1 files changed, 0 insertions, 616 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
deleted file mode 100644
index 0b648138ee..0000000000
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ /dev/null
@@ -1,616 +0,0 @@
-/* $OpenBSD: rsa_pmeth.c,v 1.17 2015/06/20 01:07:25 doug Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2006.
- */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <limits.h>
-#include <stdio.h>
-#include <string.h>
-#include <openssl/opensslconf.h>
-#include <openssl/asn1t.h>
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-#ifndef OPENSSL_NO_CMS
-#include <openssl/cms.h>
-#endif
-#include "evp_locl.h"
-#include "rsa_locl.h"
-/* RSA pkey context structure */
-typedef struct {
-        /* Key gen parameters */
-        int nbits;
-        BIGNUM *pub_exp;
-        /* Keygen callback info */
-        int gentmp[2];
-        /* RSA padding mode */
-        int pad_mode;
-        /* message digest */
-        const EVP_MD *md;
-        /* message digest for MGF1 */
-        const EVP_MD *mgf1md;
-        /* PSS/OAEP salt length */
-        int saltlen;
-        /* Temp buffer */
-        unsigned char *tbuf;
-} RSA_PKEY_CTX;
-static int
-pkey_rsa_init(EVP_PKEY_CTX *ctx)
-{
-        RSA_PKEY_CTX *rctx;
-        rctx = malloc(sizeof(RSA_PKEY_CTX));
-        if (!rctx)
-                return 0;
-        rctx->nbits = 2048;
-        rctx->pub_exp = NULL;
-        rctx->pad_mode = RSA_PKCS1_PADDING;
-        rctx->md = NULL;
-        rctx->mgf1md = NULL;
-        rctx->tbuf = NULL;
-        rctx->saltlen = -2;
-        ctx->data = rctx;
-        ctx->keygen_info = rctx->gentmp;
-        ctx->keygen_info_count = 2;
-        return 1;
-}
-static int
-pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
-{
-        RSA_PKEY_CTX *dctx, *sctx;
-        if (!pkey_rsa_init(dst))
-                return 0;
-        sctx = src->data;
-        dctx = dst->data;
-        dctx->nbits = sctx->nbits;
-        if (sctx->pub_exp) {
-                dctx->pub_exp = BN_dup(sctx->pub_exp);
-                if (!dctx->pub_exp)
-                        return 0;
-        }
-        dctx->pad_mode = sctx->pad_mode;
-        dctx->md = sctx->md;
-        return 1;
-}
-static int
-setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
-{
-        if (ctx->tbuf)
-                return 1;
-        ctx->tbuf = malloc(EVP_PKEY_size(pk->pkey));
-        if (!ctx->tbuf)
-                return 0;
-        return 1;
-}
-static void
-pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
-{
-        RSA_PKEY_CTX *rctx = ctx->data;
-        if (rctx) {
-                BN_free(rctx->pub_exp);
-                free(rctx->tbuf);
-                free(rctx);
-        }
-}
-static int
-pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
-    const unsigned char *tbs, size_t tbslen)
-{
-        int ret;
-        RSA_PKEY_CTX *rctx = ctx->data;
-        RSA *rsa = ctx->pkey->pkey.rsa;
-        if (rctx->md) {
-                if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
-                        RSAerr(RSA_F_PKEY_RSA_SIGN,
-                            RSA_R_INVALID_DIGEST_LENGTH);
-                        return -1;
-                }
-                if (rctx->pad_mode == RSA_X931_PADDING) {
-                        if (!setup_tbuf(rctx, ctx))
-                                return -1;
-                        memcpy(rctx->tbuf, tbs, tbslen);
-                        rctx->tbuf[tbslen] =
-                            RSA_X931_hash_id(EVP_MD_type(rctx->md));
-                        ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
-                            rsa, RSA_X931_PADDING);
-                } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
-                        unsigned int sltmp;
-                        ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
-                            &sltmp, rsa);
-                        if (ret <= 0)
-                                return ret;
-                        ret = sltmp;
-                } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
-                        if (!setup_tbuf(rctx, ctx))
-                                return -1;
-                        if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf,
-                            tbs, rctx->md, rctx->mgf1md, rctx->saltlen))
-                                return -1;
-                        ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
-                            sig, rsa, RSA_NO_PADDING);
-                } else
-                        return -1;
-        } else
-                ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
-                    rctx->pad_mode);
-        if (ret < 0)
-                return ret;
-        *siglen = ret;
-        return 1;
-}
-static int
-pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen,
-    const unsigned char *sig, size_t siglen)
-{
-        int ret;
-        RSA_PKEY_CTX *rctx = ctx->data;
-        if (rctx->md) {
-                if (rctx->pad_mode == RSA_X931_PADDING) {
-                        if (!setup_tbuf(rctx, ctx))
-                                return -1;
-                        ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
