&
		288	(rsa->dmq1 != NULL) &&
		289	(rsa->iqmp != NULL)) )
		290	{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
		291	else
		292	{
		293	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
		294	goto err;
		295	}
		296
		297	if (rsa->flags & RSA_FLAG_BLINDING)
		298	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
		299
		300	p=buf;
		301	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
		302
		303	switch (padding)
		304	{
		305	case RSA_PKCS1_PADDING:
		306	r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
		307	break;
		308	#ifndef NO_SHA
		309	case RSA_PKCS1_OAEP_PADDING:
		310	r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
		311	break;
		312	#endif
		313	case RSA_SSLV23_PADDING:
		314	r=RSA_padding_check_SSLv23(to,num,buf,j,num);
		315	break;
		316	case RSA_NO_PADDING:
		317	r=RSA_padding_check_none(to,num,buf,j,num);
		318	break;
		319	default:
		320	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		321	goto err;
		322	}
		323	if (r < 0)
		324	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
221		325
222	err:	326	err:
223	if (ctx != NULL) BN_CTX_free(ctx);	327	if (ctx != NULL) BN_CTX_free(ctx);
@@ -240,12 +344,56 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
240	unsigned char *buf=NULL;	344	unsigned char *buf=NULL;
241	BN_CTX *ctx=NULL;	345	BN_CTX *ctx=NULL;
242		346
243	BN_init(&f);	347	BN_init(&f);
244	BN_init(&ret);	348	BN_init(&ret);
		349	ctx=BN_CTX_new();
		350	if (ctx == NULL) goto err;
		351
		352	num=BN_num_bytes(rsa->n);
		353	buf=(unsigned char *)Malloc(num);
		354	if (buf == NULL)
		355	{
		356	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
		357	goto err;
		358	}
245		359
246	/* Body of this routine removed for OpenBSD - will return	360	/* This check was for equality but PGP does evil things
247	* when the RSA patent expires	361	* and chops off the top '0' bytes */
248	*/	362	if (flen > num)
		363	{
		364	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		365	goto err;
		366	}
		367
		368	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
		369	/* do the decrypt */
		370	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
		371	{
		372	if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
		373	if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
		374	goto err;
		375	}
		376
		377	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
		378	rsa->_method_mod_n)) goto err;
		379
		380	p=buf;
		381	i=BN_bn2bin(&ret,p);
		382
		383	switch (padding)
		384	{
		385	case RSA_PKCS1_PADDING:
		386	r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
		387	break;
		388	case RSA_NO_PADDING:
		389	r=RSA_padding_check_none(to,num,buf,i,num);
		390	break;
		391	default:
		392	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		393	goto err;
		394	}
		395	if (r < 0)
		396	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
249		397
250	err:	398	err:
251	if (ctx != NULL) BN_CTX_free(ctx);	399	if (ctx != NULL) BN_CTX_free(ctx);
@@ -263,15 +411,59 @@ static int RSA_eay_mod_exp(BIGNUM r0, BIGNUM I, RSA *rsa)
263	{	411	{
264	BIGNUM r1,m1;	412	BIGNUM r1,m1;
265	int ret=0;	413	int ret=0;
266	BN_CTX *ctx = NULL;	414	BN_CTX *ctx;
267		415
		416	if ((ctx=BN_CTX_new()) == NULL) goto err;
268	BN_init(&m1);	417	BN_init(&m1);
269	BN_init(&r1);	418	BN_init(&r1);
270	if ((ctx=BN_CTX_new()) == NULL) goto err;
271		419
272	/* Body of this routine removed for OpenBSD - will return	420	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
273	* when the RSA patent expires	421	{
274	*/	422	if (rsa->_method_mod_p == NULL)
		423	{
		424	if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
		425	if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
		426	ctx))
		427	goto err;
		428	}
		429	if (rsa->_method_mod_q == NULL)
		430	{
		431	if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
		432	if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
		433	ctx))
		434	goto err;
		435	}
		436	}
		437
		438	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
		439	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
		440	rsa->_method_mod_q)) goto err;
		441
		442	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
		443	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
		444	rsa->_method_mod_p)) goto err;
		445
		446	if (!BN_sub(r0,r0,&m1)) goto err;
		447	/* This will help stop the size of r0 increasing, which does
		448	* affect the multiply if it optimised for a power of 2 size */
		449	if (r0->neg)
		450	if (!BN_add(r0,r0,rsa->p)) goto err;
		451
		452	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
		453	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
		454	/* If p < q it is occasionally possible for the correction of
		455	* adding 'p' if r0 is negative above to leave the result still
		456	* negative. This can break the private key operations: the following
		457	* second correction should always correct this rare occurrence.
