summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/rsa/rsa.h96
-rw-r--r--src/lib/libcrypto/rsa/rsa_asn1.c8
-rw-r--r--src/lib/libcrypto/rsa/rsa_chk.c4
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c539
-rw-r--r--src/lib/libcrypto/rsa/rsa_err.c22
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c160
-rw-r--r--src/lib/libcrypto/rsa/rsa_lib.c130
-rw-r--r--src/lib/libcrypto/rsa/rsa_null.c15
-rw-r--r--src/lib/libcrypto/rsa/rsa_oaep.c38
-rw-r--r--src/lib/libcrypto/rsa/rsa_saos.c3
-rw-r--r--src/lib/libcrypto/rsa/rsa_sign.c4
-rw-r--r--src/lib/libcrypto/rsa/rsa_test.c32
12 files changed, 651 insertions, 400 deletions
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index dbed701e89..6b5e4f8a9a 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -64,25 +64,25 @@
64#ifndef OPENSSL_NO_BIO 64#ifndef OPENSSL_NO_BIO
65#include <openssl/bio.h> 65#include <openssl/bio.h>
66#endif 66#endif
67#include <openssl/bn.h>
68#include <openssl/crypto.h> 67#include <openssl/crypto.h>
69#include <openssl/ossl_typ.h> 68#include <openssl/ossl_typ.h>
69#ifndef OPENSSL_NO_DEPRECATED
70#include <openssl/bn.h>
71#endif
70 72
71#ifdef OPENSSL_NO_RSA 73#ifdef OPENSSL_NO_RSA
72#error RSA is disabled. 74#error RSA is disabled.
73#endif 75#endif
74 76
75#if defined(OPENSSL_FIPS)
76#define FIPS_RSA_SIZE_T int
77#endif
78
79#ifdef __cplusplus 77#ifdef __cplusplus
80extern "C" { 78extern "C" {
81#endif 79#endif
82 80
83typedef struct rsa_st RSA; 81/* Declared already in ossl_typ.h */
82/* typedef struct rsa_st RSA; */
83/* typedef struct rsa_meth_st RSA_METHOD; */
84 84
85typedef struct rsa_meth_st 85struct rsa_meth_st
86 { 86 {
87 const char *name; 87 const char *name;
88 int (*rsa_pub_enc)(int flen,const unsigned char *from, 88 int (*rsa_pub_enc)(int flen,const unsigned char *from,
@@ -97,7 +97,7 @@ typedef struct rsa_meth_st
97 int (*rsa_priv_dec)(int flen,const unsigned char *from, 97 int (*rsa_priv_dec)(int flen,const unsigned char *from,
98 unsigned char *to, 98 unsigned char *to,
99 RSA *rsa,int padding); 99 RSA *rsa,int padding);
100 int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa); /* Can be null */ 100 int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa,BN_CTX *ctx); /* Can be null */
101 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 101 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
102 const BIGNUM *m, BN_CTX *ctx, 102 const BIGNUM *m, BN_CTX *ctx,
103 BN_MONT_CTX *m_ctx); /* Can be null */ 103 BN_MONT_CTX *m_ctx); /* Can be null */
@@ -118,8 +118,12 @@ typedef struct rsa_meth_st
118 int (*rsa_verify)(int dtype, 118 int (*rsa_verify)(int dtype,
119 const unsigned char *m, unsigned int m_length, 119 const unsigned char *m, unsigned int m_length,
120 unsigned char *sigbuf, unsigned int siglen, const RSA *rsa); 120 unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
121 121/* If this callback is NULL, the builtin software RSA key-gen will be used. This
122 } RSA_METHOD; 122 * is for behavioural compatibility whilst the code gets rewired, but one day
123 * it would be nice to assume there are no such things as "builtin software"
124 * implementations. */
125 int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
126 };
123 127
124struct rsa_st 128struct rsa_st
125 { 129 {
@@ -152,12 +156,19 @@ struct rsa_st
152 * NULL */ 156 * NULL */
153 char *bignum_data; 157 char *bignum_data;
154 BN_BLINDING *blinding; 158 BN_BLINDING *blinding;
159 BN_BLINDING *mt_blinding;
155 }; 160 };
156 161
157#define OPENSSL_RSA_MAX_MODULUS_BITS 16384 162#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
163# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
164#endif
158 165
159#define OPENSSL_RSA_SMALL_MODULUS_BITS 3072 166#ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
160#define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "small" modulus only */ 167# define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
168#endif
169#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
170# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */
171#endif
161 172
162#define RSA_3 0x3L 173#define RSA_3 0x3L
163#define RSA_F4 0x10001L 174#define RSA_F4 0x10001L
@@ -184,13 +195,27 @@ struct rsa_st
184 * default (ignoring RSA_FLAG_BLINDING), 195 * default (ignoring RSA_FLAG_BLINDING),
185 * but other engines might not need it 196 * but other engines might not need it
186 */ 197 */
187#define RSA_FLAG_NO_EXP_CONSTTIME 0x0100 /* new with 0.9.7h; the built-in RSA 198#define RSA_FLAG_NO_CONSTTIME 0x0100 /* new with 0.9.8f; the built-in RSA
199 * implementation now uses constant time
200 * operations by default in private key operations,
201 * e.g., constant time modular exponentiation,
202 * modular inverse without leaking branches,
203 * division without leaking branches. This
204 * flag disables these constant time
205 * operations and results in faster RSA
206 * private key operations.
207 */
208#ifndef OPENSSL_NO_DEPRECATED
209#define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME /* deprecated name for the flag*/
210 /* new with 0.9.7h; the built-in RSA
188 * implementation now uses constant time 211 * implementation now uses constant time
189 * modular exponentiation for secret exponents 212 * modular exponentiation for secret exponents
190 * by default. This flag causes the 213 * by default. This flag causes the
191 * faster variable sliding window method to 214 * faster variable sliding window method to
192 * be used for all exponents. 215 * be used for all exponents.
193 */ 216 */
217#endif
218
194 219
195#define RSA_PKCS1_PADDING 1 220#define RSA_PKCS1_PADDING 1
196#define RSA_SSLV23_PADDING 2 221#define RSA_SSLV23_PADDING 2
@@ -206,18 +231,17 @@ struct rsa_st
206RSA * RSA_new(void); 231RSA * RSA_new(void);
207RSA * RSA_new_method(ENGINE *engine); 232RSA * RSA_new_method(ENGINE *engine);
208int RSA_size(const RSA *); 233int RSA_size(const RSA *);
234
235/* Deprecated version */
236#ifndef OPENSSL_NO_DEPRECATED
209RSA * RSA_generate_key(int bits, unsigned long e,void 237RSA * RSA_generate_key(int bits, unsigned long e,void
210 (*callback)(int,int,void *),void *cb_arg); 238 (*callback)(int,int,void *),void *cb_arg);
239#endif /* !defined(OPENSSL_NO_DEPRECATED) */
240
241/* New version */
242int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
243
211int RSA_check_key(const RSA *); 244int RSA_check_key(const RSA *);
212#ifdef OPENSSL_FIPS
213int RSA_X931_derive(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
214 void (*cb)(int, int, void *), void *cb_arg,
215 const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
216 const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
217 const BIGNUM *e);
218RSA *RSA_X931_generate_key(int bits, const BIGNUM *e,
219 void (*cb)(int,int,void *), void *cb_arg);
220#endif
221 /* next 4 return -1 on error */ 245 /* next 4 return -1 on error */
222int RSA_public_encrypt(int flen, const unsigned char *from, 246int RSA_public_encrypt(int flen, const unsigned char *from,
223 unsigned char *to, RSA *rsa,int padding); 247 unsigned char *to, RSA *rsa,int padding);
@@ -257,11 +281,19 @@ int RSA_print_fp(FILE *fp, const RSA *r,int offset);
257int RSA_print(BIO *bp, const RSA *r,int offset); 281int RSA_print(BIO *bp, const RSA *r,int offset);
258#endif 282#endif
259 283
260int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey); 284int i2d_RSA_NET(const RSA *a, unsigned char **pp,
261RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length, int (*cb)(), int sgckey); 285 int (*cb)(char *buf, int len, const char *prompt, int verify),
286 int sgckey);
287RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
288 int (*cb)(char *buf, int len, const char *prompt, int verify),
289 int sgckey);
262 290
263int i2d_Netscape_RSA(const RSA *a, unsigned char **pp, int (*cb)()); 291int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
264RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length, int (*cb)()); 292 int (*cb)(char *buf, int len, const char *prompt,
293 int verify));
294RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
295 int (*cb)(char *buf, int len, const char *prompt,
296 int verify));
265 297
266/* The following 2 functions sign and verify a X509_SIG ASN1 object 298/* The following 2 functions sign and verify a X509_SIG ASN1 object
267 * inside PKCS#1 padded RSA encryption */ 299 * inside PKCS#1 padded RSA encryption */