-                            ctx->pkey->pkey.rsa, RSA_X931_PADDING);
-                        if (ret < 1)
-                                return 0;
-                        ret--;
-                        if (rctx->tbuf[ret] !=
-                                RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
-                                RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
-                                    RSA_R_ALGORITHM_MISMATCH);
-                                return 0;
-                        }
-                        if (ret != EVP_MD_size(rctx->md)) {
-                                RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
-                                    RSA_R_INVALID_DIGEST_LENGTH);
-                                return 0;
-                        }
-                        if (rout)
-                                memcpy(rout, rctx->tbuf, ret);
-                } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
-                        size_t sltmp;
-                        ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
-                            rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
-                        if (ret <= 0)
-                                return 0;
-                        ret = sltmp;
-                } else
-                        return -1;
-        } else
-                ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
-                    rctx->pad_mode);
-        if (ret < 0)
-                return ret;
-        *routlen = ret;
-        return 1;
-}
-static int
-pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
-    const unsigned char *tbs, size_t tbslen)
-{
-        RSA_PKEY_CTX *rctx = ctx->data;
-        RSA *rsa = ctx->pkey->pkey.rsa;
-        size_t rslen;
-        if (rctx->md) {
-                if (rctx->pad_mode == RSA_PKCS1_PADDING)
-                        return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
-                            sig, siglen, rsa);
-                if (rctx->pad_mode == RSA_X931_PADDING) {
-                        if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
-                            siglen) <= 0)
-                                return 0;
-                } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
-                        int ret;
-                        if (!setup_tbuf(rctx, ctx))
-                                return -1;
-                        ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
-                            rsa, RSA_NO_PADDING);
-                        if (ret <= 0)
-                                return 0;
-                        ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
-                            rctx->mgf1md, rctx->tbuf, rctx->saltlen);
-                        if (ret <= 0)
-                                return 0;
-                        return 1;
-                } else
-                        return -1;
-        } else {
-                if (!setup_tbuf(rctx, ctx))
-                        return -1;
-                rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
-                    rctx->pad_mode);
-                if (rslen == 0)
-                        return 0;
-        }
-        if (rslen != tbslen || memcmp(tbs, rctx->tbuf, rslen))
-                return 0;
-        return 1;
-}
-static int
-pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
-    const unsigned char *in, size_t inlen)
-{
-        int ret;
-        RSA_PKEY_CTX *rctx = ctx->data;
-        ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
-            rctx->pad_mode);
-        if (ret < 0)
-                return ret;
-        *outlen = ret;
-        return 1;
-}
-static int
-pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
-    const unsigned char *in, size_t inlen)
-{
-        int ret;
-        RSA_PKEY_CTX *rctx = ctx->data;
-        ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
-            rctx->pad_mode);
-        if (ret < 0)
-                return ret;
-        *outlen = ret;
-        return 1;
-}
-static int
-check_padding_md(const EVP_MD *md, int padding)
-{
-        if (!md)
-                return 1;
-        if (padding == RSA_NO_PADDING) {
-                RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
-                return 0;
-        }
-        if (padding == RSA_X931_PADDING) {
-                if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
-                        RSAerr(RSA_F_CHECK_PADDING_MD,
-                            RSA_R_INVALID_X931_DIGEST);
-                        return 0;
-                }
-                return 1;
-        }
-        return 1;
-}
-static int
-pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
-{
-        RSA_PKEY_CTX *rctx = ctx->data;
-        switch (type) {
-        case EVP_PKEY_CTRL_RSA_PADDING:
-                if (p1 >= RSA_PKCS1_PADDING && p1 <= RSA_PKCS1_PSS_PADDING) {
-                        if (!check_padding_md(rctx->md, p1))
-                                return 0;
-                        if (p1 == RSA_PKCS1_PSS_PADDING) {
