1 files changed, 0 insertions, 280 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
deleted file mode 100644
index 6edd20626d..0000000000
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ /dev/null
@@ -1,280 +0,0 @@
-/* $OpenBSD: rsa_sign.c,v 1.37 2025/01/05 15:39:12 tb Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <string.h>
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-#include "asn1_local.h"
-#include "rsa_local.h"
-#include "x509_local.h"
-/* Size of an SSL signature: MD5+SHA1 */
-#define SSL_SIG_LENGTH  36
-static int encode_pkcs1(unsigned char **, int *, int , const unsigned char *,
-    unsigned int);
-/*
- * encode_pkcs1 encodes a DigestInfo prefix of hash `type' and digest `m', as
- * described in EMSA-PKCS-v1_5-ENCODE, RFC 8017 section 9. step 2. This
- * encodes the DigestInfo (T and tLen) but does not add the padding.
- *
- * On success, it returns one and sets `*out' to a newly allocated buffer
- * containing the result and `*out_len' to its length.  Freeing `*out' is
- * the caller's responsibility. Failure is indicated by zero.
- */
-static int
-encode_pkcs1(unsigned char **out, int *out_len, int type,
-    const unsigned char *m, unsigned int m_len)
-{
-        X509_SIG sig;
-        X509_ALGOR algor;
-        ASN1_TYPE parameter;
-        ASN1_OCTET_STRING digest;
-        uint8_t *der = NULL;
-        int len;
-        sig.algor = &algor;
-        if ((sig.algor->algorithm = OBJ_nid2obj(type)) == NULL) {
-                RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE);
-                return 0;
-        }
-        if (sig.algor->algorithm->length == 0) {
-                RSAerror(
-                    RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
-                return 0;
-        }
-        parameter.type = V_ASN1_NULL;
-        parameter.value.ptr = NULL;
-        sig.algor->parameter = &parameter;
-        sig.digest = &digest;
-        sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */
-        sig.digest->length = m_len;
-        if ((len = i2d_X509_SIG(&sig, &der)) < 0)
-                return 0;
-        *out = der;
-        *out_len = len;
-        return 1;
-}
-int
-RSA_sign(int type, const unsigned char *m, unsigned int m_len,
-    unsigned char *sigret, unsigned int *siglen, RSA *rsa)
-{
-        const unsigned char *encoded = NULL;
-        unsigned char *tmps = NULL;
-        int encrypt_len, encoded_len = 0, ret = 0;
-        if (rsa->meth->rsa_sign != NULL)
-                return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
-        /* Compute the encoded digest. */
-        if (type == NID_md5_sha1) {
-                /*
-                 * NID_md5_sha1 corresponds to the MD5/SHA1 combination in
-                 * TLS 1.1 and earlier. It has no DigestInfo wrapper but
-                 * otherwise is RSASSA-PKCS-v1.5.
-                 */
-                if (m_len != SSL_SIG_LENGTH) {
-                        RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
-                        return 0;
-                }
-                encoded_len = SSL_SIG_LENGTH;
-                encoded = m;
-        } else {
-                if (!encode_pkcs1(&tmps, &encoded_len, type, m, m_len))
-                        goto err;
-                encoded = tmps;
-        }
-        if (encoded_len > RSA_size(rsa) - RSA_PKCS1_PADDING_SIZE) {
-                RSAerror(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
-                goto err;
-        }
-        if ((encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret,
-            rsa, RSA_PKCS1_PADDING)) <= 0)
-                goto err;
-        *siglen = encrypt_len;
-        ret = 1;
- err:
-        freezero(tmps, (size_t)encoded_len);
-        return (ret);
-}
-LCRYPTO_ALIAS(RSA_sign);
-/*
- * int_rsa_verify verifies an RSA signature in `sigbuf' using `rsa'. It may be
- * called in two modes. If `rm' is NULL, it verifies the signature for the
- * digest `m'. Otherwise, it recovers the digest from the signature, writing the
- * digest to `rm' and the length to `*prm_len'. `type' is the NID of the digest
- * algorithm to use. It returns one on successful verification and zero
- * otherwise.