@@ -281,6 +313,7 @@ int RSA_verify_ASN1_OCTET_STRING(int type,
281 313
282int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); 314int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
283void RSA_blinding_off(RSA *rsa); 315void RSA_blinding_off(RSA *rsa);
316BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx);
284 317
285int RSA_padding_add_PKCS1_type_1(unsigned char *to,int tlen, 318int RSA_padding_add_PKCS1_type_1(unsigned char *to,int tlen,
286 const unsigned char *f,int fl); 319 const unsigned char *f,int fl);
@@ -336,14 +369,21 @@ void ERR_load_RSA_strings(void);
336 369
337/* Function codes. */ 370/* Function codes. */
338#define RSA_F_MEMORY_LOCK 100 371#define RSA_F_MEMORY_LOCK 100
372#define RSA_F_RSA_BUILTIN_KEYGEN 129
339#define RSA_F_RSA_CHECK_KEY 123 373#define RSA_F_RSA_CHECK_KEY 123
340#define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101 374#define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101
341#define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102 375#define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102
342#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103 376#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
343#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104 377#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104
344#define RSA_F_RSA_GENERATE_KEY 105 378#define RSA_F_RSA_GENERATE_KEY 105
379#define RSA_F_RSA_MEMORY_LOCK 130
345#define RSA_F_RSA_NEW_METHOD 106 380#define RSA_F_RSA_NEW_METHOD 106
346#define RSA_F_RSA_NULL 124 381#define RSA_F_RSA_NULL 124
382#define RSA_F_RSA_NULL_MOD_EXP 131
383#define RSA_F_RSA_NULL_PRIVATE_DECRYPT 132
384#define RSA_F_RSA_NULL_PRIVATE_ENCRYPT 133
385#define RSA_F_RSA_NULL_PUBLIC_DECRYPT 134
386#define RSA_F_RSA_NULL_PUBLIC_ENCRYPT 135
347#define RSA_F_RSA_PADDING_ADD_NONE 107 387#define RSA_F_RSA_PADDING_ADD_NONE 107
348#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121 388#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
349#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125 389#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
@@ -359,6 +399,7 @@ void ERR_load_RSA_strings(void);
359#define RSA_F_RSA_PADDING_CHECK_X931 128 399#define RSA_F_RSA_PADDING_CHECK_X931 128
360#define RSA_F_RSA_PRINT 115 400#define RSA_F_RSA_PRINT 115
361#define RSA_F_RSA_PRINT_FP 116 401#define RSA_F_RSA_PRINT_FP 116
402#define RSA_F_RSA_SETUP_BLINDING 136
362#define RSA_F_RSA_SIGN 117 403#define RSA_F_RSA_SIGN 117
363#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 404#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
364#define RSA_F_RSA_VERIFY 119 405#define RSA_F_RSA_VERIFY 119
@@ -392,6 +433,7 @@ void ERR_load_RSA_strings(void);
392#define RSA_R_KEY_SIZE_TOO_SMALL 120 433#define RSA_R_KEY_SIZE_TOO_SMALL 120
393#define RSA_R_LAST_OCTET_INVALID 134 434#define RSA_R_LAST_OCTET_INVALID 134
394#define RSA_R_MODULUS_TOO_LARGE 105 435#define RSA_R_MODULUS_TOO_LARGE 105
436#define RSA_R_NO_PUBLIC_EXPONENT 140
395#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 437#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
396#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 438#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
397#define RSA_R_OAEP_DECODING_ERROR 121 439#define RSA_R_OAEP_DECODING_ERROR 121
diff --git a/src/lib/libcrypto/rsa/rsa_asn1.c b/src/lib/libcrypto/rsa/rsa_asn1.c
index 1455a7e0e4..bbbf26d50e 100644
--- a/src/lib/libcrypto/rsa/rsa_asn1.c
+++ b/src/lib/libcrypto/rsa/rsa_asn1.c
@@ -63,10 +63,10 @@
63#include <openssl/asn1t.h> 63#include <openssl/asn1t.h>
64 64
65static ASN1_METHOD method={ 65static ASN1_METHOD method={
66 (int (*)()) i2d_RSAPrivateKey, 66 (I2D_OF(void)) i2d_RSAPrivateKey,
67 (char *(*)())d2i_RSAPrivateKey, 67 (D2I_OF(void)) d2i_RSAPrivateKey,
68 (char *(*)())RSA_new, 68 (void *(*)(void)) RSA_new,
69 (void (*)()) RSA_free}; 69 (void (*)(void *)) RSA_free};
70 70
71ASN1_METHOD *RSAPrivateKey_asn1_meth(void) 71ASN1_METHOD *RSAPrivateKey_asn1_meth(void)
72 { 72 {
diff --git a/src/lib/libcrypto/rsa/rsa_chk.c b/src/lib/libcrypto/rsa/rsa_chk.c
index 002f2cb487..9d848db8c6 100644
--- a/src/lib/libcrypto/rsa/rsa_chk.c
+++ b/src/lib/libcrypto/rsa/rsa_chk.c
@@ -75,7 +75,7 @@ int RSA_check_key(const RSA *key)
75 } 75 }
76 76
77 /* p prime? */ 77 /* p prime? */
78 r = BN_is_prime(key->p, BN_prime_checks, NULL, NULL, NULL); 78 r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
79 if (r != 1) 79 if (r != 1)
80 { 80 {
81 ret = r; 81 ret = r;
@@ -85,7 +85,7 @@ int RSA_check_key(const RSA *key)
85 } 85 }
86 86
87 /* q prime? */ 87 /* q prime? */
88 r = BN_is_prime(key->q, BN_prime_checks, NULL, NULL, NULL); 88 r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
89 if (r != 1) 89 if (r != 1)
90 { 90 {
91 ret = r; 91 ret = r;
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 610889dc80..bb77d0f67e 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -56,7 +56,7 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 * 60 *
61 * Redistribution and use in source and binary forms, with or without 61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions 62 * modification, are permitted provided that the following conditions
@@ -115,7 +115,7 @@
115#include <openssl/rsa.h> 115#include <openssl/rsa.h>
116#include <openssl/rand.h> 116#include <openssl/rand.h>
117 117
118#if !defined(RSA_NULL) && !defined(OPENSSL_FIPS) 118#ifndef RSA_NULL
119 119
120static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 120static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
121 unsigned char *to, RSA *rsa,int padding); 121 unsigned char *to, RSA *rsa,int padding);
@@ -125,7 +125,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
125 unsigned char *to, RSA *rsa,int padding); 125 unsigned char *to, RSA *rsa,int padding);
126static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 126static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
127 unsigned char *to, RSA *rsa,int padding); 127 unsigned char *to, RSA *rsa,int padding);
128static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa); 128static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
129static int RSA_eay_init(RSA *rsa); 129static int RSA_eay_init(RSA *rsa);
130static int RSA_eay_finish(RSA *rsa); 130static int RSA_eay_finish(RSA *rsa);
131static RSA_METHOD rsa_pkcs1_eay_meth={ 131static RSA_METHOD rsa_pkcs1_eay_meth={
@@ -141,7 +141,8 @@ static RSA_METHOD rsa_pkcs1_eay_meth={
141 0, /* flags */ 141 0, /* flags */
142 NULL, 142 NULL,
143 0, /* rsa_sign */ 143 0, /* rsa_sign */
144 0 /* rsa_verify */ 144 0, /* rsa_verify */
145 NULL /* rsa_keygen */
145 }; 146 };
146 147
147const RSA_METHOD *RSA_PKCS1_SSLeay(void) 148const RSA_METHOD *RSA_PKCS1_SSLeay(void)
@@ -149,19 +150,53 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
149 return(&rsa_pkcs1_eay_meth); 150 return(&rsa_pkcs1_eay_meth);
150 } 151 }
151 152
153/* Usage example;
154 * MONT_HELPER(rsa->_method_mod_p, bn_ctx, rsa->p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
155 */
156#define MONT_HELPER(method_mod, ctx, m, pre_cond, err_instr) \
157 if ((pre_cond) && ((method_mod) == NULL) && \
158 !BN_MONT_CTX_set_locked(&(method_mod), \
159 CRYPTO_LOCK_RSA, \
160 (m), (ctx))) \
161 err_instr
162
152static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 163static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
153 unsigned char *to, RSA *rsa, int padding) 164 unsigned char *to, RSA *rsa, int padding)
154 { 165 {
155 BIGNUM f,ret; 166 BIGNUM *f,*ret;
156 int i,j,k,num=0,r= -1; 167 int i,j,k,num=0,r= -1;
157 unsigned char *buf=NULL; 168 unsigned char *buf=NULL;
158 BN_CTX *ctx=NULL; 169 BN_CTX *ctx=NULL;
159 170
160 BN_init(&f); 171 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
161 BN_init(&ret); 172 {
173 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
174 return -1;
175 }
176
177 if (BN_ucmp(rsa->n, rsa->e) <= 0)
178 {
179 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
180 return -1;
181 }
182
183 /* for large moduli, enforce exponent limit */
184 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
185 {
186 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
187 {
188 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
189 return -1;
190 }
191 }
192
162 if ((ctx=BN_CTX_new()) == NULL) goto err; 193 if ((ctx=BN_CTX_new()) == NULL) goto err;
194 BN_CTX_start(ctx);
195 f = BN_CTX_get(ctx);