-                                if (!(ctx->operation &
-                                    (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
-                                        goto bad_pad;
-                                if (!rctx->md)
-                                        rctx->md = EVP_sha1();
-                        }
-                        if (p1 == RSA_PKCS1_OAEP_PADDING) {
-                                if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
-                                        goto bad_pad;
-                                if (!rctx->md)
-                                        rctx->md = EVP_sha1();
-                        }
-                        rctx->pad_mode = p1;
-                        return 1;
-                }
-bad_pad:
-                RSAerr(RSA_F_PKEY_RSA_CTRL,
-                    RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
-                return -2;
-        case EVP_PKEY_CTRL_GET_RSA_PADDING:
-                *(int *)p2 = rctx->pad_mode;
-                return 1;
-        case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
-        case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
-                if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
-                        RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
-                        return -2;
-                }
-                if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
-                        *(int *)p2 = rctx->saltlen;
-                else {
-                        if (p1 < -2)
-                                return -2;
-                        rctx->saltlen = p1;
-                }
-                return 1;
-        case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
-                if (p1 < 256) {
-                        RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
-                        return -2;
-                }
-                rctx->nbits = p1;
-                return 1;
-        case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
-                if (!p2)
-                        return -2;
-                rctx->pub_exp = p2;
-                return 1;
-        case EVP_PKEY_CTRL_MD:
-                if (!check_padding_md(p2, rctx->pad_mode))
-                        return 0;
-                rctx->md = p2;
-                return 1;
-        case EVP_PKEY_CTRL_RSA_MGF1_MD:
-        case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
-                if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
-                        RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
-                        return -2;
-                }
-                if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
-                        if (rctx->mgf1md)
-                                *(const EVP_MD **)p2 = rctx->mgf1md;
-                        else
-                                *(const EVP_MD **)p2 = rctx->md;
-                } else
-                        rctx->mgf1md = p2;
-                return 1;
-        case EVP_PKEY_CTRL_DIGESTINIT:
-        case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
-        case EVP_PKEY_CTRL_PKCS7_DECRYPT:
-        case EVP_PKEY_CTRL_PKCS7_SIGN:
-                return 1;
-#ifndef OPENSSL_NO_CMS
-        case EVP_PKEY_CTRL_CMS_DECRYPT:
-                {
-                        X509_ALGOR *alg = NULL;
-                        ASN1_OBJECT *encalg = NULL;
-                        if (p2)
-                                CMS_RecipientInfo_ktri_get0_algs(p2, NULL,
-                                    NULL, &alg);
-                        if (alg)
-                                X509_ALGOR_get0(&encalg, NULL, NULL, alg);
-                        if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep)
-                                rctx->pad_mode = RSA_PKCS1_OAEP_PADDING;
-                }
-                /* FALLTHROUGH */
-        case EVP_PKEY_CTRL_CMS_ENCRYPT:
-        case EVP_PKEY_CTRL_CMS_SIGN:
-                return 1;
-#endif
-        case EVP_PKEY_CTRL_PEER_KEY:
-                RSAerr(RSA_F_PKEY_RSA_CTRL,
-                    RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
-                return -2;
-        default:
-                return -2;
-        }
-}
-static int
-pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
-{
-        long lval;
-        char *ep;
-        if (!value) {
-                RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
-                return 0;
-        }
-        if (!strcmp(type, "rsa_padding_mode")) {
-                int pm;
-                if (!strcmp(value, "pkcs1"))
-                        pm = RSA_PKCS1_PADDING;
-                else if (!strcmp(value, "sslv23"))
-                        pm = RSA_SSLV23_PADDING;
-                else if (!strcmp(value, "none"))
-                        pm = RSA_NO_PADDING;
-                else if (!strcmp(value, "oeap"))
-                        pm = RSA_PKCS1_OAEP_PADDING;
-                else if (!strcmp(value, "oaep"))
-                        pm = RSA_PKCS1_OAEP_PADDING;
-                else if (!strcmp(value, "x931"))
-                        pm = RSA_X931_PADDING;
