summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/rsa')
-rw-r--r--src/lib/libcrypto/rsa/Makefile39
-rw-r--r--src/lib/libcrypto/rsa/rsa.h503
-rw-r--r--src/lib/libcrypto/rsa/rsa_ameth.c698
-rw-r--r--src/lib/libcrypto/rsa/rsa_asn1.c111
-rw-r--r--src/lib/libcrypto/rsa/rsa_chk.c184
-rw-r--r--src/lib/libcrypto/rsa/rsa_crpt.c257
-rw-r--r--src/lib/libcrypto/rsa/rsa_depr.c101
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c915
-rw-r--r--src/lib/libcrypto/rsa/rsa_err.c190
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c219
-rw-r--r--src/lib/libcrypto/rsa/rsa_lib.c (renamed from src/lib/libcrypto/rsa/rsa_eng.c)189
-rw-r--r--src/lib/libcrypto/rsa/rsa_locl.h4
-rw-r--r--src/lib/libcrypto/rsa/rsa_none.c98
-rw-r--r--src/lib/libcrypto/rsa/rsa_oaep.c233
-rw-r--r--src/lib/libcrypto/rsa/rsa_pk1.c224
-rw-r--r--src/lib/libcrypto/rsa/rsa_pmeth.c723
-rw-r--r--src/lib/libcrypto/rsa/rsa_prn.c93
-rw-r--r--src/lib/libcrypto/rsa/rsa_pss.c300
-rw-r--r--src/lib/libcrypto/rsa/rsa_saos.c150
-rw-r--r--src/lib/libcrypto/rsa/rsa_sign.c285
-rw-r--r--src/lib/libcrypto/rsa/rsa_ssl.c154
-rw-r--r--src/lib/libcrypto/rsa/rsa_x931.c177
-rw-r--r--src/lib/libcrypto/rsa/rsa_x931g.c255
23 files changed, 5790 insertions, 312 deletions
diff --git a/src/lib/libcrypto/rsa/Makefile b/src/lib/libcrypto/rsa/Makefile
index f798d2f749..bb64223e05 100644
--- a/src/lib/libcrypto/rsa/Makefile
+++ b/src/lib/libcrypto/rsa/Makefile
@@ -20,11 +20,11 @@ LIB=$(TOP)/libcrypto.a
20LIBSRC= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_saos.c rsa_err.c \ 20LIBSRC= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_saos.c rsa_err.c \
21 rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c rsa_null.c \ 21 rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c rsa_null.c \
22 rsa_pss.c rsa_x931.c rsa_asn1.c rsa_depr.c rsa_ameth.c rsa_prn.c \ 22 rsa_pss.c rsa_x931.c rsa_asn1.c rsa_depr.c rsa_ameth.c rsa_prn.c \
23 rsa_pmeth.c rsa_crpt.c 23 rsa_pmeth.c
24LIBOBJ= rsa_eay.o rsa_gen.o rsa_lib.o rsa_sign.o rsa_saos.o rsa_err.o \ 24LIBOBJ= rsa_eay.o rsa_gen.o rsa_lib.o rsa_sign.o rsa_saos.o rsa_err.o \
25 rsa_pk1.o rsa_ssl.o rsa_none.o rsa_oaep.o rsa_chk.o rsa_null.o \ 25 rsa_pk1.o rsa_ssl.o rsa_none.o rsa_oaep.o rsa_chk.o rsa_null.o \
26 rsa_pss.o rsa_x931.o rsa_asn1.o rsa_depr.o rsa_ameth.o rsa_prn.o \ 26 rsa_pss.o rsa_x931.o rsa_asn1.o rsa_depr.o rsa_ameth.o rsa_prn.o \
27 rsa_pmeth.o rsa_crpt.o 27 rsa_pmeth.o
28 28
29SRC= $(LIBSRC) 29SRC= $(LIBSRC)
30 30
@@ -100,16 +100,11 @@ rsa_asn1.o: ../../e_os.h ../../include/openssl/asn1.h
100rsa_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h 100rsa_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
101rsa_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h 101rsa_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
102rsa_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h 102rsa_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
103rsa_asn1.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h 103rsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
104rsa_asn1.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
105rsa_asn1.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
106rsa_asn1.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
107rsa_asn1.o: ../../include/openssl/opensslconf.h 104rsa_asn1.o: ../../include/openssl/opensslconf.h
108rsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h 105rsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
109rsa_asn1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h 106rsa_asn1.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
110rsa_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
111rsa_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h 107rsa_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
112rsa_asn1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
113rsa_asn1.o: ../cryptlib.h rsa_asn1.c 108rsa_asn1.o: ../cryptlib.h rsa_asn1.c
114rsa_chk.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h 109rsa_chk.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
115rsa_chk.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h 110rsa_chk.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
@@ -119,21 +114,6 @@ rsa_chk.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
119rsa_chk.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h 114rsa_chk.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
120rsa_chk.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h 115rsa_chk.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
121rsa_chk.o: rsa_chk.c 116rsa_chk.o: rsa_chk.c
122rsa_crpt.o: ../../e_os.h ../../include/openssl/asn1.h
123rsa_crpt.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
124rsa_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
125rsa_crpt.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
126rsa_crpt.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
127rsa_crpt.o: ../../include/openssl/engine.h ../../include/openssl/err.h
128rsa_crpt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
129rsa_crpt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
130rsa_crpt.o: ../../include/openssl/opensslconf.h
131rsa_crpt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
132rsa_crpt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
133rsa_crpt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
134rsa_crpt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
135rsa_crpt.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
136rsa_crpt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h rsa_crpt.c
137rsa_depr.o: ../../e_os.h ../../include/openssl/asn1.h 117rsa_depr.o: ../../e_os.h ../../include/openssl/asn1.h
138rsa_depr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h 118rsa_depr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
139rsa_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h 119rsa_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -225,12 +205,11 @@ rsa_pk1.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_pk1.c
225rsa_pmeth.o: ../../e_os.h ../../include/openssl/asn1.h 205rsa_pmeth.o: ../../e_os.h ../../include/openssl/asn1.h
226rsa_pmeth.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h 206rsa_pmeth.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
227rsa_pmeth.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h 207rsa_pmeth.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
228rsa_pmeth.o: ../../include/openssl/cms.h ../../include/openssl/crypto.h 208rsa_pmeth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
229rsa_pmeth.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h 209rsa_pmeth.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
230rsa_pmeth.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h 210rsa_pmeth.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
231rsa_pmeth.o: ../../include/openssl/err.h ../../include/openssl/evp.h 211rsa_pmeth.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
232rsa_pmeth.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h 212rsa_pmeth.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
233rsa_pmeth.o: ../../include/openssl/objects.h
234rsa_pmeth.o: ../../include/openssl/opensslconf.h 213rsa_pmeth.o: ../../include/openssl/opensslconf.h
235rsa_pmeth.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h 214rsa_pmeth.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
236rsa_pmeth.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h 215rsa_pmeth.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
new file mode 100644
index 0000000000..cf74343657
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -0,0 +1,503 @@
1/* crypto/rsa/rsa.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_RSA_H
60#define HEADER_RSA_H
61
62#include <openssl/asn1.h>
63
64#ifndef OPENSSL_NO_BIO
65#include <openssl/bio.h>
66#endif
67#include <openssl/crypto.h>
68#include <openssl/ossl_typ.h>
69#ifndef OPENSSL_NO_DEPRECATED
70#include <openssl/bn.h>
71#endif
72
73#ifdef OPENSSL_NO_RSA
74#error RSA is disabled.
75#endif
76
77#ifdef __cplusplus
78extern "C" {
79#endif
80
81/* Declared already in ossl_typ.h */
82/* typedef struct rsa_st RSA; */
83/* typedef struct rsa_meth_st RSA_METHOD; */
84
85struct rsa_meth_st
86 {
87 const char *name;
88 int (*rsa_pub_enc)(int flen,const unsigned char *from,
89 unsigned char *to,
90 RSA *rsa,int padding);
91 int (*rsa_pub_dec)(int flen,const unsigned char *from,
92 unsigned char *to,
93 RSA *rsa,int padding);
94 int (*rsa_priv_enc)(int flen,const unsigned char *from,
95 unsigned char *to,
96 RSA *rsa,int padding);
97 int (*rsa_priv_dec)(int flen,const unsigned char *from,
98 unsigned char *to,
99 RSA *rsa,int padding);
100 int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa,BN_CTX *ctx); /* Can be null */
101 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
102 const BIGNUM *m, BN_CTX *ctx,
103 BN_MONT_CTX *m_ctx); /* Can be null */
104 int (*init)(RSA *rsa); /* called at new */
105 int (*finish)(RSA *rsa); /* called at free */
106 int flags; /* RSA_METHOD_FLAG_* things */
107 char *app_data; /* may be needed! */
108/* New sign and verify functions: some libraries don't allow arbitrary data
109 * to be signed/verified: this allows them to be used. Note: for this to work
110 * the RSA_public_decrypt() and RSA_private_encrypt() should *NOT* be used
111 * RSA_sign(), RSA_verify() should be used instead. Note: for backwards
112 * compatibility this functionality is only enabled if the RSA_FLAG_SIGN_VER
113 * option is set in 'flags'.
114 */
115 int (*rsa_sign)(int type,
116 const unsigned char *m, unsigned int m_length,
117 unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
118 int (*rsa_verify)(int dtype,
119 const unsigned char *m, unsigned int m_length,
120 const unsigned char *sigbuf, unsigned int siglen,
121 const RSA *rsa);
122/* If this callback is NULL, the builtin software RSA key-gen will be used. This
123 * is for behavioural compatibility whilst the code gets rewired, but one day
124 * it would be nice to assume there are no such things as "builtin software"
125 * implementations. */
126 int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
127 };
128
129struct rsa_st
130 {
131 /* The first parameter is used to pickup errors where
132 * this is passed instead of aEVP_PKEY, it is set to 0 */
133 int pad;
134 long version;
135 const RSA_METHOD *meth;
136 /* functional reference if 'meth' is ENGINE-provided */
137 ENGINE *engine;
138 BIGNUM *n;
139 BIGNUM *e;
140 BIGNUM *d;
141 BIGNUM *p;
142 BIGNUM *q;
143 BIGNUM *dmp1;
144 BIGNUM *dmq1;
145 BIGNUM *iqmp;
146 /* be careful using this if the RSA structure is shared */
147 CRYPTO_EX_DATA ex_data;
148 int references;
149 int flags;
150
151 /* Used to cache montgomery values */
152 BN_MONT_CTX *_method_mod_n;
153 BN_MONT_CTX *_method_mod_p;
154 BN_MONT_CTX *_method_mod_q;
155
156 /* all BIGNUM values are actually in the following data, if it is not
157 * NULL */
158 char *bignum_data;
159 BN_BLINDING *blinding;
160 BN_BLINDING *mt_blinding;
161 };
162
163#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
164# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
165#endif
166
167#ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
168# define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
169#endif
170#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
171# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */
172#endif
173
174#define RSA_3 0x3L
175#define RSA_F4 0x10001L
176
177#define RSA_METHOD_FLAG_NO_CHECK 0x0001 /* don't check pub/private match */
178
179#define RSA_FLAG_CACHE_PUBLIC 0x0002
180#define RSA_FLAG_CACHE_PRIVATE 0x0004
181#define RSA_FLAG_BLINDING 0x0008
182#define RSA_FLAG_THREAD_SAFE 0x0010
183/* This flag means the private key operations will be handled by rsa_mod_exp
184 * and that they do not depend on the private key components being present:
185 * for example a key stored in external hardware. Without this flag bn_mod_exp
186 * gets called when private key components are absent.
187 */
188#define RSA_FLAG_EXT_PKEY 0x0020
189
190/* This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
191 */
192#define RSA_FLAG_SIGN_VER 0x0040
193
194#define RSA_FLAG_NO_BLINDING 0x0080 /* new with 0.9.6j and 0.9.7b; the built-in
195 * RSA implementation now uses blinding by
196 * default (ignoring RSA_FLAG_BLINDING),
197 * but other engines might not need it
198 */
199#define RSA_FLAG_NO_CONSTTIME 0x0100 /* new with 0.9.8f; the built-in RSA
200 * implementation now uses constant time
201 * operations by default in private key operations,
202 * e.g., constant time modular exponentiation,
203 * modular inverse without leaking branches,
204 * division without leaking branches. This
205 * flag disables these constant time
206 * operations and results in faster RSA
207 * private key operations.
208 */
209#ifndef OPENSSL_NO_DEPRECATED
210#define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME /* deprecated name for the flag*/
211 /* new with 0.9.7h; the built-in RSA
212 * implementation now uses constant time
213 * modular exponentiation for secret exponents
214 * by default. This flag causes the
215 * faster variable sliding window method to
216 * be used for all exponents.