196 ret = BN_CTX_get(ctx);
163 num=BN_num_bytes(rsa->n); 197 num=BN_num_bytes(rsa->n);
164 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 198 buf = OPENSSL_malloc(num);
199 if (!f || !ret || !buf)
165 { 200 {
166 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 201 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
167 goto err; 202 goto err;
@@ -189,37 +224,34 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
189 } 224 }
190 if (i <= 0) goto err; 225 if (i <= 0) goto err;
191 226
192 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 227 if (BN_bin2bn(buf,num,f) == NULL) goto err;
193 228
194 if (BN_ucmp(&f, rsa->n) >= 0) 229 if (BN_ucmp(f, rsa->n) >= 0)
195 { 230 {
196 /* usually the padding functions would catch this */ 231 /* usually the padding functions would catch this */
197 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 232 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
198 goto err; 233 goto err;
199 } 234 }
200 235
201 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 236 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
202 {
203 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
204 CRYPTO_LOCK_RSA, rsa->n, ctx))
205 goto err;
206 }
207 237
208 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 238 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
209 rsa->_method_mod_n)) goto err; 239 rsa->_method_mod_n)) goto err;
210 240
211 /* put in leading 0 bytes if the number is less than the 241 /* put in leading 0 bytes if the number is less than the
212 * length of the modulus */ 242 * length of the modulus */
213 j=BN_num_bytes(&ret); 243 j=BN_num_bytes(ret);
214 i=BN_bn2bin(&ret,&(to[num-j])); 244 i=BN_bn2bin(ret,&(to[num-j]));
215 for (k=0; k<(num-i); k++) 245 for (k=0; k<(num-i); k++)
216 to[k]=0; 246 to[k]=0;
217 247
218 r=num; 248 r=num;
219err: 249err:
220 if (ctx != NULL) BN_CTX_free(ctx); 250 if (ctx != NULL)
221 BN_clear_free(&f); 251 {
222 BN_clear_free(&ret); 252 BN_CTX_end(ctx);
253 BN_CTX_free(ctx);
254 }
223 if (buf != NULL) 255 if (buf != NULL)
224 { 256 {
225 OPENSSL_cleanse(buf,num); 257 OPENSSL_cleanse(buf,num);
@@ -228,64 +260,101 @@ err:
228 return(r); 260 return(r);
229 } 261 }
230 262
231static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) 263static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
232 { 264{
233 int ret = 1; 265 BN_BLINDING *ret;
234 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 266 int got_write_lock = 0;
235 /* Check again inside the lock - the macro's check is racey */
236 if(rsa->blinding == NULL)
237 ret = RSA_blinding_on(rsa, ctx);
238 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
239 return ret;
240 }
241 267
242#define BLINDING_HELPER(rsa, ctx, err_instr) \ 268 CRYPTO_r_lock(CRYPTO_LOCK_RSA);
243 do { \
244 if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
245 ((rsa)->blinding == NULL) && \
246 !rsa_eay_blinding(rsa, ctx)) \
247 err_instr \
248 } while(0)
249 269
250static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx) 270 if (rsa->blinding == NULL)
251 { 271 {
252 BIGNUM *A, *Ai; 272 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
253 BN_BLINDING *ret = NULL; 273 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
274 got_write_lock = 1;
254 275
255 /* added in OpenSSL 0.9.6j and 0.9.7b */ 276 if (rsa->blinding == NULL)
277 rsa->blinding = RSA_setup_blinding(rsa, ctx);
278 }
256 279
257 /* NB: similar code appears in RSA_blinding_on (rsa_lib.c); 280 ret = rsa->blinding;
258 * this should be placed in a new function of its own, but for reasons 281 if (ret == NULL)
259 * of binary compatibility can't */ 282 goto err;
260 283
261 BN_CTX_start(ctx); 284 if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id())
262 A = BN_CTX_get(ctx);
263 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
264 { 285 {
265 /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ 286 /* rsa->blinding is ours! */
266 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); 287
267 if (!BN_pseudo_rand_range(A,rsa->n)) goto err; 288 *local = 1;
268 } 289 }
269 else 290 else
270 { 291 {
271 if (!BN_rand_range(A,rsa->n)) goto err; 292 /* resort to rsa->mt_blinding instead */
293
294 *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
295 * that the BN_BLINDING is shared, meaning that accesses
296 * require locks, and that the blinding factor must be
297 * stored outside the BN_BLINDING
298 */
299
300 if (rsa->mt_blinding == NULL)
301 {
302 if (!got_write_lock)
303 {
304 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
305 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
306 got_write_lock = 1;
307 }
308
309 if (rsa->mt_blinding == NULL)
310 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
311 }
312 ret = rsa->mt_blinding;
272 } 313 }
273 if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
274 314
275 if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) 315 err:
276 goto err; 316 if (got_write_lock)
277 ret = BN_BLINDING_new(A,Ai,rsa->n); 317 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
278 BN_free(Ai); 318 else
279err: 319 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
280 BN_CTX_end(ctx);
281 return ret; 320 return ret;
282 } 321}
322
323static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f,
324 BIGNUM *r, BN_CTX *ctx)
325{
326 if (local)
327 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
328 else
329 {
330 int ret;
331 CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING);
332 ret = BN_BLINDING_convert_ex(f, r, b, ctx);
333 CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING);
334 return ret;
335 }
336}
337
338static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f,
339 BIGNUM *r, BN_CTX *ctx)
340{
341 if (local)
342 return BN_BLINDING_invert_ex(f, NULL, b, ctx);
343 else
344 {
345 int ret;
346 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
347 ret = BN_BLINDING_invert_ex(f, r, b, ctx);
348 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
349 return ret;
350 }
351}
283 352
284/* signing */ 353/* signing */
285static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 354static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
286 unsigned char *to, RSA *rsa, int padding) 355 unsigned char *to, RSA *rsa, int padding)
287 { 356 {
288 BIGNUM f,ret, *res; 357 BIGNUM *f, *ret, *br, *res;
289 int i,j,k,num=0,r= -1; 358 int i,j,k,num=0,r= -1;
290 unsigned char *buf=NULL; 359 unsigned char *buf=NULL;
291 BN_CTX *ctx=NULL; 360 BN_CTX *ctx=NULL;
@@ -318,8 +387,13 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
318 } 387 }
319 388
320 if ((ctx=BN_CTX_new()) == NULL) goto err; 389 if ((ctx=BN_CTX_new()) == NULL) goto err;
321 num=BN_num_bytes(rsa->n); 390 BN_CTX_start(ctx);
322 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 391 f = BN_CTX_get(ctx);
392 br = BN_CTX_get(ctx);
393 ret = BN_CTX_get(ctx);
394 num = BN_num_bytes(rsa->n);
395 buf = OPENSSL_malloc(num);
396 if(!f || !ret || !buf)
323 { 397 {
324 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); 398 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
325 goto err; 399 goto err;
@@ -330,6 +404,9 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
330 case RSA_PKCS1_PADDING: 404 case RSA_PKCS1_PADDING:
331 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 405 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
332 break; 406 break;
407 case RSA_X931_PADDING:
408 i=RSA_padding_add_X931(buf,num,from,flen);
409 break;
333 case RSA_NO_PADDING: 410 case RSA_NO_PADDING:
334 i=RSA_padding_add_none(buf,num,from,flen); 411 i=RSA_padding_add_none(buf,num,from,flen);
335 break; 412 break;
@@ -340,26 +417,18 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
340 } 417 }
341 if (i <= 0) goto err; 418 if (i <= 0) goto err;
342 419
343 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 420 if (BN_bin2bn(buf,num,f) == NULL) goto err;
344 421
345 if (BN_ucmp(&f, rsa->n) >= 0) 422 if (BN_ucmp(f, rsa->n) >= 0)
346 { 423 {
347 /* usually the padding functions would catch this */ 424 /* usually the padding functions would catch this */
348 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 425 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
349 goto err; 426 goto err;
350 } 427 }
351 428
352 BLINDING_HELPER(rsa, ctx, goto err;);
353 blinding = rsa->blinding;
354
355 /* Now unless blinding is disabled, 'blinding' is non-NULL.