-                else if (!strcmp(value, "pss"))
-                        pm = RSA_PKCS1_PSS_PADDING;
-                else {
-                        RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
-                            RSA_R_UNKNOWN_PADDING_TYPE);
-                        return -2;
-                }
-                return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
-        }
-        if (!strcmp(type, "rsa_pss_saltlen")) {
-                int saltlen;
-                errno = 0;
-                lval = strtol(value, &ep, 10);
-                if (value[0] == '\0' || *ep != '\0')
-                        goto not_a_number;
-                if ((errno == ERANGE &&
-                    (lval == LONG_MAX || lval == LONG_MIN)) ||
-                    (lval > INT_MAX || lval < INT_MIN))
-                        goto out_of_range;
-                saltlen = lval;
-                return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
-        }
-        if (!strcmp(type, "rsa_keygen_bits")) {
-                int nbits;
-                errno = 0;
-                lval = strtol(value, &ep, 10);
-                if (value[0] == '\0' || *ep != '\0')
-                        goto not_a_number;
-                if ((errno == ERANGE &&
-                    (lval == LONG_MAX || lval == LONG_MIN)) ||
-                    (lval > INT_MAX || lval < INT_MIN))
-                        goto out_of_range;
-                nbits = lval;
-                return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
-        }
-        if (!strcmp(type, "rsa_keygen_pubexp")) {
-                int ret;
-                BIGNUM *pubexp = NULL;
-                if (!BN_asc2bn(&pubexp, value))
-                        return 0;
-                ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
-                if (ret <= 0)
-                        BN_free(pubexp);
-                return ret;
-        }
-not_a_number:
-out_of_range:
-        return -2;
-}
-static int
-pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
-{
-        RSA *rsa = NULL;
-        RSA_PKEY_CTX *rctx = ctx->data;
-        BN_GENCB *pcb, cb;
-        int ret;
-        if (!rctx->pub_exp) {
-                rctx->pub_exp = BN_new();
-                if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
-                        return 0;
-        }
-        rsa = RSA_new();
-        if (!rsa)
-                return 0;
-        if (ctx->pkey_gencb) {
-                pcb = &cb;
-                evp_pkey_set_cb_translate(pcb, ctx);
-        } else
-                pcb = NULL;
-        ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
-        if (ret > 0)
-                EVP_PKEY_assign_RSA(pkey, rsa);
-        else
-                RSA_free(rsa);
-        return ret;
-}
-const EVP_PKEY_METHOD rsa_pkey_meth = {
-        .pkey_id = EVP_PKEY_RSA,
-        .flags = EVP_PKEY_FLAG_AUTOARGLEN,
-        .init = pkey_rsa_init,
-        .copy = pkey_rsa_copy,
-        .cleanup = pkey_rsa_cleanup,
-        .keygen = pkey_rsa_keygen,
-        .sign = pkey_rsa_sign,
-        .verify = pkey_rsa_verify,
-        .verify_recover = pkey_rsa_verifyrecover,
-        .encrypt = pkey_rsa_encrypt,
-        .decrypt = pkey_rsa_decrypt,
-        .ctrl = pkey_rsa_ctrl,
-        .ctrl_str = pkey_rsa_ctrl_str
-};

diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c deleted file mode 100644 index 0b648138ee..0000000000 --- a/src/lib/libcrypto/rsa/rsa_pmeth.c +++ /dev/null
@@ -1,616 +0,0 @@
1	/* $OpenBSD: rsa_pmeth.c,v 1.17 2015/06/20 01:07:25 doug Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.
4	*/
5	/* ====================================================================
6	* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7	*
8	* Redistribution and use in source and binary forms, with or without
9	* modification, are permitted provided that the following conditions
10	* are met:
11	*
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	*
15	* 2. Redistributions in binary form must reproduce the above copyright
16	* notice, this list of conditions and the following disclaimer in
17	* the documentation and/or other materials provided with the
18	* distribution.
19	*
20	* 3. All advertising materials mentioning features or use of this
21	* software must display the following acknowledgment:
22	* "This product includes software developed by the OpenSSL Project
23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24	*
25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26	* endorse or promote products derived from this software without
27	* prior written permission. For written permission, please contact
28	* licensing@OpenSSL.org.
29	*
30	* 5. Products derived from this software may not be called "OpenSSL"
31	* nor may "OpenSSL" appear in their names without prior written
32	* permission of the OpenSSL Project.
33	*
34	* 6. Redistributions of any form whatsoever must retain the following
35	* acknowledgment:
36	* "This product includes software developed by the OpenSSL Project
37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38	*
39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	* OF THE POSSIBILITY OF SUCH DAMAGE.
