1 files changed, 46 insertions, 94 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index 3747f1dd28..688c0d64db 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pmeth.c,v 1.35 2023/03/06 08:31:34 tb Exp $ */
+/* $OpenBSD: rsa_pmeth.c,v 1.36 2023/04/15 18:48:52 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -187,7 +187,7 @@ static int
 pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
    const unsigned char *tbs, size_t tbslen)
 {
-        int ret;
+        int ret = -1;
        RSA_PKEY_CTX *rctx = ctx->data;
        RSA *rsa = ctx->pkey->pkey.rsa;
@@ -197,21 +197,11 @@ pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
                        return -1;
                }
-                if (rctx->pad_mode == RSA_X931_PADDING) {
+                if (rctx->pad_mode != RSA_PKCS1_PADDING &&
-                        if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {
+                    rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
-                                RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);
+                        return -1;
-                                return -1;
-                        }
+                if (rctx->pad_mode == RSA_PKCS1_PADDING) {
-                        if (!setup_tbuf(rctx, ctx)) {
-                                RSAerror(ERR_R_MALLOC_FAILURE);
-                                return -1;
-                        }
-                        memcpy(rctx->tbuf, tbs, tbslen);
-                        rctx->tbuf[tbslen] =
-                            RSA_X931_hash_id(EVP_MD_type(rctx->md));
-                        ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
-                            rsa, RSA_X931_PADDING);
-                } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
                        unsigned int sltmp;
                        ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
@@ -227,8 +217,6 @@ pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
                                return -1;
                        ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
                            sig, rsa, RSA_NO_PADDING);
-                } else {
-                        return -1;
                }
        } else {
                ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
@@ -248,36 +236,16 @@ pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen,
        RSA_PKEY_CTX *rctx = ctx->data;
        if (rctx->md) {
-                if (rctx->pad_mode == RSA_X931_PADDING) {
+                size_t sltmp;
-                        if (!setup_tbuf(rctx, ctx))
-                                return -1;
-                        ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
-                            ctx->pkey->pkey.rsa, RSA_X931_PADDING);
-                        if (ret < 1)
-                                return 0;
-                        ret--;
-                        if (rctx->tbuf[ret] !=
-                            RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
-                                RSAerror(RSA_R_ALGORITHM_MISMATCH);
-                                return 0;
-                        }
-                        if (ret != EVP_MD_size(rctx->md)) {
-                                RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
-                                return 0;
-                        }
-                        if (rout)
-                                memcpy(rout, rctx->tbuf, ret);
-                } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
-                        size_t sltmp;
-                        ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
+                if (rctx->pad_mode != RSA_PKCS1_PADDING)
-                            rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
-                        if (ret <= 0)
-                                return 0;
-                        ret = sltmp;
-                } else {
                        return -1;
-                }
+                ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
+                    rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
+                if (ret <= 0)
+                        return 0;
+                ret = sltmp;
        } else {
                ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
                    rctx->pad_mode);
@@ -295,6 +263,7 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
        RSA_PKEY_CTX *rctx = ctx->data;
        RSA *rsa = ctx->pkey->pkey.rsa;
        size_t rslen;
+        int ret;
        if (rctx->md) {
                if (rctx->pad_mode == RSA_PKCS1_PADDING)
@@ -304,32 +273,24 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
                        RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
                        return -1;
                }
-                if (rctx->pad_mode == RSA_X931_PADDING) {
-                        if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
-                            siglen) <= 0)
-                                return 0;
-                } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
-                        int ret;
-                        if (!setup_tbuf(rctx, ctx))
+                if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
-                                return -1;
-                        ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