356 * But the BN_BLINDING object may be owned by some other thread
357 * (we don't want to keep it constant and we don't want to use
358 * lots of locking to avoid race conditions, so only a single
359 * thread can use it; other threads have to use local blinding
360 * factors) */
361 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 429 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
362 { 430 {
431 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
363 if (blinding == NULL) 432 if (blinding == NULL)
364 { 433 {
365 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 434 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
@@ -368,20 +437,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
368 } 437 }
369 438
370 if (blinding != NULL) 439 if (blinding != NULL)
371 { 440 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
372 if (blinding->thread_id != CRYPTO_thread_id()) 441 goto err;
373 {
374 /* we need a local one-time blinding factor */
375
376 blinding = setup_blinding(rsa, ctx);
377 if (blinding == NULL)
378 goto err;
379 local_blinding = 1;
380 }
381 }
382
383 if (blinding)
384 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
385 442
386 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 443 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
387 ((rsa->p != NULL) && 444 ((rsa->p != NULL) &&
@@ -390,37 +447,42 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
390 (rsa->dmq1 != NULL) && 447 (rsa->dmq1 != NULL) &&
391 (rsa->iqmp != NULL)) ) 448 (rsa->iqmp != NULL)) )
392 { 449 {
393 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; 450 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
394 } 451 }
395 else 452 else
396 { 453 {
397 BIGNUM local_d; 454 BIGNUM local_d;
398 BIGNUM *d = NULL; 455 BIGNUM *d = NULL;
399 456
400 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 457 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
401 { 458 {
402 BN_init(&local_d); 459 BN_init(&local_d);
403 d = &local_d; 460 d = &local_d;
404 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 461 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
405 } 462 }
406 else 463 else
407 d = rsa->d; 464 d= rsa->d;
408 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err; 465
466 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
467
468 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
469 rsa->_method_mod_n)) goto err;
409 } 470 }
410 471
411 if (blinding) 472 if (blinding)
412 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 473 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
474 goto err;
413 475
414 if (padding == RSA_X931_PADDING) 476 if (padding == RSA_X931_PADDING)
415 { 477 {
416 BN_sub(&f, rsa->n, &ret); 478 BN_sub(f, rsa->n, ret);
417 if (BN_cmp(&ret, &f)) 479 if (BN_cmp(ret, f))
418 res = &f; 480 res = f;
419 else 481 else
420 res = &ret; 482 res = ret;
421 } 483 }
422 else 484 else
423 res = &ret; 485 res = ret;
424 486
425 /* put in leading 0 bytes if the number is less than the 487 /* put in leading 0 bytes if the number is less than the
426 * length of the modulus */ 488 * length of the modulus */
@@ -431,11 +493,11 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
431 493
432 r=num; 494 r=num;
433err: 495err:
434 if (ctx != NULL) BN_CTX_free(ctx); 496 if (ctx != NULL)
435 BN_clear_free(&ret); 497 {
436 BN_clear_free(&f); 498 BN_CTX_end(ctx);
437 if (local_blinding) 499 BN_CTX_free(ctx);
438 BN_BLINDING_free(blinding); 500 }
439 if (buf != NULL) 501 if (buf != NULL)
440 { 502 {
441 OPENSSL_cleanse(buf,num); 503 OPENSSL_cleanse(buf,num);
@@ -447,7 +509,7 @@ err:
447static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 509static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
448 unsigned char *to, RSA *rsa, int padding) 510 unsigned char *to, RSA *rsa, int padding)
449 { 511 {
450 BIGNUM f,ret; 512 BIGNUM *f, *ret, *br;
451 int j,num=0,r= -1; 513 int j,num=0,r= -1;
452 unsigned char *p; 514 unsigned char *p;
453 unsigned char *buf=NULL; 515 unsigned char *buf=NULL;
@@ -455,14 +517,14 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
455 int local_blinding = 0; 517 int local_blinding = 0;
456 BN_BLINDING *blinding = NULL; 518 BN_BLINDING *blinding = NULL;
457 519
458 BN_init(&f); 520 if((ctx = BN_CTX_new()) == NULL) goto err;
459 BN_init(&ret); 521 BN_CTX_start(ctx);
460 ctx=BN_CTX_new(); 522 f = BN_CTX_get(ctx);
461 if (ctx == NULL) goto err; 523 br = BN_CTX_get(ctx);
462 524 ret = BN_CTX_get(ctx);
463 num=BN_num_bytes(rsa->n); 525 num = BN_num_bytes(rsa->n);
464 526 buf = OPENSSL_malloc(num);
465 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 527 if(!f || !ret || !buf)
466 { 528 {
467 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); 529 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
468 goto err; 530 goto err;
@@ -477,25 +539,17 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
477 } 539 }
478 540
479 /* make data into a big number */ 541 /* make data into a big number */
480 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err; 542 if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;
481 543
482 if (BN_ucmp(&f, rsa->n) >= 0) 544 if (BN_ucmp(f, rsa->n) >= 0)
483 { 545 {
484 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 546 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
485 goto err; 547 goto err;
486 } 548 }
487 549
488 BLINDING_HELPER(rsa, ctx, goto err;);
489 blinding = rsa->blinding;
490
491 /* Now unless blinding is disabled, 'blinding' is non-NULL.
492 * But the BN_BLINDING object may be owned by some other thread
493 * (we don't want to keep it constant and we don't want to use
494 * lots of locking to avoid race conditions, so only a single
495 * thread can use it; other threads have to use local blinding
496 * factors) */
497 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 550 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
498 { 551 {
552 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
499 if (blinding == NULL) 553 if (blinding == NULL)
500 { 554 {
501 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 555 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
@@ -504,20 +558,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
504 } 558 }
505 559
506 if (blinding != NULL) 560 if (blinding != NULL)
507 { 561 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
508 if (blinding->thread_id != CRYPTO_thread_id()) 562 goto err;
509 {
510 /* we need a local one-time blinding factor */
511
512 blinding = setup_blinding(rsa, ctx);
513 if (blinding == NULL)
514 goto err;
515 local_blinding = 1;
516 }
517 }
518
519 if (blinding)
520 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
521 563
522 /* do the decrypt */ 564 /* do the decrypt */
523 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 565 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -527,29 +569,33 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
527 (rsa->dmq1 != NULL) && 569 (rsa->dmq1 != NULL) &&
528 (rsa->iqmp != NULL)) ) 570 (rsa->iqmp != NULL)) )
529 { 571 {
530 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; 572 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
531 } 573 }
532 else 574 else
533 { 575 {
534 BIGNUM local_d; 576 BIGNUM local_d;
535 BIGNUM *d = NULL; 577 BIGNUM *d = NULL;
536 578
537 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 579 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
538 { 580 {
539 d = &local_d; 581 d = &local_d;
540 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 582 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
541 } 583 }
542 else 584 else
543 d = rsa->d; 585 d = rsa->d;
544 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) 586
545 goto err; 587 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
588 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
589 rsa->_method_mod_n))
590 goto err;
546 } 591 }
547 592
548 if (blinding) 593 if (blinding)
549 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 594 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
595 goto err;
550 596
551 p=buf; 597 p=buf;
552 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ 598 j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */
553 599
554 switch (padding) 600 switch (padding)
555 { 601 {
@@ -575,11 +621,11 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
575 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 621 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
576 622
577err: 623err:
578 if (ctx != NULL) BN_CTX_free(ctx); 624 if (ctx != NULL)
579 BN_clear_free(&f); 625 {
580 BN_clear_free(&ret); 626 BN_CTX_end(ctx);
581 if (local_blinding) 627 BN_CTX_free(ctx);
582 BN_BLINDING_free(blinding); 628 }
583 if (buf != NULL) 629 if (buf != NULL)
584 { 630 {
585 OPENSSL_cleanse(buf,num); 631 OPENSSL_cleanse(buf,num);
@@ -592,7 +638,7 @@ err:
592static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 638static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
593 unsigned char *to, RSA *rsa, int padding) 639 unsigned char *to, RSA *rsa, int padding)
594 { 640 {
595 BIGNUM f,ret; 641 BIGNUM *f,*ret;
596 int i,num=0,r= -1; 642 int i,num=0,r= -1;
597 unsigned char *p; 643 unsigned char *p;
598 unsigned char *buf=NULL; 644 unsigned char *buf=NULL;
@@ -619,15 +665,14 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
619 return -1; 665 return -1;
620 } 666 }
621 } 667 }
622 668
623 BN_init(&f); 669 if((ctx = BN_CTX_new()) == NULL) goto err;
624 BN_init(&ret); 670 BN_CTX_start(ctx);
625 ctx=BN_CTX_new(); 671 f = BN_CTX_get(ctx);
626 if (ctx == NULL) goto err; 672 ret = BN_CTX_get(ctx);
627
628 num=BN_num_bytes(rsa->n); 673 num=BN_num_bytes(rsa->n);
629 buf=(unsigned char *)OPENSSL_malloc(num); 674 buf = OPENSSL_malloc(num);
630 if (buf == NULL) 675 if(!f || !ret || !buf)
631 { 676 {
632 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); 677 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
633 goto err; 678 goto err;
@@ -641,37 +686,33 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
641 goto err; 686 goto err;
642 } 687 }
643 688
644 if (BN_bin2bn(from,flen,&f) == NULL) goto err; 689 if (BN_bin2bn(from,flen,f) == NULL) goto err;
645 690
646 if (BN_ucmp(&f, rsa->n) >= 0) 691 if (BN_ucmp(f, rsa->n) >= 0)
647 { 692 {
648 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 693 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
649 goto err; 694 goto err;
650 } 695 }
651 696
652 /* do the decrypt */ 697 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
653
654 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
655 {
656 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
657 CRYPTO_LOCK_RSA, rsa->n, ctx))
658 goto err;
659 }
660 698
661 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 699 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
662 rsa->_method_mod_n)) goto err; 700 rsa->_method_mod_n)) goto err;
663 701
664 if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12)) 702 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
665 BN_sub(&ret, rsa->n, &ret); 703 BN_sub(ret, rsa->n, ret);
666 704
667 p=buf; 705 p=buf;
668 i=BN_bn2bin(&ret,p); 706 i=BN_bn2bin(ret,p);
669 707
670 switch (padding) 708 switch (padding)
671 { 709 {
672 case RSA_PKCS1_PADDING: 710 case RSA_PKCS1_PADDING:
673 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 711 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
674 break; 712 break;
713 case RSA_X931_PADDING:
714 r=RSA_padding_check_X931(to,num,buf,i,num);
715 break;
675 case RSA_NO_PADDING: 716 case RSA_NO_PADDING:
676 r=RSA_padding_check_none(to,num,buf,i,num); 717 r=RSA_padding_check_none(to,num,buf,i,num);
677 break; 718 break;
@@ -683,9 +724,11 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
683 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 724 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
684 725
685err: 726err:
686 if (ctx != NULL) BN_CTX_free(ctx); 727 if (ctx != NULL)
687 BN_clear_free(&f); 728 {
688 BN_clear_free(&ret); 729 BN_CTX_end(ctx);
730 BN_CTX_free(ctx);
731 }
689 if (buf != NULL) 732 if (buf != NULL)
690 { 733 {
691 OPENSSL_cleanse(buf,num); 734 OPENSSL_cleanse(buf,num);
@@ -694,59 +737,111 @@ err:
694 return(r); 737 return(r);
695 } 738 }
696 739
697static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) 740static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
698 { 741 {
699 BIGNUM r1,m1,vrfy; 742 BIGNUM *r1,*m1,*vrfy;
700 BIGNUM local_dmp1, local_dmq1; 743 BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
701 BIGNUM *dmp1, *dmq1; 744 BIGNUM *dmp1,*dmq1,*c,*pr1;
702 int ret=0; 745 int ret=0;
703 BN_CTX *ctx;
704 746
705 BN_init(&m1); 747 BN_CTX_start(ctx);
706 BN_init(&r1); 748 r1 = BN_CTX_get(ctx);
707 BN_init(&vrfy); 749 m1 = BN_CTX_get(ctx);
708 if ((ctx=BN_CTX_new()) == NULL) goto err; 750 vrfy = BN_CTX_get(ctx);
751
752 {
753 BIGNUM local_p, local_q;
754 BIGNUM *p = NULL, *q = NULL;
755
756 /* Make sure BN_mod_inverse in Montgomery intialization uses the
757 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
758 */
759 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
760 {
761 BN_init(&local_p);
762 p = &local_p;
763 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
764