51	* ====================================================================
52	*
53	* This product includes cryptographic software written by Eric Young
54	* (eay@cryptsoft.com). This product includes software written by Tim
55	* Hudson (tjh@cryptsoft.com).
56	*
57	*/
58
59	#include <limits.h>
60	#include <stdio.h>
61	#include <string.h>
62
63	#include <openssl/opensslconf.h>
64
65	#include <openssl/asn1t.h>
66	#include <openssl/bn.h>
67	#include <openssl/err.h>
68	#include <openssl/evp.h>
69	#include <openssl/rsa.h>
70	#include <openssl/x509.h>
71
72	#ifndef OPENSSL_NO_CMS
73	#include <openssl/cms.h>
74	#endif
75
76	#include "evp_locl.h"
77	#include "rsa_locl.h"
78
79	/* RSA pkey context structure */
80
81	typedef struct {
82	/* Key gen parameters */
83	int nbits;
84	BIGNUM *pub_exp;
85	/* Keygen callback info */
86	int gentmp[2];
87	/* RSA padding mode */
88	int pad_mode;
89	/* message digest */
90	const EVP_MD *md;
91	/* message digest for MGF1 */
92	const EVP_MD *mgf1md;
93	/* PSS/OAEP salt length */
94	int saltlen;
95	/* Temp buffer */
96	unsigned char *tbuf;
97	} RSA_PKEY_CTX;
98
99	static int
100	pkey_rsa_init(EVP_PKEY_CTX *ctx)
101	{
102	RSA_PKEY_CTX *rctx;
103
104	rctx = malloc(sizeof(RSA_PKEY_CTX));
105	if (!rctx)
106	return 0;
107	rctx->nbits = 2048;
108	rctx->pub_exp = NULL;
109	rctx->pad_mode = RSA_PKCS1_PADDING;
110	rctx->md = NULL;
111	rctx->mgf1md = NULL;
112	rctx->tbuf = NULL;
113
114	rctx->saltlen = -2;
115
116	ctx->data = rctx;
117	ctx->keygen_info = rctx->gentmp;
118	ctx->keygen_info_count = 2;
119
120	return 1;
121	}
122
123	static int
124	pkey_rsa_copy(EVP_PKEY_CTX dst, EVP_PKEY_CTX src)
125	{
126	RSA_PKEY_CTX dctx, sctx;
127
128	if (!pkey_rsa_init(dst))
129	return 0;
130	sctx = src->data;
131	dctx = dst->data;
132	dctx->nbits = sctx->nbits;
133	if (sctx->pub_exp) {
134	dctx->pub_exp = BN_dup(sctx->pub_exp);
135	if (!dctx->pub_exp)
136	return 0;
137	}
138	dctx->pad_mode = sctx->pad_mode;
139	dctx->md = sctx->md;
140	return 1;
141	}
142
143	static int
144	setup_tbuf(RSA_PKEY_CTX ctx, EVP_PKEY_CTX pk)
145	{
146	if (ctx->tbuf)
147	return 1;
148	ctx->tbuf = malloc(EVP_PKEY_size(pk->pkey));
149	if (!ctx->tbuf)
150	return 0;
151	return 1;
152	}
153
154	static void
155	pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
156	{
157	RSA_PKEY_CTX *rctx = ctx->data;
158
159	if (rctx) {
160	BN_free(rctx->pub_exp);
161	free(rctx->tbuf);
162	free(rctx);
163	}
164	}
165
166	static int
167	pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,
168	const unsigned char *tbs, size_t tbslen)
169	{
170	int ret;
171	RSA_PKEY_CTX *rctx = ctx->data;
172	RSA *rsa = ctx->pkey->pkey.rsa;
173
174	if (rctx->md) {
175	if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
176	RSAerr(RSA_F_PKEY_RSA_SIGN,
177	RSA_R_INVALID_DIGEST_LENGTH);
178	return -1;
179	}
180
181	if (rctx->pad_mode == RSA_X931_PADDING) {
182	if (!setup_tbuf(rctx, ctx))
183	return -1;
184	memcpy(rctx->tbuf, tbs, tbslen);
185	rctx->tbuf[tbslen] =
186	RSA_X931_hash_id(EVP_MD_type(rctx->md));
187	ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
188	rsa, RSA_X931_PADDING);
189	} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
190	unsigned int sltmp;
191
192	ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
193	&sltmp, rsa);
194	if (ret <= 0)
195	return ret;
196	ret = sltmp;
197	} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
198	if (!setup_tbuf(rctx, ctx))
199	return -1;
200	if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf,