- */
-int
-int_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
-    unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf,
-    size_t siglen, RSA *rsa)
-{
-        unsigned char *decrypt_buf, *encoded = NULL;
-        int decrypt_len, encoded_len = 0, ret = 0;
-        if (siglen != (size_t)RSA_size(rsa)) {
-                RSAerror(RSA_R_WRONG_SIGNATURE_LENGTH);
-                return 0;
-        }
-        /* Recover the encoded digest. */
-        if ((decrypt_buf = malloc(siglen)) == NULL) {
-                RSAerror(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if ((decrypt_len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf,
-            rsa, RSA_PKCS1_PADDING)) <= 0)
-                goto err;
-        if (type == NID_md5_sha1) {
-                /*
-                 * NID_md5_sha1 corresponds to the MD5/SHA1 combination in
-                 * TLS 1.1 and earlier. It has no DigestInfo wrapper but
-                 * otherwise is RSASSA-PKCS1-v1_5.
-                 */
-                if (decrypt_len != SSL_SIG_LENGTH) {
-                        RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
-                        goto err;
-                }
-                if (rm != NULL) {
-                        memcpy(rm, decrypt_buf, SSL_SIG_LENGTH);
-                        *prm_len = SSL_SIG_LENGTH;
-                } else {
-                        if (m_len != SSL_SIG_LENGTH) {
-                                RSAerror(RSA_R_INVALID_MESSAGE_LENGTH);
-                                goto err;
-                        }
-                        if (timingsafe_bcmp(decrypt_buf,
-                            m, SSL_SIG_LENGTH) != 0) {
-                                RSAerror(RSA_R_BAD_SIGNATURE);
-                                goto err;
-                        }
-                }
-        } else {
-                /*
-                 * If recovering the digest, extract a digest-sized output from
-                 * the end of `decrypt_buf' for `encode_pkcs1', then compare the
-                 * decryption output as in a standard verification.
-                 */
-                if (rm != NULL) {
-                        const EVP_MD *md;
-                        if ((md = EVP_get_digestbynid(type)) == NULL) {
-                                RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE);
-                                goto err;
-                        }
-                        if ((m_len = EVP_MD_size(md)) > (size_t)decrypt_len) {
-                                RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
-                                goto err;
-                        }
-                        m = decrypt_buf + decrypt_len - m_len;
-                }
-                /* Construct the encoded digest and ensure it matches */
-                if (!encode_pkcs1(&encoded, &encoded_len, type, m, m_len))
-                        goto err;
-                if (encoded_len != decrypt_len ||
-                    timingsafe_bcmp(encoded, decrypt_buf, encoded_len) != 0) {
-                        RSAerror(RSA_R_BAD_SIGNATURE);
-                        goto err;
-                }
-                /* Output the recovered digest. */
-                if (rm != NULL) {
-                        memcpy(rm, m, m_len);
-                        *prm_len = m_len;
-                }
-        }
-        ret = 1;
- err:
-        freezero(encoded, (size_t)encoded_len);
-        freezero(decrypt_buf, siglen);
-        return ret;
-}
-int
-RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
-    const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
-{
-        if (rsa->meth->rsa_verify != NULL)
-                return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen,
-                    rsa);
-        return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
-}
-LCRYPTO_ALIAS(RSA_verify);

diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c deleted file mode 100644 index 6edd20626d..0000000000 --- a/src/lib/libcrypto/rsa/rsa_sign.c +++ /dev/null
@@ -1,280 +0,0 @@
1	/* $OpenBSD: rsa_sign.c,v 1.37 2025/01/05 15:39:12 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.
4	*
5	* This package is an SSL implementation written
6	* by Eric Young (eay@cryptsoft.com).
7	* The implementation was written so as to conform with Netscapes SSL.
8	*
9	* This library is free for commercial and non-commercial use as long as
10	* the following conditions are aheared to. The following conditions
11	* apply to all code found in this distribution, be it the RC4, RSA,
12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
13	* included with this distribution is covered by the same copyright terms
14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
15	*
16	* Copyright remains Eric Young's, and as such any Copyright notices in
17	* the code are not to be removed.
18	* If this package is used in a product, Eric Young should be given attribution
19	* as the author of the parts of the library used.
20	* This can be in the form of a textual message at program startup or
21	* in documentation (online or textual) provided with the package.
22	*
23	* Redistribution and use in source and binary forms, with or without
24	* modification, are permitted provided that the following conditions
25	* are met:
26	* 1. Redistributions of source code must retain the copyright
27	* notice, this list of conditions and the following disclaimer.
