Diffstat (limited to 'src/lib/libcrypto/rsa')
-rw-r--r--src/lib/libcrypto/rsa/rsa.h503
-rw-r--r--src/lib/libcrypto/rsa/rsa_ameth.c349
-rw-r--r--src/lib/libcrypto/rsa/rsa_asn1.c111
-rw-r--r--src/lib/libcrypto/rsa/rsa_chk.c184
-rw-r--r--src/lib/libcrypto/rsa/rsa_depr.c101
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c915
-rw-r--r--src/lib/libcrypto/rsa/rsa_err.c190
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c219
-rw-r--r--src/lib/libcrypto/rsa/rsa_lib.c483
-rw-r--r--src/lib/libcrypto/rsa/rsa_locl.h4
-rw-r--r--src/lib/libcrypto/rsa/rsa_none.c98
-rw-r--r--src/lib/libcrypto/rsa/rsa_oaep.c233
-rw-r--r--src/lib/libcrypto/rsa/rsa_pk1.c224
-rw-r--r--src/lib/libcrypto/rsa/rsa_pmeth.c587
-rw-r--r--src/lib/libcrypto/rsa/rsa_prn.c93
-rw-r--r--src/lib/libcrypto/rsa/rsa_pss.c275
-rw-r--r--src/lib/libcrypto/rsa/rsa_saos.c150
-rw-r--r--src/lib/libcrypto/rsa/rsa_sign.c285
-rw-r--r--src/lib/libcrypto/rsa/rsa_ssl.c154
-rw-r--r--src/lib/libcrypto/rsa/rsa_x931.c177
20 files changed, 0 insertions, 5335 deletions
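diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
deleted file mode 100644
index cf74343657..0000000000
--- a/src/lib/libcrypto/rsa/rsa.h
+++ /dev/null
@@ -1,503 +0,0 @@
-/* crypto/rsa/rsa.h */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef HEADER_RSA_H
-#define HEADER_RSA_H
-
-#include <openssl/asn1.h>
-
-#ifndef OPENSSL_NO_BIO
-#include <openssl/bio.h>
-#endif
-#include <openssl/crypto.h>
-#include <openssl/ossl_typ.h>
-#ifndef OPENSSL_NO_DEPRECATED
-#include <openssl/bn.h>
-#endif
-
-#ifdef OPENSSL_NO_RSA
-#error RSA is disabled.
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Declared already in ossl_typ.h */
-/* typedef struct rsa_st RSA; */
-/* typedef struct rsa_meth_st RSA_METHOD; */
-
-struct rsa_meth_st
- {
- const char *name;
- int (*rsa_pub_enc)(int flen,const unsigned char *from,
- unsigned char *to,
- RSA *rsa,int padding);
- int (*rsa_pub_dec)(int flen,const unsigned char *from,
- unsigned char *to,
- RSA *rsa,int padding);
- int (*rsa_priv_enc)(int flen,const unsigned char *from,
- unsigned char *to,
- RSA *rsa,int padding);
- int (*rsa_priv_dec)(int flen,const unsigned char *from,
- unsigned char *to,
- RSA *rsa,int padding);
- int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa,BN_CTX *ctx); /* Can be null */
- int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx,
- BN_MONT_CTX *m_ctx); /* Can be null */
- int (*init)(RSA *rsa); /* called at new */
- int (*finish)(RSA *rsa); /* called at free */
- int flags; /* RSA_METHOD_FLAG_* things */
- char *app_data; /* may be needed! */
-/* New sign and verify functions: some libraries don't allow arbitrary data
- * to be signed/verified: this allows them to be used. Note: for this to work
- * the RSA_public_decrypt() and RSA_private_encrypt() should *NOT* be used
- * RSA_sign(), RSA_verify() should be used instead. Note: for backwards
- * compatibility this functionality is only enabled if the RSA_FLAG_SIGN_VER
- * option is set in 'flags'.
- */
- int (*rsa_sign)(int type,
- const unsigned char *m, unsigned int m_length,
- unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
- int (*rsa_verify)(int dtype,
- const unsigned char *m, unsigned int m_length,
- const unsigned char *sigbuf, unsigned int siglen,
- const RSA *rsa);
-/* If this callback is NULL, the builtin software RSA key-gen will be used. This
- * is for behavioural compatibility whilst the code gets rewired, but one day
- * it would be nice to assume there are no such things as "builtin software"
- * implementations. */
- int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
- };
-
-struct rsa_st
- {
- /* The first parameter is used to pickup errors where
- * this is passed instead of aEVP_PKEY, it is set to 0 */
- int pad;
- long version;
- const RSA_METHOD *meth;
- /* functional reference if 'meth' is ENGINE-provided */
- ENGINE *engine;
- BIGNUM *n;
- BIGNUM *e;
- BIGNUM *d;
- BIGNUM *p;
- BIGNUM *q;
- BIGNUM *dmp1;
- BIGNUM *dmq1;
- BIGNUM *iqmp;
- /* be careful using this if the RSA structure is shared */
- CRYPTO_EX_DATA ex_data;
- int references;
- int flags;
-
- /* Used to cache montgomery values */
- BN_MONT_CTX *_method_mod_n;
- BN_MONT_CTX *_method_mod_p;
- BN_MONT_CTX *_method_mod_q;
-
- /* all BIGNUM values are actually in the following data, if it is not
- * NULL */
- char *bignum_data;
- BN_BLINDING *blinding;
- BN_BLINDING *mt_blinding;
- };
-
-#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
-# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
-#endif
-
-#ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
-# define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
-#endif
-#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
-# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */
-#endif
-
-#define RSA_3 0x3L
-#define RSA_F4 0x10001L
-
-#define RSA_METHOD_FLAG_NO_CHECK 0x0001 /* don't check pub/private match */
-
-#define RSA_FLAG_CACHE_PUBLIC 0x0002
-#define RSA_FLAG_CACHE_PRIVATE 0x0004
-#define RSA_FLAG_BLINDING 0x0008
-#define RSA_FLAG_THREAD_SAFE 0x0010
-/* This flag means the private key operations will be handled by rsa_mod_exp
- * and that they do not depend on the private key components being present:
- * for example a key stored in external hardware. Without this flag bn_mod_exp
- * gets called when private key components are absent.
- */
-#define RSA_FLAG_EXT_PKEY 0x0020
-
-/* This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
- */
-#define RSA_FLAG_SIGN_VER 0x0040
-
-#define RSA_FLAG_NO_BLINDING 0x0080 /* new with 0.9.6j and 0.9.7b; the built-in
- * RSA implementation now uses blinding by
- * default (ignoring RSA_FLAG_BLINDING),
- * but other engines might not need it
- */
-#define RSA_FLAG_NO_CONSTTIME 0x0100 /* new with 0.9.8f; the built-in RSA
- * implementation now uses constant time
- * operations by default in private key operations,
- * e.g., constant time modular exponentiation,
- * modular inverse without leaking branches,
- * division without leaking branches. This
- * flag disables these constant time
- * operations and results in faster RSA
- * private key operations.
- */
-#ifndef OPENSSL_NO_DEPRECATED
-#define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME /* deprecated name for the flag*/
- /* new with 0.9.7h; the built-in RSA
- * implementation now uses constant time
- * modular exponentiation for secret exponents
- * by default. This flag causes the
- * faster variable sliding window method to
- * be used for all exponents.
- */
-#endif
-
-
-#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \
- pad, NULL)
-
-#define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
- (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
- EVP_PKEY_CTRL_RSA_PSS_SALTLEN, \
- len, NULL)
-
-#define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
- EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL)
-
-#define EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
- EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp)
-
-#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
-#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2)
-
-#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3)
-#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4)
-
-#define RSA_PKCS1_PADDING 1
-#define RSA_SSLV23_PADDING 2
-#define RSA_NO_PADDING 3
-#define RSA_PKCS1_OAEP_PADDING 4
-#define RSA_X931_PADDING 5
-/* EVP_PKEY_ only */
-#define RSA_PKCS1_PSS_PADDING 6
-
-#define RSA_PKCS1_PADDING_SIZE 11
-
-#define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)
-#define RSA_get_app_data(s) RSA_get_ex_data(s,0)
-
-RSA * RSA_new(void);
-RSA * RSA_new_method(ENGINE *engine);
-int RSA_size(const RSA *);
-
-/* Deprecated version */
-#ifndef OPENSSL_NO_DEPRECATED
-RSA * RSA_generate_key(int bits, unsigned long e,void
- (*callback)(int,int,void *),void *cb_arg);
-#endif /* !defined(OPENSSL_NO_DEPRECATED) */
-
-/* New version */
-int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
-
-int RSA_check_key(const RSA *);
- /* next 4 return -1 on error */
-int RSA_public_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,int padding);
-int RSA_private_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,int padding);
-int RSA_public_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,int padding);
-int RSA_private_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,int padding);
-void RSA_free (RSA *r);
-/* "up" the RSA object's reference count */
-int RSA_up_ref(RSA *r);
-
-int RSA_flags(const RSA *r);
-
-void RSA_set_default_method(const RSA_METHOD *meth);
-const RSA_METHOD *RSA_get_default_method(void);
-const RSA_METHOD *RSA_get_method(const RSA *rsa);
-int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
-
-/* This function needs the memory locking malloc callbacks to be installed */
-int RSA_memory_lock(RSA *r);
-
-/* these are the actual SSLeay RSA functions */
-const RSA_METHOD *RSA_PKCS1_SSLeay(void);
-
-const RSA_METHOD *RSA_null_method(void);
-
-DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPublicKey)
-DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPrivateKey)
-
-#ifndef OPENSSL_NO_FP_API
-int RSA_print_fp(FILE *fp, const RSA *r,int offset);
-#endif
-
-#ifndef OPENSSL_NO_BIO
-int RSA_print(BIO *bp, const RSA *r,int offset);
-#endif
-
-#ifndef OPENSSL_NO_RC4
-int i2d_RSA_NET(const RSA *a, unsigned char **pp,
- int (*cb)(char *buf, int len, const char *prompt, int verify),
- int sgckey);
-RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
- int (*cb)(char *buf, int len, const char *prompt, int verify),
- int sgckey);
-
-int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
- int (*cb)(char *buf, int len, const char *prompt,
- int verify));
-RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
- int (*cb)(char *buf, int len, const char *prompt,
- int verify));
-#endif
-
-/* The following 2 functions sign and verify a X509_SIG ASN1 object
- * inside PKCS#1 padded RSA encryption */
-int RSA_sign(int type, const unsigned char *m, unsigned int m_length,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-int RSA_verify(int type, const unsigned char *m, unsigned int m_length,
- const unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
-
-/* The following 2 function sign and verify a ASN1_OCTET_STRING
- * object inside PKCS#1 padded RSA encryption */
-int RSA_sign_ASN1_OCTET_STRING(int type,
- const unsigned char *m, unsigned int m_length,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-int RSA_verify_ASN1_OCTET_STRING(int type,
- const unsigned char *m, unsigned int m_length,
- unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
-
-int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
-void RSA_blinding_off(RSA *rsa);
-BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx);
-
-int RSA_padding_add_PKCS1_type_1(unsigned char *to,int tlen,
- const unsigned char *f,int fl);
-int RSA_padding_check_PKCS1_type_1(unsigned char *to,int tlen,
- const unsigned char *f,int fl,int rsa_len);
-int RSA_padding_add_PKCS1_type_2(unsigned char *to,int tlen,
- const unsigned char *f,int fl);
-int RSA_padding_check_PKCS1_type_2(unsigned char *to,int tlen,
- const unsigned char *f,int fl,int rsa_len);
-int PKCS1_MGF1(unsigned char *mask, long len,
- const unsigned char *seed, long seedlen, const EVP_MD *dgst);
-int RSA_padding_add_PKCS1_OAEP(unsigned char *to,int tlen,
- const unsigned char *f,int fl,
- const unsigned char *p,int pl);
-int RSA_padding_check_PKCS1_OAEP(unsigned char *to,int tlen,
- const unsigned char *f,int fl,int rsa_len,
- const unsigned char *p,int pl);
-int RSA_padding_add_SSLv23(unsigned char *to,int tlen,
- const unsigned char *f,int fl);
-int RSA_padding_check_SSLv23(unsigned char *to,int tlen,
- const unsigned char *f,int fl,int rsa_len);
-int RSA_padding_add_none(unsigned char *to,int tlen,
- const unsigned char *f,int fl);
-int RSA_padding_check_none(unsigned char *to,int tlen,
- const unsigned char *f,int fl,int rsa_len);
-int RSA_padding_add_X931(unsigned char *to,int tlen,
- const unsigned char *f,int fl);
-int RSA_padding_check_X931(unsigned char *to,int tlen,
- const unsigned char *f,int fl,int rsa_len);
-int RSA_X931_hash_id(int nid);
-
-int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
- const EVP_MD *Hash, const unsigned char *EM, int sLen);
-int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
- const unsigned char *mHash,
- const EVP_MD *Hash, int sLen);
-
-int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
-int RSA_set_ex_data(RSA *r,int idx,void *arg);
-void *RSA_get_ex_data(const RSA *r, int idx);
-
-RSA *RSAPublicKey_dup(RSA *rsa);
-RSA *RSAPrivateKey_dup(RSA *rsa);
-
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
-void ERR_load_RSA_strings(void);
-
-/* Error codes for the RSA functions. */
-
-/* Function codes. */
-#define RSA_F_CHECK_PADDING_MD 140
-#define RSA_F_DO_RSA_PRINT 146
-#define RSA_F_INT_RSA_VERIFY 145
-#define RSA_F_MEMORY_LOCK 100
-#define RSA_F_OLD_RSA_PRIV_DECODE 147
-#define RSA_F_PKEY_RSA_CTRL 143
-#define RSA_F_PKEY_RSA_CTRL_STR 144
-#define RSA_F_PKEY_RSA_SIGN 142
-#define RSA_F_PKEY_RSA_VERIFYRECOVER 141
-#define RSA_F_RSA_BUILTIN_KEYGEN 129
-#define RSA_F_RSA_CHECK_KEY 123
-#define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101
-#define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102
-#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
-#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104
-#define RSA_F_RSA_GENERATE_KEY 105
-#define RSA_F_RSA_MEMORY_LOCK 130
-#define RSA_F_RSA_NEW_METHOD 106
-#define RSA_F_RSA_NULL 124
-#define RSA_F_RSA_NULL_MOD_EXP 131
-#define RSA_F_RSA_NULL_PRIVATE_DECRYPT 132
-#define RSA_F_RSA_NULL_PRIVATE_ENCRYPT 133
-#define RSA_F_RSA_NULL_PUBLIC_DECRYPT 134
-#define RSA_F_RSA_NULL_PUBLIC_ENCRYPT 135
-#define RSA_F_RSA_PADDING_ADD_NONE 107
-#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
-#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
-#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
-#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
-#define RSA_F_RSA_PADDING_ADD_SSLV23 110
-#define RSA_F_RSA_PADDING_ADD_X931 127
-#define RSA_F_RSA_PADDING_CHECK_NONE 111
-#define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP 122
-#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1 112
-#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2 113
-#define RSA_F_RSA_PADDING_CHECK_SSLV23 114
-#define RSA_F_RSA_PADDING_CHECK_X931 128
-#define RSA_F_RSA_PRINT 115
-#define RSA_F_RSA_PRINT_FP 116
-#define RSA_F_RSA_PRIV_DECODE 137
-#define RSA_F_RSA_PRIV_ENCODE 138
-#define RSA_F_RSA_PUB_DECODE 139
-#define RSA_F_RSA_SETUP_BLINDING 136
-#define RSA_F_RSA_SIGN 117
-#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
-#define RSA_F_RSA_VERIFY 119
-#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
-#define RSA_F_RSA_VERIFY_PKCS1_PSS 126
-
-/* Reason codes. */
-#define RSA_R_ALGORITHM_MISMATCH 100
-#define RSA_R_BAD_E_VALUE 101
-#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102
-#define RSA_R_BAD_PAD_BYTE_COUNT 103
-#define RSA_R_BAD_SIGNATURE 104
-#define RSA_R_BLOCK_TYPE_IS_NOT_01 106
-#define RSA_R_BLOCK_TYPE_IS_NOT_02 107
-#define RSA_R_DATA_GREATER_THAN_MOD_LEN 108
-#define RSA_R_DATA_TOO_LARGE 109
-#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 110
-#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132
-#define RSA_R_DATA_TOO_SMALL 111
-#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122
-#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112
-#define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124
-#define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125
-#define RSA_R_D_E_NOT_CONGRUENT_TO_1 123
-#define RSA_R_FIRST_OCTET_INVALID 133
-#define RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 144
-#define RSA_R_INVALID_DIGEST_LENGTH 143
-#define RSA_R_INVALID_HEADER 137
-#define RSA_R_INVALID_KEYBITS 145
-#define RSA_R_INVALID_MESSAGE_LENGTH 131
-#define RSA_R_INVALID_PADDING 138
-#define RSA_R_INVALID_PADDING_MODE 141
-#define RSA_R_INVALID_PSS_SALTLEN 146
-#define RSA_R_INVALID_TRAILER 139
-#define RSA_R_INVALID_X931_DIGEST 142
-#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
-#define RSA_R_KEY_SIZE_TOO_SMALL 120
-#define RSA_R_LAST_OCTET_INVALID 134
-#define RSA_R_MODULUS_TOO_LARGE 105
-#define RSA_R_NO_PUBLIC_EXPONENT 140
-#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
-#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
-#define RSA_R_OAEP_DECODING_ERROR 121
-#define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
-#define RSA_R_PADDING_CHECK_FAILED 114
-#define RSA_R_P_NOT_PRIME 128
-#define RSA_R_Q_NOT_PRIME 129
-#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130
-#define RSA_R_SLEN_CHECK_FAILED 136
-#define RSA_R_SLEN_RECOVERY_FAILED 135
-#define RSA_R_SSLV3_ROLLBACK_ATTACK 115
-#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
-#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117
-#define RSA_R_UNKNOWN_PADDING_TYPE 118
-#define RSA_R_VALUE_MISSING 147
-#define RSA_R_WRONG_SIGNATURE_LENGTH 119
-
-#ifdef __cplusplus
-}
-#endif
-#endif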
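diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
deleted file mode 100644
index 8c3209885e..0000000000
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ /dev/null
@@ -1,349 +0,0 @@
-/* crypto/rsa/rsa_ameth.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2006.
- */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1t.h>
-#include <openssl/x509.h>
-#include <openssl/rsa.h>
-#include <openssl/bn.h>
-#ifndef OPENSSL_NO_CMS
-#include <openssl/cms.h>
-#endif
-#include "asn1_locl.h"
-
-static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
- {
- unsigned char *penc = NULL;
- int penclen;
- penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
- if (penclen <= 0)
- return 0;
- if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA),
- V_ASN1_NULL, NULL, penc, penclen))
- return 1;
-
- OPENSSL_free(penc);
- return 0;
- }
-
-static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
- {
- const unsigned char *p;
- int pklen;
- RSA *rsa = NULL;
- if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey))
- return 0;
- if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen)))
- {
- RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
- return 0;
- }
- EVP_PKEY_assign_RSA (pkey, rsa);
- return 1;
- }
-
-static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
- {
- if (BN_cmp(b->pkey.rsa->n,a->pkey.rsa->n) != 0
- || BN_cmp(b->pkey.rsa->e,a->pkey.rsa->e) != 0)
- return 0;
- return 1;
- }
-
-static int old_rsa_priv_decode(EVP_PKEY *pkey,
- const unsigned char **pder, int derlen)
- {
- RSA *rsa;
- if (!(rsa = d2i_RSAPrivateKey (NULL, pder, derlen)))
- {
- RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
- return 0;
- }
- EVP_PKEY_assign_RSA(pkey, rsa);
- return 1;
- }
-
-static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
- {
- return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
- }
-
-static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
- {
- unsigned char *rk = NULL;
- int rklen;
- rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
-
- if (rklen <= 0)
- {
- RSAerr(RSA_F_RSA_PRIV_ENCODE,ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
- if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0,
- V_ASN1_NULL, NULL, rk, rklen))
- {
- RSAerr(RSA_F_RSA_PRIV_ENCODE,ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
- return 1;
- }
-
-static int rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
- {
- const unsigned char *p;
- int pklen;
- if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8))
- return 0;
- return old_rsa_priv_decode(pkey, &p, pklen);
- }
-
-static int int_rsa_size(const EVP_PKEY *pkey)
- {
- return RSA_size(pkey->pkey.rsa);
- }
-
-static int rsa_bits(const EVP_PKEY *pkey)
- {
- return BN_num_bits(pkey->pkey.rsa->n);
- }
-
-static void int_rsa_free(EVP_PKEY *pkey)
- {
- RSA_free(pkey->pkey.rsa);
- }
-
-
-static void update_buflen(const BIGNUM *b, size_t *pbuflen)
- {
- size_t i;
- if (!b)
- return;
- if (*pbuflen < (i = (size_t)BN_num_bytes(b)))
- *pbuflen = i;
- }
-
-static int do_rsa_print(BIO *bp, const RSA *x, int off, int priv)
- {
- char *str;
- const char *s;
- unsigned char *m=NULL;
- int ret=0, mod_len = 0;
- size_t buf_len=0;
-
- update_buflen(x->n, &buf_len);
- update_buflen(x->e, &buf_len);
-
- if (priv)
- {
- update_buflen(x->d, &buf_len);
- update_buflen(x->p, &buf_len);
- update_buflen(x->q, &buf_len);
- update_buflen(x->dmp1, &buf_len);
- update_buflen(x->dmq1, &buf_len);
- update_buflen(x->iqmp, &buf_len);
- }
-
- m=(unsigned char *)OPENSSL_malloc(buf_len+10);
- if (m == NULL)
- {
- RSAerr(RSA_F_DO_RSA_PRINT,ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- if (x->n != NULL)
- mod_len = BN_num_bits(x->n);
-
- if(!BIO_indent(bp,off,128))
- goto err;
-
- if (priv && x->d)
- {
- if (BIO_printf(bp,"Private-Key: (%d bit)\n", mod_len)
- <= 0) goto err;
- str = "modulus:";
- s = "publicExponent:";
- }
- else
- {
- if (BIO_printf(bp,"Public-Key: (%d bit)\n", mod_len)
- <= 0) goto err;
- str = "Modulus:";
- s= "Exponent:";
- }
- if (!ASN1_bn_print(bp,str,x->n,m,off)) goto err;
- if (!ASN1_bn_print(bp,s,x->e,m,off))
- goto err;
- if (priv)
- {
- if (!ASN1_bn_print(bp,"privateExponent:",x->d,m,off))
- goto err;
- if (!ASN1_bn_print(bp,"prime1:",x->p,m,off))
- goto err;
- if (!ASN1_bn_print(bp,"prime2:",x->q,m,off))
- goto err;
- if (!ASN1_bn_print(bp,"exponent1:",x->dmp1,m,off))
- goto err;
- if (!ASN1_bn_print(bp,"exponent2:",x->dmq1,m,off))
- goto err;
- if (!ASN1_bn_print(bp,"coefficient:",x->iqmp,m,off))
- goto err;
- }
- ret=1;
-err:
- if (m != NULL) OPENSSL_free(m);
- return(ret);
- }
-
-static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
- ASN1_PCTX *ctx)
- {
- return do_rsa_print(bp, pkey->pkey.rsa, indent, 0);
- }
-
-
-static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
- ASN1_PCTX *ctx)
- {
- return do_rsa_print(bp, pkey->pkey.rsa, indent, 1);
- }
-
-
-static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
- {
- X509_ALGOR *alg = NULL;
- switch (op)
- {
-
- case ASN1_PKEY_CTRL_PKCS7_SIGN:
- if (arg1 == 0)
- PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
- break;
-
- case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
- if (arg1 == 0)
- PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
- break;
-#ifndef OPENSSL_NO_CMS
- case ASN1_PKEY_CTRL_CMS_SIGN:
- if (arg1 == 0)
- CMS_SignerInfo_get0_algs(arg2, NULL, NULL, NULL, &alg);
- break;
-
- case ASN1_PKEY_CTRL_CMS_ENVELOPE:
- if (arg1 == 0)
- CMS_RecipientInfo_ktri_get0_algs(arg2, NULL, NULL, &alg);
- break;
-#endif
-
- case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
- *(int *)arg2 = NID_sha1;
- return 1;
-
- default:
- return -2;
-
- }
-
- if (alg)
- X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
- V_ASN1_NULL, 0);
-
- return 1;
-
- }
-
-
-const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] =
- {
- {
- EVP_PKEY_RSA,
- EVP_PKEY_RSA,
- ASN1_PKEY_SIGPARAM_NULL,
-
- "RSA",
- "OpenSSL RSA method",
-
- rsa_pub_decode,
- rsa_pub_encode,
- rsa_pub_cmp,
- rsa_pub_print,
-
- rsa_priv_decode,
- rsa_priv_encode,
- rsa_priv_print,
-
- int_rsa_size,
- rsa_bits,
-
- 0,0,0,0,0,0,
-
- int_rsa_free,
- rsa_pkey_ctrl,
- old_rsa_priv_decode,
- old_rsa_priv_encode
- },
-
- {
- EVP_PKEY_RSA2,
- EVP_PKEY_RSA,
- ASN1_PKEY_ALIAS
- }
- };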
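--- a/src/lib/libcrypto/rsa/rsa_asn1.c
+++ /dev/null
@@ -1,111 +0,0 @@
-/* rsa_asn1.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/asn1t.h>
-
-/* Override the default free and new methods */
-static int rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
- void *exarg)
-{
- if(operation == ASN1_OP_NEW_PRE) {
- *pval = (ASN1_VALUE *)RSA_new();
- if(*pval) return 2;
- return 0;
- } else if(operation == ASN1_OP_FREE_PRE) {
- RSA_free((RSA *)*pval);
- *pval = NULL;
- return 2;
- }
- return 1;
-}
-
-ASN1_SEQUENCE_cb(RSAPrivateKey, rsa_cb) = {
- ASN1_SIMPLE(RSA, version, LONG),
- ASN1_SIMPLE(RSA, n, BIGNUM),
- ASN1_SIMPLE(RSA, e, BIGNUM),
- ASN1_SIMPLE(RSA, d, BIGNUM),
- ASN1_SIMPLE(RSA, p, BIGNUM),
- ASN1_SIMPLE(RSA, q, BIGNUM),
- ASN1_SIMPLE(RSA, dmp1, BIGNUM),
- ASN1_SIMPLE(RSA, dmq1, BIGNUM),
- ASN1_SIMPLE(RSA, iqmp, BIGNUM)
-} ASN1_SEQUENCE_END_cb(RSA, RSAPrivateKey)
-
-
-ASN1_SEQUENCE_cb(RSAPublicKey, rsa_cb) = {
- ASN1_SIMPLE(RSA, n, BIGNUM),
- ASN1_SIMPLE(RSA, e, BIGNUM),
-} ASN1_SEQUENCE_END_cb(RSA, RSAPublicKey)
-
-IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPrivateKey, RSAPrivateKey)
-
-IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPublicKey, RSAPublicKey)
-
-RSA *RSAPublicKey_dup(RSA *rsa)
- {
- return ASN1_item_dup(ASN1_ITEM_rptr(RSAPublicKey), rsa);
- }
-
-RSA *RSAPrivateKey_dup(RSA *rsa)
- {
- return ASN1_item_dup(ASN1_ITEM_rptr(RSAPrivateKey), rsa);
- }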
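--- a/src/lib/libcrypto/rsa/rsa_chk.c
+++ /dev/null
@@ -1,184 +0,0 @@
-/* crypto/rsa/rsa_chk.c -*- Mode: C; c-file-style: "eay" -*- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- */
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-
-int RSA_check_key(const RSA *key)
- {
- BIGNUM *i, *j, *k, *l, *m;
- BN_CTX *ctx;
- int r;
- int ret=1;
-
- i = BN_new();
- j = BN_new();
- k = BN_new();
- l = BN_new();
- m = BN_new();
- ctx = BN_CTX_new();
- if (i == NULL || j == NULL || k == NULL || l == NULL ||
- m == NULL || ctx == NULL)
- {
- ret = -1;
- RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- /* p prime? */
- r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
- if (r != 1)
- {
- ret = r;
- if (r != 0)
- goto err;
- RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
- }
-
- /* q prime? */
- r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
- if (r != 1)
- {
- ret = r;
- if (r != 0)
- goto err;
- RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
- }
-
- /* n = p*q? */
- r = BN_mul(i, key->p, key->q, ctx);
- if (!r) { ret = -1; goto err; }
-
- if (BN_cmp(i, key->n) != 0)
- {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
- }
-
- /* d*e = 1 mod lcm(p-1,q-1)? */
-
- r = BN_sub(i, key->p, BN_value_one());
- if (!r) { ret = -1; goto err; }
- r = BN_sub(j, key->q, BN_value_one());
- if (!r) { ret = -1; goto err; }
-
- /* now compute k = lcm(i,j) */
- r = BN_mul(l, i, j, ctx);
- if (!r) { ret = -1; goto err; }
- r = BN_gcd(m, i, j, ctx);
- if (!r) { ret = -1; goto err; }
- r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */
- if (!r) { ret = -1; goto err; }
-
- r = BN_mod_mul(i, key->d, key->e, k, ctx);
- if (!r) { ret = -1; goto err; }
-
- if (!BN_is_one(i))
- {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1);
- }
-
- if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL)
- {
- /* dmp1 = d mod (p-1)? */
- r = BN_sub(i, key->p, BN_value_one());
- if (!r) { ret = -1; goto err; }
-
- r = BN_mod(j, key->d, i, ctx);
- if (!r) { ret = -1; goto err; }
-
- if (BN_cmp(j, key->dmp1) != 0)
- {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY,
- RSA_R_DMP1_NOT_CONGRUENT_TO_D);
- }
-
- /* dmq1 = d mod (q-1)? */
- r = BN_sub(i, key->q, BN_value_one());
- if (!r) { ret = -1; goto err; }
-
- r = BN_mod(j, key->d, i, ctx);
- if (!r) { ret = -1; goto err; }
-
- if (BN_cmp(j, key->dmq1) != 0)
- {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY,
- RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
- }
-
- /* iqmp = q^-1 mod p? */
- if(!BN_mod_inverse(i, key->q, key->p, ctx))
- {
- ret = -1;
- goto err;
- }
-
- if (BN_cmp(i, key->iqmp) != 0)
- {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY,
- RSA_R_IQMP_NOT_INVERSE_OF_Q);
- }
- }
-
- err:
- if (i != NULL) BN_free(i);
- if (j != NULL) BN_free(j);
- if (k != NULL) BN_free(k);
- if (l != NULL) BN_free(l);
- if (m != NULL) BN_free(m);
- if (ctx != NULL) BN_CTX_free(ctx);
- return (ret);
- }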
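--- a/src/lib/libcrypto/rsa/rsa_depr.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/* crypto/rsa/rsa_depr.c */
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* NB: This file contains deprecated functions (compatibility wrappers to the
- * "new" versions). */
-
-#include <stdio.h>
-#include <time.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-
-#ifdef OPENSSL_NO_DEPRECATED
-
-static void *dummy=&dummy;
-
-#else
-
-RSA *RSA_generate_key(int bits, unsigned long e_value,
- void (*callback)(int,int,void *), void *cb_arg)
- {
- BN_GENCB cb;
- int i;
- RSA *rsa = RSA_new();
- BIGNUM *e = BN_new();
-
- if(!rsa || !e) goto err;
-
- /* The problem is when building with 8, 16, or 32 BN_ULONG,
- * unsigned long can be larger */
- for (i=0; i<(int)sizeof(unsigned long)*8; i++)
- {
- if (e_value & (1UL<<i))
- if (BN_set_bit(e,i) == 0)
- goto err;
- }
-
- BN_GENCB_set_old(&cb, callback, cb_arg);
-
- if(RSA_generate_key_ex(rsa, bits, e, &cb)) {
- BN_free(e);
- return rsa;
- }
-err:
- if(e) BN_free(e);
- if(rsa) RSA_free(rsa);
- return 0;
- }
-#endif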
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
deleted file mode 100644
index 2e1ddd48d3..0000000000
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ /dev/null
@@ -1,915 +0,0 @@
1/* crypto/rsa/rsa_eay.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#include <stdio.h>
113#include "cryptlib.h"
114#include <openssl/bn.h>
115#include <openssl/rsa.h>
116#include <openssl/rand.h>
117
118#ifndef RSA_NULL
119
120static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
121 unsigned char *to, RSA *rsa,int padding);
122static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
123 unsigned char *to, RSA *rsa,int padding);
124static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
125 unsigned char *to, RSA *rsa,int padding);
126static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
127 unsigned char *to, RSA *rsa,int padding);
128static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
129static int RSA_eay_init(RSA *rsa);
130static int RSA_eay_finish(RSA *rsa);
131static RSA_METHOD rsa_pkcs1_eay_meth={
132 "Eric Young's PKCS#1 RSA",
133 RSA_eay_public_encrypt,
134 RSA_eay_public_decrypt, /* signature verification */
135 RSA_eay_private_encrypt, /* signing */
136 RSA_eay_private_decrypt,
137 RSA_eay_mod_exp,
138 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
139 RSA_eay_init,
140 RSA_eay_finish,
141 0, /* flags */
142 NULL,
143 0, /* rsa_sign */
144 0, /* rsa_verify */
145 NULL /* rsa_keygen */
146 };
147
148const RSA_METHOD *RSA_PKCS1_SSLeay(void)
149 {
150 return(&rsa_pkcs1_eay_meth);
151 }
152
153static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
154 unsigned char *to, RSA *rsa, int padding)
155 {
156 BIGNUM *f,*ret;
157 int i,j,k,num=0,r= -1;
158 unsigned char *buf=NULL;
159 BN_CTX *ctx=NULL;
160
161 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
162 {
163 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
164 return -1;
165 }
166
167 if (BN_ucmp(rsa->n, rsa->e) <= 0)
168 {
169 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
170 return -1;
171 }
172
173 /* for large moduli, enforce exponent limit */
174 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
175 {
176 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
177 {
178 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
179 return -1;
180 }
181 }
182
183 if ((ctx=BN_CTX_new()) == NULL) goto err;
184 BN_CTX_start(ctx);
185 f = BN_CTX_get(ctx);
186 ret = BN_CTX_get(ctx);
187 num=BN_num_bytes(rsa->n);
188 buf = OPENSSL_malloc(num);
189 if (!f || !ret || !buf)
190 {
191 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
192 goto err;
193 }
194
195 switch (padding)
196 {
197 case RSA_PKCS1_PADDING:
198 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
199 break;
200#ifndef OPENSSL_NO_SHA
201 case RSA_PKCS1_OAEP_PADDING:
202 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
203 break;
204#endif
205 case RSA_SSLV23_PADDING:
206 i=RSA_padding_add_SSLv23(buf,num,from,flen);
207 break;
208 case RSA_NO_PADDING:
209 i=RSA_padding_add_none(buf,num,from,flen);
210 break;
211 default:
212 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
213 goto err;
214 }
215 if (i <= 0) goto err;
216
217 if (BN_bin2bn(buf,num,f) == NULL) goto err;
218
219 if (BN_ucmp(f, rsa->n) >= 0)
220 {
221 /* usually the padding functions would catch this */
222 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
223 goto err;
224 }
225
226 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
227 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
228 goto err;
229
230 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
231 rsa->_method_mod_n)) goto err;
232
233 /* put in leading 0 bytes if the number is less than the
234 * length of the modulus */
235 j=BN_num_bytes(ret);
236 i=BN_bn2bin(ret,&(to[num-j]));
237 for (k=0; k<(num-i); k++)
238 to[k]=0;
239
240 r=num;
241err:
242 if (ctx != NULL)
243 {
244 BN_CTX_end(ctx);
245 BN_CTX_free(ctx);
246 }
247 if (buf != NULL)
248 {
249 OPENSSL_cleanse(buf,num);
250 OPENSSL_free(buf);
251 }
252 return(r);
253 }
254
255static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
256{
257 BN_BLINDING *ret;
258 int got_write_lock = 0;
259 CRYPTO_THREADID cur;
260
261 CRYPTO_r_lock(CRYPTO_LOCK_RSA);
262
263 if (rsa->blinding == NULL)
264 {
265 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
266 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
267 got_write_lock = 1;
268
269 if (rsa->blinding == NULL)
270 rsa->blinding = RSA_setup_blinding(rsa, ctx);
271 }
272
273 ret = rsa->blinding;
274 if (ret == NULL)
275 goto err;
276
277 CRYPTO_THREADID_current(&cur);
278 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret)))
279 {
280 /* rsa->blinding is ours! */
281
282 *local = 1;
283 }
284 else
285 {
286 /* resort to rsa->mt_blinding instead */
287
288 *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
289 * that the BN_BLINDING is shared, meaning that accesses
290 * require locks, and that the blinding factor must be
291 * stored outside the BN_BLINDING
292 */
293
294 if (rsa->mt_blinding == NULL)
295 {
296 if (!got_write_lock)
297 {
298 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
299 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
300 got_write_lock = 1;
301 }
302
303 if (rsa->mt_blinding == NULL)
304 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
305 }
306 ret = rsa->mt_blinding;
307 }
308
309 err:
310 if (got_write_lock)
311 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
312 else
313 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
314 return ret;
315}
316
317static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
318 BN_CTX *ctx)
319 {
320 if (unblind == NULL)
321 /* Local blinding: store the unblinding factor
322 * in BN_BLINDING. */
323 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
324 else
325 {
326 /* Shared blinding: store the unblinding factor
327 * outside BN_BLINDING. */
328 int ret;
329 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
330 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
331 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
332 return ret;
333 }
334 }
335
336static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
337 BN_CTX *ctx)
338 {
339 /* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
340 * will use the unblinding factor stored in BN_BLINDING.
341 * If BN_BLINDING is shared between threads, unblind must be non-null:
342 * BN_BLINDING_invert_ex will then use the local unblinding factor,
343 * and will only read the modulus from BN_BLINDING.
344 * In both cases it's safe to access the blinding without a lock.
345 */
346 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
347 }
348
349/* signing */
350static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
351 unsigned char *to, RSA *rsa, int padding)
352 {
353 BIGNUM *f, *ret, *res;
354 int i,j,k,num=0,r= -1;
355 unsigned char *buf=NULL;
356 BN_CTX *ctx=NULL;
357 int local_blinding = 0;
358 /* Used only if the blinding structure is shared. A non-NULL unblind
359 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
360 * the unblinding factor outside the blinding structure. */
361 BIGNUM *unblind = NULL;
362 BN_BLINDING *blinding = NULL;
363
364 if ((ctx=BN_CTX_new()) == NULL) goto err;
365 BN_CTX_start(ctx);
366 f = BN_CTX_get(ctx);
367 ret = BN_CTX_get(ctx);
368 num = BN_num_bytes(rsa->n);
369 buf = OPENSSL_malloc(num);
370 if(!f || !ret || !buf)
371 {
372 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
373 goto err;
374 }
375
376 switch (padding)
377 {
378 case RSA_PKCS1_PADDING:
379 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
380 break;
381 case RSA_X931_PADDING:
382 i=RSA_padding_add_X931(buf,num,from,flen);
383 break;
384 case RSA_NO_PADDING:
385 i=RSA_padding_add_none(buf,num,from,flen);
386 break;
387 case RSA_SSLV23_PADDING:
388 default:
389 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
390 goto err;
391 }
392 if (i <= 0) goto err;
393
394 if (BN_bin2bn(buf,num,f) == NULL) goto err;
395
396 if (BN_ucmp(f, rsa->n) >= 0)
397 {
398 /* usually the padding functions would catch this */
399 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
400 goto err;
401 }
402
403 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
404 {
405 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
406 if (blinding == NULL)
407 {
408 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
409 goto err;
410 }
411 }
412
413 if (blinding != NULL)
414 {
415 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
416 {
417 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
418 goto err;
419 }
420 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
421 goto err;
422 }
423
424 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
425 ((rsa->p != NULL) &&
426 (rsa->q != NULL) &&
427 (rsa->dmp1 != NULL) &&
428 (rsa->dmq1 != NULL) &&
429 (rsa->iqmp != NULL)) )
430 {
431 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
432 }
433 else
434 {
435 BIGNUM local_d;
436 BIGNUM *d = NULL;
437
438 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
439 {
440 BN_init(&local_d);
441 d = &local_d;
442 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
443 }
444 else
445 d= rsa->d;
446
447 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
448 if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
449 goto err;
450
451 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
452 rsa->_method_mod_n)) goto err;
453 }
454
455 if (blinding)
456 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
457 goto err;
458
459 if (padding == RSA_X931_PADDING)
460 {
461 BN_sub(f, rsa->n, ret);
462 if (BN_cmp(ret, f))
463 res = f;
464 else
465 res = ret;
466 }
467 else
468 res = ret;
469
470 /* put in leading 0 bytes if the number is less than the
471 * length of the modulus */
472 j=BN_num_bytes(res);
473 i=BN_bn2bin(res,&(to[num-j]));
474 for (k=0; k<(num-i); k++)
475 to[k]=0;
476
477 r=num;
478err:
479 if (ctx != NULL)
480 {
481 BN_CTX_end(ctx);
482 BN_CTX_free(ctx);
483 }
484 if (buf != NULL)
485 {
486 OPENSSL_cleanse(buf,num);
487 OPENSSL_free(buf);
488 }
489 return(r);
490 }
491
492static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
493 unsigned char *to, RSA *rsa, int padding)
494 {
495 BIGNUM *f, *ret;
496 int j,num=0,r= -1;
497 unsigned char *p;
498 unsigned char *buf=NULL;
499 BN_CTX *ctx=NULL;
500 int local_blinding = 0;
501 /* Used only if the blinding structure is shared. A non-NULL unblind
502 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
503 * the unblinding factor outside the blinding structure. */
504 BIGNUM *unblind = NULL;
505 BN_BLINDING *blinding = NULL;
506
507 if((ctx = BN_CTX_new()) == NULL) goto err;
508 BN_CTX_start(ctx);
509 f = BN_CTX_get(ctx);
510 ret = BN_CTX_get(ctx);
511 num = BN_num_bytes(rsa->n);
512 buf = OPENSSL_malloc(num);
513 if(!f || !ret || !buf)
514 {
515 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
516 goto err;
517 }
518
519 /* This check was for equality but PGP does evil things
520 * and chops off the top '0' bytes */
521 if (flen > num)
522 {
523 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
524 goto err;
525 }
526
527 /* make data into a big number */
528 if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;
529
530 if (BN_ucmp(f, rsa->n) >= 0)
531 {
532 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
533 goto err;
534 }
535
536 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
537 {
538 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
539 if (blinding == NULL)
540 {
541 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
542 goto err;
543 }
544 }
545
546 if (blinding != NULL)
547 {
548 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
549 {
550 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
551 goto err;
552 }
553 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
554 goto err;
555 }
556
557 /* do the decrypt */
558 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
559 ((rsa->p != NULL) &&
560 (rsa->q != NULL) &&
561 (rsa->dmp1 != NULL) &&
562 (rsa->dmq1 != NULL) &&
563 (rsa->iqmp != NULL)) )
564 {
565 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
566 }
567 else
568 {
569 BIGNUM local_d;
570 BIGNUM *d = NULL;
571
572 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
573 {
574 d = &local_d;
575 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
576 }
577 else
578 d = rsa->d;
579
580 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
581 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
582 goto err;
583 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
584 rsa->_method_mod_n))
585 goto err;
586 }
587
588 if (blinding)
589 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
590 goto err;
591
592 p=buf;
593 j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */
594
595 switch (padding)
596 {
597 case RSA_PKCS1_PADDING:
598 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
599 break;
600#ifndef OPENSSL_NO_SHA
601 case RSA_PKCS1_OAEP_PADDING:
602 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
603 break;
604#endif
605 case RSA_SSLV23_PADDING:
606 r=RSA_padding_check_SSLv23(to,num,buf,j,num);
607 break;
608 case RSA_NO_PADDING:
609 r=RSA_padding_check_none(to,num,buf,j,num);
610 break;
611 default:
612 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
613 goto err;
614 }
615 if (r < 0)
616 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
617
618err:
619 if (ctx != NULL)
620 {
621 BN_CTX_end(ctx);
622 BN_CTX_free(ctx);
623 }
624 if (buf != NULL)
625 {
626 OPENSSL_cleanse(buf,num);
627 OPENSSL_free(buf);
628 }
629 return(r);
630 }
631
632/* signature verification */
633static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
634 unsigned char *to, RSA *rsa, int padding)
635 {
636 BIGNUM *f,*ret;
637 int i,num=0,r= -1;
638 unsigned char *p;
639 unsigned char *buf=NULL;
640 BN_CTX *ctx=NULL;
641
642 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
643 {
644 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
645 return -1;
646 }
647
648 if (BN_ucmp(rsa->n, rsa->e) <= 0)
649 {
650 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
651 return -1;
652 }
653
654 /* for large moduli, enforce exponent limit */
655 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
656 {
657 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
658 {
659 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
660 return -1;
661 }
662 }
663
664 if((ctx = BN_CTX_new()) == NULL) goto err;
665 BN_CTX_start(ctx);
666 f = BN_CTX_get(ctx);
667 ret = BN_CTX_get(ctx);
668 num=BN_num_bytes(rsa->n);
669 buf = OPENSSL_malloc(num);
670 if(!f || !ret || !buf)
671 {
672 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
673 goto err;
674 }
675
676 /* This check was for equality but PGP does evil things
677 * and chops off the top '0' bytes */
678 if (flen > num)
679 {
680 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
681 goto err;
682 }
683
684 if (BN_bin2bn(from,flen,f) == NULL) goto err;
685
686 if (BN_ucmp(f, rsa->n) >= 0)
687 {
688 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
689 goto err;
690 }
691
692 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
693 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
694 goto err;
695
696 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
697 rsa->_method_mod_n)) goto err;
698
699 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
700 if (!BN_sub(ret, rsa->n, ret)) goto err;
701
702 p=buf;
703 i=BN_bn2bin(ret,p);
704
705 switch (padding)
706 {
707 case RSA_PKCS1_PADDING:
708 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
709 break;
710 case RSA_X931_PADDING:
711 r=RSA_padding_check_X931(to,num,buf,i,num);
712 break;
713 case RSA_NO_PADDING:
714 r=RSA_padding_check_none(to,num,buf,i,num);
715 break;
716 default:
717 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
718 goto err;
719 }
720 if (r < 0)
721 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
722
723err:
724 if (ctx != NULL)
725 {
726 BN_CTX_end(ctx);
727 BN_CTX_free(ctx);
728 }
729 if (buf != NULL)
730 {
731 OPENSSL_cleanse(buf,num);
732 OPENSSL_free(buf);
733 }
734 return(r);
735 }
736
737static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
738 {
739 BIGNUM *r1,*m1,*vrfy;
740 BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
741 BIGNUM *dmp1,*dmq1,*c,*pr1;
742 int ret=0;
743
744 BN_CTX_start(ctx);
745 r1 = BN_CTX_get(ctx);
746 m1 = BN_CTX_get(ctx);
747 vrfy = BN_CTX_get(ctx);
748
749 {
750 BIGNUM local_p, local_q;
751 BIGNUM *p = NULL, *q = NULL;
752
753 /* Make sure BN_mod_inverse in Montgomery intialization uses the
754 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
755 */
756 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
757 {
758 BN_init(&local_p);
759 p = &local_p;
760 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
761
762 BN_init(&local_q);
763 q = &local_q;
764 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
765 }
766 else
767 {
768 p = rsa->p;
769 q = rsa->q;
770 }
771
772 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
773 {
774 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
775 goto err;
776 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
777 goto err;
778 }
779 }
780
781 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
782 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
783 goto err;
784
785 /* compute I mod q */
786 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
787 {
788 c = &local_c;
789 BN_with_flags(c, I, BN_FLG_CONSTTIME);
790 if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
791 }
792 else
793 {
794 if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
795 }
796
797 /* compute r1^dmq1 mod q */
798 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
799 {
800 dmq1 = &local_dmq1;
801 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
802 }
803 else
804 dmq1 = rsa->dmq1;
805 if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
806 rsa->_method_mod_q)) goto err;
807
808 /* compute I mod p */
809 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
810 {
811 c = &local_c;
812 BN_with_flags(c, I, BN_FLG_CONSTTIME);
813 if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
814 }
815 else
816 {
817 if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
818 }
819
820 /* compute r1^dmp1 mod p */
821 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
822 {
823 dmp1 = &local_dmp1;
824 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
825 }
826 else
827 dmp1 = rsa->dmp1;
828 if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
829 rsa->_method_mod_p)) goto err;
830
831 if (!BN_sub(r0,r0,m1)) goto err;
832 /* This will help stop the size of r0 increasing, which does
833 * affect the multiply if it optimised for a power of 2 size */
834 if (BN_is_negative(r0))
835 if (!BN_add(r0,r0,rsa->p)) goto err;
836
837 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
838
839 /* Turn BN_FLG_CONSTTIME flag on before division operation */
840 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
841 {
842 pr1 = &local_r1;
843 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
844 }
845 else
846 pr1 = r1;
847 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
848
849 /* If p < q it is occasionally possible for the correction of
850 * adding 'p' if r0 is negative above to leave the result still
851 * negative. This can break the private key operations: the following
852 * second correction should *always* correct this rare occurrence.
853 * This will *never* happen with OpenSSL generated keys because
854 * they ensure p > q [steve]
855 */
856 if (BN_is_negative(r0))
857 if (!BN_add(r0,r0,rsa->p)) goto err;
858 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
859 if (!BN_add(r0,r1,m1)) goto err;
860
861 if (rsa->e && rsa->n)
862 {
863 if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
864 /* If 'I' was greater than (or equal to) rsa->n, the operation
865 * will be equivalent to using 'I mod n'. However, the result of
866 * the verify will *always* be less than 'n' so we don't check
867 * for absolute equality, just congruency. */
868 if (!BN_sub(vrfy, vrfy, I)) goto err;
869 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
870 if (BN_is_negative(vrfy))
871 if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
872 if (!BN_is_zero(vrfy))
873 {
874 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
875 * miscalculated CRT output, just do a raw (slower)
876 * mod_exp and return that instead. */
877
878 BIGNUM local_d;
879 BIGNUM *d = NULL;
880
881 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
882 {
883 d = &local_d;
884 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
885 }
886 else
887 d = rsa->d;
888 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
889 rsa->_method_mod_n)) goto err;
890 }
891 }
892 ret=1;
893err:
894 BN_CTX_end(ctx);
895 return(ret);
896 }
897
898static int RSA_eay_init(RSA *rsa)
899 {
900 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
901 return(1);
902 }
903
904static int RSA_eay_finish(RSA *rsa)
905 {
906 if (rsa->_method_mod_n != NULL)
907 BN_MONT_CTX_free(rsa->_method_mod_n);
908 if (rsa->_method_mod_p != NULL)
909 BN_MONT_CTX_free(rsa->_method_mod_p);
910 if (rsa->_method_mod_q != NULL)
911 BN_MONT_CTX_free(rsa->_method_mod_q);
912 return(1);
913 }
914
915#endif
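diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
deleted file mode 100644
index cf9f1106b0..0000000000
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ /dev/null
@@ -1,190 +0,0 @@
-/* crypto/rsa/rsa_err.c */
-/* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
-#include <stdio.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-/* BEGIN ERROR CODES */
-#ifndef OPENSSL_NO_ERR
-
-#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RSA,func,0)
-#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RSA,0,reason)
-
-static ERR_STRING_DATA RSA_str_functs[]=
- {
-{ERR_FUNC(RSA_F_CHECK_PADDING_MD), "CHECK_PADDING_MD"},
-{ERR_FUNC(RSA_F_DO_RSA_PRINT), "DO_RSA_PRINT"},
-{ERR_FUNC(RSA_F_INT_RSA_VERIFY), "INT_RSA_VERIFY"},
-{ERR_FUNC(RSA_F_MEMORY_LOCK), "MEMORY_LOCK"},
-{ERR_FUNC(RSA_F_OLD_RSA_PRIV_DECODE), "OLD_RSA_PRIV_DECODE"},
-{ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "PKEY_RSA_CTRL"},
-{ERR_FUNC(RSA_F_PKEY_RSA_CTRL_STR), "PKEY_RSA_CTRL_STR"},
-{ERR_FUNC(RSA_F_PKEY_RSA_SIGN), "PKEY_RSA_SIGN"},
-{ERR_FUNC(RSA_F_PKEY_RSA_VERIFYRECOVER), "PKEY_RSA_VERIFYRECOVER"},
-{ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"},
-{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
-{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"},
-{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"},
-{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"},
-{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"},
-{ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"},
-{ERR_FUNC(RSA_F_RSA_MEMORY_LOCK), "RSA_memory_lock"},
-{ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"},
-{ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"},
-{ERR_FUNC(RSA_F_RSA_NULL_MOD_EXP), "RSA_NULL_MOD_EXP"},
-{ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_DECRYPT), "RSA_NULL_PRIVATE_DECRYPT"},
-{ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_ENCRYPT), "RSA_NULL_PRIVATE_ENCRYPT"},
-{ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_DECRYPT), "RSA_NULL_PUBLIC_DECRYPT"},
-{ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_ENCRYPT), "RSA_NULL_PUBLIC_ENCRYPT"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1), "RSA_padding_add_PKCS1_type_1"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2), "RSA_padding_add_PKCS1_type_2"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23), "RSA_padding_add_SSLv23"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_X931), "RSA_padding_add_X931"},
-{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_NONE), "RSA_padding_check_none"},
-{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP), "RSA_padding_check_PKCS1_OAEP"},
-{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1), "RSA_padding_check_PKCS1_type_1"},
-{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2), "RSA_padding_check_PKCS1_type_2"},
-{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23), "RSA_padding_check_SSLv23"},
-{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"},
-{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"},
-{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
-{ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"},
-{ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "RSA_PRIV_ENCODE"},
-{ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
-{ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
-{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
-{ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"},
-{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
-{ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING), "RSA_verify_ASN1_OCTET_STRING"},
-{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"},
-{0,NULL}
- };
-
-static ERR_STRING_DATA RSA_str_reasons[]=
- {
-{ERR_REASON(RSA_R_ALGORITHM_MISMATCH) ,"algorithm mismatch"},
-{ERR_REASON(RSA_R_BAD_E_VALUE) ,"bad e value"},
-{ERR_REASON(RSA_R_BAD_FIXED_HEADER_DECRYPT),"bad fixed header decrypt"},
-{ERR_REASON(RSA_R_BAD_PAD_BYTE_COUNT) ,"bad pad byte count"},
-{ERR_REASON(RSA_R_BAD_SIGNATURE) ,"bad signature"},
-{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_01) ,"block type is not 01"},
-{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_02) ,"block type is not 02"},
-{ERR_REASON(RSA_R_DATA_GREATER_THAN_MOD_LEN),"data greater than mod len"},
-{ERR_REASON(RSA_R_DATA_TOO_LARGE) ,"data too large"},
-{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
-{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS),"data too large for modulus"},
-{ERR_REASON(RSA_R_DATA_TOO_SMALL) ,"data too small"},
-{ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE),"data too small for key size"},
-{ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY),"digest too big for rsa key"},
-{ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D),"dmp1 not congruent to d"},
-{ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D),"dmq1 not congruent to d"},
-{ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1),"d e not congruent to 1"},
-{ERR_REASON(RSA_R_FIRST_OCTET_INVALID) ,"first octet invalid"},
-{ERR_REASON(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE),"illegal or unsupported padding mode"},
-{ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) ,"invalid digest length"},
-{ERR_REASON(RSA_R_INVALID_HEADER) ,"invalid header"},
-{ERR_REASON(RSA_R_INVALID_KEYBITS) ,"invalid keybits"},
-{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"},
-{ERR_REASON(RSA_R_INVALID_PADDING) ,"invalid padding"},
-{ERR_REASON(RSA_R_INVALID_PADDING_MODE) ,"invalid padding mode"},
-{ERR_REASON(RSA_R_INVALID_PSS_SALTLEN) ,"invalid pss saltlen"},
-{ERR_REASON(RSA_R_INVALID_TRAILER) ,"invalid trailer"},
-{ERR_REASON(RSA_R_INVALID_X931_DIGEST) ,"invalid x931 digest"},
-{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
-{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
-{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"},
-{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
-{ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) ,"no public exponent"},
-{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
-{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
-{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
-{ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"},
-{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
-{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
-{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"},
-{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
-{ERR_REASON(RSA_R_SLEN_CHECK_FAILED) ,"salt length check failed"},
-{ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) ,"salt length recovery failed"},
-{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"},
-{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
-{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"},
-{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) ,"unknown padding type"},
-{ERR_REASON(RSA_R_VALUE_MISSING) ,"value missing"},
-{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
-{0,NULL}
- };
-
-#endif
-
-void ERR_load_RSA_strings(void)
- {
-#ifndef OPENSSL_NO_ERR
-
- if (ERR_func_error_string(RSA_str_functs[0].error) == NULL)
- {
- ERR_load_strings(0,RSA_str_functs);
- ERR_load_strings(0,RSA_str_reasons);
- }
-#endif
- }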
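diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
deleted file mode 100644
index 767f7ab682..0000000000
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ /dev/null
@@ -1,219 +0,0 @@
-/* crypto/rsa/rsa_gen.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-
-/* NB: these functions have been "upgraded", the deprecated versions (which are
- * compatibility wrappers using these functions) are in rsa_depr.c.
- * - Geoff
- */
-
-#include <stdio.h>
-#include <time.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-
-static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
-
-/* NB: this wrapper would normally be placed in rsa_lib.c and the static
- * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so
- * that we don't introduce a new linker dependency. Eg. any application that
- * wasn't previously linking object code related to key-generation won't have to
- * now just because key-generation is part of RSA_METHOD. */
-int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
- {
- if(rsa->meth->rsa_keygen)
- return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
- return rsa_builtin_keygen(rsa, bits, e_value, cb);
- }
-
-static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
- {
- BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
- BIGNUM local_r0,local_d,local_p;
- BIGNUM *pr0,*d,*p;
- int bitsp,bitsq,ok= -1,n=0;
- BN_CTX *ctx=NULL;
-
- ctx=BN_CTX_new();
- if (ctx == NULL) goto err;
- BN_CTX_start(ctx);
- r0 = BN_CTX_get(ctx);
- r1 = BN_CTX_get(ctx);
- r2 = BN_CTX_get(ctx);
- r3 = BN_CTX_get(ctx);
- if (r3 == NULL) goto err;
-
- bitsp=(bits+1)/2;
- bitsq=bits-bitsp;
-
- /* We need the RSA components non-NULL */
- if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err;
- if(!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err;
- if(!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err;
- if(!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err;
- if(!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err;
- if(!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err;
- if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err;
- if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err;
-
- BN_copy(rsa->e, e_value);
-
- /* generate p and q */
- for (;;)
- {
- if(!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
- goto err;
- if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
- if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
- if (BN_is_one(r1)) break;
- if(!BN_GENCB_call(cb, 2, n++))
- goto err;
- }
- if(!BN_GENCB_call(cb, 3, 0))
- goto err;
- for (;;)
- {
- /* When generating ridiculously small keys, we can get stuck
- * continually regenerating the same prime values. Check for
- * this and bail if it happens 3 times. */
- unsigned int degenerate = 0;
- do
- {
- if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
- goto err;
- } while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
- if(degenerate == 3)
- {
- ok = 0; /* we set our own err */
- RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL);
- goto err;
- }
- if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
- if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
- if (BN_is_one(r1))
- break;
- if(!BN_GENCB_call(cb, 2, n++))
- goto err;
- }
- if(!BN_GENCB_call(cb, 3, 1))
- goto err;
- if (BN_cmp(rsa->p,rsa->q) < 0)
- {
- tmp=rsa->p;
- rsa->p=rsa->q;
- rsa->q=tmp;
- }
-
- /* calculate n */
- if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
-
- /* calculate d */
- if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */
- if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */
- if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- pr0 = &local_r0;
- BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
- }
- else
- pr0 = r0;
- if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err; /* d */
-
- /* set up d for correct BN_FLG_CONSTTIME flag */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- }
- else
- d = rsa->d;
-
- /* calculate d mod (p-1) */
- if (!BN_mod(rsa->dmp1,d,r1,ctx)) goto err;
-
- /* calculate d mod (q-1) */
- if (!BN_mod(rsa->dmq1,d,r2,ctx)) goto err;
-
- /* calculate inverse of q mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- p = &local_p;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
- }
- else
- p = rsa->p;
- if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
-
- ok=1;
-err:
- if (ok == -1)
- {
- RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN);
- ok=0;
- }
- if (ctx != NULL)
- {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
-
- return ok;
- }
-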
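--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ /dev/null
@@ -1,483 +0,0 @@
-/* crypto/rsa/rsa_lib.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <openssl/crypto.h>
-#include "cryptlib.h"
-#include <openssl/lhash.h>
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
-const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;
-
-static const RSA_METHOD *default_RSA_meth=NULL;
-
-RSA *RSA_new(void)
- {
- RSA *r=RSA_new_method(NULL);
-
- return r;
- }
-
-void RSA_set_default_method(const RSA_METHOD *meth)
- {
- default_RSA_meth = meth;
- }
-
-const RSA_METHOD *RSA_get_default_method(void)
- {
- if (default_RSA_meth == NULL)
- {
-#ifdef RSA_NULL
- default_RSA_meth=RSA_null_method();
-#else
-#if 0 /* was: #ifdef RSAref */
- default_RSA_meth=RSA_PKCS1_RSAref();
-#else
- default_RSA_meth=RSA_PKCS1_SSLeay();
-#endif
-#endif
- }
-
- return default_RSA_meth;
- }
-
-const RSA_METHOD *RSA_get_method(const RSA *rsa)
- {
- return rsa->meth;
- }
-
-int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
- {
- /* NB: The caller is specifically setting a method, so it's not up to us
- * to deal with which ENGINE it comes from. */
- const RSA_METHOD *mtmp;
- mtmp = rsa->meth;
- if (mtmp->finish) mtmp->finish(rsa);
-#ifndef OPENSSL_NO_ENGINE
- if (rsa->engine)
- {
- ENGINE_finish(rsa->engine);
- rsa->engine = NULL;
- }
-#endif
- rsa->meth = meth;
- if (meth->init) meth->init(rsa);
- return 1;
- }
-
-RSA *RSA_new_method(ENGINE *engine)
- {
- RSA *ret;
-
- ret=(RSA *)OPENSSL_malloc(sizeof(RSA));
- if (ret == NULL)
- {
- RSAerr(RSA_F_RSA_NEW_METHOD,ERR_R_MALLOC_FAILURE);
- return NULL;
- }
-
- ret->meth = RSA_get_default_method();
-#ifndef OPENSSL_NO_ENGINE
- if (engine)
- {
- if (!ENGINE_init(engine))
- {
- RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
- OPENSSL_free(ret);
- return NULL;
- }
- ret->engine = engine;
- }
- else
- ret->engine = ENGINE_get_default_RSA();
- if(ret->engine)
- {
- ret->meth = ENGINE_get_RSA(ret->engine);
- if(!ret->meth)
- {
- RSAerr(RSA_F_RSA_NEW_METHOD,
- ERR_R_ENGINE_LIB);
- ENGINE_finish(ret->engine);
- OPENSSL_free(ret);
- return NULL;
- }
- }
-#endif
-
- ret->pad=0;
- ret->version=0;
- ret->n=NULL;
- ret->e=NULL;
- ret->d=NULL;
- ret->p=NULL;
- ret->q=NULL;
- ret->dmp1=NULL;
- ret->dmq1=NULL;
- ret->iqmp=NULL;
- ret->references=1;
- ret->_method_mod_n=NULL;
- ret->_method_mod_p=NULL;
- ret->_method_mod_q=NULL;
- ret->blinding=NULL;
- ret->mt_blinding=NULL;
- ret->bignum_data=NULL;
- ret->flags=ret->meth->flags;
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
- {
-#ifndef OPENSSL_NO_ENGINE
- if (ret->engine)
- ENGINE_finish(ret->engine);
-#endif
- OPENSSL_free(ret);
- return(NULL);
- }
-
- if ((ret->meth->init != NULL) && !ret->meth->init(ret))
- {
-#ifndef OPENSSL_NO_ENGINE
- if (ret->engine)
- ENGINE_finish(ret->engine);
-#endif
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
- OPENSSL_free(ret);
- ret=NULL;
- }
- return(ret);
- }
-
-void RSA_free(RSA *r)
- {
- int i;
-
- if (r == NULL) return;
-
- i=CRYPTO_add(&r->references,-1,CRYPTO_LOCK_RSA);
-#ifdef REF_PRINT
- REF_PRINT("RSA",r);
-#endif
- if (i > 0) return;
-#ifdef REF_CHECK
- if (i < 0)
- {
- fprintf(stderr,"RSA_free, bad reference count\n");
- abort();
- }
-#endif
-
- if (r->meth->finish)
- r->meth->finish(r);
-#ifndef OPENSSL_NO_ENGINE
- if (r->engine)
- ENGINE_finish(r->engine);
-#endif
-
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
-
- if (r->n != NULL) BN_clear_free(r->n);
- if (r->e != NULL) BN_clear_free(r->e);
- if (r->d != NULL) BN_clear_free(r->d);
- if (r->p != NULL) BN_clear_free(r->p);
- if (r->q != NULL) BN_clear_free(r->q);
- if (r->dmp1 != NULL) BN_clear_free(r->dmp1);
- if (r->dmq1 != NULL) BN_clear_free(r->dmq1);
- if (r->iqmp != NULL) BN_clear_free(r->iqmp);
- if (r->blinding != NULL) BN_BLINDING_free(r->blinding);
- if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding);
- if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data);
- OPENSSL_free(r);
- }
-
-int RSA_up_ref(RSA *r)
- {
- int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_RSA);
-#ifdef REF_PRINT
- REF_PRINT("RSA",r);
-#endif
-#ifdef REF_CHECK
- if (i < 2)
- {
- fprintf(stderr, "RSA_up_ref, bad reference count\n");
- abort();
- }
-#endif
- return ((i > 1) ? 1 : 0);
- }
-
-int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
- {
- return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp,
- new_func, dup_func, free_func);
- }
-
-int RSA_set_ex_data(RSA *r, int idx, void *arg)
- {
- return(CRYPTO_set_ex_data(&r->ex_data,idx,arg));
- }
-
-void *RSA_get_ex_data(const RSA *r, int idx)
- {
- return(CRYPTO_get_ex_data(&r->ex_data,idx));
- }
-
-int RSA_size(const RSA *r)
- {
- return(BN_num_bytes(r->n));
- }
-
-int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
- {
- return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
- }
-
-int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
- {
- return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
- }
-
-int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
- {
- return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
- }
-
-int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
- {
- return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
- }
-
-int RSA_flags(const RSA *r)
- {
- return((r == NULL)?0:r->meth->flags);
- }
-
-void RSA_blinding_off(RSA *rsa)
- {
- if (rsa->blinding != NULL)
- {
- BN_BLINDING_free(rsa->blinding);
- rsa->blinding=NULL;
- }
- rsa->flags &= ~RSA_FLAG_BLINDING;
- rsa->flags |= RSA_FLAG_NO_BLINDING;
- }
-
-int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
- {
- int ret=0;
-
- if (rsa->blinding != NULL)
- RSA_blinding_off(rsa);
-
- rsa->blinding = RSA_setup_blinding(rsa, ctx);
- if (rsa->blinding == NULL)
- goto err;
-
- rsa->flags |= RSA_FLAG_BLINDING;
- rsa->flags &= ~RSA_FLAG_NO_BLINDING;
- ret=1;
-err:
- return(ret);
- }
-
-static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
- const BIGNUM *q, BN_CTX *ctx)
-{
- BIGNUM *ret = NULL, *r0, *r1, *r2;
-
- if (d == NULL || p == NULL || q == NULL)
- return NULL;
-
- BN_CTX_start(ctx);
- r0 = BN_CTX_get(ctx);
- r1 = BN_CTX_get(ctx);
- r2 = BN_CTX_get(ctx);
- if (r2 == NULL)
- goto err;
-
- if (!BN_sub(r1, p, BN_value_one())) goto err;
- if (!BN_sub(r2, q, BN_value_one())) goto err;
- if (!BN_mul(r0, r1, r2, ctx)) goto err;
-
- ret = BN_mod_inverse(NULL, d, r0, ctx);
-err:
- BN_CTX_end(ctx);
- return ret;
-}
-
-BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
-{
- BIGNUM local_n;
- BIGNUM *e,*n;
- BN_CTX *ctx;
- BN_BLINDING *ret = NULL;
-
- if (in_ctx == NULL)
- {
- if ((ctx = BN_CTX_new()) == NULL) return 0;
- }
- else
- ctx = in_ctx;
-
- BN_CTX_start(ctx);
- e = BN_CTX_get(ctx);
- if (e == NULL)
- {
- RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- if (rsa->e == NULL)
- {
- e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
- if (e == NULL)
- {
- RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
- goto err;
- }
- }
- else
- e = rsa->e;
-
-
- if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
- {
- /* if PRNG is not properly seeded, resort to secret
- * exponent as unpredictable seed */
- RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
- }
-
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- /* Set BN_FLG_CONSTTIME flag */
- n = &local_n;
- BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
- }
- else
- n = rsa->n;
-
- ret = BN_BLINDING_create_param(NULL, e, n, ctx,
- rsa->meth->bn_mod_exp, rsa->_method_mod_n);
- if (ret == NULL)
- {
- RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
- goto err;
- }
- CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
-err:
- BN_CTX_end(ctx);
- if (in_ctx == NULL)
- BN_CTX_free(ctx);
- if(rsa->e == NULL)
- BN_free(e);
-
- return ret;
-}
-
-int RSA_memory_lock(RSA *r)
- {
- int i,j,k,off;
- char *p;
- BIGNUM *bn,**t[6],*b;
- BN_ULONG *ul;
-
- if (r->d == NULL) return(1);
- t[0]= &r->d;
- t[1]= &r->p;
- t[2]= &r->q;
- t[3]= &r->dmp1;
- t[4]= &r->dmq1;
- t[5]= &r->iqmp;
- k=sizeof(BIGNUM)*6;
- off=k/sizeof(BN_ULONG)+1;
- j=1;
- for (i=0; i<6; i++)
- j+= (*t[i])->top;
- if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL)
- {
- RSAerr(RSA_F_RSA_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);
- return(0);
- }
- bn=(BIGNUM *)p;
- ul=(BN_ULONG *)&(p[off]);
- for (i=0; i<6; i++)
- {
- b= *(t[i]);
- *(t[i])= &(bn[i]);
- memcpy((char *)&(bn[i]),(char *)b,sizeof(BIGNUM));
- bn[i].flags=BN_FLG_STATIC_DATA;
- bn[i].d=ul;
- memcpy((char *)ul,b->d,sizeof(BN_ULONG)*b->top);
- ul+=b->top;
- BN_clear_free(b);
- }
-
- /* I should fix this so it can still be done */
- r->flags&= ~(RSA_FLAG_CACHE_PRIVATE|RSA_FLAG_CACHE_PUBLIC);
-
- r->bignum_data=p;
- return(1);
- }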
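--- a/src/lib/libcrypto/rsa/rsa_locl.h
+++ /dev/null
@@ -1,4 +0,0 @@
-extern int int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
- unsigned char *rm, size_t *prm_len,
- const unsigned char *sigbuf, size_t siglen,
- RSA *rsa);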
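--- a/src/lib/libcrypto/rsa/rsa_none.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/* crypto/rsa/rsa_none.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-
-int RSA_padding_add_none(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
- {
- if (flen > tlen)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return(0);
- }
-
- if (flen < tlen)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
- return(0);
- }
-
- memcpy(to,from,(unsigned int)flen);
- return(1);
- }
-
-int RSA_padding_check_none(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num)
- {
-
- if (flen > tlen)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_NONE,RSA_R_DATA_TOO_LARGE);
- return(-1);
- }
-
- memset(to,0,tlen-flen);
- memcpy(to+tlen-flen,from,flen);
- return(tlen);
- }
-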
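--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ /dev/null
@@ -1,233 +0,0 @@
-/* crypto/rsa/rsa_oaep.c */
-/* Written by Ulf Moeller. This software is distributed on an "AS IS"
- basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
-
-/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
-
-/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
- * <URL: http://www.shoup.net/papers/oaep.ps.Z>
- * for problems with the security proof for the
- * original OAEP scheme, which EME-OAEP is based on.
- *
- * A new proof can be found in E. Fujisaki, T. Okamoto,
- * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
- * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
- * The new proof has stronger requirements for the
- * underlying permutation: "partial-one-wayness" instead
- * of one-wayness. For the RSA function, this is
- * an equivalent notion.
- */
-
-
-#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/evp.h>
-#include <openssl/rand.h>
-#include <openssl/sha.h>
-
-static int MGF1(unsigned char *mask, long len,
- const unsigned char *seed, long seedlen);
-
-int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
- const unsigned char *from, int flen,
- const unsigned char *param, int plen)
- {
- int i, emlen = tlen - 1;
- unsigned char *db, *seed;
- unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
-
- if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
- RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return 0;
- }
-
- if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
- return 0;
- }
-
- to[0] = 0;
- seed = to + 1;
- db = to + SHA_DIGEST_LENGTH + 1;
-
- EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL);
- memset(db + SHA_DIGEST_LENGTH, 0,
- emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
- db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
- memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
- if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
- return 0;
-#ifdef PKCS_TESTVECT
- memcpy(seed,
- "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
- 20);
-#endif
-
- dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
- if (dbmask == NULL)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
- if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH) < 0)
- return 0;
- for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
- db[i] ^= dbmask[i];
-
- if (MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH) < 0)
- return 0;
- for (i = 0; i < SHA_DIGEST_LENGTH; i++)
- seed[i] ^= seedmask[i];
-
- OPENSSL_free(dbmask);
- return 1;
- }
-
-int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num,
- const unsigned char *param, int plen)
- {
- int i, dblen, mlen = -1;
- const unsigned char *maskeddb;
- int lzero;
- unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
- unsigned char *padded_from;
- int bad = 0;
-
- if (--num < 2 * SHA_DIGEST_LENGTH + 1)
- /* 'num' is the length of the modulus, i.e. does not depend on the
- * particular ciphertext. */
- goto decoding_err;
-
- lzero = num - flen;
- if (lzero < 0)
- {
- /* signalling this error immediately after detection might allow
- * for side-channel attacks (e.g. timing if 'plen' is huge
- * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
- * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
- * so we use a 'bad' flag */
- bad = 1;
- lzero = 0;
- flen = num; /* don't overflow the memcpy to padded_from */
- }
-
- dblen = num - SHA_DIGEST_LENGTH;
- db = OPENSSL_malloc(dblen + num);
- if (db == NULL)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
- return -1;
- }
-
- /* Always do this zero-padding copy (even when lzero == 0)
- * to avoid leaking timing info about the value of lzero. */
- padded_from = db + dblen;
- memset(padded_from, 0, lzero);
- memcpy(padded_from + lzero, from, flen);
-
- maskeddb = padded_from + SHA_DIGEST_LENGTH;
-
- if (MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen))
- return -1;
- for (i = 0; i < SHA_DIGEST_LENGTH; i++)
- seed[i] ^= padded_from[i];
-
- if (MGF1(db, dblen, seed, SHA_DIGEST_LENGTH))
- return -1;
- for (i = 0; i < dblen; i++)
- db[i] ^= maskeddb[i];
-
- EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL);
-
- if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
- goto decoding_err;
- else
- {
- for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
- if (db[i] != 0x00)
- break;
- if (i == dblen || db[i] != 0x01)
- goto decoding_err;
- else
- {
- /* everything looks OK */
-
- mlen = dblen - ++i;
- if (tlen < mlen)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
- mlen = -1;
- }
- else
- memcpy(to, db + i, mlen);
- }
- }
- OPENSSL_free(db);
- return mlen;
-
-decoding_err:
- /* to avoid chosen ciphertext attacks, the error message should not reveal
- * which kind of decoding error happened */
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
- if (db != NULL) OPENSSL_free(db);
- return -1;
- }
-
-int PKCS1_MGF1(unsigned char *mask, long len,
- const unsigned char *seed, long seedlen, const EVP_MD *dgst)
- {
- long i, outlen = 0;
- unsigned char cnt[4];
- EVP_MD_CTX c;
- unsigned char md[EVP_MAX_MD_SIZE];
- int mdlen;
- int rv = -1;
-
- EVP_MD_CTX_init(&c);
- mdlen = EVP_MD_size(dgst);
- if (mdlen < 0)
- goto err;
- for (i = 0; outlen < len; i++)
- {
- cnt[0] = (unsigned char)((i >> 24) & 255);
- cnt[1] = (unsigned char)((i >> 16) & 255);
- cnt[2] = (unsigned char)((i >> 8)) & 255;
- cnt[3] = (unsigned char)(i & 255);
- if (!EVP_DigestInit_ex(&c,dgst, NULL)
- || !EVP_DigestUpdate(&c, seed, seedlen)
- || !EVP_DigestUpdate(&c, cnt, 4))
- goto err;
- if (outlen + mdlen <= len)
- {
- if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL))
- goto err;
- outlen += mdlen;
- }
- else
- {
- if (!EVP_DigestFinal_ex(&c, md, NULL))
- goto err;
- memcpy(mask + outlen, md, len - outlen);
- outlen = len;
- }
- }
- rv = 0;
- err:
- EVP_MD_CTX_cleanup(&c);
- return rv;
- }
-
-static int MGF1(unsigned char *mask, long len, const unsigned char *seed,
- long seedlen)
- {
- return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
- }
-#endif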
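--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ /dev/null
@@ -1,224 +0,0 @@
-/* crypto/rsa/rsa_pk1.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-
-int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
- {
- int j;
- unsigned char *p;
-
- if (flen > (tlen-RSA_PKCS1_PADDING_SIZE))
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return(0);
- }
-
- p=(unsigned char *)to;
-
- *(p++)=0;
- *(p++)=1; /* Private Key BT (Block Type) */
-
- /* pad out with 0xff data */
- j=tlen-3-flen;
- memset(p,0xff,j);
- p+=j;
- *(p++)='\0';
- memcpy(p,from,(unsigned int)flen);
- return(1);
- }
-
-int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num)
- {
- int i,j;
- const unsigned char *p;
-
- p=from;
- if ((num != (flen+1)) || (*(p++) != 01))
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BLOCK_TYPE_IS_NOT_01);
- return(-1);
- }
-
- /* scan over padding data */
- j=flen-1; /* one for type. */
- for (i=0; i<j; i++)
- {
- if (*p != 0xff) /* should decrypt to 0xff */
- {
- if (*p == 0)
- { p++; break; }
- else {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_FIXED_HEADER_DECRYPT);
- return(-1);
- }
- }
- p++;
- }
-
- if (i == j)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_NULL_BEFORE_BLOCK_MISSING);
- return(-1);
- }
-
- if (i < 8)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_PAD_BYTE_COUNT);
- return(-1);
- }
- i++; /* Skip over the '\0' */
- j-=i;
- if (j > tlen)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE);
- return(-1);
- }
- memcpy(to,p,(unsigned int)j);
-
- return(j);
- }
-
-int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
- {
- int i,j;
- unsigned char *p;
-
- if (flen > (tlen-11))
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return(0);
- }
-
- p=(unsigned char *)to;
-
- *(p++)=0;
- *(p++)=2; /* Public Key BT (Block Type) */
-
- /* pad out with non-zero random data */
- j=tlen-3-flen;
-
- if (RAND_bytes(p,j) <= 0)
- return(0);
- for (i=0; i<j; i++)
- {
- if (*p == '\0')
- do {
- if (RAND_bytes(p,1) <= 0)
- return(0);
- } while (*p == '\0');
- p++;
- }
-
- *(p++)='\0';
-
- memcpy(p,from,(unsigned int)flen);
- return(1);
- }
-
-int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num)
- {
- int i,j;
- const unsigned char *p;
-
- p=from;
- if ((num != (flen+1)) || (*(p++) != 02))
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02);
- return(-1);
- }
-#ifdef PKCS1_CHECK
- return(num-11);
-#endif
-
- /* scan over padding data */
- j=flen-1; /* one for type. */
- for (i=0; i<j; i++)
- if (*(p++) == 0) break;
-
- if (i == j)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_NULL_BEFORE_BLOCK_MISSING);
- return(-1);
- }
-
- if (i < 8)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BAD_PAD_BYTE_COUNT);
- return(-1);
- }
- i++; /* Skip over the '\0' */
- j-=i;
- if (j > tlen)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE);
- return(-1);
- }
- memcpy(to,p,(unsigned int)j);
-
- return(j);
- }
-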
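diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
deleted file mode 100644
index c6892ecd09..0000000000
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ /dev/null
@@ -1,587 +0,0 @@
-/* crypto/rsa/rsa_pmeth.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2006.
- */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1t.h>
-#include <openssl/x509.h>
-#include <openssl/rsa.h>
-#include <openssl/bn.h>
-#include <openssl/evp.h>
-#include "evp_locl.h"
-#include "rsa_locl.h"
-
-/* RSA pkey context structure */
-
-typedef struct
- {
- /* Key gen parameters */
- int nbits;
- BIGNUM *pub_exp;
- /* Keygen callback info */
- int gentmp[2];
- /* RSA padding mode */
- int pad_mode;
- /* message digest */
- const EVP_MD *md;
- /* PSS/OAEP salt length */
- int saltlen;
- /* Temp buffer */
- unsigned char *tbuf;
- } RSA_PKEY_CTX;
-
-static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
- {
- RSA_PKEY_CTX *rctx;
- rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
- if (!rctx)
- return 0;
- rctx->nbits = 1024;
- rctx->pub_exp = NULL;
- rctx->pad_mode = RSA_PKCS1_PADDING;
- rctx->md = NULL;
- rctx->tbuf = NULL;
-
- rctx->saltlen = -2;
-
- ctx->data = rctx;
- ctx->keygen_info = rctx->gentmp;
- ctx->keygen_info_count = 2;
-
- return 1;
- }
-
-static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
- {
- RSA_PKEY_CTX *dctx, *sctx;
- if (!pkey_rsa_init(dst))
- return 0;
- sctx = src->data;
- dctx = dst->data;
- dctx->nbits = sctx->nbits;
- if (sctx->pub_exp)
- {
- dctx->pub_exp = BN_dup(sctx->pub_exp);
- if (!dctx->pub_exp)
- return 0;
- }
- dctx->pad_mode = sctx->pad_mode;
- dctx->md = sctx->md;
- return 1;
- }
-
-static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
- {
- if (ctx->tbuf)
- return 1;
- ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
- if (!ctx->tbuf)
- return 0;
- return 1;
- }
-
-static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
- {
- RSA_PKEY_CTX *rctx = ctx->data;
- if (rctx)
- {
- if (rctx->pub_exp)
- BN_free(rctx->pub_exp);
- if (rctx->tbuf)
- OPENSSL_free(rctx->tbuf);
- OPENSSL_free(rctx);
- }
- }
-
-static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen)
- {
- int ret;
- RSA_PKEY_CTX *rctx = ctx->data;
- RSA *rsa = ctx->pkey->pkey.rsa;
-
- if (rctx->md)
- {
- if (tbslen != (size_t)EVP_MD_size(rctx->md))
- {
- RSAerr(RSA_F_PKEY_RSA_SIGN,
- RSA_R_INVALID_DIGEST_LENGTH);
- return -1;
- }
- if (rctx->pad_mode == RSA_X931_PADDING)
- {
- if (!setup_tbuf(rctx, ctx))
- return -1;
- memcpy(rctx->tbuf, tbs, tbslen);
- rctx->tbuf[tbslen] =
- RSA_X931_hash_id(EVP_MD_type(rctx->md));
- ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
- sig, rsa, RSA_X931_PADDING);
- }
- else if (rctx->pad_mode == RSA_PKCS1_PADDING)
- {
- unsigned int sltmp;
- ret = RSA_sign(EVP_MD_type(rctx->md),
- tbs, tbslen, sig, &sltmp, rsa);
- if (ret <= 0)
- return ret;
- ret = sltmp;
- }
- else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
- {
- if (!setup_tbuf(rctx, ctx))
- return -1;
- if (!RSA_padding_add_PKCS1_PSS(rsa, rctx->tbuf, tbs,
- rctx->md, rctx->saltlen))
- return -1;
- ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
- sig, rsa, RSA_NO_PADDING);
- }
- else
- return -1;
- }
- else
- ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
- rctx->pad_mode);
- if (ret < 0)
- return ret;
- *siglen = ret;
- return 1;
- }
-
-
-static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
- unsigned char *rout, size_t *routlen,
- const unsigned char *sig, size_t siglen)
- {
- int ret;
- RSA_PKEY_CTX *rctx = ctx->data;
-
- if (rctx->md)
- {
- if (rctx->pad_mode == RSA_X931_PADDING)
- {
- if (!setup_tbuf(rctx, ctx))
- return -1;
- ret = RSA_public_decrypt(siglen, sig,
- rctx->tbuf, ctx->pkey->pkey.rsa,
- RSA_X931_PADDING);
- if (ret < 1)
- return 0;
- ret--;
- if (rctx->tbuf[ret] !=
- RSA_X931_hash_id(EVP_MD_type(rctx->md)))
- {
- RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
- RSA_R_ALGORITHM_MISMATCH);
- return 0;
- }
- if (ret != EVP_MD_size(rctx->md))
- {
- RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
- RSA_R_INVALID_DIGEST_LENGTH);
- return 0;
- }
- if (rout)
- memcpy(rout, rctx->tbuf, ret);
- }
- else if (rctx->pad_mode == RSA_PKCS1_PADDING)
- {
- size_t sltmp;
- ret = int_rsa_verify(EVP_MD_type(rctx->md),
- NULL, 0, rout, &sltmp,
- sig, siglen, ctx->pkey->pkey.rsa);
- if (ret <= 0)
- return 0;
- ret = sltmp;
- }
- else
- return -1;
- }
- else
- ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
- rctx->pad_mode);
- if (ret < 0)
- return ret;
- *routlen = ret;
- return 1;
- }
-
-static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
- const unsigned char *sig, size_t siglen,
- const unsigned char *tbs, size_t tbslen)
- {
- RSA_PKEY_CTX *rctx = ctx->data;
- RSA *rsa = ctx->pkey->pkey.rsa;
- size_t rslen;
- if (rctx->md)
- {
- if (rctx->pad_mode == RSA_PKCS1_PADDING)
- return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
- sig, siglen, rsa);
- if (rctx->pad_mode == RSA_X931_PADDING)
- {
- if (pkey_rsa_verifyrecover(ctx, NULL, &rslen,
- sig, siglen) <= 0)
- return 0;
- }
- else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
- {
- int ret;
- if (!setup_tbuf(rctx, ctx))
- return -1;
- ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
- rsa, RSA_NO_PADDING);
- if (ret <= 0)
- return 0;
- ret = RSA_verify_PKCS1_PSS(rsa, tbs, rctx->md,
- rctx->tbuf, rctx->saltlen);
- if (ret <= 0)
- return 0;
- return 1;
- }
- else
- return -1;
- }
- else
- {
- if (!setup_tbuf(rctx, ctx))
- return -1;
- rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
- rsa, rctx->pad_mode);
- if (rslen == 0)
- return 0;
- }
-
- if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
- return 0;
-
- return 1;
-
- }
-
-
-static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
- unsigned char *out, size_t *outlen,
- const unsigned char *in, size_t inlen)
- {
- int ret;
- RSA_PKEY_CTX *rctx = ctx->data;
- ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
- rctx->pad_mode);
- if (ret < 0)
- return ret;
- *outlen = ret;
- return 1;
- }
-
-static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
- unsigned char *out, size_t *outlen,
- const unsigned char *in, size_t inlen)
- {
- int ret;
- RSA_PKEY_CTX *rctx = ctx->data;
- ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
- rctx->pad_mode);
- if (ret < 0)
- return ret;
- *outlen = ret;
- return 1;
- }
-
-static int check_padding_md(const EVP_MD *md, int padding)
- {
- if (!md)
- return 1;
-
- if (padding == RSA_NO_PADDING)
- {
- RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
- return 0;
- }
-
- if (padding == RSA_X931_PADDING)
- {
- if (RSA_X931_hash_id(EVP_MD_type(md)) == -1)
- {
- RSAerr(RSA_F_CHECK_PADDING_MD,
- RSA_R_INVALID_X931_DIGEST);
- return 0;
- }
- return 1;
- }
-
- return 1;
- }
-
-
-static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
- {
- RSA_PKEY_CTX *rctx = ctx->data;
- switch (type)
- {
- case EVP_PKEY_CTRL_RSA_PADDING:
- if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING))
- {
- if (!check_padding_md(rctx->md, p1))
- return 0;
- if (p1 == RSA_PKCS1_PSS_PADDING)
- {
- if (!(ctx->operation &
- (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
- goto bad_pad;
- if (!rctx->md)
- rctx->md = EVP_sha1();
- }
- if (p1 == RSA_PKCS1_OAEP_PADDING)
- {
- if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
- goto bad_pad;
- if (!rctx->md)
- rctx->md = EVP_sha1();
- }
- rctx->pad_mode = p1;
- return 1;
- }
- bad_pad:
- RSAerr(RSA_F_PKEY_RSA_CTRL,
- RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
- return -2;
-
- case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
- if (p1 < -2)
- return -2;
- if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
- {
- RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
- return -2;
- }
- rctx->saltlen = p1;
- return 1;
-
- case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
- if (p1 < 256)
- {
- RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
- return -2;
- }
- rctx->nbits = p1;
- return 1;
-
- case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
- if (!p2)
- return -2;
- rctx->pub_exp = p2;
- return 1;
-
- case EVP_PKEY_CTRL_MD:
- if (!check_padding_md(p2, rctx->pad_mode))
- return 0;
- rctx->md = p2;
- return 1;
-
- case EVP_PKEY_CTRL_DIGESTINIT:
- case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
- case EVP_PKEY_CTRL_PKCS7_DECRYPT:
- case EVP_PKEY_CTRL_PKCS7_SIGN:
-#ifndef OPENSSL_NO_CMS
- case EVP_PKEY_CTRL_CMS_ENCRYPT:
- case EVP_PKEY_CTRL_CMS_DECRYPT:
- case EVP_PKEY_CTRL_CMS_SIGN:
-#endif
- return 1;
- case EVP_PKEY_CTRL_PEER_KEY:
- RSAerr(RSA_F_PKEY_RSA_CTRL,
- RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
- return -2;
-
- default:
- return -2;
-
- }
- }
-
-static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
- const char *type, const char *value)
- {
- if (!value)
- {
- RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
- return 0;
- }
- if (!strcmp(type, "rsa_padding_mode"))
- {
- int pm;
- if (!strcmp(value, "pkcs1"))
- pm = RSA_PKCS1_PADDING;
- else if (!strcmp(value, "sslv23"))
- pm = RSA_SSLV23_PADDING;
- else if (!strcmp(value, "none"))
- pm = RSA_NO_PADDING;
- else if (!strcmp(value, "oeap"))
- pm = RSA_PKCS1_OAEP_PADDING;
- else if (!strcmp(value, "x931"))
- pm = RSA_X931_PADDING;
- else if (!strcmp(value, "pss"))
- pm = RSA_PKCS1_PSS_PADDING;
- else
- {
- RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
- RSA_R_UNKNOWN_PADDING_TYPE);
- return -2;
- }
- return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
- }
-
- if (!strcmp(type, "rsa_pss_saltlen"))
- {
- int saltlen;
- saltlen = atoi(value);
- return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
- }
-
- if (!strcmp(type, "rsa_keygen_bits"))
- {
- int nbits;
- nbits = atoi(value);
- return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
- }
-
- if (!strcmp(type, "rsa_keygen_pubexp"))
- {
- int ret;
- BIGNUM *pubexp = NULL;
- if (!BN_asc2bn(&pubexp, value))
- return 0;
- ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
- if (ret <= 0)
- BN_free(pubexp);
- return ret;
- }
-
- return -2;
- }
-
-static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
- {
- RSA *rsa = NULL;
- RSA_PKEY_CTX *rctx = ctx->data;
- BN_GENCB *pcb, cb;
- int ret;
- if (!rctx->pub_exp)
- {
- rctx->pub_exp = BN_new();
- if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
- return 0;
- }
- rsa = RSA_new();
- if (!rsa)
- return 0;
- if (ctx->pkey_gencb)
- {
- pcb = &cb;
- evp_pkey_set_cb_translate(pcb, ctx);
- }
- else
- pcb = NULL;
- ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
- if (ret > 0)
- EVP_PKEY_assign_RSA(pkey, rsa);
- else
- RSA_free(rsa);
- return ret;
- }
-
-const EVP_PKEY_METHOD rsa_pkey_meth =
- {
- EVP_PKEY_RSA,
- EVP_PKEY_FLAG_AUTOARGLEN,
- pkey_rsa_init,
- pkey_rsa_copy,
- pkey_rsa_cleanup,
-
- 0,0,
-
- 0,
- pkey_rsa_keygen,
-
- 0,
- pkey_rsa_sign,
-
- 0,
- pkey_rsa_verify,
-
- 0,
- pkey_rsa_verifyrecover,
-
-
- 0,0,0,0,
-
- 0,
- pkey_rsa_encrypt,
-
- 0,
- pkey_rsa_decrypt,
-
- 0,0,
-
- pkey_rsa_ctrl,
- pkey_rsa_ctrl_str
-
-
- };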
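diff --git a/src/lib/libcrypto/rsa/rsa_prn.c b/src/lib/libcrypto/rsa/rsa_prn.c
deleted file mode 100644
index 224db0fae5..0000000000
--- a/src/lib/libcrypto/rsa/rsa_prn.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/* crypto/rsa/rsa_prn.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2006.
- */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/rsa.h>
-#include <openssl/evp.h>
-
-#ifndef OPENSSL_NO_FP_API
-int RSA_print_fp(FILE *fp, const RSA *x, int off)
- {
- BIO *b;
- int ret;
-
- if ((b=BIO_new(BIO_s_file())) == NULL)
- {
- RSAerr(RSA_F_RSA_PRINT_FP,ERR_R_BUF_LIB);
- return(0);
- }
- BIO_set_fp(b,fp,BIO_NOCLOSE);
- ret=RSA_print(b,x,off);
- BIO_free(b);
- return(ret);
- }
-#endif
-
-int RSA_print(BIO *bp, const RSA *x, int off)
- {
- EVP_PKEY *pk;
- int ret;
- pk = EVP_PKEY_new();
- if (!pk || !EVP_PKEY_set1_RSA(pk, (RSA *)x))
- return 0;
- ret = EVP_PKEY_print_private(bp, pk, off, NULL);
- EVP_PKEY_free(pk);
- return ret;
- }
-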
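diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
deleted file mode 100644
index ac211e2ffe..0000000000
--- a/src/lib/libcrypto/rsa/rsa_pss.c
+++ /dev/null
@@ -1,275 +0,0 @@
-/* rsa_pss.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2005.
- */
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/evp.h>
-#include <openssl/rand.h>
-#include <openssl/sha.h>
-
-static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
-
-#if defined(_MSC_VER) && defined(_ARM_)
-#pragma optimize("g", off)
-#endif
-
-int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
- const EVP_MD *Hash, const unsigned char *EM, int sLen)
- {
- int i;
- int ret = 0;
- int hLen, maskedDBLen, MSBits, emLen;
- const unsigned char *H;
- unsigned char *DB = NULL;
- EVP_MD_CTX ctx;
- unsigned char H_[EVP_MAX_MD_SIZE];
-
- hLen = EVP_MD_size(Hash);
- if (hLen < 0)
- goto err;
- /*
- * Negative sLen has special meanings:
- * -1 sLen == hLen
- * -2 salt length is autorecovered from signature
- * -N reserved
- */
- if (sLen == -1) sLen = hLen;
- else if (sLen == -2) sLen = -2;
- else if (sLen < -2)
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
- goto err;
- }
-
- MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
- emLen = RSA_size(rsa);
- if (EM[0] & (0xFF << MSBits))
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID);
- goto err;
- }
- if (MSBits == 0)
- {
- EM++;
- emLen--;
- }
- if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE);
- goto err;
- }
- if (EM[emLen - 1] != 0xbc)
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID);
- goto err;
- }
- maskedDBLen = emLen - hLen - 1;
- H = EM + maskedDBLen;
- DB = OPENSSL_malloc(maskedDBLen);
- if (!DB)
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash) < 0)
- goto err;
- for (i = 0; i < maskedDBLen; i++)
- DB[i] ^= EM[i];
- if (MSBits)
- DB[0] &= 0xFF >> (8 - MSBits);
- for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
- if (DB[i++] != 0x1)
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED);
- goto err;
- }
- if (sLen >= 0 && (maskedDBLen - i) != sLen)
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
- goto err;
- }
- EVP_MD_CTX_init(&ctx);
- EVP_DigestInit_ex(&ctx, Hash, NULL);
- EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
- EVP_DigestUpdate(&ctx, mHash, hLen);
- if (maskedDBLen - i)
- EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i);
- EVP_DigestFinal(&ctx, H_, NULL);
- EVP_MD_CTX_cleanup(&ctx);
- if (memcmp(H_, H, hLen))
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE);
- ret = 0;
- }
- else
- ret = 1;
-
- err:
- if (DB)
- OPENSSL_free(DB);
-
- return ret;
-
- }
-
-int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
- const unsigned char *mHash,
- const EVP_MD *Hash, int sLen)
- {
- int i;
- int ret = 0;
- int hLen, maskedDBLen, MSBits, emLen;
- unsigned char *H, *salt = NULL, *p;
- EVP_MD_CTX ctx;
-
- hLen = EVP_MD_size(Hash);
- if (hLen < 0)
- goto err;
- /*
- * Negative sLen has special meanings:
- * -1 sLen == hLen
- * -2 salt length is maximized
- * -N reserved
- */
- if (sLen == -1) sLen = hLen;
- else if (sLen == -2) sLen = -2;
- else if (sLen < -2)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
- goto err;
- }
-
- MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
- emLen = RSA_size(rsa);
- if (MSBits == 0)
- {
- *EM++ = 0;
- emLen--;
- }
- if (sLen == -2)
- {
- sLen = emLen - hLen - 2;
- }
- else if (emLen < (hLen + sLen + 2))
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
- RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- goto err;
- }
- if (sLen > 0)
- {
- salt = OPENSSL_malloc(sLen);
- if (!salt)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
- ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (RAND_bytes(salt, sLen) <= 0)
- goto err;
- }
- maskedDBLen = emLen - hLen - 1;
- H = EM + maskedDBLen;
- EVP_MD_CTX_init(&ctx);
- EVP_DigestInit_ex(&ctx, Hash, NULL);
- EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
- EVP_DigestUpdate(&ctx, mHash, hLen);
- if (sLen)
- EVP_DigestUpdate(&ctx, salt, sLen);
- EVP_DigestFinal(&ctx, H, NULL);
- EVP_MD_CTX_cleanup(&ctx);
-
- /* Generate dbMask in place then perform XOR on it */
- if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash))
- goto err;
-
- p = EM;
-
- /* Initial PS XORs with all zeroes which is a NOP so just update
- * pointer. Note from a test above this value is guaranteed to
- * be non-negative.
- */
- p += emLen - sLen - hLen - 2;
- *p++ ^= 0x1;
- if (sLen > 0)
- {
- for (i = 0; i < sLen; i++)
- *p++ ^= salt[i];
- }
- if (MSBits)
- EM[0] &= 0xFF >> (8 - MSBits);
-
- /* H is already in place so just set final 0xbc */
-
- EM[emLen - 1] = 0xbc;
-
- ret = 1;
-
- err:
- if (salt)
- OPENSSL_free(salt);
-
- return ret;
-
- }
-
-#if defined(_MSC_VER)
-#pragma optimize("",on)
-#endif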
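diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
deleted file mode 100644
index f98e0a80a6..0000000000
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/* crypto/rsa/rsa_saos.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-
-int RSA_sign_ASN1_OCTET_STRING(int type,
- const unsigned char *m, unsigned int m_len,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa)
- {
- ASN1_OCTET_STRING sig;
- int i,j,ret=1;
- unsigned char *p,*s;
-
- sig.type=V_ASN1_OCTET_STRING;
- sig.length=m_len;
- sig.data=(unsigned char *)m;
-
- i=i2d_ASN1_OCTET_STRING(&sig,NULL);
- j=RSA_size(rsa);
- if (i > (j-RSA_PKCS1_PADDING_SIZE))
- {
- RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
- return(0);
- }
- s=(unsigned char *)OPENSSL_malloc((unsigned int)j+1);
- if (s == NULL)
- {
- RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
- return(0);
- }
- p=s;
- i2d_ASN1_OCTET_STRING(&sig,&p);
- i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
- if (i <= 0)
- ret=0;
- else
- *siglen=i;
-
- OPENSSL_cleanse(s,(unsigned int)j+1);
- OPENSSL_free(s);
- return(ret);
- }
-
-int RSA_verify_ASN1_OCTET_STRING(int dtype,
- const unsigned char *m,
- unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
- RSA *rsa)
- {
- int i,ret=0;
- unsigned char *s;
- const unsigned char *p;
- ASN1_OCTET_STRING *sig=NULL;
-
- if (siglen != (unsigned int)RSA_size(rsa))
- {
- RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,RSA_R_WRONG_SIGNATURE_LENGTH);
- return(0);
- }
-
- s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);
- if (s == NULL)
- {
- RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
- goto err;
- }
- i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
-
- if (i <= 0) goto err;
-
- p=s;
- sig=d2i_ASN1_OCTET_STRING(NULL,&p,(long)i);
- if (sig == NULL) goto err;
-
- if ( ((unsigned int)sig->length != m_len) ||
- (memcmp(m,sig->data,m_len) != 0))
- {
- RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,RSA_R_BAD_SIGNATURE);
- }
- else
- ret=1;
-err:
- if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
- if (s != NULL)
- {
- OPENSSL_cleanse(s,(unsigned int)siglen);
- OPENSSL_free(s);
- }
- return(ret);
- }
-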
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
deleted file mode 100644
index 0be4ec7fb0..0000000000
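--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ /dev/null
@@ -1,285 +0,0 @@
-/* crypto/rsa/rsa_sign.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#include "rsa_locl.h"
-
-/* Size of an SSL signature: MD5+SHA1 */
-#define SSL_SIG_LENGTH 36
-
-int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa)
- {
- X509_SIG sig;
- ASN1_TYPE parameter;
- int i,j,ret=1;
- unsigned char *p, *tmps = NULL;
- const unsigned char *s = NULL;
- X509_ALGOR algor;
- ASN1_OCTET_STRING digest;
- if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
- {
- return rsa->meth->rsa_sign(type, m, m_len,
- sigret, siglen, rsa);
- }
- /* Special case: SSL signature, just check the length */
- if(type == NID_md5_sha1) {
- if(m_len != SSL_SIG_LENGTH) {
- RSAerr(RSA_F_RSA_SIGN,RSA_R_INVALID_MESSAGE_LENGTH);
- return(0);
- }
- i = SSL_SIG_LENGTH;
- s = m;
- } else {
- sig.algor= &algor;
- sig.algor->algorithm=OBJ_nid2obj(type);
- if (sig.algor->algorithm == NULL)
- {
- RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
- return(0);
- }
- if (sig.algor->algorithm->length == 0)
- {
- RSAerr(RSA_F_RSA_SIGN,RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
- return(0);
- }
- parameter.type=V_ASN1_NULL;
- parameter.value.ptr=NULL;
- sig.algor->parameter= &parameter;
-
- sig.digest= &digest;
- sig.digest->data=(unsigned char *)m; /* TMP UGLY CAST */
- sig.digest->length=m_len;
-
- i=i2d_X509_SIG(&sig,NULL);
- }
- j=RSA_size(rsa);
- if (i > (j-RSA_PKCS1_PADDING_SIZE))
- {
- RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
- return(0);
- }
- if(type != NID_md5_sha1) {
- tmps=(unsigned char *)OPENSSL_malloc((unsigned int)j+1);
- if (tmps == NULL)
- {
- RSAerr(RSA_F_RSA_SIGN,ERR_R_MALLOC_FAILURE);
- return(0);
- }
- p=tmps;
- i2d_X509_SIG(&sig,&p);
- s=tmps;
- }
- i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
- if (i <= 0)
- ret=0;
- else
- *siglen=i;
-
- if(type != NID_md5_sha1) {
- OPENSSL_cleanse(tmps,(unsigned int)j+1);
- OPENSSL_free(tmps);
- }
- return(ret);
- }
-
-int int_rsa_verify(int dtype, const unsigned char *m,
- unsigned int m_len,
- unsigned char *rm, size_t *prm_len,
- const unsigned char *sigbuf, size_t siglen,
- RSA *rsa)
- {
- int i,ret=0,sigtype;
- unsigned char *s;
- X509_SIG *sig=NULL;
-
- if (siglen != (unsigned int)RSA_size(rsa))
- {
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
- return(0);
- }
-
- if((dtype == NID_md5_sha1) && rm)
- {
- i = RSA_public_decrypt((int)siglen,
- sigbuf,rm,rsa,RSA_PKCS1_PADDING);
- if (i <= 0)
- return 0;
- *prm_len = i;
- return 1;
- }
-
- s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);
- if (s == NULL)
- {
- RSAerr(RSA_F_INT_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
- goto err;
- }
- i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
-
- if (i <= 0) goto err;
-
- /* Special case: SSL signature */
- if(dtype == NID_md5_sha1) {
- if((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH))
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
- else ret = 1;
- } else {
- const unsigned char *p=s;
- sig=d2i_X509_SIG(NULL,&p,(long)i);
-
- if (sig == NULL) goto err;
-
- /* Excess data can be used to create forgeries */
- if(p != s+i)
- {
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
- goto err;
- }
-
- /* Parameters to the signature algorithm can also be used to
- create forgeries */
- if(sig->algor->parameter
- && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL)
- {
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
- goto err;
- }
-
- sigtype=OBJ_obj2nid(sig->algor->algorithm);
-
-
- #ifdef RSA_DEBUG
- /* put a backward compatibility flag in EAY */
- fprintf(stderr,"in(%s) expect(%s)\n",OBJ_nid2ln(sigtype),
- OBJ_nid2ln(dtype));
- #endif
- if (sigtype != dtype)
- {
- if (((dtype == NID_md5) &&
- (sigtype == NID_md5WithRSAEncryption)) ||
- ((dtype == NID_md2) &&
- (sigtype == NID_md2WithRSAEncryption)))
- {
- /* ok, we will let it through */
-#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
- fprintf(stderr,"signature has problems, re-make with post SSLeay045\n");
-#endif
- }
- else
- {
- RSAerr(RSA_F_INT_RSA_VERIFY,
- RSA_R_ALGORITHM_MISMATCH);
- goto err;
- }
- }
- if (rm)
- {
- const EVP_MD *md;
- md = EVP_get_digestbynid(dtype);
- if (md && (EVP_MD_size(md) != sig->digest->length))
- RSAerr(RSA_F_INT_RSA_VERIFY,
- RSA_R_INVALID_DIGEST_LENGTH);
- else
- {
- memcpy(rm, sig->digest->data,
- sig->digest->length);
- *prm_len = sig->digest->length;
- ret = 1;
- }
- }
- else if (((unsigned int)sig->digest->length != m_len) ||
- (memcmp(m,sig->digest->data,m_len) != 0))
- {
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
- }
- else
- ret=1;
- }
-err:
- if (sig != NULL) X509_SIG_free(sig);
- if (s != NULL)
- {
- OPENSSL_cleanse(s,(unsigned int)siglen);
- OPENSSL_free(s);
- }
- return(ret);
- }
-
-int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
- const unsigned char *sigbuf, unsigned int siglen,
- RSA *rsa)
- {
-
- if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
- {
- return rsa->meth->rsa_verify(dtype, m, m_len,
- sigbuf, siglen, rsa);
- }
-
- return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
- }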
diff --git a/src/lib/libcrypto/rsa/rsa_ssl.c b/src/lib/libcrypto/rsa/rsa_ssl.c
deleted file mode 100644
index cfeff15bc9..0000000000
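--- a/src/lib/libcrypto/rsa/rsa_ssl.c
+++ /dev/null
@@ -1,154 +0,0 @@
-/* crypto/rsa/rsa_ssl.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-
-int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
- {
- int i,j;
- unsigned char *p;
-
- if (flen > (tlen-11))
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return(0);
- }
-
- p=(unsigned char *)to;
-
- *(p++)=0;
- *(p++)=2; /* Public Key BT (Block Type) */
-
- /* pad out with non-zero random data */
- j=tlen-3-8-flen;
-
- if (RAND_bytes(p,j) <= 0)
- return(0);
- for (i=0; i<j; i++)
- {
- if (*p == '\0')
- do {
- if (RAND_bytes(p,1) <= 0)
- return(0);
- } while (*p == '\0');
- p++;
- }
-
- memset(p,3,8);
- p+=8;
- *(p++)='\0';
-
- memcpy(p,from,(unsigned int)flen);
- return(1);
- }
-
-int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num)
- {
- int i,j,k;
- const unsigned char *p;
-
- p=from;
- if (flen < 10)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_SMALL);
- return(-1);
- }
- if ((num != (flen+1)) || (*(p++) != 02))
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_BLOCK_TYPE_IS_NOT_02);
- return(-1);
- }
-
- /* scan over padding data */
- j=flen-1; /* one for type */
- for (i=0; i<j; i++)
- if (*(p++) == 0) break;
-
- if ((i == j) || (i < 8))
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_NULL_BEFORE_BLOCK_MISSING);
- return(-1);
- }
- for (k = -9; k<-1; k++)
- {
- if (p[k] != 0x03) break;
- }
- if (k == -1)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_SSLV3_ROLLBACK_ATTACK);
- return(-1);
- }
-
- i++; /* Skip over the '\0' */
- j-=i;
- if (j > tlen)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_LARGE);
- return(-1);
- }
- memcpy(to,p,(unsigned int)j);
-
- return(j);
- }
-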
diff --git a/src/lib/libcrypto/rsa/rsa_x931.c b/src/lib/libcrypto/rsa/rsa_x931.c
deleted file mode 100644
index 21548e37ed..0000000000
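--- a/src/lib/libcrypto/rsa/rsa_x931.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/* rsa_x931.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2005.
- */
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-#include <openssl/objects.h>
-
-int RSA_padding_add_X931(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
- {
- int j;
- unsigned char *p;
-
- /* Absolute minimum amount of padding is 1 header nibble, 1 padding
- * nibble and 2 trailer bytes: but 1 hash if is already in 'from'.
- */
-
- j = tlen - flen - 2;
-
- if (j < 0)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_X931,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return -1;
- }
-
- p=(unsigned char *)to;
-
- /* If no padding start and end nibbles are in one byte */
- if (j == 0)
- *p++ = 0x6A;
- else
- {
- *p++ = 0x6B;
- if (j > 1)
- {
- memset(p, 0xBB, j - 1);
- p += j - 1;
- }
- *p++ = 0xBA;
- }
- memcpy(p,from,(unsigned int)flen);
- p += flen;
- *p = 0xCC;
- return(1);
- }
-
-int RSA_padding_check_X931(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num)
- {
- int i = 0,j;
- const unsigned char *p;
-
- p=from;
- if ((num != flen) || ((*p != 0x6A) && (*p != 0x6B)))
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_X931,RSA_R_INVALID_HEADER);
- return -1;
- }
-
- if (*p++ == 0x6B)
- {
- j=flen-3;
- for (i = 0; i < j; i++)
- {
- unsigned char c = *p++;
- if (c == 0xBA)
- break;
- if (c != 0xBB)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_X931,
- RSA_R_INVALID_PADDING);
- return -1;
- }
- }
-
- j -= i;
-
- if (i == 0)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_PADDING);
- return -1;
- }
-
- }
- else j = flen - 2;
-
- if (p[j] != 0xCC)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_TRAILER);
- return -1;
- }
-
- memcpy(to,p,(unsigned int)j);
-
- return(j);
- }
-
-/* Translate between X931 hash ids and NIDs */
-
-int RSA_X931_hash_id(int nid)
- {
- switch (nid)
- {
- case NID_sha1:
- return 0x33;
-
- case NID_sha256:
- return 0x34;
-
- case NID_sha384:
- return 0x36;
-
- case NID_sha512:
- return 0x35;
-
- }
- return -1;
- }
-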