201	tbs, rctx->md, rctx->mgf1md, rctx->saltlen))
202	return -1;
203	ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
204	sig, rsa, RSA_NO_PADDING);
205	} else
206	return -1;
207	} else
208	ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
209	rctx->pad_mode);
210	if (ret < 0)
211	return ret;
212	*siglen = ret;
213	return 1;
214	}
215
216	static int
217	pkey_rsa_verifyrecover(EVP_PKEY_CTX ctx, unsigned char rout, size_t *routlen,
218	const unsigned char *sig, size_t siglen)
219	{
220	int ret;
221	RSA_PKEY_CTX *rctx = ctx->data;
222
223	if (rctx->md) {
224	if (rctx->pad_mode == RSA_X931_PADDING) {
225	if (!setup_tbuf(rctx, ctx))
226	return -1;
227	ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
228	ctx->pkey->pkey.rsa, RSA_X931_PADDING);
229	if (ret < 1)
230	return 0;
231	ret--;
232	if (rctx->tbuf[ret] !=
233	RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
234	RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
235	RSA_R_ALGORITHM_MISMATCH);
236	return 0;
237	}
238	if (ret != EVP_MD_size(rctx->md)) {
239	RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
240	RSA_R_INVALID_DIGEST_LENGTH);
241	return 0;
242	}
243	if (rout)
244	memcpy(rout, rctx->tbuf, ret);
245	} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
246	size_t sltmp;
247
248	ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
249	rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
250	if (ret <= 0)
251	return 0;
252	ret = sltmp;
253	} else
254	return -1;
255	} else
256	ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
257	rctx->pad_mode);
258	if (ret < 0)
259	return ret;
260	*routlen = ret;
261	return 1;
262	}
263
264	static int
265	pkey_rsa_verify(EVP_PKEY_CTX ctx, const unsigned char sig, size_t siglen,
266	const unsigned char *tbs, size_t tbslen)
267	{
268	RSA_PKEY_CTX *rctx = ctx->data;
269	RSA *rsa = ctx->pkey->pkey.rsa;
270	size_t rslen;
271
272	if (rctx->md) {
273	if (rctx->pad_mode == RSA_PKCS1_PADDING)
274	return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
275	sig, siglen, rsa);
276	if (rctx->pad_mode == RSA_X931_PADDING) {
277	if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
278	siglen) <= 0)
279	return 0;
280	} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
281	int ret;
282
283	if (!setup_tbuf(rctx, ctx))
284	return -1;
285	ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
286	rsa, RSA_NO_PADDING);
287	if (ret <= 0)
288	return 0;
289	ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
290	rctx->mgf1md, rctx->tbuf, rctx->saltlen);
291	if (ret <= 0)
292	return 0;
293	return 1;
294	} else
295	return -1;
296	} else {
297	if (!setup_tbuf(rctx, ctx))
298	return -1;
299	rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
300	rctx->pad_mode);
301	if (rslen == 0)
302	return 0;
303	}
304
305	if (rslen != tbslen \|\| memcmp(tbs, rctx->tbuf, rslen))
306	return 0;
307
308	return 1;
309	}
310
311	static int
312	pkey_rsa_encrypt(EVP_PKEY_CTX ctx, unsigned char out, size_t *outlen,
313	const unsigned char *in, size_t inlen)
314	{
315	int ret;
316	RSA_PKEY_CTX *rctx = ctx->data;
317
318	ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
319	rctx->pad_mode);
320	if (ret < 0)
321	return ret;
322	*outlen = ret;
323	return 1;
324	}
325
326	static int
327	pkey_rsa_decrypt(EVP_PKEY_CTX ctx, unsigned char out, size_t *outlen,
328	const unsigned char *in, size_t inlen)
329	{
330	int ret;
331	RSA_PKEY_CTX *rctx = ctx->data;
332
333	ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