28	* 2. Redistributions in binary form must reproduce the above copyright
29	* notice, this list of conditions and the following disclaimer in the
30	* documentation and/or other materials provided with the distribution.
31	* 3. All advertising materials mentioning features or use of this software
32	* must display the following acknowledgement:
33	* "This product includes cryptographic software written by
34	* Eric Young (eay@cryptsoft.com)"
35	* The word 'cryptographic' can be left out if the rouines from the library
36	* being used are not cryptographic related :-).
37	* 4. If you include any Windows specific code (or a derivative thereof) from
38	* the apps directory (application code) you must include an acknowledgement:
39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40	*
41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51	* SUCH DAMAGE.
52	*
53	* The licence and distribution terms for any publically available version or
54	* derivative of this code cannot be changed. i.e. this code cannot simply be
55	* copied and put under another distribution licence
56	* [including the GNU Public Licence.]
57	*/
58
59	#include <stdio.h>
60	#include <string.h>
61
62	#include <openssl/bn.h>
63	#include <openssl/err.h>
64	#include <openssl/objects.h>
65	#include <openssl/rsa.h>
66	#include <openssl/x509.h>
67
68	#include "asn1_local.h"
69	#include "rsa_local.h"
70	#include "x509_local.h"
71
72	/* Size of an SSL signature: MD5+SHA1 */
73	#define SSL_SIG_LENGTH 36
74
75	static int encode_pkcs1(unsigned char *, int , int , const unsigned char *,
76	unsigned int);
77
78	/*
79	* encode_pkcs1 encodes a DigestInfo prefix of hash `type' and digest `m', as
80	* described in EMSA-PKCS-v1_5-ENCODE, RFC 8017 section 9. step 2. This
81	* encodes the DigestInfo (T and tLen) but does not add the padding.
82	*
83	* On success, it returns one and sets `*out' to a newly allocated buffer
84	* containing the result and `out_len' to its length. Freeing `out' is
85	* the caller's responsibility. Failure is indicated by zero.
86	*/
87	static int
88	encode_pkcs1(unsigned char *out, int out_len, int type,
89	const unsigned char *m, unsigned int m_len)
90	{
91	X509_SIG sig;
92	X509_ALGOR algor;
93	ASN1_TYPE parameter;
94	ASN1_OCTET_STRING digest;
95	uint8_t *der = NULL;
96	int len;
97
98	sig.algor = &algor;
99	if ((sig.algor->algorithm = OBJ_nid2obj(type)) == NULL) {
100	RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE);
101	return 0;
102	}
103	if (sig.algor->algorithm->length == 0) {
104	RSAerror(
105	RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
106	return 0;
107	}
108	parameter.type = V_ASN1_NULL;
109	parameter.value.ptr = NULL;
110	sig.algor->parameter = &parameter;
111
112	sig.digest = &digest;
113	sig.digest->data = (unsigned char )m; / TMP UGLY CAST */
114	sig.digest->length = m_len;
115
116	if ((len = i2d_X509_SIG(&sig, &der)) < 0)
117	return 0;
118
119	*out = der;
120	*out_len = len;
121
122	return 1;
123	}
124
125	int
126	RSA_sign(int type, const unsigned char *m, unsigned int m_len,
127	unsigned char sigret, unsigned int siglen, RSA *rsa)
128	{
129	const unsigned char *encoded = NULL;
130	unsigned char *tmps = NULL;
131	int encrypt_len, encoded_len = 0, ret = 0;
132
133	if (rsa->meth->rsa_sign != NULL)
134	return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
135
136	/* Compute the encoded digest. */
137	if (type == NID_md5_sha1) {
138	/*
139	* NID_md5_sha1 corresponds to the MD5/SHA1 combination in
140	* TLS 1.1 and earlier. It has no DigestInfo wrapper but
141	* otherwise is RSASSA-PKCS-v1.5.