217 */
218#endif
219
220
221#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
222 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \
223 pad, NULL)
224
225#define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \
226 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
227 (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
228 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, \
229 len, NULL)
230
231#define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \
232 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
233 EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL)
234
235#define EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp) \
236 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
237 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp)
238
239#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
240#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2)
241
242#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3)
243#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4)
244
245#define RSA_PKCS1_PADDING 1
246#define RSA_SSLV23_PADDING 2
247#define RSA_NO_PADDING 3
248#define RSA_PKCS1_OAEP_PADDING 4
249#define RSA_X931_PADDING 5
250/* EVP_PKEY_ only */
251#define RSA_PKCS1_PSS_PADDING 6
252
253#define RSA_PKCS1_PADDING_SIZE 11
254
255#define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)
256#define RSA_get_app_data(s) RSA_get_ex_data(s,0)
257
258RSA * RSA_new(void);
259RSA * RSA_new_method(ENGINE *engine);
260int RSA_size(const RSA *);
261
262/* Deprecated version */
263#ifndef OPENSSL_NO_DEPRECATED
264RSA * RSA_generate_key(int bits, unsigned long e,void
265 (*callback)(int,int,void *),void *cb_arg);
266#endif /* !defined(OPENSSL_NO_DEPRECATED) */
267
268/* New version */
269int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
270
271int RSA_check_key(const RSA *);
272 /* next 4 return -1 on error */
273int RSA_public_encrypt(int flen, const unsigned char *from,
274 unsigned char *to, RSA *rsa,int padding);
275int RSA_private_encrypt(int flen, const unsigned char *from,
276 unsigned char *to, RSA *rsa,int padding);
277int RSA_public_decrypt(int flen, const unsigned char *from,
278 unsigned char *to, RSA *rsa,int padding);
279int RSA_private_decrypt(int flen, const unsigned char *from,
280 unsigned char *to, RSA *rsa,int padding);
281void RSA_free (RSA *r);
282/* "up" the RSA object's reference count */
283int RSA_up_ref(RSA *r);
284
285int RSA_flags(const RSA *r);
286
287void RSA_set_default_method(const RSA_METHOD *meth);
288const RSA_METHOD *RSA_get_default_method(void);
289const RSA_METHOD *RSA_get_method(const RSA *rsa);
290int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
291
292/* This function needs the memory locking malloc callbacks to be installed */
293int RSA_memory_lock(RSA *r);
294
295/* these are the actual SSLeay RSA functions */
296const RSA_METHOD *RSA_PKCS1_SSLeay(void);
297
298const RSA_METHOD *RSA_null_method(void);
299
300DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPublicKey)
301DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPrivateKey)
302
303#ifndef OPENSSL_NO_FP_API
304int RSA_print_fp(FILE *fp, const RSA *r,int offset);
305#endif
306
307#ifndef OPENSSL_NO_BIO
308int RSA_print(BIO *bp, const RSA *r,int offset);
309#endif
310
311#ifndef OPENSSL_NO_RC4
312int i2d_RSA_NET(const RSA *a, unsigned char **pp,
313 int (*cb)(char *buf, int len, const char *prompt, int verify),
314 int sgckey);
315RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
316 int (*cb)(char *buf, int len, const char *prompt, int verify),
317 int sgckey);
318
319int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
320 int (*cb)(char *buf, int len, const char *prompt,
321 int verify));
322RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
323 int (*cb)(char *buf, int len, const char *prompt,
324 int verify));
325#endif
326
327/* The following 2 functions sign and verify a X509_SIG ASN1 object
328 * inside PKCS#1 padded RSA encryption */
329int RSA_sign(int type, const unsigned char *m, unsigned int m_length,
330 unsigned char *sigret, unsigned int *siglen, RSA *rsa);
331int RSA_verify(int type, const unsigned char *m, unsigned int m_length,
332 const unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
333
334/* The following 2 function sign and verify a ASN1_OCTET_STRING
335 * object inside PKCS#1 padded RSA encryption */
336int RSA_sign_ASN1_OCTET_STRING(int type,
337 const unsigned char *m, unsigned int m_length,
338 unsigned char *sigret, unsigned int *siglen, RSA *rsa);
339int RSA_verify_ASN1_OCTET_STRING(int type,
340 const unsigned char *m, unsigned int m_length,
341 unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
342
343int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
344void RSA_blinding_off(RSA *rsa);
345BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx);
346
347int RSA_padding_add_PKCS1_type_1(unsigned char *to,int tlen,
348 const unsigned char *f,int fl);
349int RSA_padding_check_PKCS1_type_1(unsigned char *to,int tlen,
350 const unsigned char *f,int fl,int rsa_len);
351int RSA_padding_add_PKCS1_type_2(unsigned char *to,int tlen,
352 const unsigned char *f,int fl);
353int RSA_padding_check_PKCS1_type_2(unsigned char *to,int tlen,
354 const unsigned char *f,int fl,int rsa_len);
355int PKCS1_MGF1(unsigned char *mask, long len,
356 const unsigned char *seed, long seedlen, const EVP_MD *dgst);
357int RSA_padding_add_PKCS1_OAEP(unsigned char *to,int tlen,
358 const unsigned char *f,int fl,
359 const unsigned char *p,int pl);
360int RSA_padding_check_PKCS1_OAEP(unsigned char *to,int tlen,
361 const unsigned char *f,int fl,int rsa_len,
362 const unsigned char *p,int pl);
363int RSA_padding_add_SSLv23(unsigned char *to,int tlen,
364 const unsigned char *f,int fl);
365int RSA_padding_check_SSLv23(unsigned char *to,int tlen,
366 const unsigned char *f,int fl,int rsa_len);
367int RSA_padding_add_none(unsigned char *to,int tlen,
368 const unsigned char *f,int fl);
369int RSA_padding_check_none(unsigned char *to,int tlen,
370 const unsigned char *f,int fl,int rsa_len);
371int RSA_padding_add_X931(unsigned char *to,int tlen,
372 const unsigned char *f,int fl);
373int RSA_padding_check_X931(unsigned char *to,int tlen,
374 const unsigned char *f,int fl,int rsa_len);
375int RSA_X931_hash_id(int nid);
376
377int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
378 const EVP_MD *Hash, const unsigned char *EM, int sLen);
379int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
380 const unsigned char *mHash,
381 const EVP_MD *Hash, int sLen);
382
383int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
384 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
385int RSA_set_ex_data(RSA *r,int idx,void *arg);
386void *RSA_get_ex_data(const RSA *r, int idx);
387
388RSA *RSAPublicKey_dup(RSA *rsa);
389RSA *RSAPrivateKey_dup(RSA *rsa);
390
391/* BEGIN ERROR CODES */
392/* The following lines are auto generated by the script mkerr.pl. Any changes
393 * made after this point may be overwritten when the script is next run.
394 */
395void ERR_load_RSA_strings(void);
396
397/* Error codes for the RSA functions. */
398
399/* Function codes. */
400#define RSA_F_CHECK_PADDING_MD 140
401#define RSA_F_DO_RSA_PRINT 146
402#define RSA_F_INT_RSA_VERIFY 145
403#define RSA_F_MEMORY_LOCK 100
404#define RSA_F_OLD_RSA_PRIV_DECODE 147
405#define RSA_F_PKEY_RSA_CTRL 143
406#define RSA_F_PKEY_RSA_CTRL_STR 144
407#define RSA_F_PKEY_RSA_SIGN 142
408#define RSA_F_PKEY_RSA_VERIFYRECOVER 141
409#define RSA_F_RSA_BUILTIN_KEYGEN 129
410#define RSA_F_RSA_CHECK_KEY 123
411#define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101
412#define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102
413#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
414#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104
415#define RSA_F_RSA_GENERATE_KEY 105
416#define RSA_F_RSA_MEMORY_LOCK 130
417#define RSA_F_RSA_NEW_METHOD 106
418#define RSA_F_RSA_NULL 124
419#define RSA_F_RSA_NULL_MOD_EXP 131
420#define RSA_F_RSA_NULL_PRIVATE_DECRYPT 132
421#define RSA_F_RSA_NULL_PRIVATE_ENCRYPT 133
422#define RSA_F_RSA_NULL_PUBLIC_DECRYPT 134
423#define RSA_F_RSA_NULL_PUBLIC_ENCRYPT 135
424#define RSA_F_RSA_PADDING_ADD_NONE 107
425#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
426#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
427#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
428#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
429#define RSA_F_RSA_PADDING_ADD_SSLV23 110
430#define RSA_F_RSA_PADDING_ADD_X931 127
431#define RSA_F_RSA_PADDING_CHECK_NONE 111
432#define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP 122
433#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1 112
434#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2 113
435#define RSA_F_RSA_PADDING_CHECK_SSLV23 114
436#define RSA_F_RSA_PADDING_CHECK_X931 128
437#define RSA_F_RSA_PRINT 115
438#define RSA_F_RSA_PRINT_FP 116
439#define RSA_F_RSA_PRIV_DECODE 137
440#define RSA_F_RSA_PRIV_ENCODE 138
441#define RSA_F_RSA_PUB_DECODE 139
442#define RSA_F_RSA_SETUP_BLINDING 136
443#define RSA_F_RSA_SIGN 117
444#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
445#define RSA_F_RSA_VERIFY 119
446#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
447#define RSA_F_RSA_VERIFY_PKCS1_PSS 126
448
449/* Reason codes. */
450#define RSA_R_ALGORITHM_MISMATCH 100
451#define RSA_R_BAD_E_VALUE 101
452#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102
453#define RSA_R_BAD_PAD_BYTE_COUNT 103
454#define RSA_R_BAD_SIGNATURE 104
455#define RSA_R_BLOCK_TYPE_IS_NOT_01 106
456#define RSA_R_BLOCK_TYPE_IS_NOT_02 107
457#define RSA_R_DATA_GREATER_THAN_MOD_LEN 108
458#define RSA_R_DATA_TOO_LARGE 109
459#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 110
460#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132
461#define RSA_R_DATA_TOO_SMALL 111
462#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122
463#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112
464#define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124
465#define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125
466#define RSA_R_D_E_NOT_CONGRUENT_TO_1 123
467#define RSA_R_FIRST_OCTET_INVALID 133
468#define RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 144
469#define RSA_R_INVALID_DIGEST_LENGTH 143
470#define RSA_R_INVALID_HEADER 137
471#define RSA_R_INVALID_KEYBITS 145
472#define RSA_R_INVALID_MESSAGE_LENGTH 131
473#define RSA_R_INVALID_PADDING 138
474#define RSA_R_INVALID_PADDING_MODE 141
475#define RSA_R_INVALID_PSS_SALTLEN 146
476#define RSA_R_INVALID_TRAILER 139
477#define RSA_R_INVALID_X931_DIGEST 142
478#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
479#define RSA_R_KEY_SIZE_TOO_SMALL 120
480#define RSA_R_LAST_OCTET_INVALID 134
481#define RSA_R_MODULUS_TOO_LARGE 105
482#define RSA_R_NO_PUBLIC_EXPONENT 140
483#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
484#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
485#define RSA_R_OAEP_DECODING_ERROR 121
486#define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
487#define RSA_R_PADDING_CHECK_FAILED 114
488#define RSA_R_P_NOT_PRIME 128
489#define RSA_R_Q_NOT_PRIME 129
490#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130
491#define RSA_R_SLEN_CHECK_FAILED 136
492#define RSA_R_SLEN_RECOVERY_FAILED 135
493#define RSA_R_SSLV3_ROLLBACK_ATTACK 115
494#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
495#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117
496#define RSA_R_UNKNOWN_PADDING_TYPE 118
497#define RSA_R_VALUE_MISSING 147
498#define RSA_R_WRONG_SIGNATURE_LENGTH 119
499
500#ifdef __cplusplus
501}
502#endif
503#endif
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
new file mode 100644
index 0000000000..2460910ab2
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -0,0 +1,698 @@
1/* crypto/rsa/rsa_ameth.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1t.h>
62#include <openssl/x509.h>
63#include <openssl/rsa.h>
64#include <openssl/bn.h>
65#ifndef OPENSSL_NO_CMS
66#include <openssl/cms.h>
67#endif
68#include "asn1_locl.h"
69
70static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
71 {
72 unsigned char *penc = NULL;
73 int penclen;
74 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
75 if (penclen <= 0)
76 return 0;
77 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA),
78 V_ASN1_NULL, NULL, penc, penclen))
79 return 1;
80
81 OPENSSL_free(penc);
82 return 0;
83 }
84
85static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
86 {
87 const unsigned char *p;
88 int pklen;
89 RSA *rsa = NULL;
90 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey))
91 return 0;
92 if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen)))
93 {
94 RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
95 return 0;
96 }
97 EVP_PKEY_assign_RSA (pkey, rsa);
98 return 1;
99 }
100
101static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
102 {
103 if (BN_cmp(b->pkey.rsa->n,a->pkey.rsa->n) != 0
104 || BN_cmp(b->pkey.rsa->e,a->pkey.rsa->e) != 0)
105 return 0;
106 return 1;
107 }
108
109static int old_rsa_priv_decode(EVP_PKEY *pkey,
110 const unsigned char **pder, int derlen)
111 {
112 RSA *rsa;
113 if (!(rsa = d2i_RSAPrivateKey (NULL, pder, derlen)))
114 {
115 RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
116 return 0;
117 }
118 EVP_PKEY_assign_RSA(pkey, rsa);
119 return 1;
120 }
121
122static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
123 {
124 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
125 }
126
127static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
128 {
129 unsigned char *rk = NULL;
130 int rklen;
131 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
132
133 if (rklen <= 0)