765 BN_init(&local_q);
766 q = &local_q;
767 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
768 }
769 else
770 {
771 p = rsa->p;
772 q = rsa->q;
773 }
774
775 MONT_HELPER(rsa->_method_mod_p, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
776 MONT_HELPER(rsa->_method_mod_q, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
777 }
709 778
710 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 779 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
780
781 /* compute I mod q */
782 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
711 { 783 {
712 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 784 c = &local_c;
713 CRYPTO_LOCK_RSA, rsa->p, ctx)) 785 BN_with_flags(c, I, BN_FLG_CONSTTIME);
714 goto err; 786 if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
715 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 787 }
716 CRYPTO_LOCK_RSA, rsa->q, ctx)) 788 else
717 goto err; 789 {
790 if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
718 } 791 }
719 792
720 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; 793 /* compute r1^dmq1 mod q */
721 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 794 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
722 { 795 {
723 dmq1 = &local_dmq1; 796 dmq1 = &local_dmq1;
724 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME); 797 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
725 } 798 }
726 else 799 else
727 dmq1 = rsa->dmq1; 800 dmq1 = rsa->dmq1;
728 if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx, 801 if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
729 rsa->_method_mod_q)) goto err; 802 rsa->_method_mod_q)) goto err;
730 803
731 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; 804 /* compute I mod p */
732 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 805 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
806 {
807 c = &local_c;
808 BN_with_flags(c, I, BN_FLG_CONSTTIME);
809 if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
810 }
811 else
812 {
813 if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
814 }
815
816 /* compute r1^dmp1 mod p */
817 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
733 { 818 {
734 dmp1 = &local_dmp1; 819 dmp1 = &local_dmp1;
735 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME); 820 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
736 } 821 }
737 else 822 else
738 dmp1 = rsa->dmp1; 823 dmp1 = rsa->dmp1;
739 if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx, 824 if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
740 rsa->_method_mod_p)) goto err; 825 rsa->_method_mod_p)) goto err;
741 826
742 if (!BN_sub(r0,r0,&m1)) goto err; 827 if (!BN_sub(r0,r0,m1)) goto err;
743 /* This will help stop the size of r0 increasing, which does 828 /* This will help stop the size of r0 increasing, which does
744 * affect the multiply if it optimised for a power of 2 size */ 829 * affect the multiply if it optimised for a power of 2 size */
745 if (r0->neg) 830 if (BN_is_negative(r0))
746 if (!BN_add(r0,r0,rsa->p)) goto err; 831 if (!BN_add(r0,r0,rsa->p)) goto err;
747 832
748 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err; 833 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
749 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err; 834
835 /* Turn BN_FLG_CONSTTIME flag on before division operation */
836 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
837 {
838 pr1 = &local_r1;
839 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
840 }
841 else
842 pr1 = r1;
843 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
844
750 /* If p < q it is occasionally possible for the correction of 845 /* If p < q it is occasionally possible for the correction of
751 * adding 'p' if r0 is negative above to leave the result still 846 * adding 'p' if r0 is negative above to leave the result still
752 * negative. This can break the private key operations: the following 847 * negative. This can break the private key operations: the following
@@ -754,23 +849,23 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
754 * This will *never* happen with OpenSSL generated keys because 849 * This will *never* happen with OpenSSL generated keys because
755 * they ensure p > q [steve] 850 * they ensure p > q [steve]
756 */ 851 */
757 if (r0->neg) 852 if (BN_is_negative(r0))
758 if (!BN_add(r0,r0,rsa->p)) goto err; 853 if (!BN_add(r0,r0,rsa->p)) goto err;
759 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; 854 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
760 if (!BN_add(r0,&r1,&m1)) goto err; 855 if (!BN_add(r0,r1,m1)) goto err;
761 856
762 if (rsa->e && rsa->n) 857 if (rsa->e && rsa->n)
763 { 858 {
764 if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; 859 if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
765 /* If 'I' was greater than (or equal to) rsa->n, the operation 860 /* If 'I' was greater than (or equal to) rsa->n, the operation
766 * will be equivalent to using 'I mod n'. However, the result of 861 * will be equivalent to using 'I mod n'. However, the result of
767 * the verify will *always* be less than 'n' so we don't check 862 * the verify will *always* be less than 'n' so we don't check
768 * for absolute equality, just congruency. */ 863 * for absolute equality, just congruency. */
769 if (!BN_sub(&vrfy, &vrfy, I)) goto err; 864 if (!BN_sub(vrfy, vrfy, I)) goto err;
770 if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err; 865 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
771 if (vrfy.neg) 866 if (BN_is_negative(vrfy))
772 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; 867 if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
773 if (!BN_is_zero(&vrfy)) 868 if (!BN_is_zero(vrfy))
774 { 869 {
775 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 870 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
776 * miscalculated CRT output, just do a raw (slower) 871 * miscalculated CRT output, just do a raw (slower)
@@ -779,22 +874,20 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
779 BIGNUM local_d; 874 BIGNUM local_d;
780 BIGNUM *d = NULL; 875 BIGNUM *d = NULL;
781 876
782 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 877 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
783 { 878 {
784 d = &local_d; 879 d = &local_d;
785 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 880 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
786 } 881 }
787 else 882 else
788 d = rsa->d; 883 d = rsa->d;
789 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err; 884 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
885 rsa->_method_mod_n)) goto err;
790 } 886 }
791 } 887 }
792 ret=1; 888 ret=1;
793err: 889err:
794 BN_clear_free(&m1); 890 BN_CTX_end(ctx);
795 BN_clear_free(&r1);
796 BN_clear_free(&vrfy);
797 BN_CTX_free(ctx);
798 return(ret); 891 return(ret);
799 } 892 }
800 893
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
index ddcb28e663..fe3ba1b44b 100644
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -71,14 +71,21 @@
71static ERR_STRING_DATA RSA_str_functs[]= 71static ERR_STRING_DATA RSA_str_functs[]=
72 { 72 {
73{ERR_FUNC(RSA_F_MEMORY_LOCK), "MEMORY_LOCK"}, 73{ERR_FUNC(RSA_F_MEMORY_LOCK), "MEMORY_LOCK"},
74{ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"},
74{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"}, 75{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
75{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"}, 76{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"},
76{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"}, 77{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"},
77{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"}, 78{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"},
78{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"}, 79{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"},
79{ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"}, 80{ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"},
81{ERR_FUNC(RSA_F_RSA_MEMORY_LOCK), "RSA_memory_lock"},
80{ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"}, 82{ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"},
81{ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"}, 83{ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"},
84{ERR_FUNC(RSA_F_RSA_NULL_MOD_EXP), "RSA_NULL_MOD_EXP"},
85{ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_DECRYPT), "RSA_NULL_PRIVATE_DECRYPT"},
86{ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_ENCRYPT), "RSA_NULL_PRIVATE_ENCRYPT"},
87{ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_DECRYPT), "RSA_NULL_PUBLIC_DECRYPT"},
88{ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_ENCRYPT), "RSA_NULL_PUBLIC_ENCRYPT"},
82{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"}, 89{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"},
83{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"}, 90{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"},
84{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"}, 91{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"},
@@ -94,6 +101,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
94{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"}, 101{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"},
95{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"}, 102{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"},
96{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"}, 103{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
104{ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
97{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, 105{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
98{ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"}, 106{ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"},
99{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"}, 107{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
@@ -130,20 +138,21 @@ static ERR_STRING_DATA RSA_str_reasons[]=
130{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"}, 138{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
131{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"}, 139{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"},
132{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, 140{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
141{ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) ,"no public exponent"},
133{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"}, 142{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
134{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"}, 143{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
135{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"}, 144{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
136{ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) ,"salt length recovery failed"},
137{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"}, 145{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
138{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, 146{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
139{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"}, 147{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"},
140{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"}, 148{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
149{ERR_REASON(RSA_R_SLEN_CHECK_FAILED) ,"salt length check failed"},
150{ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) ,"salt length recovery failed"},
141{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"}, 151{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"},
142{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"}, 152{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
143{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"}, 153{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"},
144{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) ,"unknown padding type"}, 154{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) ,"unknown padding type"},
145{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"}, 155{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
146{ERR_REASON(RSA_R_SLEN_CHECK_FAILED) ,"salt length check failed"},
147{0,NULL} 156{0,NULL}
148 }; 157 };
149 158
@@ -151,15 +160,12 @@ static ERR_STRING_DATA RSA_str_reasons[]=
151 160
152void ERR_load_RSA_strings(void) 161void ERR_load_RSA_strings(void)
153 { 162 {
154 static int init=1; 163#ifndef OPENSSL_NO_ERR
155 164
156 if (init) 165 if (ERR_func_error_string(RSA_str_functs[0].error) == NULL)
157 { 166 {
158 init=0;
159#ifndef OPENSSL_NO_ERR
160 ERR_load_strings(0,RSA_str_functs); 167 ERR_load_strings(0,RSA_str_functs);
161 ERR_load_strings(0,RSA_str_reasons); 168 ERR_load_strings(0,RSA_str_reasons);
162#endif
163
164 } 169 }
170#endif
165 } 171 }
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index dd1422cc98..767f7ab682 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -56,26 +56,42 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58 58
59
60/* NB: these functions have been "upgraded", the deprecated versions (which are
61 * compatibility wrappers using these functions) are in rsa_depr.c.