334	rctx->pad_mode);
335	if (ret < 0)
336	return ret;
337	*outlen = ret;
338	return 1;
339	}
340
341	static int
342	check_padding_md(const EVP_MD *md, int padding)
343	{
344	if (!md)
345	return 1;
346
347	if (padding == RSA_NO_PADDING) {
348	RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
349	return 0;
350	}
351
352	if (padding == RSA_X931_PADDING) {
353	if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
354	RSAerr(RSA_F_CHECK_PADDING_MD,
355	RSA_R_INVALID_X931_DIGEST);
356	return 0;
357	}
358	return 1;
359	}
360
361	return 1;
362	}
363
364	static int
365	pkey_rsa_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)
366	{
367	RSA_PKEY_CTX *rctx = ctx->data;
368
369	switch (type) {
370	case EVP_PKEY_CTRL_RSA_PADDING:
371	if (p1 >= RSA_PKCS1_PADDING && p1 <= RSA_PKCS1_PSS_PADDING) {
372	if (!check_padding_md(rctx->md, p1))
373	return 0;
374	if (p1 == RSA_PKCS1_PSS_PADDING) {
375	if (!(ctx->operation &
376	(EVP_PKEY_OP_SIGN \| EVP_PKEY_OP_VERIFY)))
377	goto bad_pad;
378	if (!rctx->md)
379	rctx->md = EVP_sha1();
380	}
381	if (p1 == RSA_PKCS1_OAEP_PADDING) {
382	if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
383	goto bad_pad;
384	if (!rctx->md)
385	rctx->md = EVP_sha1();
386	}
387	rctx->pad_mode = p1;
388	return 1;
389	}
390	bad_pad:
391	RSAerr(RSA_F_PKEY_RSA_CTRL,
392	RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
393	return -2;
394
395	case EVP_PKEY_CTRL_GET_RSA_PADDING:
396	(int )p2 = rctx->pad_mode;
397	return 1;
398
399	case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
400	case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
401	if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
402	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
403	return -2;
404	}
405	if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
406	(int )p2 = rctx->saltlen;
407	else {
408	if (p1 < -2)
409	return -2;
410	rctx->saltlen = p1;
411	}
412	return 1;
413
414	case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
415	if (p1 < 256) {
416	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
417	return -2;
418	}
419	rctx->nbits = p1;
420	return 1;
421
422	case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
423	if (!p2)
424	return -2;
425	rctx->pub_exp = p2;
426	return 1;
427
428	case EVP_PKEY_CTRL_MD:
429	if (!check_padding_md(p2, rctx->pad_mode))
430	return 0;
431	rctx->md = p2;
432	return 1;
433
434	case EVP_PKEY_CTRL_RSA_MGF1_MD:
435	case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
436	if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
437	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
438	return -2;
439	}
440	if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
441	if (rctx->mgf1md)
442	(const EVP_MD *)p2 = rctx->mgf1md;
443	else
444	(const EVP_MD *)p2 = rctx->md;
445	} else
446	rctx->mgf1md = p2;
447	return 1;
448
449	case EVP_PKEY_CTRL_DIGESTINIT:
450	case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
451	case EVP_PKEY_CTRL_PKCS7_DECRYPT:
452	case EVP_PKEY_CTRL_PKCS7_SIGN:
453	return 1;
454	#ifndef OPENSSL_NO_CMS
455	case EVP_PKEY_CTRL_CMS_DECRYPT:
456	{
457	X509_ALGOR *alg = NULL;
458	ASN1_OBJECT *encalg = NULL;
459
460	if (p2)
461	CMS_RecipientInfo_ktri_get0_algs(p2, NULL,
462	NULL, &alg);
463	if (alg)
464	X509_ALGOR_get0(&encalg, NULL, NULL, alg);
465	if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep)
466	rctx->pad_mode = RSA_PKCS1_OAEP_PADDING;
467	}
468	/* FALLTHROUGH */
469
470	case EVP_PKEY_CTRL_CMS_ENCRYPT:
471	case EVP_PKEY_CTRL_CMS_SIGN:
472	return 1;
473	#endif
474	case EVP_PKEY_CTRL_PEER_KEY:
475	RSAerr(RSA_F_PKEY_RSA_CTRL,
476	RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
477	return -2;
478
479	default:
480	return -2;
481	}
482	}
483
484	static int
485	pkey_rsa_ctrl_str(EVP_PKEY_CTX ctx, const char type, const char *value)
486	{
487	long lval;
488	char *ep;
489
490	if (!value) {
491	RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
492	return 0;
493	}
494	if (!strcmp(type, "rsa_padding_mode")) {
495	int pm;
496	if (!strcmp(value, "pkcs1"))
497	pm = RSA_PKCS1_PADDING;
498	else if (!strcmp(value, "sslv23"))
499	pm = RSA_SSLV23_PADDING;
500	else if (!strcmp(value, "none"))
501	pm = RSA_NO_PADDING;
502	else if (!strcmp(value, "oeap"))
503	pm = RSA_PKCS1_OAEP_PADDING;
504	else if (!strcmp(value, "oaep"))
505	pm = RSA_PKCS1_OAEP_PADDING;
506	else if (!strcmp(value, "x931"))
507	pm = RSA_X931_PADDING;
508	else if (!strcmp(value, "pss"))
509	pm = RSA_PKCS1_PSS_PADDING;
510	else {
511	RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
512	RSA_R_UNKNOWN_PADDING_TYPE);
513	return -2;
514	}
515	return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
516	}
517
518	if (!strcmp(type, "rsa_pss_saltlen")) {
519	int saltlen;
520
521	errno = 0;
522	lval = strtol(value, &ep, 10);
523	if (value[0] == '\0' \|\| *ep != '\0')
524	goto not_a_number;
525	if ((errno == ERANGE &&
526	(lval == LONG_MAX \|\| lval == LONG_MIN)) \|\|
527	(lval > INT_MAX \|\| lval < INT_MIN))
528	goto out_of_range;
529	saltlen = lval;
530	return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
531	}
532
533	if (!strcmp(type, "rsa_keygen_bits")) {
534	int nbits;
535
536	errno = 0;
537	lval = strtol(value, &ep, 10);
538	if (value[0] == '\0' \|\| *ep != '\0')
539	goto not_a_number;
540	if ((errno == ERANGE &&
541	(lval == LONG_MAX \|\| lval == LONG_MIN)) \|\|
542	(lval > INT_MAX \|\| lval < INT_MIN))
543	goto out_of_range;
544	nbits = lval;
545	return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
546	}
547
548	if (!strcmp(type, "rsa_keygen_pubexp")) {
549	int ret;
550	BIGNUM *pubexp = NULL;
551
552	if (!BN_asc2bn(&pubexp, value))
553	return 0;
554	ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
555	if (ret <= 0)
556	BN_free(pubexp);
557	return ret;
558	}
559
560	not_a_number:
561	out_of_range:
562	return -2;
563	}
564
565	static int
566	pkey_rsa_keygen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)
567	{
568	RSA *rsa = NULL;
569	RSA_PKEY_CTX *rctx = ctx->data;
570	BN_GENCB *pcb, cb;
571	int ret;
572
573	if (!rctx->pub_exp) {
574	rctx->pub_exp = BN_new();
575	if (!rctx->pub_exp \|\| !BN_set_word(rctx->pub_exp, RSA_F4))
576	return 0;
577	}
578	rsa = RSA_new();
579	if (!rsa)
580	return 0;
581	if (ctx->pkey_gencb) {
582	pcb = &cb;
583	evp_pkey_set_cb_translate(pcb, ctx);
584	} else
585	pcb = NULL;
586	ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
587	if (ret > 0)
588	EVP_PKEY_assign_RSA(pkey, rsa);
589	else
590	RSA_free(rsa);
591	return ret;
592	}
593
594	const EVP_PKEY_METHOD rsa_pkey_meth = {
595	.pkey_id = EVP_PKEY_RSA,
596	.flags = EVP_PKEY_FLAG_AUTOARGLEN,
597
598	.init = pkey_rsa_init,
599	.copy = pkey_rsa_copy,
600	.cleanup = pkey_rsa_cleanup,
601
602	.keygen = pkey_rsa_keygen,
603
604	.sign = pkey_rsa_sign,
605
606	.verify = pkey_rsa_verify,
607
608	.verify_recover = pkey_rsa_verifyrecover,
609
610	.encrypt = pkey_rsa_encrypt,
611
612	.decrypt = pkey_rsa_decrypt,
613
614	.ctrl = pkey_rsa_ctrl,
615	.ctrl_str = pkey_rsa_ctrl_str
616	};