134 {
135 RSAerr(RSA_F_RSA_PRIV_ENCODE,ERR_R_MALLOC_FAILURE);
136 return 0;
137 }
138
139 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0,
140 V_ASN1_NULL, NULL, rk, rklen))
141 {
142 RSAerr(RSA_F_RSA_PRIV_ENCODE,ERR_R_MALLOC_FAILURE);
143 return 0;
144 }
145
146 return 1;
147 }
148
149static int rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
150 {
151 const unsigned char *p;
152 int pklen;
153 if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8))
154 return 0;
155 return old_rsa_priv_decode(pkey, &p, pklen);
156 }
157
158static int int_rsa_size(const EVP_PKEY *pkey)
159 {
160 return RSA_size(pkey->pkey.rsa);
161 }
162
163static int rsa_bits(const EVP_PKEY *pkey)
164 {
165 return BN_num_bits(pkey->pkey.rsa->n);
166 }
167
168static void int_rsa_free(EVP_PKEY *pkey)
169 {
170 RSA_free(pkey->pkey.rsa);
171 }
172
173
174static void update_buflen(const BIGNUM *b, size_t *pbuflen)
175 {
176 size_t i;
177 if (!b)
178 return;
179 if (*pbuflen < (i = (size_t)BN_num_bytes(b)))
180 *pbuflen = i;
181 }
182
183static int do_rsa_print(BIO *bp, const RSA *x, int off, int priv)
184 {
185 char *str;
186 const char *s;
187 unsigned char *m=NULL;
188 int ret=0, mod_len = 0;
189 size_t buf_len=0;
190
191 update_buflen(x->n, &buf_len);
192 update_buflen(x->e, &buf_len);
193
194 if (priv)
195 {
196 update_buflen(x->d, &buf_len);
197 update_buflen(x->p, &buf_len);
198 update_buflen(x->q, &buf_len);
199 update_buflen(x->dmp1, &buf_len);
200 update_buflen(x->dmq1, &buf_len);
201 update_buflen(x->iqmp, &buf_len);
202 }
203
204 m=(unsigned char *)OPENSSL_malloc(buf_len+10);
205 if (m == NULL)
206 {
207 RSAerr(RSA_F_DO_RSA_PRINT,ERR_R_MALLOC_FAILURE);
208 goto err;
209 }
210
211 if (x->n != NULL)
212 mod_len = BN_num_bits(x->n);
213
214 if(!BIO_indent(bp,off,128))
215 goto err;
216
217 if (priv && x->d)
218 {
219 if (BIO_printf(bp,"Private-Key: (%d bit)\n", mod_len)
220 <= 0) goto err;
221 str = "modulus:";
222 s = "publicExponent:";
223 }
224 else
225 {
226 if (BIO_printf(bp,"Public-Key: (%d bit)\n", mod_len)
227 <= 0) goto err;
228 str = "Modulus:";
229 s= "Exponent:";
230 }
231 if (!ASN1_bn_print(bp,str,x->n,m,off)) goto err;
232 if (!ASN1_bn_print(bp,s,x->e,m,off))
233 goto err;
234 if (priv)
235 {
236 if (!ASN1_bn_print(bp,"privateExponent:",x->d,m,off))
237 goto err;
238 if (!ASN1_bn_print(bp,"prime1:",x->p,m,off))
239 goto err;
240 if (!ASN1_bn_print(bp,"prime2:",x->q,m,off))
241 goto err;
242 if (!ASN1_bn_print(bp,"exponent1:",x->dmp1,m,off))
243 goto err;
244 if (!ASN1_bn_print(bp,"exponent2:",x->dmq1,m,off))
245 goto err;
246 if (!ASN1_bn_print(bp,"coefficient:",x->iqmp,m,off))
247 goto err;
248 }
249 ret=1;
250err:
251 if (m != NULL) OPENSSL_free(m);
252 return(ret);
253 }
254
255static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
256 ASN1_PCTX *ctx)
257 {
258 return do_rsa_print(bp, pkey->pkey.rsa, indent, 0);
259 }
260
261
262static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
263 ASN1_PCTX *ctx)
264 {
265 return do_rsa_print(bp, pkey->pkey.rsa, indent, 1);
266 }
267
268static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg,
269 X509_ALGOR **pmaskHash)
270 {
271 const unsigned char *p;
272 int plen;
273 RSA_PSS_PARAMS *pss;
274
275 *pmaskHash = NULL;
276
277 if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE)
278 return NULL;
279 p = alg->parameter->value.sequence->data;
280 plen = alg->parameter->value.sequence->length;
281 pss = d2i_RSA_PSS_PARAMS(NULL, &p, plen);
282
283 if (!pss)
284 return NULL;
285
286 if (pss->maskGenAlgorithm)
287 {
288 ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
289 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
290 && param->type == V_ASN1_SEQUENCE)
291 {
292 p = param->value.sequence->data;
293 plen = param->value.sequence->length;
294 *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
295 }
296 }
297
298 return pss;
299 }
300
301static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
302 X509_ALGOR *maskHash, int indent)
303 {
304 int rv = 0;
305 if (!pss)
306 {
307 if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0)
308 return 0;
309 return 1;
310 }
311 if (BIO_puts(bp, "\n") <= 0)
312 goto err;
313 if (!BIO_indent(bp, indent, 128))
314 goto err;
315 if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
316 goto err;
317
318 if (pss->hashAlgorithm)
319 {
320 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
321 goto err;
322 }
323 else if (BIO_puts(bp, "sha1 (default)") <= 0)
324 goto err;
325
326 if (BIO_puts(bp, "\n") <= 0)
327 goto err;
328
329 if (!BIO_indent(bp, indent, 128))
330 goto err;
331
332 if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
333 goto err;
334 if (pss->maskGenAlgorithm)
335 {
336 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
337 goto err;
338 if (BIO_puts(bp, " with ") <= 0)
339 goto err;
340 if (maskHash)
341 {
342 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
343 goto err;
344 }
345 else if (BIO_puts(bp, "INVALID") <= 0)
346 goto err;
347 }
348 else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0)
349 goto err;
350 BIO_puts(bp, "\n");
351
352 if (!BIO_indent(bp, indent, 128))
353 goto err;
354 if (BIO_puts(bp, "Salt Length: ") <= 0)
355 goto err;
356 if (pss->saltLength)
357 {
358 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
359 goto err;
360 }
361 else if (BIO_puts(bp, "20 (default)") <= 0)
362 goto err;
363 BIO_puts(bp, "\n");
364
365 if (!BIO_indent(bp, indent, 128))
366 goto err;
367 if (BIO_puts(bp, "Trailer Field: ") <= 0)
368 goto err;
369 if (pss->trailerField)
370 {
371 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
372 goto err;
373 }
374 else if (BIO_puts(bp, "0xbc (default)") <= 0)
375 goto err;
376 BIO_puts(bp, "\n");
377
378 rv = 1;
379
380 err:
381 return rv;
382
383 }
384
385static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
386 const ASN1_STRING *sig,
387 int indent, ASN1_PCTX *pctx)
388 {
389 if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss)
390 {
391 int rv;
392 RSA_PSS_PARAMS *pss;
393 X509_ALGOR *maskHash;
394 pss = rsa_pss_decode(sigalg, &maskHash);
395 rv = rsa_pss_param_print(bp, pss, maskHash, indent);
396 if (pss)
397 RSA_PSS_PARAMS_free(pss);
398 if (maskHash)
399 X509_ALGOR_free(maskHash);
400 if (!rv)
401 return 0;
402 }
403 else if (!sig && BIO_puts(bp, "\n") <= 0)
404 return 0;
405 if (sig)
406 return X509_signature_dump(bp, sig, indent);
407 return 1;
408 }
409
410static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
411 {
412 X509_ALGOR *alg = NULL;
413 switch (op)
414 {
415
416 case ASN1_PKEY_CTRL_PKCS7_SIGN:
417 if (arg1 == 0)
418 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
419 break;
420
421 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
422 if (arg1 == 0)
423 PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
424 break;
425#ifndef OPENSSL_NO_CMS
426 case ASN1_PKEY_CTRL_CMS_SIGN:
427 if (arg1 == 0)
428 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, NULL, &alg);
429 break;
430
431 case ASN1_PKEY_CTRL_CMS_ENVELOPE:
432 if (arg1 == 0)
433 CMS_RecipientInfo_ktri_get0_algs(arg2, NULL, NULL, &alg);
434 break;
435#endif
436
437 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
438 *(int *)arg2 = NID_sha1;
439 return 1;
440
441 default:
442 return -2;
443
444 }
445
446 if (alg)
447 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
448 V_ASN1_NULL, 0);
449
450 return 1;
451
452 }
453
454/* Customised RSA item verification routine. This is called
455 * when a signature is encountered requiring special handling. We
456 * currently only handle PSS.
457 */
458
459
460static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
461 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig,
462 EVP_PKEY *pkey)
463 {
464 int rv = -1;
465 int saltlen;
466 const EVP_MD *mgf1md = NULL, *md = NULL;
467 RSA_PSS_PARAMS *pss;
468 X509_ALGOR *maskHash;
469 EVP_PKEY_CTX *pkctx;
470 /* Sanity check: make sure it is PSS */
471 if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss)
472 {
473 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
474 return -1;
475 }
476 /* Decode PSS parameters */
477 pss = rsa_pss_decode(sigalg, &maskHash);
478
479 if (pss == NULL)
480 {
481 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_PSS_PARAMETERS);
482 goto err;
483 }
484 /* Check mask and lookup mask hash algorithm */
485 if (pss->maskGenAlgorithm)
486 {
487 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) != NID_mgf1)
488 {
489 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_MASK_ALGORITHM);
490 goto err;
491 }
492 if (!maskHash)
493 {
494 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_MASK_PARAMETER);
495 goto err;
496 }
497 mgf1md = EVP_get_digestbyobj(maskHash->algorithm);
498 if (mgf1md == NULL)
499 {
500 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_MASK_DIGEST);
501 goto err;
502 }
503 }
504 else
505 mgf1md = EVP_sha1();
506
507 if (pss->hashAlgorithm)
508 {
509 md = EVP_get_digestbyobj(pss->hashAlgorithm->algorithm);
510 if (md == NULL)
511 {
512 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_PSS_DIGEST);
513 goto err;
514 }
515 }
516 else
517 md = EVP_sha1();
518
519 if (pss->saltLength)
520 {
521 saltlen = ASN1_INTEGER_get(pss->saltLength);
522
523 /* Could perform more salt length sanity checks but the main
524 * RSA routines will trap other invalid values anyway.
525 */
526 if (saltlen < 0)
527 {
528 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_SALT_LENGTH);
529 goto err;
530 }
531 }
532 else
533 saltlen = 20;
534
535 /* low-level routines support only trailer field 0xbc (value 1)
536 * and PKCS#1 says we should reject any other value anyway.
537 */
538 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1)
539 {
540 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_TRAILER);
541 goto err;
542 }
543
544 /* We have all parameters now set up context */
545
546 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
547 goto err;
548
549 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
550 goto err;
551
552 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
553 goto err;
554
555 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
556 goto err;
557 /* Carry on */
558 rv = 2;
559
560 err:
561 RSA_PSS_PARAMS_free(pss);
562 if (maskHash)
563 X509_ALGOR_free(maskHash);
564 return rv;
565 }
566
567static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
568 X509_ALGOR *alg1, X509_ALGOR *alg2,
569 ASN1_BIT_STRING *sig)
570 {
571 int pad_mode;
572 EVP_PKEY_CTX *pkctx = ctx->pctx;
573 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
574 return 0;
575 if (pad_mode == RSA_PKCS1_PADDING)
576 return 2;
577 if (pad_mode == RSA_PKCS1_PSS_PADDING)
578 {
579 const EVP_MD *sigmd, *mgf1md;
580 RSA_PSS_PARAMS *pss = NULL;
581 X509_ALGOR *mgf1alg = NULL;
582 ASN1_STRING *os1 = NULL, *os2 = NULL;
583 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
584 int saltlen, rv = 0;
585 sigmd = EVP_MD_CTX_md(ctx);
586 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
587 goto err;
588 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
589 goto err;
590 if (saltlen == -1)
591 saltlen = EVP_MD_size(sigmd);
592 else if (saltlen == -2)
593 {
594 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
595 if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0)
596 saltlen--;
597 }
598 pss = RSA_PSS_PARAMS_new();
599 if (!pss)
600 goto err;
601 if (saltlen != 20)
602 {
603 pss->saltLength = ASN1_INTEGER_new();
604 if (!pss->saltLength)
605 goto err;
606 if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
607 goto err;
608 }
609 if (EVP_MD_type(sigmd) != NID_sha1)
610 {
611 pss->hashAlgorithm = X509_ALGOR_new();
612 if (!pss->hashAlgorithm)
613 goto err;
614 X509_ALGOR_set_md(pss->hashAlgorithm, sigmd);
615 }
616 if (EVP_MD_type(mgf1md) != NID_sha1)
617 {
618 ASN1_STRING *stmp = NULL;
619 /* need to embed algorithm ID inside another */
620 mgf1alg = X509_ALGOR_new();
621 X509_ALGOR_set_md(mgf1alg, mgf1md);
622 if (!ASN1_item_pack(mgf1alg, ASN1_ITEM_rptr(X509_ALGOR),
623 &stmp))
624 goto err;
625 pss->maskGenAlgorithm = X509_ALGOR_new();
626 if (!pss->maskGenAlgorithm)
627 goto err;
628 X509_ALGOR_set0(pss->maskGenAlgorithm,
629 OBJ_nid2obj(NID_mgf1),
630 V_ASN1_SEQUENCE, stmp);
631 }
632 /* Finally create string with pss parameter encoding. */
633 if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os1))
634 goto err;
635 if (alg2)
636 {
637 os2 = ASN1_STRING_dup(os1);
638 if (!os2)
639 goto err;
640 X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss),
641 V_ASN1_SEQUENCE, os2);
642 }
643 X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss),
644 V_ASN1_SEQUENCE, os1);
645 os1 = os2 = NULL;
646 rv = 3;
647 err:
648 if (mgf1alg)
649 X509_ALGOR_free(mgf1alg);
650 if (pss)
651 RSA_PSS_PARAMS_free(pss);
652 if (os1)
653 ASN1_STRING_free(os1);
654 return rv;
655
656 }
657 return 2;
658 }
659
660const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] =
661 {
662 {
663 EVP_PKEY_RSA,
664 EVP_PKEY_RSA,
665 ASN1_PKEY_SIGPARAM_NULL,
666
667 "RSA",
668 "OpenSSL RSA method",
669
670 rsa_pub_decode,
671 rsa_pub_encode,
672 rsa_pub_cmp,
673 rsa_pub_print,
674
675 rsa_priv_decode,
676 rsa_priv_encode,
677 rsa_priv_print,
678
679 int_rsa_size,
680 rsa_bits,
681
682 0,0,0,0,0,0,
683
684 rsa_sig_print,
685 int_rsa_free,
686 rsa_pkey_ctrl,
687 old_rsa_priv_decode,
688 old_rsa_priv_encode,
689 rsa_item_verify,
690 rsa_item_sign
691 },
692
693 {
694 EVP_PKEY_RSA2,
695 EVP_PKEY_RSA,
696 ASN1_PKEY_ALIAS
697 }
698 };
diff --git a/src/lib/libcrypto/rsa/rsa_asn1.c b/src/lib/libcrypto/rsa/rsa_asn1.c
new file mode 100644
index 0000000000..4efca8cdc8
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_asn1.c
@@ -0,0 +1,111 @@
1/* rsa_asn1.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2000.