62 * - Geoff
63 */
64
59#include <stdio.h> 65#include <stdio.h>
60#include <time.h> 66#include <time.h>
61#include "cryptlib.h" 67#include "cryptlib.h"
62#include <openssl/bn.h> 68#include <openssl/bn.h>
63#include <openssl/rsa.h> 69#include <openssl/rsa.h>
64 70
65#ifndef OPENSSL_FIPS 71static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
66 72
67RSA *RSA_generate_key(int bits, unsigned long e_value, 73/* NB: this wrapper would normally be placed in rsa_lib.c and the static
68 void (*callback)(int,int,void *), void *cb_arg) 74 * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so
75 * that we don't introduce a new linker dependency. Eg. any application that
76 * wasn't previously linking object code related to key-generation won't have to
77 * now just because key-generation is part of RSA_METHOD. */
78int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
79 {
80 if(rsa->meth->rsa_keygen)
81 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
82 return rsa_builtin_keygen(rsa, bits, e_value, cb);
83 }
84
85static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
69 { 86 {
70 RSA *rsa=NULL;
71 BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp; 87 BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
72 int bitsp,bitsq,ok= -1,n=0,i; 88 BIGNUM local_r0,local_d,local_p;
73 BN_CTX *ctx=NULL,*ctx2=NULL; 89 BIGNUM *pr0,*d,*p;
90 int bitsp,bitsq,ok= -1,n=0;
91 BN_CTX *ctx=NULL;
74 92
75 ctx=BN_CTX_new(); 93 ctx=BN_CTX_new();
76 if (ctx == NULL) goto err; 94 if (ctx == NULL) goto err;
77 ctx2=BN_CTX_new();
78 if (ctx2 == NULL) goto err;
79 BN_CTX_start(ctx); 95 BN_CTX_start(ctx);
80 r0 = BN_CTX_get(ctx); 96 r0 = BN_CTX_get(ctx);
81 r1 = BN_CTX_get(ctx); 97 r1 = BN_CTX_get(ctx);
@@ -85,49 +101,58 @@ RSA *RSA_generate_key(int bits, unsigned long e_value,
85 101
86 bitsp=(bits+1)/2; 102 bitsp=(bits+1)/2;
87 bitsq=bits-bitsp; 103 bitsq=bits-bitsp;
88 rsa=RSA_new();
89 if (rsa == NULL) goto err;
90 104
91 /* set e */ 105 /* We need the RSA components non-NULL */
92 rsa->e=BN_new(); 106 if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err;
93 if (rsa->e == NULL) goto err; 107 if(!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err;
108 if(!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err;
109 if(!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err;
110 if(!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err;
111 if(!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err;
112 if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err;
113 if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err;
94 114
95#if 1 115 BN_copy(rsa->e, e_value);
96 /* The problem is when building with 8, 16, or 32 BN_ULONG,
97 * unsigned long can be larger */
98 for (i=0; i<sizeof(unsigned long)*8; i++)
99 {
100 if (e_value & (1UL<<i))
101 BN_set_bit(rsa->e,i);
102 }
103#else
104 if (!BN_set_word(rsa->e,e_value)) goto err;
105#endif
106 116
107 /* generate p and q */ 117 /* generate p and q */
108 for (;;) 118 for (;;)
109 { 119 {
110 rsa->p=BN_generate_prime(NULL,bitsp,0,NULL,NULL,callback,cb_arg); 120 if(!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
111 if (rsa->p == NULL) goto err; 121 goto err;
112 if (!BN_sub(r2,rsa->p,BN_value_one())) goto err; 122 if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
113 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err; 123 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
114 if (BN_is_one(r1)) break; 124 if (BN_is_one(r1)) break;
115 if (callback != NULL) callback(2,n++,cb_arg); 125 if(!BN_GENCB_call(cb, 2, n++))
116 BN_free(rsa->p); 126 goto err;
117 } 127 }
118 if (callback != NULL) callback(3,0,cb_arg); 128 if(!BN_GENCB_call(cb, 3, 0))
129 goto err;
119 for (;;) 130 for (;;)
120 { 131 {
121 rsa->q=BN_generate_prime(NULL,bitsq,0,NULL,NULL,callback,cb_arg); 132 /* When generating ridiculously small keys, we can get stuck
122 if (rsa->q == NULL) goto err; 133 * continually regenerating the same prime values. Check for
134 * this and bail if it happens 3 times. */
135 unsigned int degenerate = 0;
136 do
137 {
138 if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
139 goto err;
140 } while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
141 if(degenerate == 3)
142 {
143 ok = 0; /* we set our own err */
144 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL);
145 goto err;
146 }
123 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; 147 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
124 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err; 148 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
125 if (BN_is_one(r1) && (BN_cmp(rsa->p,rsa->q) != 0)) 149 if (BN_is_one(r1))
126 break; 150 break;
127 if (callback != NULL) callback(2,n++,cb_arg); 151 if(!BN_GENCB_call(cb, 2, n++))
128 BN_free(rsa->q); 152 goto err;
129 } 153 }
130 if (callback != NULL) callback(3,1,cb_arg); 154 if(!BN_GENCB_call(cb, 3, 1))
155 goto err;
131 if (BN_cmp(rsa->p,rsa->q) < 0) 156 if (BN_cmp(rsa->p,rsa->q) < 0)
132 { 157 {
133 tmp=rsa->p; 158 tmp=rsa->p;
@@ -136,66 +161,59 @@ RSA *RSA_generate_key(int bits, unsigned long e_value,
136 } 161 }
137 162
138 /* calculate n */ 163 /* calculate n */
139 rsa->n=BN_new();
140 if (rsa->n == NULL) goto err;
141 if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err; 164 if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
142 165
143 /* calculate d */ 166 /* calculate d */
144 if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */ 167 if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */
145 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */ 168 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */
146 if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */ 169 if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */
147 170 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
148/* should not be needed, since gcd(p-1,e) == 1 and gcd(q-1,e) == 1 */
149/* for (;;)
150 { 171 {
151 if (!BN_gcd(r3,r0,rsa->e,ctx)) goto err; 172 pr0 = &local_r0;
152 if (BN_is_one(r3)) break; 173 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
174 }
175 else
176 pr0 = r0;
177 if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err; /* d */
153 178
154 if (1) 179 /* set up d for correct BN_FLG_CONSTTIME flag */
155 { 180 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
156 if (!BN_add_word(rsa->e,2L)) goto err; 181 {
157 continue; 182 d = &local_d;
158 } 183 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
159 RSAerr(RSA_F_RSA_GENERATE_KEY,RSA_R_BAD_E_VALUE);
160 goto err;
161 } 184 }
162*/ 185 else
163 rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */ 186 d = rsa->d;
164 if (rsa->d == NULL) goto err;
165 187
166 /* calculate d mod (p-1) */ 188 /* calculate d mod (p-1) */
167 rsa->dmp1=BN_new(); 189 if (!BN_mod(rsa->dmp1,d,r1,ctx)) goto err;
168 if (rsa->dmp1 == NULL) goto err;
169 if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx)) goto err;
170 190
171 /* calculate d mod (q-1) */ 191 /* calculate d mod (q-1) */
172 rsa->dmq1=BN_new(); 192 if (!BN_mod(rsa->dmq1,d,r2,ctx)) goto err;
173 if (rsa->dmq1 == NULL) goto err;
174 if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx)) goto err;
175 193
176 /* calculate inverse of q mod p */ 194 /* calculate inverse of q mod p */
177 rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2); 195 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
178 if (rsa->iqmp == NULL) goto err; 196 {
197 p = &local_p;
198 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
199 }
200 else
201 p = rsa->p;
202 if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
179 203
180 ok=1; 204 ok=1;
181err: 205err:
182 if (ok == -1) 206 if (ok == -1)
183 { 207 {
184 RSAerr(RSA_F_RSA_GENERATE_KEY,ERR_LIB_BN); 208 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN);
185 ok=0; 209 ok=0;
186 } 210 }
187 if (ctx != NULL) 211 if (ctx != NULL)
188 BN_CTX_end(ctx);
189 BN_CTX_free(ctx);
190 BN_CTX_free(ctx2);
191
192 if (!ok)
193 { 212 {
194 if (rsa != NULL) RSA_free(rsa); 213 BN_CTX_end(ctx);
195 return(NULL); 214 BN_CTX_free(ctx);
196 } 215 }
197 else 216
198 return(rsa); 217 return ok;
199 } 218 }
200 219
201#endif
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index e4d622851e..104aa4c1f2 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -67,7 +67,7 @@
67#include <openssl/engine.h> 67#include <openssl/engine.h>
68#endif 68#endif
69 69
70const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT; 70const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;
71 71
72static const RSA_METHOD *default_RSA_meth=NULL; 72static const RSA_METHOD *default_RSA_meth=NULL;
73 73
@@ -179,6 +179,7 @@ RSA *RSA_new_method(ENGINE *engine)
179 ret->_method_mod_p=NULL; 179 ret->_method_mod_p=NULL;
180 ret->_method_mod_q=NULL; 180 ret->_method_mod_q=NULL;
181 ret->blinding=NULL; 181 ret->blinding=NULL;
182 ret->mt_blinding=NULL;