		458	* This will never happen with OpenSSL generated keys because
		459	* they ensure p > q [steve]
		460	*/
		461	if (r0->neg)
		462	if (!BN_add(r0,r0,rsa->p)) goto err;
		463	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
		464	if (!BN_add(r0,&r1,&m1)) goto err;
		465
		466	ret=1;
275	err:	467	err:
276	BN_clear_free(&m1);	468	BN_clear_free(&m1);
277	BN_clear_free(&r1);	469	BN_clear_free(&r1);


diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c index b1ee5d8dce..95e636d3f0 100644 --- a/src/lib/libcrypto/rsa/rsa_gen.c +++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -74,11 +74,108 @@ RSA *RSA_generate_key(int bits, unsigned long e_value,
74	if (ctx == NULL) goto err;	74	if (ctx == NULL) goto err;
75	ctx2=BN_CTX_new();	75	ctx2=BN_CTX_new();
76	if (ctx2 == NULL) goto err;	76	if (ctx2 == NULL) goto err;
		77	BN_CTX_start(ctx);
		78	r0 = BN_CTX_get(ctx);
		79	r1 = BN_CTX_get(ctx);
		80	r2 = BN_CTX_get(ctx);
		81	r3 = BN_CTX_get(ctx);
		82	if (r3 == NULL) goto err;
77		83
78	/* Body of this routine removed for OpenBSD - will return	84	bitsp=(bits+1)/2;
79	* when the RSA patent expires	85	bitsq=bits-bitsp;
80	*/	86	rsa=RSA_new();
		87	if (rsa == NULL) goto err;
81		88
		89	/* set e */
		90	rsa->e=BN_new();
		91	if (rsa->e == NULL) goto err;
		92
		93	#if 1
		94	/* The problem is when building with 8, 16, or 32 BN_ULONG,
		95	* unsigned long can be larger */
		96	for (i=0; i<sizeof(unsigned long)*8; i++)
		97	{
		98	if (e_value & (1<<i))
		99	BN_set_bit(rsa->e,i);
		100	}
		101	#else
		102	if (!BN_set_word(rsa->e,e_value)) goto err;
		103	#endif
		104
		105	/* generate p and q */
		106	for (;;)
		107	{
		108	rsa->p=BN_generate_prime(NULL,bitsp,0,NULL,NULL,callback,cb_arg);
		109	if (rsa->p == NULL) goto err;
		110	if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
		111	if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
		112	if (BN_is_one(r1)) break;
		113	if (callback != NULL) callback(2,n++,cb_arg);
		114	BN_free(rsa->p);
		115	}
		116	if (callback != NULL) callback(3,0,cb_arg);
		117	for (;;)
		118	{
		119	rsa->q=BN_generate_prime(NULL,bitsq,0,NULL,NULL,callback,cb_arg);
		120	if (rsa->q == NULL) goto err;
		121	if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
		122	if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
		123	if (BN_is_one(r1) && (BN_cmp(rsa->p,rsa->q) != 0))
		124	break;
		125	if (callback != NULL) callback(2,n++,cb_arg);
		126	BN_free(rsa->q);
		127	}
		128	if (callback != NULL) callback(3,1,cb_arg);
		129	if (BN_cmp(rsa->p,rsa->q) < 0)
		130	{
		131	tmp=rsa->p;
		132	rsa->p=rsa->q;
		133	rsa->q=tmp;
		134	}
		135
		136	/* calculate n */
		137	rsa->n=BN_new();
		138	if (rsa->n == NULL) goto err;
		139	if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
		140
		141	/* calculate d */
		142	if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */
		143	if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */
		144	if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */
		145
		146	/* should not be needed, since gcd(p-1,e) == 1 and gcd(q-1,e) == 1 */
		147	/* for (;;)
		148	{
		149	if (!BN_gcd(r3,r0,rsa->e,ctx)) goto err;
		150	if (BN_is_one(r3)) break;
		151
		152	if (1)
		153	{
		154	if (!BN_add_word(rsa->e,2L)) goto err;
		155	continue;
		156	}
		157	RSAerr(RSA_F_RSA_GENERATE_KEY,RSA_R_BAD_E_VALUE);
		158	goto err;
		159	}
		160	*/
		161	rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */
		162	if (rsa->d == NULL) goto err;
		163
		164	/* calculate d mod (p-1) */
		165	rsa->dmp1=BN_new();
		166	if (rsa->dmp1 == NULL) goto err;
		167	if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx)) goto err;
		168
		169	/* calculate d mod (q-1) */
		170	rsa->dmq1=BN_new();
		171	if (rsa->dmq1 == NULL) goto err;
		172	if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx)) goto err;
		173
		174	/* calculate inverse of q mod p */
		175	rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
		176	if (rsa->iqmp == NULL) goto err;
		177
		178	ok=1;
82	err:	179	err:
83	if (ok == -1)	180	if (ok == -1)
84	{	181	{