4 */
5/* ====================================================================
6 * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rsa.h>
63#include <openssl/asn1t.h>
64
65/* Override the default free and new methods */
66static int rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
67 void *exarg)
68{
69 if(operation == ASN1_OP_NEW_PRE) {
70 *pval = (ASN1_VALUE *)RSA_new();
71 if(*pval) return 2;
72 return 0;
73 } else if(operation == ASN1_OP_FREE_PRE) {
74 RSA_free((RSA *)*pval);
75 *pval = NULL;
76 return 2;
77 }
78 return 1;
79}
80
81ASN1_SEQUENCE_cb(RSAPrivateKey, rsa_cb) = {
82 ASN1_SIMPLE(RSA, version, LONG),
83 ASN1_SIMPLE(RSA, n, BIGNUM),
84 ASN1_SIMPLE(RSA, e, BIGNUM),
85 ASN1_SIMPLE(RSA, d, BIGNUM),
86 ASN1_SIMPLE(RSA, p, BIGNUM),
87 ASN1_SIMPLE(RSA, q, BIGNUM),
88 ASN1_SIMPLE(RSA, dmp1, BIGNUM),
89 ASN1_SIMPLE(RSA, dmq1, BIGNUM),
90 ASN1_SIMPLE(RSA, iqmp, BIGNUM)
91} ASN1_SEQUENCE_END_cb(RSA, RSAPrivateKey)
92
93
94ASN1_SEQUENCE_cb(RSAPublicKey, rsa_cb) = {
95 ASN1_SIMPLE(RSA, n, BIGNUM),
96 ASN1_SIMPLE(RSA, e, BIGNUM),
97} ASN1_SEQUENCE_END_cb(RSA, RSAPublicKey)
98
99IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPrivateKey, RSAPrivateKey)
100
101IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPublicKey, RSAPublicKey)
102
103RSA *RSAPublicKey_dup(RSA *rsa)
104 {
105 return ASN1_item_dup(ASN1_ITEM_rptr(RSAPublicKey), rsa);
106 }
107
108RSA *RSAPrivateKey_dup(RSA *rsa)
109 {
110 return ASN1_item_dup(ASN1_ITEM_rptr(RSAPrivateKey), rsa);
111 }
diff --git a/src/lib/libcrypto/rsa/rsa_chk.c b/src/lib/libcrypto/rsa/rsa_chk.c
new file mode 100644
index 0000000000..9d848db8c6
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_chk.c
@@ -0,0 +1,184 @@
1/* crypto/rsa/rsa_chk.c -*- Mode: C; c-file-style: "eay" -*- */
2/* ====================================================================
3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 */
50
51#include <openssl/bn.h>
52#include <openssl/err.h>
53#include <openssl/rsa.h>
54
55
56int RSA_check_key(const RSA *key)
57 {
58 BIGNUM *i, *j, *k, *l, *m;
59 BN_CTX *ctx;
60 int r;
61 int ret=1;
62
63 i = BN_new();
64 j = BN_new();
65 k = BN_new();
66 l = BN_new();
67 m = BN_new();
68 ctx = BN_CTX_new();
69 if (i == NULL || j == NULL || k == NULL || l == NULL ||
70 m == NULL || ctx == NULL)
71 {
72 ret = -1;
73 RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
74 goto err;
75 }
76
77 /* p prime? */
78 r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
79 if (r != 1)
80 {
81 ret = r;
82 if (r != 0)
83 goto err;
84 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
85 }
86
87 /* q prime? */
88 r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
89 if (r != 1)
90 {
91 ret = r;
92 if (r != 0)
93 goto err;
94 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
95 }
96
97 /* n = p*q? */
98 r = BN_mul(i, key->p, key->q, ctx);
99 if (!r) { ret = -1; goto err; }
100
101 if (BN_cmp(i, key->n) != 0)
102 {
103 ret = 0;
104 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
105 }
106
107 /* d*e = 1 mod lcm(p-1,q-1)? */
108
109 r = BN_sub(i, key->p, BN_value_one());
110 if (!r) { ret = -1; goto err; }
111 r = BN_sub(j, key->q, BN_value_one());
112 if (!r) { ret = -1; goto err; }
113
114 /* now compute k = lcm(i,j) */
115 r = BN_mul(l, i, j, ctx);
116 if (!r) { ret = -1; goto err; }
117 r = BN_gcd(m, i, j, ctx);
118 if (!r) { ret = -1; goto err; }
119 r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */
120 if (!r) { ret = -1; goto err; }
121
122 r = BN_mod_mul(i, key->d, key->e, k, ctx);
123 if (!r) { ret = -1; goto err; }
124
125 if (!BN_is_one(i))
126 {
127 ret = 0;
128 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1);
129 }
130
131 if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL)
132 {
133 /* dmp1 = d mod (p-1)? */
134 r = BN_sub(i, key->p, BN_value_one());
135 if (!r) { ret = -1; goto err; }
136
137 r = BN_mod(j, key->d, i, ctx);
138 if (!r) { ret = -1; goto err; }
139
140 if (BN_cmp(j, key->dmp1) != 0)
141 {
142 ret = 0;
143 RSAerr(RSA_F_RSA_CHECK_KEY,
144 RSA_R_DMP1_NOT_CONGRUENT_TO_D);
145 }
146
147 /* dmq1 = d mod (q-1)? */
148 r = BN_sub(i, key->q, BN_value_one());
149 if (!r) { ret = -1; goto err; }
150
151 r = BN_mod(j, key->d, i, ctx);
152 if (!r) { ret = -1; goto err; }
153
154 if (BN_cmp(j, key->dmq1) != 0)
155 {
156 ret = 0;
157 RSAerr(RSA_F_RSA_CHECK_KEY,
158 RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
159 }
160
161 /* iqmp = q^-1 mod p? */
162 if(!BN_mod_inverse(i, key->q, key->p, ctx))
163 {
164 ret = -1;
165 goto err;
166 }
167
168 if (BN_cmp(i, key->iqmp) != 0)
169 {
170 ret = 0;
171 RSAerr(RSA_F_RSA_CHECK_KEY,
172 RSA_R_IQMP_NOT_INVERSE_OF_Q);
173 }
174 }
175
176 err:
177 if (i != NULL) BN_free(i);
178 if (j != NULL) BN_free(j);
179 if (k != NULL) BN_free(k);
180 if (l != NULL) BN_free(l);
181 if (m != NULL) BN_free(m);
182 if (ctx != NULL) BN_CTX_free(ctx);
183 return (ret);
184 }
diff --git a/src/lib/libcrypto/rsa/rsa_crpt.c b/src/lib/libcrypto/rsa/rsa_crpt.c
new file mode 100644
index 0000000000..d3e44785dc
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_crpt.c
@@ -0,0 +1,257 @@
1/* crypto/rsa/rsa_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/crypto.h>
61#include "cryptlib.h"
62#include <openssl/lhash.h>
63#include <openssl/bn.h>
64#include <openssl/rsa.h>
65#include <openssl/rand.h>
66#ifndef OPENSSL_NO_ENGINE
67#include <openssl/engine.h>
68#endif
69
70int RSA_size(const RSA *r)
71 {
72 return(BN_num_bytes(r->n));
73 }
74
75int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
76 RSA *rsa, int padding)
77 {
78#ifdef OPENSSL_FIPS
79 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
80 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
81 {
82 RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
83 return -1;
84 }
85#endif
86 return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
87 }
88
89int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
90 RSA *rsa, int padding)
91 {
92#ifdef OPENSSL_FIPS
93 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
94 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
95 {
96 RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
97 return -1;
98 }
99#endif
100 return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
101 }
102
103int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
104 RSA *rsa, int padding)
105 {
106#ifdef OPENSSL_FIPS
107 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
108 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
109 {
110 RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
111 return -1;
112 }
113#endif
114 return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
115 }
116
117int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
118 RSA *rsa, int padding)
119 {
120#ifdef OPENSSL_FIPS
121 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
122 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
123 {
124 RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
125 return -1;
126 }
127#endif
128 return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
129 }
130
131int RSA_flags(const RSA *r)
132 {
133 return((r == NULL)?0:r->meth->flags);
134 }
135
136void RSA_blinding_off(RSA *rsa)
137 {
138 if (rsa->blinding != NULL)
139 {
140 BN_BLINDING_free(rsa->blinding);
141 rsa->blinding=NULL;
142 }
143 rsa->flags &= ~RSA_FLAG_BLINDING;
144 rsa->flags |= RSA_FLAG_NO_BLINDING;
145 }
146
147int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
148 {
149 int ret=0;
150
151 if (rsa->blinding != NULL)
152 RSA_blinding_off(rsa);
153
154 rsa->blinding = RSA_setup_blinding(rsa, ctx);
155 if (rsa->blinding == NULL)
156 goto err;
157
158 rsa->flags |= RSA_FLAG_BLINDING;
159 rsa->flags &= ~RSA_FLAG_NO_BLINDING;
160 ret=1;
161err:
162 return(ret);
163 }
164
165static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
166 const BIGNUM *q, BN_CTX *ctx)
167{
168 BIGNUM *ret = NULL, *r0, *r1, *r2;
169
170 if (d == NULL || p == NULL || q == NULL)
171 return NULL;
172
173 BN_CTX_start(ctx);
174 r0 = BN_CTX_get(ctx);
175 r1 = BN_CTX_get(ctx);
176 r2 = BN_CTX_get(ctx);
177 if (r2 == NULL)
178 goto err;
179
180 if (!BN_sub(r1, p, BN_value_one())) goto err;
181 if (!BN_sub(r2, q, BN_value_one())) goto err;
182 if (!BN_mul(r0, r1, r2, ctx)) goto err;
183
184 ret = BN_mod_inverse(NULL, d, r0, ctx);
185err:
186 BN_CTX_end(ctx);
187 return ret;
188}
189
190BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
191{
192 BIGNUM local_n;
193 BIGNUM *e,*n;
194 BN_CTX *ctx;
195 BN_BLINDING *ret = NULL;
196
197 if (in_ctx == NULL)
198 {
199 if ((ctx = BN_CTX_new()) == NULL) return 0;
200 }
201 else
202 ctx = in_ctx;
203
204 BN_CTX_start(ctx);
205 e = BN_CTX_get(ctx);
206 if (e == NULL)
207 {
208 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
209 goto err;
210 }
211
212 if (rsa->e == NULL)
213 {
214 e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
215 if (e == NULL)
216 {
217 RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
218 goto err;
219 }
220 }
221 else
222 e = rsa->e;
223
224
225 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
226 {
227 /* if PRNG is not properly seeded, resort to secret
228 * exponent as unpredictable seed */
229 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
230 }
231
232 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
233 {
234 /* Set BN_FLG_CONSTTIME flag */
235 n = &local_n;
236 BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
237 }
238 else
239 n = rsa->n;
240
241 ret = BN_BLINDING_create_param(NULL, e, n, ctx,
242 rsa->meth->bn_mod_exp, rsa->_method_mod_n);
243 if (ret == NULL)
244 {
245 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
246 goto err;
247 }
248 CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
249err:
250 BN_CTX_end(ctx);
251 if (in_ctx == NULL)
252 BN_CTX_free(ctx);
253 if(rsa->e == NULL)
254 BN_free(e);
255
256 return ret;
257}
diff --git a/src/lib/libcrypto/rsa/rsa_depr.c b/src/lib/libcrypto/rsa/rsa_depr.c
new file mode 100644
index 0000000000..a859ded987
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_depr.c
@@ -0,0 +1,101 @@
1/* crypto/rsa/rsa_depr.c */
2/* ====================================================================
3 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NB: This file contains deprecated functions (compatibility wrappers to the
57 * "new" versions). */
58
59#include <stdio.h>
60#include <time.h>
61#include "cryptlib.h"
62#include <openssl/bn.h>
63#include <openssl/rsa.h>
64
65#ifdef OPENSSL_NO_DEPRECATED
66
67static void *dummy=&dummy;
68
69#else
70
71RSA *RSA_generate_key(int bits, unsigned long e_value,
72 void (*callback)(int,int,void *), void *cb_arg)
73 {
74 BN_GENCB cb;
75 int i;
76 RSA *rsa = RSA_new();
77 BIGNUM *e = BN_new();
78
79 if(!rsa || !e) goto err;
80
81 /* The problem is when building with 8, 16, or 32 BN_ULONG,
82 * unsigned long can be larger */
83 for (i=0; i<(int)sizeof(unsigned long)*8; i++)
84 {
85 if (e_value & (1UL<<i))
86 if (BN_set_bit(e,i) == 0)
87 goto err;
88 }
89
90 BN_GENCB_set_old(&cb, callback, cb_arg);
91
92 if(RSA_generate_key_ex(rsa, bits, e, &cb)) {
93 BN_free(e);
94 return rsa;
95 }
96err:
97 if(e) BN_free(e);
98 if(rsa) RSA_free(rsa);
99 return 0;
100 }
101#endif
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
new file mode 100644
index 0000000000..2e1ddd48d3
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -0,0 +1,915 @@
1/* crypto/rsa/rsa_eay.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#include <stdio.h>
113#include "cryptlib.h"
114#include <openssl/bn.h>
115#include <openssl/rsa.h>
116#include <openssl/rand.h>
117
118#ifndef RSA_NULL
119
120static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
121 unsigned char *to, RSA *rsa,int padding);
122static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
123 unsigned char *to, RSA *rsa,int padding);
124static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
125 unsigned char *to, RSA *rsa,int padding);
126static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
127 unsigned char *to, RSA *rsa,int padding);
128static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
129static int RSA_eay_init(RSA *rsa);
130static int RSA_eay_finish(RSA *rsa);
131static RSA_METHOD rsa_pkcs1_eay_meth={
132 "Eric Young's PKCS#1 RSA",
133 RSA_eay_public_encrypt,
134 RSA_eay_public_decrypt, /* signature verification */
135 RSA_eay_private_encrypt, /* signing */
136 RSA_eay_private_decrypt,
137 RSA_eay_mod_exp,
138 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
139 RSA_eay_init,
140 RSA_eay_finish,
141 0, /* flags */
142 NULL,
143 0, /* rsa_sign */
144 0, /* rsa_verify */
145 NULL /* rsa_keygen */
146 };
147
148const RSA_METHOD *RSA_PKCS1_SSLeay(void)
149 {
150 return(&rsa_pkcs1_eay_meth);
151 }
152
153static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
154 unsigned char *to, RSA *rsa, int padding)
155 {
156 BIGNUM *f,*ret;
157 int i,j,k,num=0,r= -1;
158 unsigned char *buf=NULL;
159 BN_CTX *ctx=NULL;
160
161 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
162 {
163 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
164 return -1;
165 }
166
167 if (BN_ucmp(rsa->n, rsa->e) <= 0)
168 {
169 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
170 return -1;
171 }
172
173 /* for large moduli, enforce exponent limit */
174 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
175 {
176 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
177 {
178 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
179 return -1;