182 ret->bignum_data=NULL; 183 ret->bignum_data=NULL;
183 ret->flags=ret->meth->flags; 184 ret->flags=ret->meth->flags;
184 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); 185 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
@@ -232,6 +233,7 @@ void RSA_free(RSA *r)
232 if (r->dmq1 != NULL) BN_clear_free(r->dmq1); 233 if (r->dmq1 != NULL) BN_clear_free(r->dmq1);
233 if (r->iqmp != NULL) BN_clear_free(r->iqmp); 234 if (r->iqmp != NULL) BN_clear_free(r->iqmp);
234 if (r->blinding != NULL) BN_BLINDING_free(r->blinding); 235 if (r->blinding != NULL) BN_BLINDING_free(r->blinding);
236 if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding);
235 if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data); 237 if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data);
236 OPENSSL_free(r); 238 OPENSSL_free(r);
237 } 239 }
@@ -314,59 +316,117 @@ void RSA_blinding_off(RSA *rsa)
314 rsa->flags |= RSA_FLAG_NO_BLINDING; 316 rsa->flags |= RSA_FLAG_NO_BLINDING;
315 } 317 }
316 318
317int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) 319int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
318 { 320 {
319 BIGNUM *A,*Ai = NULL;
320 BN_CTX *ctx;
321 int ret=0; 321 int ret=0;
322 322
323 if (p_ctx == NULL) 323 if (rsa->blinding != NULL)
324 RSA_blinding_off(rsa);
325
326 rsa->blinding = RSA_setup_blinding(rsa, ctx);
327 if (rsa->blinding == NULL)
328 goto err;
329
330 rsa->flags |= RSA_FLAG_BLINDING;
331 rsa->flags &= ~RSA_FLAG_NO_BLINDING;
332 ret=1;
333err:
334 return(ret);
335 }
336
337static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
338 const BIGNUM *q, BN_CTX *ctx)
339{
340 BIGNUM *ret = NULL, *r0, *r1, *r2;
341
342 if (d == NULL || p == NULL || q == NULL)
343 return NULL;
344
345 BN_CTX_start(ctx);
346 r0 = BN_CTX_get(ctx);
347 r1 = BN_CTX_get(ctx);
348 r2 = BN_CTX_get(ctx);
349 if (r2 == NULL)
350 goto err;
351
352 if (!BN_sub(r1, p, BN_value_one())) goto err;
353 if (!BN_sub(r2, q, BN_value_one())) goto err;
354 if (!BN_mul(r0, r1, r2, ctx)) goto err;
355
356 ret = BN_mod_inverse(NULL, d, r0, ctx);
357err:
358 BN_CTX_end(ctx);
359 return ret;
360}
361
362BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
363{
364 BIGNUM local_n;
365 BIGNUM *e,*n;
366 BN_CTX *ctx;
367 BN_BLINDING *ret = NULL;
368
369 if (in_ctx == NULL)
324 { 370 {
325 if ((ctx=BN_CTX_new()) == NULL) goto err; 371 if ((ctx = BN_CTX_new()) == NULL) return 0;
326 } 372 }
327 else 373 else
328 ctx=p_ctx; 374 ctx = in_ctx;
329 375
330 /* XXXXX: Shouldn't this be RSA_blinding_off(rsa)? */ 376 BN_CTX_start(ctx);
331 if (rsa->blinding != NULL) 377 e = BN_CTX_get(ctx);
378 if (e == NULL)
332 { 379 {
333 BN_BLINDING_free(rsa->blinding); 380 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
334 rsa->blinding = NULL; 381 goto err;
335 } 382 }
336 383
337 /* NB: similar code appears in setup_blinding (rsa_eay.c); 384 if (rsa->e == NULL)
338 * this should be placed in a new function of its own, but for reasons 385 {
339 * of binary compatibility can't */ 386 e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
387 if (e == NULL)
388 {
389 RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
390 goto err;
391 }
392 }
393 else
394 e = rsa->e;
340 395
341 BN_CTX_start(ctx); 396
342 A = BN_CTX_get(ctx);
343 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) 397 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
344 { 398 {
345 /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ 399 /* if PRNG is not properly seeded, resort to secret
346 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); 400 * exponent as unpredictable seed */
347 if (!BN_pseudo_rand_range(A,rsa->n)) goto err; 401 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
348 } 402 }
349 else 403
404 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
350 { 405 {
351 if (!BN_rand_range(A,rsa->n)) goto err; 406 /* Set BN_FLG_CONSTTIME flag */
407 n = &local_n;
408 BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
352 } 409 }
353 if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; 410 else
411 n = rsa->n;
354 412
355 if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) 413 ret = BN_BLINDING_create_param(NULL, e, n, ctx,
414 rsa->meth->bn_mod_exp, rsa->_method_mod_n);
415 if (ret == NULL)
416 {
417 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
356 goto err; 418 goto err;
357 if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err; 419 }
358 /* to make things thread-safe without excessive locking, 420 BN_BLINDING_set_thread_id(ret, CRYPTO_thread_id());
359 * rsa->blinding will be used just by the current thread: */
360 rsa->blinding->thread_id = CRYPTO_thread_id();
361 rsa->flags |= RSA_FLAG_BLINDING;
362 rsa->flags &= ~RSA_FLAG_NO_BLINDING;
363 ret=1;
364err: 421err:
365 if (Ai != NULL) BN_free(Ai);
366 BN_CTX_end(ctx); 422 BN_CTX_end(ctx);
367 if (ctx != p_ctx) BN_CTX_free(ctx); 423 if (in_ctx == NULL)
368 return(ret); 424 BN_CTX_free(ctx);
369 } 425 if(rsa->e == NULL)
426 BN_free(e);
427
428 return ret;
429}
370 430
371int RSA_memory_lock(RSA *r) 431int RSA_memory_lock(RSA *r)
372 { 432 {
@@ -389,7 +449,7 @@ int RSA_memory_lock(RSA *r)
389 j+= (*t[i])->top; 449 j+= (*t[i])->top;
390 if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL) 450 if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL)
391 { 451 {
392 RSAerr(RSA_F_MEMORY_LOCK,ERR_R_MALLOC_FAILURE); 452 RSAerr(RSA_F_RSA_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);
393 return(0); 453 return(0);
394 } 454 }
395 bn=(BIGNUM *)p; 455 bn=(BIGNUM *)p;
diff --git a/src/lib/libcrypto/rsa/rsa_null.c b/src/lib/libcrypto/rsa/rsa_null.c
index 64057fbdcf..491572c82b 100644
--- a/src/lib/libcrypto/rsa/rsa_null.c
+++ b/src/lib/libcrypto/rsa/rsa_null.c
@@ -94,6 +94,9 @@ static RSA_METHOD rsa_null_meth={
94 RSA_null_finish, 94 RSA_null_finish,
95 0, 95 0,
96 NULL, 96 NULL,
97 NULL,
98 NULL,
99 NULL
97 }; 100 };
98 101
99const RSA_METHOD *RSA_null_method(void) 102const RSA_METHOD *RSA_null_method(void)
@@ -104,35 +107,35 @@ const RSA_METHOD *RSA_null_method(void)
104static int RSA_null_public_encrypt(int flen, const unsigned char *from, 107static int RSA_null_public_encrypt(int flen, const unsigned char *from,
105 unsigned char *to, RSA *rsa, int padding) 108 unsigned char *to, RSA *rsa, int padding)
106 { 109 {
107 RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 110 RSAerr(RSA_F_RSA_NULL_PUBLIC_ENCRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
108 return -1; 111 return -1;
109 } 112 }
110 113
111static int RSA_null_private_encrypt(int flen, const unsigned char *from, 114static int RSA_null_private_encrypt(int flen, const unsigned char *from,
112 unsigned char *to, RSA *rsa, int padding) 115 unsigned char *to, RSA *rsa, int padding)
113 { 116 {
114 RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 117 RSAerr(RSA_F_RSA_NULL_PRIVATE_ENCRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
115 return -1; 118 return -1;
116 } 119 }
117 120
118static int RSA_null_private_decrypt(int flen, const unsigned char *from, 121static int RSA_null_private_decrypt(int flen, const unsigned char *from,
119 unsigned char *to, RSA *rsa, int padding) 122 unsigned char *to, RSA *rsa, int padding)
120 { 123 {
121 RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 124 RSAerr(RSA_F_RSA_NULL_PRIVATE_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
122 return -1; 125 return -1;
123 } 126 }
124 127
125static int RSA_null_public_decrypt(int flen, const unsigned char *from, 128static int RSA_null_public_decrypt(int flen, const unsigned char *from,
126 unsigned char *to, RSA *rsa, int padding) 129 unsigned char *to, RSA *rsa, int padding)
127 { 130 {
128 RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 131 RSAerr(RSA_F_RSA_NULL_PUBLIC_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
129 return -1; 132 return -1;
130 } 133 }
131 134
132#if 0 /* not currently used */ 135#if 0 /* not currently used */
133static int RSA_null_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) 136static int RSA_null_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
134 { 137 {
135 RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 138 ...err(RSA_F_RSA_NULL_MOD_EXP, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
136 return -1; 139 return -1;
137 } 140 }
138#endif 141#endif
@@ -146,5 +149,3 @@ static int RSA_null_finish(RSA *rsa)
146 { 149 {
147 return(1); 150 return(1);
148 } 151 }
149
150
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index d43ecaca63..3652677a99 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -28,6 +28,9 @@
28#include <openssl/rand.h> 28#include <openssl/rand.h>
29#include <openssl/sha.h> 29#include <openssl/sha.h>
30 30
31int MGF1(unsigned char *mask, long len,
32 const unsigned char *seed, long seedlen);
33
31int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, 34int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