-                            rsa, RSA_NO_PADDING);
-                        if (ret <= 0)
-                                return 0;
-                        ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
-                            rctx->mgf1md, rctx->tbuf, rctx->saltlen);
-                        if (ret <= 0)
-                                return 0;
-                        return 1;
-                } else {
                        return -1;
-                }
-        } else {
-                int ret;
                if (!setup_tbuf(rctx, ctx))
                        return -1;
+                ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
+                    rsa, RSA_NO_PADDING);
+                if (ret <= 0)
+                        return 0;
+                ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
+                    rctx->mgf1md, rctx->tbuf, rctx->saltlen);
+                if (ret <= 0)
+                        return 0;
+                return 1;
+        } else {
+                if (!setup_tbuf(rctx, ctx))
+                        return -1;
                if ((ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
                    rctx->pad_mode)) <= 0)
@@ -404,34 +365,27 @@ check_padding_md(const EVP_MD *md, int padding)
        if (md == NULL)
                return 1;
-        if (padding == RSA_NO_PADDING) {
+        if (padding == RSA_NO_PADDING || padding == RSA_X931_PADDING) {
-                RSAerror(RSA_R_INVALID_PADDING_MODE);
+                RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
                return 0;
        }
-        if (padding == RSA_X931_PADDING) {
+        /* List of all supported RSA digests. */
-                if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
+        switch(EVP_MD_type(md)) {
-                        RSAerror(RSA_R_INVALID_X931_DIGEST);
+        case NID_sha1:
-                        return 0;
+        case NID_sha224:
-                }
+        case NID_sha256:
-        } else {
+        case NID_sha384:
-                /* List of all supported RSA digests. */
+        case NID_sha512:
-                switch(EVP_MD_type(md)) {
+        case NID_md5:
-                case NID_sha1:
+        case NID_md5_sha1:
-                case NID_sha224:
+        case NID_md4:
-                case NID_sha256:
+        case NID_ripemd160:
-                case NID_sha384:
+                return 1;
-                case NID_sha512:
-                case NID_md5:
-                case NID_md5_sha1:
-                case NID_md4:
-                case NID_ripemd160:
-                        return 1;
-                default:
+        default:
-                        RSAerror(RSA_R_INVALID_DIGEST);
+                RSAerror(RSA_R_INVALID_DIGEST);
-                        return 0;
+                return 0;
-                }
        }
        return 1;
@@ -637,8 +591,6 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
                        pm = RSA_PKCS1_OAEP_PADDING;
                else if (!strcmp(value, "oaep"))
                        pm = RSA_PKCS1_OAEP_PADDING;
-                else if (!strcmp(value, "x931"))
-                        pm = RSA_X931_PADDING;
                else if (!strcmp(value, "pss"))
                        pm = RSA_PKCS1_PSS_PADDING;
                else {

diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c index 3747f1dd28..688c0d64db 100644 --- a/src/lib/libcrypto/rsa/rsa_pmeth.c +++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_pmeth.c,v 1.35 2023/03/06 08:31:34 tb Exp $ */	1	/* $OpenBSD: rsa_pmeth.c,v 1.36 2023/04/15 18:48:52 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -187,7 +187,7 @@ static int
187	pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,	187	pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,
188	const unsigned char *tbs, size_t tbslen)	188	const unsigned char *tbs, size_t tbslen)
189	{	189	{
190	int ret;	190	int ret = -1;
191	RSA_PKEY_CTX *rctx = ctx->data;	191	RSA_PKEY_CTX *rctx = ctx->data;
192	RSA *rsa = ctx->pkey->pkey.rsa;	192	RSA *rsa = ctx->pkey->pkey.rsa;
193		193
@@ -197,21 +197,11 @@ pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,
197	return -1;	197	return -1;
198	}	198	}
199		199
200	if (rctx->pad_mode == RSA_X931_PADDING) {	200	if (rctx->pad_mode != RSA_PKCS1_PADDING &&
201	if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {	201	rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
202	RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);	202	return -1;
203	return -1;	203
204	}	204	if (rctx->pad_mode == RSA_PKCS1_PADDING) {
205	if (!setup_tbuf(rctx, ctx)) {
206	RSAerror(ERR_R_MALLOC_FAILURE);
207	return -1;
208	}
209	memcpy(rctx->tbuf, tbs, tbslen);
210	rctx->tbuf[tbslen] =
211	RSA_X931_hash_id(EVP_MD_type(rctx->md));
212	ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
213	rsa, RSA_X931_PADDING);
214	} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
215	unsigned int sltmp;	205	unsigned int sltmp;
216		206
217	ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,	207	ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
@@ -227,8 +217,6 @@ pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,
227	return -1;	217	return -1;
228	ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,	218	ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
229	sig, rsa, RSA_NO_PADDING);	219	sig, rsa, RSA_NO_PADDING);
230	} else {
231	return -1;
232	}	220	}