180 }
181 }
182
183 if ((ctx=BN_CTX_new()) == NULL) goto err;
184 BN_CTX_start(ctx);
185 f = BN_CTX_get(ctx);
186 ret = BN_CTX_get(ctx);
187 num=BN_num_bytes(rsa->n);
188 buf = OPENSSL_malloc(num);
189 if (!f || !ret || !buf)
190 {
191 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
192 goto err;
193 }
194
195 switch (padding)
196 {
197 case RSA_PKCS1_PADDING:
198 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
199 break;
200#ifndef OPENSSL_NO_SHA
201 case RSA_PKCS1_OAEP_PADDING:
202 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
203 break;
204#endif
205 case RSA_SSLV23_PADDING:
206 i=RSA_padding_add_SSLv23(buf,num,from,flen);
207 break;
208 case RSA_NO_PADDING:
209 i=RSA_padding_add_none(buf,num,from,flen);
210 break;
211 default:
212 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
213 goto err;
214 }
215 if (i <= 0) goto err;
216
217 if (BN_bin2bn(buf,num,f) == NULL) goto err;
218
219 if (BN_ucmp(f, rsa->n) >= 0)
220 {
221 /* usually the padding functions would catch this */
222 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
223 goto err;
224 }
225
226 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
227 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
228 goto err;
229
230 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
231 rsa->_method_mod_n)) goto err;
232
233 /* put in leading 0 bytes if the number is less than the
234 * length of the modulus */
235 j=BN_num_bytes(ret);
236 i=BN_bn2bin(ret,&(to[num-j]));
237 for (k=0; k<(num-i); k++)
238 to[k]=0;
239
240 r=num;
241err:
242 if (ctx != NULL)
243 {
244 BN_CTX_end(ctx);
245 BN_CTX_free(ctx);
246 }
247 if (buf != NULL)
248 {
249 OPENSSL_cleanse(buf,num);
250 OPENSSL_free(buf);
251 }
252 return(r);
253 }
254
255static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
256{
257 BN_BLINDING *ret;
258 int got_write_lock = 0;
259 CRYPTO_THREADID cur;
260
261 CRYPTO_r_lock(CRYPTO_LOCK_RSA);
262
263 if (rsa->blinding == NULL)
264 {
265 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
266 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
267 got_write_lock = 1;
268
269 if (rsa->blinding == NULL)
270 rsa->blinding = RSA_setup_blinding(rsa, ctx);
271 }
272
273 ret = rsa->blinding;
274 if (ret == NULL)
275 goto err;
276
277 CRYPTO_THREADID_current(&cur);
278 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret)))
279 {
280 /* rsa->blinding is ours! */
281
282 *local = 1;
283 }
284 else
285 {
286 /* resort to rsa->mt_blinding instead */
287
288 *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
289 * that the BN_BLINDING is shared, meaning that accesses
290 * require locks, and that the blinding factor must be
291 * stored outside the BN_BLINDING
292 */
293
294 if (rsa->mt_blinding == NULL)
295 {
296 if (!got_write_lock)
297 {
298 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
299 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
300 got_write_lock = 1;
301 }
302
303 if (rsa->mt_blinding == NULL)
304 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
305 }
306 ret = rsa->mt_blinding;
307 }
308
309 err:
310 if (got_write_lock)
311 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
312 else
313 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
314 return ret;
315}
316
317static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
318 BN_CTX *ctx)
319 {
320 if (unblind == NULL)
321 /* Local blinding: store the unblinding factor
322 * in BN_BLINDING. */
323 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
324 else
325 {
326 /* Shared blinding: store the unblinding factor
327 * outside BN_BLINDING. */
328 int ret;
329 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
330 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
331 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
332 return ret;
333 }
334 }
335
336static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
337 BN_CTX *ctx)
338 {
339 /* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
340 * will use the unblinding factor stored in BN_BLINDING.
341 * If BN_BLINDING is shared between threads, unblind must be non-null:
342 * BN_BLINDING_invert_ex will then use the local unblinding factor,
343 * and will only read the modulus from BN_BLINDING.
344 * In both cases it's safe to access the blinding without a lock.
345 */
346 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
347 }
348
349/* signing */
350static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
351 unsigned char *to, RSA *rsa, int padding)
352 {
353 BIGNUM *f, *ret, *res;
354 int i,j,k,num=0,r= -1;
355 unsigned char *buf=NULL;
356 BN_CTX *ctx=NULL;
357 int local_blinding = 0;
358 /* Used only if the blinding structure is shared. A non-NULL unblind
359 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
360 * the unblinding factor outside the blinding structure. */
361 BIGNUM *unblind = NULL;
362 BN_BLINDING *blinding = NULL;
363
364 if ((ctx=BN_CTX_new()) == NULL) goto err;
365 BN_CTX_start(ctx);
366 f = BN_CTX_get(ctx);
367 ret = BN_CTX_get(ctx);
368 num = BN_num_bytes(rsa->n);
369 buf = OPENSSL_malloc(num);
370 if(!f || !ret || !buf)
371 {
372 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
373 goto err;
374 }
375
376 switch (padding)
377 {
378 case RSA_PKCS1_PADDING:
379 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
380 break;
381 case RSA_X931_PADDING:
382 i=RSA_padding_add_X931(buf,num,from,flen);
383 break;
384 case RSA_NO_PADDING:
385 i=RSA_padding_add_none(buf,num,from,flen);
386 break;
387 case RSA_SSLV23_PADDING:
388 default:
389 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
390 goto err;
391 }
392 if (i <= 0) goto err;
393
394 if (BN_bin2bn(buf,num,f) == NULL) goto err;
395
396 if (BN_ucmp(f, rsa->n) >= 0)
397 {
398 /* usually the padding functions would catch this */
399 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
400 goto err;
401 }
402
403 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
404 {
405 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
406 if (blinding == NULL)
407 {
408 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
409 goto err;
410 }
411 }
412
413 if (blinding != NULL)
414 {
415 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
416 {
417 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
418 goto err;
419 }
420 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
421 goto err;
422 }
423
424 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
425 ((rsa->p != NULL) &&
426 (rsa->q != NULL) &&
427 (rsa->dmp1 != NULL) &&
428 (rsa->dmq1 != NULL) &&
429 (rsa->iqmp != NULL)) )
430 {
431 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
432 }
433 else
434 {
435 BIGNUM local_d;
436 BIGNUM *d = NULL;
437
438 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
439 {
440 BN_init(&local_d);
441 d = &local_d;
442 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
443 }
444 else
445 d= rsa->d;
446
447 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
448 if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
449 goto err;
450
451 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
452 rsa->_method_mod_n)) goto err;
453 }
454
455 if (blinding)
456 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
457 goto err;
458
459 if (padding == RSA_X931_PADDING)
460 {
461 BN_sub(f, rsa->n, ret);
462 if (BN_cmp(ret, f))
463 res = f;
464 else
465 res = ret;
466 }
467 else
468 res = ret;
469
470 /* put in leading 0 bytes if the number is less than the
471 * length of the modulus */
472 j=BN_num_bytes(res);
473 i=BN_bn2bin(res,&(to[num-j]));
474 for (k=0; k<(num-i); k++)
475 to[k]=0;
476
477 r=num;
478err:
479 if (ctx != NULL)
480 {
481 BN_CTX_end(ctx);
482 BN_CTX_free(ctx);
483 }
484 if (buf != NULL)
485 {
486 OPENSSL_cleanse(buf,num);
487 OPENSSL_free(buf);
488 }
489 return(r);
490 }
491
492static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
493 unsigned char *to, RSA *rsa, int padding)
494 {
495 BIGNUM *f, *ret;
496 int j,num=0,r= -1;
497 unsigned char *p;
498 unsigned char *buf=NULL;
499 BN_CTX *ctx=NULL;
500 int local_blinding = 0;
501 /* Used only if the blinding structure is shared. A non-NULL unblind
502 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
503 * the unblinding factor outside the blinding structure. */
504 BIGNUM *unblind = NULL;
505 BN_BLINDING *blinding = NULL;
506
507 if((ctx = BN_CTX_new()) == NULL) goto err;
508 BN_CTX_start(ctx);
509 f = BN_CTX_get(ctx);
510 ret = BN_CTX_get(ctx);
511 num = BN_num_bytes(rsa->n);
512 buf = OPENSSL_malloc(num);
513 if(!f || !ret || !buf)
514 {
515 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
516 goto err;
517 }
518
519 /* This check was for equality but PGP does evil things
520 * and chops off the top '0' bytes */
521 if (flen > num)
522 {
523 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
524 goto err;
525 }
526
527 /* make data into a big number */
528 if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;
529
530 if (BN_ucmp(f, rsa->n) >= 0)
531 {
532 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
533 goto err;
534 }
535
536 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
537 {
538 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
539 if (blinding == NULL)
540 {
541 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
542 goto err;
543 }
544 }
545
546 if (blinding != NULL)
547 {
548 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
549 {
550 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
551 goto err;
552 }
553 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
554 goto err;
555 }
556
557 /* do the decrypt */
558 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
559 ((rsa->p != NULL) &&
560 (rsa->q != NULL) &&
561 (rsa->dmp1 != NULL) &&
562 (rsa->dmq1 != NULL) &&
563 (rsa->iqmp != NULL)) )
564 {
565 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
566 }
567 else
568 {
569 BIGNUM local_d;
570 BIGNUM *d = NULL;
571
572 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
573 {
574 d = &local_d;
575 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
576 }
577 else
578 d = rsa->d;
579
580 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
581 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
582 goto err;
583 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
584 rsa->_method_mod_n))
585 goto err;
586 }
587
588 if (blinding)
589 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
590 goto err;
591
592 p=buf;
593 j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */
594
595 switch (padding)
596 {
597 case RSA_PKCS1_PADDING:
598 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
599 break;
600#ifndef OPENSSL_NO_SHA
601 case RSA_PKCS1_OAEP_PADDING:
602 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
603 break;
604#endif
605 case RSA_SSLV23_PADDING:
606 r=RSA_padding_check_SSLv23(to,num,buf,j,num);
607 break;
608 case RSA_NO_PADDING:
609 r=RSA_padding_check_none(to,num,buf,j,num);
610 break;
611 default:
612 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
613 goto err;
614 }
615 if (r < 0)
616 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
617
618err:
619 if (ctx != NULL)
620 {
621 BN_CTX_end(ctx);
622 BN_CTX_free(ctx);
623 }
624 if (buf != NULL)
625 {
626 OPENSSL_cleanse(buf,num);
627 OPENSSL_free(buf);
628 }
629 return(r);
630 }
631
632/* signature verification */
633static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
634 unsigned char *to, RSA *rsa, int padding)
635 {
636 BIGNUM *f,*ret;
637 int i,num=0,r= -1;
638 unsigned char *p;
639 unsigned char *buf=NULL;
640 BN_CTX *ctx=NULL;
641
642 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
643 {
644 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
645 return -1;
646 }
647
648 if (BN_ucmp(rsa->n, rsa->e) <= 0)
649 {
650 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
651 return -1;
652 }
653
654 /* for large moduli, enforce exponent limit */
655 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
656 {
657 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
658 {
659 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
660 return -1;
661 }
662 }
663
664 if((ctx = BN_CTX_new()) == NULL) goto err;
665 BN_CTX_start(ctx);
666 f = BN_CTX_get(ctx);
667 ret = BN_CTX_get(ctx);
668 num=BN_num_bytes(rsa->n);
669 buf = OPENSSL_malloc(num);
670 if(!f || !ret || !buf)
671 {
672 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
673 goto err;
674 }
675
676 /* This check was for equality but PGP does evil things
677 * and chops off the top '0' bytes */
678 if (flen > num)
679 {
680 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
681 goto err;
682 }
683
684 if (BN_bin2bn(from,flen,f) == NULL) goto err;
685
686 if (BN_ucmp(f, rsa->n) >= 0)
687 {
688 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
689 goto err;
690 }
691
692 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
693 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
694 goto err;
695
696 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
697 rsa->_method_mod_n)) goto err;
698
699 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
700 if (!BN_sub(ret, rsa->n, ret)) goto err;
701
702 p=buf;
703 i=BN_bn2bin(ret,p);
704
705 switch (padding)
706 {
707 case RSA_PKCS1_PADDING:
708 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
709 break;
710 case RSA_X931_PADDING:
711 r=RSA_padding_check_X931(to,num,buf,i,num);
712 break;
713 case RSA_NO_PADDING:
714 r=RSA_padding_check_none(to,num,buf,i,num);
715 break;
716 default:
717 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
718 goto err;
719 }
720 if (r < 0)
721 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
722
723err:
724 if (ctx != NULL)
725 {
726 BN_CTX_end(ctx);
727 BN_CTX_free(ctx);
728 }
729 if (buf != NULL)
730 {
731 OPENSSL_cleanse(buf,num);
732 OPENSSL_free(buf);
733 }
734 return(r);
735 }
736
737static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
738 {
739 BIGNUM *r1,*m1,*vrfy;
740 BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
741 BIGNUM *dmp1,*dmq1,*c,*pr1;
742 int ret=0;
743
744 BN_CTX_start(ctx);
745 r1 = BN_CTX_get(ctx);
746 m1 = BN_CTX_get(ctx);
747 vrfy = BN_CTX_get(ctx);
748
749 {
750 BIGNUM local_p, local_q;
751 BIGNUM *p = NULL, *q = NULL;
752
753 /* Make sure BN_mod_inverse in Montgomery intialization uses the
754 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
755 */
756 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
757 {
758 BN_init(&local_p);
759 p = &local_p;
760 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
761
762 BN_init(&local_q);
763 q = &local_q;
764 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
765 }
766 else
767 {
768 p = rsa->p;
769 q = rsa->q;
770 }
771
772 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
773 {
774 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
775 goto err;
776 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
777 goto err;
778 }
779 }
780
781 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
782 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
783 goto err;
784
785 /* compute I mod q */
786 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
787 {
788 c = &local_c;
789 BN_with_flags(c, I, BN_FLG_CONSTTIME);
790 if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
791 }
792 else
793 {
794 if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
795 }
796
797 /* compute r1^dmq1 mod q */
798 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
799 {
800 dmq1 = &local_dmq1;
801 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
802 }
803 else
804 dmq1 = rsa->dmq1;
805 if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
806 rsa->_method_mod_q)) goto err;
807
808 /* compute I mod p */
809 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
810 {
811 c = &local_c;
812 BN_with_flags(c, I, BN_FLG_CONSTTIME);
813 if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
814 }
815 else
816 {
817 if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
818 }
819
820 /* compute r1^dmp1 mod p */
821 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
822 {
823 dmp1 = &local_dmp1;
824 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
825 }
826 else
827 dmp1 = rsa->dmp1;
828 if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
829 rsa->_method_mod_p)) goto err;
830
831 if (!BN_sub(r0,r0,m1)) goto err;
832 /* This will help stop the size of r0 increasing, which does
833 * affect the multiply if it optimised for a power of 2 size */
834 if (BN_is_negative(r0))
835 if (!BN_add(r0,r0,rsa->p)) goto err;
836
837 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
838
839 /* Turn BN_FLG_CONSTTIME flag on before division operation */
840 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
841 {
842 pr1 = &local_r1;
843 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
844 }
845 else
846 pr1 = r1;
847 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
848
849 /* If p < q it is occasionally possible for the correction of
850 * adding 'p' if r0 is negative above to leave the result still
851 * negative. This can break the private key operations: the following
852 * second correction should *always* correct this rare occurrence.
853 * This will *never* happen with OpenSSL generated keys because
854 * they ensure p > q [steve]
855 */
856 if (BN_is_negative(r0))
857 if (!BN_add(r0,r0,rsa->p)) goto err;
858 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
859 if (!BN_add(r0,r1,m1)) goto err;
860
861 if (rsa->e && rsa->n)
862 {
863 if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
864 /* If 'I' was greater than (or equal to) rsa->n, the operation
865 * will be equivalent to using 'I mod n'. However, the result of
866 * the verify will *always* be less than 'n' so we don't check
867 * for absolute equality, just congruency. */
868 if (!BN_sub(vrfy, vrfy, I)) goto err;
869 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
870 if (BN_is_negative(vrfy))
871 if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
872 if (!BN_is_zero(vrfy))
873 {
874 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
875 * miscalculated CRT output, just do a raw (slower)
876 * mod_exp and return that instead. */
877
878 BIGNUM local_d;
879 BIGNUM *d = NULL;
880
881 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
882 {
883 d = &local_d;
884 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
885 }
886 else
887 d = rsa->d;
888 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
889 rsa->_method_mod_n)) goto err;
890 }
891 }
892 ret=1;
893err:
894 BN_CTX_end(ctx);
895 return(ret);
896 }
897
898static int RSA_eay_init(RSA *rsa)
899 {
900 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
901 return(1);
902 }
903
904static int RSA_eay_finish(RSA *rsa)
905 {
906 if (rsa->_method_mod_n != NULL)
907 BN_MONT_CTX_free(rsa->_method_mod_n);
908 if (rsa->_method_mod_p != NULL)
909 BN_MONT_CTX_free(rsa->_method_mod_p);
910 if (rsa->_method_mod_q != NULL)
911 BN_MONT_CTX_free(rsa->_method_mod_q);
912 return(1);
913 }
914
915#endif
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
new file mode 100644
index 0000000000..cf9f1106b0
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -0,0 +1,190 @@
1/* crypto/rsa/rsa_err.c */
2/* ====================================================================
3 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/rsa.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RSA,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RSA,0,reason)
70
71static ERR_STRING_DATA RSA_str_functs[]=
72 {
73{ERR_FUNC(RSA_F_CHECK_PADDING_MD), "CHECK_PADDING_MD"},
74{ERR_FUNC(RSA_F_DO_RSA_PRINT), "DO_RSA_PRINT"},
75{ERR_FUNC(RSA_F_INT_RSA_VERIFY), "INT_RSA_VERIFY"},
76{ERR_FUNC(RSA_F_MEMORY_LOCK), "MEMORY_LOCK"},
77{ERR_FUNC(RSA_F_OLD_RSA_PRIV_DECODE), "OLD_RSA_PRIV_DECODE"},
78{ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "PKEY_RSA_CTRL"},
79{ERR_FUNC(RSA_F_PKEY_RSA_CTRL_STR), "PKEY_RSA_CTRL_STR"},
80{ERR_FUNC(RSA_F_PKEY_RSA_SIGN), "PKEY_RSA_SIGN"},
81{ERR_FUNC(RSA_F_PKEY_RSA_VERIFYRECOVER), "PKEY_RSA_VERIFYRECOVER"},
82{ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"},
83{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
84{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"},
85{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"},
86{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"},
87{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"},
88{ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"},
89{ERR_FUNC(RSA_F_RSA_MEMORY_LOCK), "RSA_memory_lock"},
90{ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"},
91{ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"},
92{ERR_FUNC(RSA_F_RSA_NULL_MOD_EXP), "RSA_NULL_MOD_EXP"},
93{ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_DECRYPT), "RSA_NULL_PRIVATE_DECRYPT"},
94{ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_ENCRYPT), "RSA_NULL_PRIVATE_ENCRYPT"},
95{ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_DECRYPT), "RSA_NULL_PUBLIC_DECRYPT"},
96{ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_ENCRYPT), "RSA_NULL_PUBLIC_ENCRYPT"},
97{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"},
98{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"},
99{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"},
100{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1), "RSA_padding_add_PKCS1_type_1"},
101{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2), "RSA_padding_add_PKCS1_type_2"},
102{ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23), "RSA_padding_add_SSLv23"},
103{ERR_FUNC(RSA_F_RSA_PADDING_ADD_X931), "RSA_padding_add_X931"},
104{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_NONE), "RSA_padding_check_none"},
105{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP), "RSA_padding_check_PKCS1_OAEP"},
106{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1), "RSA_padding_check_PKCS1_type_1"},
107{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2), "RSA_padding_check_PKCS1_type_2"},
108{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23), "RSA_padding_check_SSLv23"},
109{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"},
110{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"},
111{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
112{ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"},
113{ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "RSA_PRIV_ENCODE"},
114{ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
115{ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
116{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
117{ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"},
118{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
119{ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING), "RSA_verify_ASN1_OCTET_STRING"},
120{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"},
121{0,NULL}
122 };
123
124static ERR_STRING_DATA RSA_str_reasons[]=
125 {
126{ERR_REASON(RSA_R_ALGORITHM_MISMATCH) ,"algorithm mismatch"},
127{ERR_REASON(RSA_R_BAD_E_VALUE) ,"bad e value"},
128{ERR_REASON(RSA_R_BAD_FIXED_HEADER_DECRYPT),"bad fixed header decrypt"},
129{ERR_REASON(RSA_R_BAD_PAD_BYTE_COUNT) ,"bad pad byte count"},
130{ERR_REASON(RSA_R_BAD_SIGNATURE) ,"bad signature"},
131{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_01) ,"block type is not 01"},
132{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_02) ,"block type is not 02"},
133{ERR_REASON(RSA_R_DATA_GREATER_THAN_MOD_LEN),"data greater than mod len"},
134{ERR_REASON(RSA_R_DATA_TOO_LARGE) ,"data too large"},
135{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
136{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS),"data too large for modulus"},
137{ERR_REASON(RSA_R_DATA_TOO_SMALL) ,"data too small"},
138{ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE),"data too small for key size"},
139{ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY),"digest too big for rsa key"},
140{ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D),"dmp1 not congruent to d"},
141{ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D),"dmq1 not congruent to d"},
142{ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1),"d e not congruent to 1"},
143{ERR_REASON(RSA_R_FIRST_OCTET_INVALID) ,"first octet invalid"},
144{ERR_REASON(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE),"illegal or unsupported padding mode"},
145{ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) ,"invalid digest length"},
146{ERR_REASON(RSA_R_INVALID_HEADER) ,"invalid header"},
147{ERR_REASON(RSA_R_INVALID_KEYBITS) ,"invalid keybits"},
148{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"},
149{ERR_REASON(RSA_R_INVALID_PADDING) ,"invalid padding"},
150{ERR_REASON(RSA_R_INVALID_PADDING_MODE) ,"invalid padding mode"},
151{ERR_REASON(RSA_R_INVALID_PSS_SALTLEN) ,"invalid pss saltlen"},
152{ERR_REASON(RSA_R_INVALID_TRAILER) ,"invalid trailer"},
153{ERR_REASON(RSA_R_INVALID_X931_DIGEST) ,"invalid x931 digest"},
154{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
155{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
156{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"},
157{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
158{ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) ,"no public exponent"},
159{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
160{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
161{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
162{ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"},
163{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
164{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
165{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"},
166{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
167{ERR_REASON(RSA_R_SLEN_CHECK_FAILED) ,"salt length check failed"},
168{ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) ,"salt length recovery failed"},
169{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"},
170{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
171{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"},
172{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) ,"unknown padding type"},
173{ERR_REASON(RSA_R_VALUE_MISSING) ,"value missing"},
174{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
175{0,NULL}
176 };
177
178#endif
179
180void ERR_load_RSA_strings(void)
181 {
182#ifndef OPENSSL_NO_ERR
183
184 if (ERR_func_error_string(RSA_str_functs[0].error) == NULL)
185 {
186 ERR_load_strings(0,RSA_str_functs);
187 ERR_load_strings(0,RSA_str_reasons);
188 }
189#endif
190 }
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
new file mode 100644
index 0000000000..767f7ab682
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -0,0 +1,219 @@
1/* crypto/rsa/rsa_gen.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59
60/* NB: these functions have been "upgraded", the deprecated versions (which are
61 * compatibility wrappers using these functions) are in rsa_depr.c.