142	*/
143	if (m_len != SSL_SIG_LENGTH) {
144	RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
145	return 0;
146	}
147	encoded_len = SSL_SIG_LENGTH;
148	encoded = m;
149	} else {
150	if (!encode_pkcs1(&tmps, &encoded_len, type, m, m_len))
151	goto err;
152	encoded = tmps;
153	}
154	if (encoded_len > RSA_size(rsa) - RSA_PKCS1_PADDING_SIZE) {
155	RSAerror(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
156	goto err;
157	}
158	if ((encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret,
159	rsa, RSA_PKCS1_PADDING)) <= 0)
160	goto err;
161
162	*siglen = encrypt_len;
163	ret = 1;
164
165	err:
166	freezero(tmps, (size_t)encoded_len);
167	return (ret);
168	}
169	LCRYPTO_ALIAS(RSA_sign);
170
171	/*
172	* int_rsa_verify verifies an RSA signature in `sigbuf' using `rsa'. It may be
173	* called in two modes. If `rm' is NULL, it verifies the signature for the
174	* digest `m'. Otherwise, it recovers the digest from the signature, writing the
175	* digest to `rm' and the length to `*prm_len'. `type' is the NID of the digest
176	* algorithm to use. It returns one on successful verification and zero
177	* otherwise.
178	*/
179	int
180	int_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
181	unsigned char rm, size_t prm_len, const unsigned char *sigbuf,
182	size_t siglen, RSA *rsa)
183	{
184	unsigned char decrypt_buf, encoded = NULL;
185	int decrypt_len, encoded_len = 0, ret = 0;
186
187	if (siglen != (size_t)RSA_size(rsa)) {
188	RSAerror(RSA_R_WRONG_SIGNATURE_LENGTH);
189	return 0;
190	}
191
192	/* Recover the encoded digest. */
193	if ((decrypt_buf = malloc(siglen)) == NULL) {
194	RSAerror(ERR_R_MALLOC_FAILURE);
195	goto err;
196	}
197	if ((decrypt_len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf,
198	rsa, RSA_PKCS1_PADDING)) <= 0)
199	goto err;
200
201	if (type == NID_md5_sha1) {
202	/*
203	* NID_md5_sha1 corresponds to the MD5/SHA1 combination in
204	* TLS 1.1 and earlier. It has no DigestInfo wrapper but
205	* otherwise is RSASSA-PKCS1-v1_5.
206	*/
207	if (decrypt_len != SSL_SIG_LENGTH) {
208	RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
209	goto err;
210	}
211
212	if (rm != NULL) {
213	memcpy(rm, decrypt_buf, SSL_SIG_LENGTH);
214	*prm_len = SSL_SIG_LENGTH;
215	} else {
216	if (m_len != SSL_SIG_LENGTH) {
217	RSAerror(RSA_R_INVALID_MESSAGE_LENGTH);
218	goto err;
219	}
220	if (timingsafe_bcmp(decrypt_buf,
221	m, SSL_SIG_LENGTH) != 0) {
222	RSAerror(RSA_R_BAD_SIGNATURE);
223	goto err;
224	}
225	}
226	} else {
227	/*
228	* If recovering the digest, extract a digest-sized output from
229	* the end of `decrypt_buf' for `encode_pkcs1', then compare the
230	* decryption output as in a standard verification.
231	*/
232	if (rm != NULL) {
233	const EVP_MD *md;
234
235	if ((md = EVP_get_digestbynid(type)) == NULL) {
236	RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE);
237	goto err;
238	}
239	if ((m_len = EVP_MD_size(md)) > (size_t)decrypt_len) {
240	RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
241	goto err;
242	}
243	m = decrypt_buf + decrypt_len - m_len;
244	}
245
246	/* Construct the encoded digest and ensure it matches */
247	if (!encode_pkcs1(&encoded, &encoded_len, type, m, m_len))
248	goto err;
249
250	if (encoded_len != decrypt_len \|\|
251	timingsafe_bcmp(encoded, decrypt_buf, encoded_len) != 0) {
252	RSAerror(RSA_R_BAD_SIGNATURE);
253	goto err;
254	}
255
256	/* Output the recovered digest. */
257	if (rm != NULL) {
258	memcpy(rm, m, m_len);
259	*prm_len = m_len;
260	}
261	}
262
263	ret = 1;
264	err:
265	freezero(encoded, (size_t)encoded_len);
266	freezero(decrypt_buf, siglen);
267	return ret;
268	}
269
270	int
271	RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
272	const unsigned char sigbuf, unsigned int siglen, RSA rsa)
273	{
274	if (rsa->meth->rsa_verify != NULL)
275	return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen,
276	rsa);
277
278	return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
279	}
280	LCRYPTO_ALIAS(RSA_verify);