Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_pmeth.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_pmeth.c154
1 files changed, 101 insertions, 53 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index 8e06365566..429524d73d 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_pmeth.c,v 1.37 2023/04/25 15:48:48 tb Exp $ */ 1/* $OpenBSD: rsa_pmeth.c,v 1.38 2023/05/05 12:21:44 tb Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006. 3 * project 2006.
4 */ 4 */
@@ -187,7 +187,7 @@ static int
187pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, 187pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
188 const unsigned char *tbs, size_t tbslen) 188 const unsigned char *tbs, size_t tbslen)
189{ 189{
190 int ret = -1; 190 int ret;
191 RSA_PKEY_CTX *rctx = ctx->data; 191 RSA_PKEY_CTX *rctx = ctx->data;
192 RSA *rsa = ctx->pkey->pkey.rsa; 192 RSA *rsa = ctx->pkey->pkey.rsa;
193 193
@@ -197,11 +197,21 @@ pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
197 return -1; 197 return -1;
198 } 198 }
199 199
200 if (rctx->pad_mode != RSA_PKCS1_PADDING && 200 if (rctx->pad_mode == RSA_X931_PADDING) {
201 rctx->pad_mode != RSA_PKCS1_PSS_PADDING) 201 if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {
202 return -1; 202 RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);
203 203 return -1;
204 if (rctx->pad_mode == RSA_PKCS1_PADDING) { 204 }
205 if (!setup_tbuf(rctx, ctx)) {
206 RSAerror(ERR_R_MALLOC_FAILURE);
207 return -1;
208 }
209 memcpy(rctx->tbuf, tbs, tbslen);
210 rctx->tbuf[tbslen] =
211 RSA_X931_hash_id(EVP_MD_type(rctx->md));
212 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
213 rsa, RSA_X931_PADDING);
214 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
205 unsigned int sltmp; 215 unsigned int sltmp;
206 216
207 ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, 217 ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
@@ -217,6 +227,8 @@ pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
217 return -1; 227 return -1;
218 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, 228 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
219 sig, rsa, RSA_NO_PADDING); 229 sig, rsa, RSA_NO_PADDING);
230 } else {
231 return -1;
220 } 232 }
221 } else { 233 } else {
222 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, 234 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
@@ -236,16 +248,36 @@ pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen,
236 RSA_PKEY_CTX *rctx = ctx->data; 248 RSA_PKEY_CTX *rctx = ctx->data;
237 249
238 if (rctx->md) { 250 if (rctx->md) {
239 size_t sltmp; 251 if (rctx->pad_mode == RSA_X931_PADDING) {
252 if (!setup_tbuf(rctx, ctx))
253 return -1;
254 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
255 ctx->pkey->pkey.rsa, RSA_X931_PADDING);
256 if (ret < 1)
257 return 0;
258 ret--;
259 if (rctx->tbuf[ret] !=
260 RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
261 RSAerror(RSA_R_ALGORITHM_MISMATCH);
262 return 0;
263 }
264 if (ret != EVP_MD_size(rctx->md)) {
265 RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
266 return 0;
267 }
268 if (rout)
269 memcpy(rout, rctx->tbuf, ret);
270 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
271 size_t sltmp;
240 272
241 if (rctx->pad_mode != RSA_PKCS1_PADDING) 273 ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
274 rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
275 if (ret <= 0)
276 return 0;
277 ret = sltmp;
278 } else {
242 return -1; 279 return -1;
243 280 }
244 ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
245 rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
246 if (ret <= 0)
247 return 0;
248 ret = sltmp;
249 } else { 281 } else {
250 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, 282 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
251 rctx->pad_mode); 283 rctx->pad_mode);
@@ -263,7 +295,6 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
263 RSA_PKEY_CTX *rctx = ctx->data; 295 RSA_PKEY_CTX *rctx = ctx->data;
264 RSA *rsa = ctx->pkey->pkey.rsa; 296 RSA *rsa = ctx->pkey->pkey.rsa;
265 size_t rslen; 297 size_t rslen;
266 int ret;
267 298
268 if (rctx->md) { 299 if (rctx->md) {
269 if (rctx->pad_mode == RSA_PKCS1_PADDING) 300 if (rctx->pad_mode == RSA_PKCS1_PADDING)
@@ -273,22 +304,30 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
273 RSAerror(RSA_R_INVALID_DIGEST_LENGTH); 304 RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
274 return -1; 305 return -1;
275 } 306 }
307 if (rctx->pad_mode == RSA_X931_PADDING) {
308 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
309 siglen) <= 0)
310 return 0;
311 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
312 int ret;
276 313
277 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) 314 if (!setup_tbuf(rctx, ctx))
278 return -1; 315 return -1;
279 316 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
280 if (!setup_tbuf(rctx, ctx)) 317 rsa, RSA_NO_PADDING);
318 if (ret <= 0)
319 return 0;
320 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
321 rctx->mgf1md, rctx->tbuf, rctx->saltlen);
322 if (ret <= 0)
323 return 0;
324 return 1;
325 } else {
281 return -1; 326 return -1;
282 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, 327 }
283 rsa, RSA_NO_PADDING);
284 if (ret <= 0)
285 return 0;
286 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
287 rctx->mgf1md, rctx->tbuf, rctx->saltlen);
288 if (ret <= 0)
289 return 0;
290 return 1;
291 } else { 328 } else {
329 int ret;
330
292 if (!setup_tbuf(rctx, ctx)) 331 if (!setup_tbuf(rctx, ctx))
293 return -1; 332 return -1;
294 333
@@ -365,34 +404,41 @@ check_padding_md(const EVP_MD *md, int padding)
365 if (md == NULL) 404 if (md == NULL)
366 return 1; 405 return 1;
367 406
368 if (padding == RSA_NO_PADDING || padding == RSA_X931_PADDING) { 407 if (padding == RSA_NO_PADDING) {
369 RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 408 RSAerror(RSA_R_INVALID_PADDING_MODE);
370 return 0; 409 return 0;
371 } 410 }
372 411
373 /* List of all supported RSA digests. */ 412 if (padding == RSA_X931_PADDING) {
374 /* RFC 8017 and NIST CSOR. */ 413 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
375 switch(EVP_MD_type(md)) { 414 RSAerror(RSA_R_INVALID_X931_DIGEST);
376 case NID_sha1: 415 return 0;
377 case NID_sha224: 416 }
378 case NID_sha256: 417 } else {
379 case NID_sha384: 418 /* List of all supported RSA digests. */
380 case NID_sha512: 419 /* RFC 8017 and NIST CSOR. */
381 case NID_sha512_224: 420 switch(EVP_MD_type(md)) {
382 case NID_sha512_256: 421 case NID_sha1:
383 case NID_sha3_224: 422 case NID_sha224:
384 case NID_sha3_256: 423 case NID_sha256:
385 case NID_sha3_384: 424 case NID_sha384:
386 case NID_sha3_512: 425 case NID_sha512:
387 case NID_md5: 426 case NID_sha512_224:
388 case NID_md5_sha1: 427 case NID_sha512_256:
389 case NID_md4: 428 case NID_sha3_224:
390 case NID_ripemd160: 429 case NID_sha3_256:
391 return 1; 430 case NID_sha3_384:
431 case NID_sha3_512:
432 case NID_md5:
433 case NID_md5_sha1:
434 case NID_md4:
435 case NID_ripemd160:
436 return 1;
392 437
393 default: 438 default:
394 RSAerror(RSA_R_INVALID_DIGEST); 439 RSAerror(RSA_R_INVALID_DIGEST);
395 return 0; 440 return 0;
441 }
396 } 442 }
397 443
398 return 1; 444 return 1;
@@ -598,6 +644,8 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
598 pm = RSA_PKCS1_OAEP_PADDING; 644 pm = RSA_PKCS1_OAEP_PADDING;
599 else if (!strcmp(value, "oaep")) 645 else if (!strcmp(value, "oaep"))
600 pm = RSA_PKCS1_OAEP_PADDING; 646 pm = RSA_PKCS1_OAEP_PADDING;
647 else if (!strcmp(value, "x931"))
648 pm = RSA_X931_PADDING;
601 else if (!strcmp(value, "pss")) 649 else if (!strcmp(value, "pss"))
602 pm = RSA_PKCS1_PSS_PADDING; 650 pm = RSA_PKCS1_PSS_PADDING;
603 else { 651 else {
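Review bot: In the new RSA_X931_PADDING branch of pkey_rsa_sign, the result of `RSA_X931_hash_id(EVP_MD_type(rctx->md))` is written straight into `rctx->tbuf[tbslen]` without a check for -1, so a digest with no X9.31 identifier would be signed with a truncated trailer byte instead of being rejected. The only guard visible on this page is the one added to check_padding_md, which presumably runs when the padding or digest is set through the ctrl interface; the signing path should fail closed on its own, e.g. `int id = RSA_X931_hash_id(EVP_MD_type(rctx->md));` followed by `if (id == -1) { RSAerror(RSA_R_INVALID_X931_DIGEST); return -1; }` before the memcpy. The verify side already fails closed, because a -1 can never equal the recovered trailer byte compared in pkey_rsa_verifyrecover. Separately, pkey_rsa_verify maps a -1 from pkey_rsa_verifyrecover (a setup_tbuf failure) to 0, so an allocation error is reported as an invalid signature; a one-line comment such as `/* errors are deliberately reported as verification failure */` would make that intent explicit. These function bodies start and end outside the hunks shown.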