62 * - Geoff
63 */
64
65#include <stdio.h>
66#include <time.h>
67#include "cryptlib.h"
68#include <openssl/bn.h>
69#include <openssl/rsa.h>
70
71static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
72
73/* NB: this wrapper would normally be placed in rsa_lib.c and the static
74 * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so
75 * that we don't introduce a new linker dependency. Eg. any application that
76 * wasn't previously linking object code related to key-generation won't have to
77 * now just because key-generation is part of RSA_METHOD. */
78int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
79 {
80 if(rsa->meth->rsa_keygen)
81 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
82 return rsa_builtin_keygen(rsa, bits, e_value, cb);
83 }
84
85static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
86 {
87 BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
88 BIGNUM local_r0,local_d,local_p;
89 BIGNUM *pr0,*d,*p;
90 int bitsp,bitsq,ok= -1,n=0;
91 BN_CTX *ctx=NULL;
92
93 ctx=BN_CTX_new();
94 if (ctx == NULL) goto err;
95 BN_CTX_start(ctx);
96 r0 = BN_CTX_get(ctx);
97 r1 = BN_CTX_get(ctx);
98 r2 = BN_CTX_get(ctx);
99 r3 = BN_CTX_get(ctx);
100 if (r3 == NULL) goto err;
101
102 bitsp=(bits+1)/2;
103 bitsq=bits-bitsp;
104
105 /* We need the RSA components non-NULL */
106 if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err;
107 if(!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err;
108 if(!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err;
109 if(!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err;
110 if(!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err;
111 if(!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err;
112 if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err;
113 if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err;
114
115 BN_copy(rsa->e, e_value);
116
117 /* generate p and q */
118 for (;;)
119 {
120 if(!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
121 goto err;
122 if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
123 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
124 if (BN_is_one(r1)) break;
125 if(!BN_GENCB_call(cb, 2, n++))
126 goto err;
127 }
128 if(!BN_GENCB_call(cb, 3, 0))
129 goto err;
130 for (;;)
131 {
132 /* When generating ridiculously small keys, we can get stuck
133 * continually regenerating the same prime values. Check for
134 * this and bail if it happens 3 times. */
135 unsigned int degenerate = 0;
136 do
137 {
138 if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
139 goto err;
140 } while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
141 if(degenerate == 3)
142 {
143 ok = 0; /* we set our own err */
144 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL);
145 goto err;
146 }
147 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
148 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
149 if (BN_is_one(r1))
150 break;
151 if(!BN_GENCB_call(cb, 2, n++))
152 goto err;
153 }
154 if(!BN_GENCB_call(cb, 3, 1))
155 goto err;
156 if (BN_cmp(rsa->p,rsa->q) < 0)
157 {
158 tmp=rsa->p;
159 rsa->p=rsa->q;
160 rsa->q=tmp;
161 }
162
163 /* calculate n */
164 if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
165
166 /* calculate d */
167 if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */
168 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */
169 if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */
170 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
171 {
172 pr0 = &local_r0;
173 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
174 }
175 else
176 pr0 = r0;
177 if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err; /* d */
178
179 /* set up d for correct BN_FLG_CONSTTIME flag */
180 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
181 {
182 d = &local_d;
183 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
184 }
185 else
186 d = rsa->d;
187
188 /* calculate d mod (p-1) */
189 if (!BN_mod(rsa->dmp1,d,r1,ctx)) goto err;
190
191 /* calculate d mod (q-1) */
192 if (!BN_mod(rsa->dmq1,d,r2,ctx)) goto err;
193
194 /* calculate inverse of q mod p */
195 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
196 {
197 p = &local_p;
198 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
199 }
200 else
201 p = rsa->p;
202 if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
203
204 ok=1;
205err:
206 if (ok == -1)
207 {
208 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN);
209 ok=0;
210 }
211 if (ctx != NULL)
212 {
213 BN_CTX_end(ctx);
214 BN_CTX_free(ctx);
215 }
216
217 return ok;
218 }
219
diff --git a/src/lib/libcrypto/rsa/rsa_eng.c b/src/lib/libcrypto/rsa/rsa_lib.c
index 383a7045b2..de45088d76 100644
--- a/src/lib/libcrypto/rsa/rsa_eng.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -80,13 +80,6 @@ RSA *RSA_new(void)
80 80
81void RSA_set_default_method(const RSA_METHOD *meth) 81void RSA_set_default_method(const RSA_METHOD *meth)
82 { 82 {
83#ifdef OPENSSL_FIPS
84 if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
85 {
86 RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD);
87 return;
88 }
89#endif
90 default_RSA_meth = meth; 83 default_RSA_meth = meth;
91 } 84 }
92 85
@@ -118,13 +111,6 @@ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
118 /* NB: The caller is specifically setting a method, so it's not up to us 111 /* NB: The caller is specifically setting a method, so it's not up to us
119 * to deal with which ENGINE it comes from. */ 112 * to deal with which ENGINE it comes from. */
120 const RSA_METHOD *mtmp; 113 const RSA_METHOD *mtmp;
121#ifdef OPENSSL_FIPS
122 if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
123 {
124 RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_METHOD);
125 return 0;
126 }
127#endif
128 mtmp = rsa->meth; 114 mtmp = rsa->meth;
129 if (mtmp->finish) mtmp->finish(rsa); 115 if (mtmp->finish) mtmp->finish(rsa);
130#ifndef OPENSSL_NO_ENGINE 116#ifndef OPENSSL_NO_ENGINE
@@ -177,18 +163,6 @@ RSA *RSA_new_method(ENGINE *engine)
177 } 163 }
178 } 164 }
179#endif 165#endif
180#ifdef OPENSSL_FIPS
181 if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD))
182 {
183 RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_METHOD);
184#ifndef OPENSSL_NO_ENGINE
185 if (ret->engine)
186 ENGINE_finish(ret->engine);
187#endif
188 OPENSSL_free(ret);
189 return NULL;
190 }
191#endif
192 166
193 ret->pad=0; 167 ret->pad=0;
194 ret->version=0; 168 ret->version=0;
@@ -208,7 +182,16 @@ RSA *RSA_new_method(ENGINE *engine)
208 ret->mt_blinding=NULL; 182 ret->mt_blinding=NULL;
209 ret->bignum_data=NULL; 183 ret->bignum_data=NULL;
210 ret->flags=ret->meth->flags; 184 ret->flags=ret->meth->flags;
211 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); 185 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
186 {
187#ifndef OPENSSL_NO_ENGINE
188 if (ret->engine)
189 ENGINE_finish(ret->engine);
190#endif
191 OPENSSL_free(ret);
192 return(NULL);
193 }
194
212 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) 195 if ((ret->meth->init != NULL) && !ret->meth->init(ret))
213 { 196 {
214#ifndef OPENSSL_NO_ENGINE 197#ifndef OPENSSL_NO_ENGINE
@@ -297,11 +280,163 @@ void *RSA_get_ex_data(const RSA *r, int idx)
297 return(CRYPTO_get_ex_data(&r->ex_data,idx)); 280 return(CRYPTO_get_ex_data(&r->ex_data,idx));
298 } 281 }
299 282
283int RSA_size(const RSA *r)
284 {
285 return(BN_num_bytes(r->n));
286 }
287
288int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
289 RSA *rsa, int padding)
290 {
291 return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
292 }
293
294int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
295 RSA *rsa, int padding)
296 {
297 return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
298 }
299
300int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
301 RSA *rsa, int padding)
302 {
303 return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
304 }
305
306int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
307 RSA *rsa, int padding)
308 {
309 return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
310 }
311
300int RSA_flags(const RSA *r) 312int RSA_flags(const RSA *r)
301 { 313 {
302 return((r == NULL)?0:r->meth->flags); 314 return((r == NULL)?0:r->meth->flags);
303 } 315 }
304 316
317void RSA_blinding_off(RSA *rsa)
318 {
319 if (rsa->blinding != NULL)
320 {
321 BN_BLINDING_free(rsa->blinding);
322 rsa->blinding=NULL;
323 }
324 rsa->flags &= ~RSA_FLAG_BLINDING;
325 rsa->flags |= RSA_FLAG_NO_BLINDING;
326 }
327
328int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
329 {
330 int ret=0;
331
332 if (rsa->blinding != NULL)
333 RSA_blinding_off(rsa);
334
335 rsa->blinding = RSA_setup_blinding(rsa, ctx);
336 if (rsa->blinding == NULL)
337 goto err;
338
339 rsa->flags |= RSA_FLAG_BLINDING;
340 rsa->flags &= ~RSA_FLAG_NO_BLINDING;
341 ret=1;
342err:
343 return(ret);
344 }
345
346static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
347 const BIGNUM *q, BN_CTX *ctx)
348{
349 BIGNUM *ret = NULL, *r0, *r1, *r2;
350
351 if (d == NULL || p == NULL || q == NULL)
352 return NULL;
353
354 BN_CTX_start(ctx);
355 r0 = BN_CTX_get(ctx);
356 r1 = BN_CTX_get(ctx);
357 r2 = BN_CTX_get(ctx);
358 if (r2 == NULL)
359 goto err;
360
361 if (!BN_sub(r1, p, BN_value_one())) goto err;
362 if (!BN_sub(r2, q, BN_value_one())) goto err;
363 if (!BN_mul(r0, r1, r2, ctx)) goto err;
364
365 ret = BN_mod_inverse(NULL, d, r0, ctx);
366err:
367 BN_CTX_end(ctx);
368 return ret;
369}
370
371BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
372{
373 BIGNUM local_n;
374 BIGNUM *e,*n;
375 BN_CTX *ctx;
376 BN_BLINDING *ret = NULL;
377
378 if (in_ctx == NULL)
379 {
380 if ((ctx = BN_CTX_new()) == NULL) return 0;
381 }
382 else
383 ctx = in_ctx;
384
385 BN_CTX_start(ctx);
386 e = BN_CTX_get(ctx);
387 if (e == NULL)
388 {
389 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
390 goto err;
391 }
392
393 if (rsa->e == NULL)
394 {
395 e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
396 if (e == NULL)
397 {
398 RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
399 goto err;
400 }
401 }
402 else
403 e = rsa->e;
404
405
406 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
407 {
408 /* if PRNG is not properly seeded, resort to secret
409 * exponent as unpredictable seed */
410 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
411 }
412
413 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
414 {
415 /* Set BN_FLG_CONSTTIME flag */
416 n = &local_n;
417 BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
418 }
419 else
420 n = rsa->n;
421
422 ret = BN_BLINDING_create_param(NULL, e, n, ctx,
423 rsa->meth->bn_mod_exp, rsa->_method_mod_n);
424 if (ret == NULL)
425 {
426 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
427 goto err;
428 }
429 CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
430err:
431 BN_CTX_end(ctx);
432 if (in_ctx == NULL)
433 BN_CTX_free(ctx);
434 if(rsa->e == NULL)
435 BN_free(e);
436
437 return ret;
438}
439
305int RSA_memory_lock(RSA *r) 440int RSA_memory_lock(RSA *r)
306 { 441 {
307 int i,j,k,off; 442 int i,j,k,off;
diff --git a/src/lib/libcrypto/rsa/rsa_locl.h b/src/lib/libcrypto/rsa/rsa_locl.h
new file mode 100644
index 0000000000..f5d2d56628
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_locl.h
@@ -0,0 +1,4 @@
1extern int int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
2 unsigned char *rm, size_t *prm_len,
3 const unsigned char *sigbuf, size_t siglen,
4 RSA *rsa);
diff --git a/src/lib/libcrypto/rsa/rsa_none.c b/src/lib/libcrypto/rsa/rsa_none.c
new file mode 100644
index 0000000000..e6f3e627ca
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_none.c
@@ -0,0 +1,98 @@
1/* crypto/rsa/rsa_none.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rsa.h>
63#include <openssl/rand.h>
64
65int RSA_padding_add_none(unsigned char *to, int tlen,
66 const unsigned char *from, int flen)
67 {
68 if (flen > tlen)
69 {
70 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
71 return(0);
72 }
73
74 if (flen < tlen)
75 {
76 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
77 return(0);
78 }
79
80 memcpy(to,from,(unsigned int)flen);
81 return(1);
82 }
83
84int RSA_padding_check_none(unsigned char *to, int tlen,
85 const unsigned char *from, int flen, int num)
86 {
87
88 if (flen > tlen)
89 {
90 RSAerr(RSA_F_RSA_PADDING_CHECK_NONE,RSA_R_DATA_TOO_LARGE);
91 return(-1);
92 }
93
94 memset(to,0,tlen-flen);
95 memcpy(to+tlen-flen,from,flen);
96 return(tlen);
97 }
98
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
new file mode 100644
index 0000000000..18d307ea9e
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -0,0 +1,233 @@
1/* crypto/rsa/rsa_oaep.c */
2/* Written by Ulf Moeller. This software is distributed on an "AS IS"
3 basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
4
5/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
6
7/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
8 * <URL: http://www.shoup.net/papers/oaep.ps.Z>
9 * for problems with the security proof for the
10 * original OAEP scheme, which EME-OAEP is based on.
