1 files changed, 19 insertions, 11 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index e65319bda1..6db563f2a4 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_eay.c,v 1.59 2023/04/15 18:48:52 tb Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.60 2023/05/05 12:21:44 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -382,11 +382,14 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
        case RSA_PKCS1_PADDING:
                i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
                break;
+        case RSA_X931_PADDING:
+                i = RSA_padding_add_X931(buf, num, from, flen);
+                break;
        case RSA_NO_PADDING:
                i = RSA_padding_add_none(buf, num, from, flen);
                break;
        default:
-                RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
+                RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
                goto err;
        }
        if (i <= 0)
@@ -446,11 +449,14 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
                        goto err;
        if (padding == RSA_X931_PADDING) {
-                RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
+                if (!BN_sub(f, rsa->n, ret))
-                goto err;
+                        goto err;
-        }
+                if (BN_cmp(ret, f) > 0)
+                        res = f;
-        res = ret;
+                else
+                        res = ret;
+        } else
+                res = ret;
        /* put in leading 0 bytes if the number is less than the
         * length of the modulus */
@@ -661,10 +667,9 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
            rsa->_method_mod_n))
                goto err;
-        if (padding == RSA_X931_PADDING) {
+        if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12)
-                RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
+                if (!BN_sub(ret, rsa->n, ret))
-                goto err;
+                        goto err;
-        }
        p = buf;
        i = BN_bn2bin(ret, p);
@@ -673,6 +678,9 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
        case RSA_PKCS1_PADDING:
                r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
                break;
+        case RSA_X931_PADDING:
+                r = RSA_padding_check_X931(to, num, buf, i, num);
+                break;
        case RSA_NO_PADDING:
                r = RSA_padding_check_none(to, num, buf, i, num);
                break;

diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index e65319bda1..6db563f2a4 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_eay.c,v 1.59 2023/04/15 18:48:52 tb Exp $ */	1	/* $OpenBSD: rsa_eay.c,v 1.60 2023/05/05 12:21:44 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -382,11 +382,14 @@ RSA_eay_private_encrypt(int flen, const unsigned char from, unsigned char to,
382	case RSA_PKCS1_PADDING:	382	case RSA_PKCS1_PADDING:
383	i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);	383	i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
384	break;	384	break;
		385	case RSA_X931_PADDING:
		386	i = RSA_padding_add_X931(buf, num, from, flen);
		387	break;
385	case RSA_NO_PADDING:	388	case RSA_NO_PADDING:
386	i = RSA_padding_add_none(buf, num, from, flen);	389	i = RSA_padding_add_none(buf, num, from, flen);
387	break;	390	break;
388	default:	391	default:
389	RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);	392	RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
390	goto err;	393	goto err;
391	}	394	}
392	if (i <= 0)	395	if (i <= 0)
@@ -446,11 +449,14 @@ RSA_eay_private_encrypt(int flen, const unsigned char from, unsigned char to,
446	goto err;	449	goto err;
447		450
448	if (padding == RSA_X931_PADDING) {	451	if (padding == RSA_X931_PADDING) {
449	RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);	452	if (!BN_sub(f, rsa->n, ret))
450	goto err;	453	goto err;
451	}	454	if (BN_cmp(ret, f) > 0)
452		455	res = f;
453	res = ret;	456	else
		457	res = ret;
		458	} else
		459	res = ret;
454		460
455	/* put in leading 0 bytes if the number is less than the	461	/* put in leading 0 bytes if the number is less than the
456	* length of the modulus */	462	* length of the modulus */
@@ -661,10 +667,9 @@ RSA_eay_public_decrypt(int flen, const unsigned char from, unsigned char to,
661	rsa->_method_mod_n))	667	rsa->_method_mod_n))
662	goto err;	668	goto err;
663		669
664	if (padding == RSA_X931_PADDING) {	670	if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12)
665	RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);	671	if (!BN_sub(ret, rsa->n, ret))
666	goto err;	672	goto err;
667	}
668		673
669	p = buf;	674	p = buf;
670	i = BN_bn2bin(ret, p);	675	i = BN_bn2bin(ret, p);
@@ -673,6 +678,9 @@ RSA_eay_public_decrypt(int flen, const unsigned char from, unsigned char to,
673	case RSA_PKCS1_PADDING:	678	case RSA_PKCS1_PADDING:
674	r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);	679	r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
675	break;	680	break;
		681	case RSA_X931_PADDING:
		682	r = RSA_padding_check_X931(to, num, buf, i, num);
		683	break;
676	case RSA_NO_PADDING:	684	case RSA_NO_PADDING:
677	r = RSA_padding_check_none(to, num, buf, i, num);	685	r = RSA_padding_check_none(to, num, buf, i, num);
678	break;	686	break;