233	} else {	221	} else {
234	ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,	222	ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
@@ -248,36 +236,16 @@ pkey_rsa_verifyrecover(EVP_PKEY_CTX ctx, unsigned char rout, size_t *routlen,
248	RSA_PKEY_CTX *rctx = ctx->data;	236	RSA_PKEY_CTX *rctx = ctx->data;
249		237
250	if (rctx->md) {	238	if (rctx->md) {
251	if (rctx->pad_mode == RSA_X931_PADDING) {	239	size_t sltmp;
252	if (!setup_tbuf(rctx, ctx))
253	return -1;
254	ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
255	ctx->pkey->pkey.rsa, RSA_X931_PADDING);
256	if (ret < 1)
257	return 0;
258	ret--;
259	if (rctx->tbuf[ret] !=
260	RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
261	RSAerror(RSA_R_ALGORITHM_MISMATCH);
262	return 0;
263	}
264	if (ret != EVP_MD_size(rctx->md)) {
265	RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
266	return 0;
267	}
268	if (rout)
269	memcpy(rout, rctx->tbuf, ret);
270	} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
271	size_t sltmp;
272		240
273	ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,	241	if (rctx->pad_mode != RSA_PKCS1_PADDING)
274	rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
275	if (ret <= 0)
276	return 0;
277	ret = sltmp;
278	} else {
279	return -1;	242	return -1;
280	}	243
		244	ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
		245	rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
		246	if (ret <= 0)
		247	return 0;
		248	ret = sltmp;
281	} else {	249	} else {
282	ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,	250	ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
283	rctx->pad_mode);	251	rctx->pad_mode);
@@ -295,6 +263,7 @@ pkey_rsa_verify(EVP_PKEY_CTX ctx, const unsigned char sig, size_t siglen,
295	RSA_PKEY_CTX *rctx = ctx->data;	263	RSA_PKEY_CTX *rctx = ctx->data;
296	RSA *rsa = ctx->pkey->pkey.rsa;	264	RSA *rsa = ctx->pkey->pkey.rsa;
297	size_t rslen;	265	size_t rslen;
		266	int ret;
298		267
299	if (rctx->md) {	268	if (rctx->md) {
300	if (rctx->pad_mode == RSA_PKCS1_PADDING)	269	if (rctx->pad_mode == RSA_PKCS1_PADDING)
@@ -304,32 +273,24 @@ pkey_rsa_verify(EVP_PKEY_CTX ctx, const unsigned char sig, size_t siglen,
304	RSAerror(RSA_R_INVALID_DIGEST_LENGTH);	273	RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
305	return -1;	274	return -1;
306	}	275	}
307	if (rctx->pad_mode == RSA_X931_PADDING) {
308	if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
309	siglen) <= 0)
310	return 0;
311	} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
312	int ret;
313		276
314	if (!setup_tbuf(rctx, ctx))	277	if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
315	return -1;
316	ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
317	rsa, RSA_NO_PADDING);
318	if (ret <= 0)
319	return 0;
320	ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
321	rctx->mgf1md, rctx->tbuf, rctx->saltlen);
322	if (ret <= 0)
323	return 0;
324	return 1;
325	} else {
326	return -1;	278	return -1;
327	}
328	} else {
329	int ret;
330		279
331	if (!setup_tbuf(rctx, ctx))	280	if (!setup_tbuf(rctx, ctx))
332	return -1;	281	return -1;
		282	ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
		283	rsa, RSA_NO_PADDING);
		284	if (ret <= 0)
		285	return 0;
		286	ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
		287	rctx->mgf1md, rctx->tbuf, rctx->saltlen);
		288	if (ret <= 0)
		289	return 0;
		290	return 1;
		291	} else {
		292	if (!setup_tbuf(rctx, ctx))
		293	return -1;
333		294
334	if ((ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,	295	if ((ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
335	rctx->pad_mode)) <= 0)	296	rctx->pad_mode)) <= 0)
@@ -404,34 +365,27 @@ check_padding_md(const EVP_MD *md, int padding)
404	if (md == NULL)	365	if (md == NULL)
405	return 1;	366	return 1;
406		367
407	if (padding == RSA_NO_PADDING) {	368	if (padding == RSA_NO_PADDING \|\| padding == RSA_X931_PADDING) {
408	RSAerror(RSA_R_INVALID_PADDING_MODE);	369	RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
409	return 0;	370	return 0;
410	}	371	}
411		372
412	if (padding == RSA_X931_PADDING) {	373	/* List of all supported RSA digests. */
413	if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {	374	switch(EVP_MD_type(md)) {
414	RSAerror(RSA_R_INVALID_X931_DIGEST);	375	case NID_sha1:
415	return 0;	376	case NID_sha224:
416	}	377	case NID_sha256:
417	} else {	378	case NID_sha384:
418	/* List of all supported RSA digests. */	379	case NID_sha512:
419	switch(EVP_MD_type(md)) {	380	case NID_md5:
420	case NID_sha1:	381	case NID_md5_sha1:
421	case NID_sha224:	382	case NID_md4:
422	case NID_sha256:	383	case NID_ripemd160:
423	case NID_sha384:	384	return 1;
424	case NID_sha512:
425	case NID_md5:
426	case NID_md5_sha1:
427	case NID_md4:
428	case NID_ripemd160:
429	return 1;
430		385
431	default:	386	default:
432	RSAerror(RSA_R_INVALID_DIGEST);	387	RSAerror(RSA_R_INVALID_DIGEST);
433	return 0;	388	return 0;
434	}
435	}	389	}
436		390
437	return 1;	391	return 1;
@@ -637,8 +591,6 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX ctx, const char type, const char *value)
637	pm = RSA_PKCS1_OAEP_PADDING;	591	pm = RSA_PKCS1_OAEP_PADDING;
638	else if (!strcmp(value, "oaep"))	592	else if (!strcmp(value, "oaep"))
639	pm = RSA_PKCS1_OAEP_PADDING;	593	pm = RSA_PKCS1_OAEP_PADDING;
640	else if (!strcmp(value, "x931"))
641	pm = RSA_X931_PADDING;
642	else if (!strcmp(value, "pss"))	594	else if (!strcmp(value, "pss"))
643	pm = RSA_PKCS1_PSS_PADDING;	595	pm = RSA_PKCS1_PSS_PADDING;
644	else {	596	else {