32 const unsigned char *from, int flen, 35 const unsigned char *from, int flen,
33 const unsigned char *param, int plen) 36 const unsigned char *param, int plen)
@@ -73,13 +76,11 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
73 20); 76 20);
74#endif 77#endif
75 78
76 PKCS1_MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH, 79 MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
77 EVP_sha1());
78 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++) 80 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
79 db[i] ^= dbmask[i]; 81 db[i] ^= dbmask[i];
80 82
81 PKCS1_MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH, 83 MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
82 EVP_sha1());
83 for (i = 0; i < SHA_DIGEST_LENGTH; i++) 84 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
84 seed[i] ^= seedmask[i]; 85 seed[i] ^= seedmask[i];
85 86
@@ -95,6 +96,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
95 const unsigned char *maskeddb; 96 const unsigned char *maskeddb;
96 int lzero; 97 int lzero;
97 unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH]; 98 unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
99 unsigned char *padded_from;
98 int bad = 0; 100 int bad = 0;
99 101
100 if (--num < 2 * SHA_DIGEST_LENGTH + 1) 102 if (--num < 2 * SHA_DIGEST_LENGTH + 1)
@@ -105,8 +107,6 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
105 lzero = num - flen; 107 lzero = num - flen;
106 if (lzero < 0) 108 if (lzero < 0)
107 { 109 {
108 /* lzero == -1 */
109
110 /* signalling this error immediately after detection might allow 110 /* signalling this error immediately after detection might allow
111 * for side-channel attacks (e.g. timing if 'plen' is huge 111 * for side-channel attacks (e.g. timing if 'plen' is huge
112 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal 112 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
@@ -114,22 +114,30 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
114 * so we use a 'bad' flag */ 114 * so we use a 'bad' flag */
115 bad = 1; 115 bad = 1;
116 lzero = 0; 116 lzero = 0;
117 flen = num; /* don't overflow the memcpy to padded_from */
117 } 118 }
118 maskeddb = from - lzero + SHA_DIGEST_LENGTH;
119 119
120 dblen = num - SHA_DIGEST_LENGTH; 120 dblen = num - SHA_DIGEST_LENGTH;
121 db = OPENSSL_malloc(dblen); 121 db = OPENSSL_malloc(dblen + num);
122 if (db == NULL) 122 if (db == NULL)
123 { 123 {
124 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); 124 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
125 return -1; 125 return -1;
126 } 126 }
127 127
128 PKCS1_MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen, EVP_sha1()); 128 /* Always do this zero-padding copy (even when lzero == 0)
129 for (i = lzero; i < SHA_DIGEST_LENGTH; i++) 129 * to avoid leaking timing info about the value of lzero. */
130 seed[i] ^= from[i - lzero]; 130 padded_from = db + dblen;
131 memset(padded_from, 0, lzero);
132 memcpy(padded_from + lzero, from, flen);
133
134 maskeddb = padded_from + SHA_DIGEST_LENGTH;
135
136 MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
137 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
138 seed[i] ^= padded_from[i];
131 139
132 PKCS1_MGF1(db, dblen, seed, SHA_DIGEST_LENGTH, EVP_sha1()); 140 MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
133 for (i = 0; i < dblen; i++) 141 for (i = 0; i < dblen; i++)
134 db[i] ^= maskeddb[i]; 142 db[i] ^= maskeddb[i];
135 143
@@ -142,13 +150,13 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
142 for (i = SHA_DIGEST_LENGTH; i < dblen; i++) 150 for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
143 if (db[i] != 0x00) 151 if (db[i] != 0x00)
144 break; 152 break;
145 if (db[i] != 0x01 || i++ >= dblen) 153 if (i == dblen || db[i] != 0x01)
146 goto decoding_err; 154 goto decoding_err;
147 else 155 else
148 { 156 {
149 /* everything looks OK */ 157 /* everything looks OK */
150 158
151 mlen = dblen - i; 159 mlen = dblen - ++i;
152 if (tlen < mlen) 160 if (tlen < mlen)
153 { 161 {
154 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE); 162 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
index 24fc94835e..f98e0a80a6 100644
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -107,7 +107,8 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
107 RSA *rsa) 107 RSA *rsa)
108 { 108 {
109 int i,ret=0; 109 int i,ret=0;
110 unsigned char *p,*s; 110 unsigned char *s;
111 const unsigned char *p;
111 ASN1_OCTET_STRING *sig=NULL; 112 ASN1_OCTET_STRING *sig=NULL;
112 113
113 if (siglen != (unsigned int)RSA_size(rsa)) 114 if (siglen != (unsigned int)RSA_size(rsa))
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index db86f1ac58..71aabeea1b 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -146,7 +146,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
146 unsigned char *sigbuf, unsigned int siglen, RSA *rsa) 146 unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
147 { 147 {
148 int i,ret=0,sigtype; 148 int i,ret=0,sigtype;
149 unsigned char *p,*s; 149 unsigned char *s;
150 X509_SIG *sig=NULL; 150 X509_SIG *sig=NULL;
151 151
152 if (siglen != (unsigned int)RSA_size(rsa)) 152 if (siglen != (unsigned int)RSA_size(rsa))
@@ -181,7 +181,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
181 RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); 181 RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
182 else ret = 1; 182 else ret = 1;
183 } else { 183 } else {
184 p=s; 184 const unsigned char *p=s;
185 sig=d2i_X509_SIG(NULL,&p,(long)i); 185 sig=d2i_X509_SIG(NULL,&p,(long)i);
186 186
187 if (sig == NULL) goto err; 187 if (sig == NULL) goto err;
diff --git a/src/lib/libcrypto/rsa/rsa_test.c b/src/lib/libcrypto/rsa/rsa_test.c
index 218bb2a39b..4080de8bcf 100644
--- a/src/lib/libcrypto/rsa/rsa_test.c
+++ b/src/lib/libcrypto/rsa/rsa_test.c
@@ -8,6 +8,7 @@
8#include <openssl/crypto.h> 8#include <openssl/crypto.h>
9#include <openssl/err.h> 9#include <openssl/err.h>
10#include <openssl/rand.h> 10#include <openssl/rand.h>
11#include <openssl/bn.h>
11#ifdef OPENSSL_NO_RSA 12#ifdef OPENSSL_NO_RSA
12int main(int argc, char *argv[]) 13int main(int argc, char *argv[])
13{ 14{
@@ -218,6 +219,7 @@ int main(int argc, char *argv[])
218 int plen; 219 int plen;
219 int clen = 0; 220 int clen = 0;
220 int num; 221 int num;
222 int n;
221 223
222 CRYPTO_malloc_debug_init(); 224 CRYPTO_malloc_debug_init();
223 CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL); 225 CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
@@ -241,7 +243,7 @@ int main(int argc, char *argv[])
241 clen = key3(key, ctext_ex); 243 clen = key3(key, ctext_ex);
242 break; 244 break;
243 } 245 }
244 if (v/3 > 1) key->flags |= RSA_FLAG_NO_EXP_CONSTTIME; 246 if (v/3 >= 1) key->flags |= RSA_FLAG_NO_CONSTTIME;
245 247
246 num = RSA_public_encrypt(plen, ptext_ex, ctext, key, 248 num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
247 RSA_PKCS1_PADDING); 249 RSA_PKCS1_PADDING);
@@ -277,7 +279,7 @@ int main(int argc, char *argv[])
277 err=1; 279 err=1;
278 goto next; 280 goto next;
279 } 281 }
280 282
281 num = RSA_private_decrypt(num, ctext, ptext, key, 283 num = RSA_private_decrypt(num, ctext, ptext, key,
282 RSA_PKCS1_OAEP_PADDING); 284 RSA_PKCS1_OAEP_PADDING);
283 if (num != plen || memcmp(ptext, ptext_ex, num) != 0) 285 if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
@@ -286,10 +288,7 @@ int main(int argc, char *argv[])
286 err=1; 288 err=1;
287 } 289 }
288 else if (memcmp(ctext, ctext_ex, num) == 0) 290 else if (memcmp(ctext, ctext_ex, num) == 0)
289 {
290 printf("OAEP test vector %d passed!\n", v); 291 printf("OAEP test vector %d passed!\n", v);
291 goto next;
292 }
293 292
294 /* Different ciphertexts (rsa_oaep.c without -DPKCS_TESTVECT). 293 /* Different ciphertexts (rsa_oaep.c without -DPKCS_TESTVECT).
295 Try decrypting ctext_ex */ 294 Try decrypting ctext_ex */
@@ -304,6 +303,26 @@ int main(int argc, char *argv[])
304 } 303 }
305 else 304 else
306 printf("OAEP encryption/decryption ok\n"); 305 printf("OAEP encryption/decryption ok\n");
306
307 /* Try decrypting corrupted ciphertexts */
308 for(n = 0 ; n < clen ; ++n)
309 {
310 int b;
311 unsigned char saved = ctext[n];
312 for(b = 0 ; b < 256 ; ++b)
313 {
314 if(b == saved)
315 continue;
316 ctext[n] = b;
317 num = RSA_private_decrypt(num, ctext, ptext, key,
318 RSA_PKCS1_OAEP_PADDING);
319 if(num > 0)
320 {
321 printf("Corrupt data decrypted!\n");
322 err = 1;
323 }
324 }
325 }
307 next: 326 next:
308 RSA_free(key); 327 RSA_free(key);
309 } 328 }
@@ -313,6 +332,9 @@ int main(int argc, char *argv[])
313 332
314 CRYPTO_mem_leaks_fp(stderr); 333 CRYPTO_mem_leaks_fp(stderr);
315 334
335#ifdef OPENSSL_SYS_NETWARE
336 if (err) printf("ERROR: %d\n", err);
337#endif
316 return err; 338 return err;
317 } 339 }
318#endif 340#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-01 13:40:54 +0000