11 *
12 * A new proof can be found in E. Fujisaki, T. Okamoto,
13 * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
14 * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
15 * The new proof has stronger requirements for the
16 * underlying permutation: "partial-one-wayness" instead
17 * of one-wayness. For the RSA function, this is
18 * an equivalent notion.
19 */
20
21
22#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
23#include <stdio.h>
24#include "cryptlib.h"
25#include <openssl/bn.h>
26#include <openssl/rsa.h>
27#include <openssl/evp.h>
28#include <openssl/rand.h>
29#include <openssl/sha.h>
30
31static int MGF1(unsigned char *mask, long len,
32 const unsigned char *seed, long seedlen);
33
34int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
35 const unsigned char *from, int flen,
36 const unsigned char *param, int plen)
37 {
38 int i, emlen = tlen - 1;
39 unsigned char *db, *seed;
40 unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
41
42 if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
43 {
44 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
45 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
46 return 0;
47 }
48
49 if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
50 {
51 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
52 return 0;
53 }
54
55 to[0] = 0;
56 seed = to + 1;
57 db = to + SHA_DIGEST_LENGTH + 1;
58
59 EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL);
60 memset(db + SHA_DIGEST_LENGTH, 0,
61 emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
62 db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
63 memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
64 if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
65 return 0;
66#ifdef PKCS_TESTVECT
67 memcpy(seed,
68 "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
69 20);
70#endif
71
72 dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
73 if (dbmask == NULL)
74 {
75 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
76 return 0;
77 }
78
79 if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH) < 0)
80 return 0;
81 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
82 db[i] ^= dbmask[i];
83
84 if (MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH) < 0)
85 return 0;
86 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
87 seed[i] ^= seedmask[i];
88
89 OPENSSL_free(dbmask);
90 return 1;
91 }
92
93int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
94 const unsigned char *from, int flen, int num,
95 const unsigned char *param, int plen)
96 {
97 int i, dblen, mlen = -1;
98 const unsigned char *maskeddb;
99 int lzero;
100 unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
101 unsigned char *padded_from;
102 int bad = 0;
103
104 if (--num < 2 * SHA_DIGEST_LENGTH + 1)
105 /* 'num' is the length of the modulus, i.e. does not depend on the
106 * particular ciphertext. */
107 goto decoding_err;
108
109 lzero = num - flen;
110 if (lzero < 0)
111 {
112 /* signalling this error immediately after detection might allow
113 * for side-channel attacks (e.g. timing if 'plen' is huge
114 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
115 * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
116 * so we use a 'bad' flag */
117 bad = 1;
118 lzero = 0;
119 flen = num; /* don't overflow the memcpy to padded_from */
120 }
121
122 dblen = num - SHA_DIGEST_LENGTH;
123 db = OPENSSL_malloc(dblen + num);
124 if (db == NULL)
125 {
126 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
127 return -1;
128 }
129
130 /* Always do this zero-padding copy (even when lzero == 0)
131 * to avoid leaking timing info about the value of lzero. */
132 padded_from = db + dblen;
133 memset(padded_from, 0, lzero);
134 memcpy(padded_from + lzero, from, flen);
135
136 maskeddb = padded_from + SHA_DIGEST_LENGTH;
137
138 if (MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen))
139 return -1;
140 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
141 seed[i] ^= padded_from[i];
142
143 if (MGF1(db, dblen, seed, SHA_DIGEST_LENGTH))
144 return -1;
145 for (i = 0; i < dblen; i++)
146 db[i] ^= maskeddb[i];
147
148 EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL);
149
150 if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
151 goto decoding_err;
152 else
153 {
154 for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
155 if (db[i] != 0x00)
156 break;
157 if (i == dblen || db[i] != 0x01)
158 goto decoding_err;
159 else
160 {
161 /* everything looks OK */
162
163 mlen = dblen - ++i;
164 if (tlen < mlen)
165 {
166 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
167 mlen = -1;
168 }
169 else
170 memcpy(to, db + i, mlen);
171 }
172 }
173 OPENSSL_free(db);
174 return mlen;
175
176decoding_err:
177 /* to avoid chosen ciphertext attacks, the error message should not reveal
178 * which kind of decoding error happened */
179 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
180 if (db != NULL) OPENSSL_free(db);
181 return -1;
182 }
183
184int PKCS1_MGF1(unsigned char *mask, long len,
185 const unsigned char *seed, long seedlen, const EVP_MD *dgst)
186 {
187 long i, outlen = 0;
188 unsigned char cnt[4];
189 EVP_MD_CTX c;
190 unsigned char md[EVP_MAX_MD_SIZE];
191 int mdlen;
192 int rv = -1;
193
194 EVP_MD_CTX_init(&c);
195 mdlen = EVP_MD_size(dgst);
196 if (mdlen < 0)
197 goto err;
198 for (i = 0; outlen < len; i++)
199 {
200 cnt[0] = (unsigned char)((i >> 24) & 255);
201 cnt[1] = (unsigned char)((i >> 16) & 255);
202 cnt[2] = (unsigned char)((i >> 8)) & 255;
203 cnt[3] = (unsigned char)(i & 255);
204 if (!EVP_DigestInit_ex(&c,dgst, NULL)
205 || !EVP_DigestUpdate(&c, seed, seedlen)
206 || !EVP_DigestUpdate(&c, cnt, 4))
207 goto err;
208 if (outlen + mdlen <= len)
209 {
210 if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL))
211 goto err;
212 outlen += mdlen;
213 }
214 else
215 {
216 if (!EVP_DigestFinal_ex(&c, md, NULL))
217 goto err;
218 memcpy(mask + outlen, md, len - outlen);
219 outlen = len;
220 }
221 }
222 rv = 0;
223 err:
224 EVP_MD_CTX_cleanup(&c);
225 return rv;
226 }
227
228static int MGF1(unsigned char *mask, long len, const unsigned char *seed,
229 long seedlen)
230 {
231 return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
232 }
233#endif
diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c
new file mode 100644
index 0000000000..8560755f1d
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_pk1.c
@@ -0,0 +1,224 @@
1/* crypto/rsa/rsa_pk1.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rsa.h>
63#include <openssl/rand.h>
64
65int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
66 const unsigned char *from, int flen)
67 {
68 int j;
69 unsigned char *p;
70
71 if (flen > (tlen-RSA_PKCS1_PADDING_SIZE))
72 {
73 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
74 return(0);
75 }
76
77 p=(unsigned char *)to;
78
79 *(p++)=0;
80 *(p++)=1; /* Private Key BT (Block Type) */
81
82 /* pad out with 0xff data */
83 j=tlen-3-flen;
84 memset(p,0xff,j);
85 p+=j;
86 *(p++)='\0';
87 memcpy(p,from,(unsigned int)flen);
88 return(1);
89 }
90
91int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
92 const unsigned char *from, int flen, int num)
93 {
94 int i,j;
95 const unsigned char *p;
96
97 p=from;
98 if ((num != (flen+1)) || (*(p++) != 01))
99 {
100 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BLOCK_TYPE_IS_NOT_01);
101 return(-1);
102 }
103
104 /* scan over padding data */
105 j=flen-1; /* one for type. */
106 for (i=0; i<j; i++)
107 {
108 if (*p != 0xff) /* should decrypt to 0xff */
109 {
110 if (*p == 0)
111 { p++; break; }
112 else {
113 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_FIXED_HEADER_DECRYPT);
114 return(-1);
115 }
116 }
117 p++;
118 }
119
120 if (i == j)
121 {
122 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_NULL_BEFORE_BLOCK_MISSING);
123 return(-1);
124 }
125
126 if (i < 8)
127 {
128 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_PAD_BYTE_COUNT);
129 return(-1);
130 }
131 i++; /* Skip over the '\0' */
132 j-=i;
133 if (j > tlen)
134 {
135 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE);
136 return(-1);
137 }
138 memcpy(to,p,(unsigned int)j);
139
140 return(j);
141 }
142
143int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
144 const unsigned char *from, int flen)
145 {
146 int i,j;
147 unsigned char *p;
148
149 if (flen > (tlen-11))
150 {
151 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
152 return(0);
153 }
154
155 p=(unsigned char *)to;
156
157 *(p++)=0;
158 *(p++)=2; /* Public Key BT (Block Type) */
159
160 /* pad out with non-zero random data */
161 j=tlen-3-flen;
162
163 if (RAND_bytes(p,j) <= 0)
164 return(0);
165 for (i=0; i<j; i++)
166 {
167 if (*p == '\0')
168 do {
169 if (RAND_bytes(p,1) <= 0)
170 return(0);
171 } while (*p == '\0');
172 p++;
173 }
174
175 *(p++)='\0';
176
177 memcpy(p,from,(unsigned int)flen);
178 return(1);
179 }
180
181int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
182 const unsigned char *from, int flen, int num)
183 {
184 int i,j;
185 const unsigned char *p;
186
187 p=from;
188 if ((num != (flen+1)) || (*(p++) != 02))
189 {
190 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02);
191 return(-1);
192 }
193#ifdef PKCS1_CHECK
194 return(num-11);
195#endif
196
197 /* scan over padding data */
198 j=flen-1; /* one for type. */
199 for (i=0; i<j; i++)
200 if (*(p++) == 0) break;
201
202 if (i == j)
203 {
204 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_NULL_BEFORE_BLOCK_MISSING);
205 return(-1);
206 }
207
208 if (i < 8)
209 {
210 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BAD_PAD_BYTE_COUNT);
211 return(-1);
212 }
213 i++; /* Skip over the '\0' */
214 j-=i;
215 if (j > tlen)
216 {
217 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE);
218 return(-1);
219 }
220 memcpy(to,p,(unsigned int)j);
221
222 return(j);
223 }
224
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
new file mode 100644
index 0000000000..5b2ecf56ad
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -0,0 +1,723 @@
1/* crypto/rsa/rsa_pmeth.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1t.h>
62#include <openssl/x509.h>
63#include <openssl/rsa.h>
64#include <openssl/bn.h>
65#include <openssl/evp.h>
66#ifndef OPENSSL_NO_CMS
67#include <openssl/cms.h>
68#endif
69#ifdef OPENSSL_FIPS
70#include <openssl/fips.h>
71#endif
72#include "evp_locl.h"
73#include "rsa_locl.h"
74
75/* RSA pkey context structure */
76
77typedef struct
78 {
79 /* Key gen parameters */
80 int nbits;
81 BIGNUM *pub_exp;
82 /* Keygen callback info */
83 int gentmp[2];
84 /* RSA padding mode */
85 int pad_mode;
86 /* message digest */
87 const EVP_MD *md;
88 /* message digest for MGF1 */
89 const EVP_MD *mgf1md;
90 /* PSS/OAEP salt length */
91 int saltlen;
92 /* Temp buffer */
93 unsigned char *tbuf;
94 } RSA_PKEY_CTX;
95
96static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
97 {
98 RSA_PKEY_CTX *rctx;
99 rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
100 if (!rctx)
101 return 0;
102 rctx->nbits = 1024;
103 rctx->pub_exp = NULL;
104 rctx->pad_mode = RSA_PKCS1_PADDING;
105 rctx->md = NULL;
106 rctx->mgf1md = NULL;
107 rctx->tbuf = NULL;
108
109 rctx->saltlen = -2;
110
111 ctx->data = rctx;
112 ctx->keygen_info = rctx->gentmp;
113 ctx->keygen_info_count = 2;
114
115 return 1;
116 }
117
118static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
119 {
120 RSA_PKEY_CTX *dctx, *sctx;
121 if (!pkey_rsa_init(dst))
122 return 0;
123 sctx = src->data;
124 dctx = dst->data;
125 dctx->nbits = sctx->nbits;
126 if (sctx->pub_exp)
127 {
128 dctx->pub_exp = BN_dup(sctx->pub_exp);
129 if (!dctx->pub_exp)
130 return 0;
131 }
132 dctx->pad_mode = sctx->pad_mode;
133 dctx->md = sctx->md;
134 return 1;
135 }
136
137static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
138 {
139 if (ctx->tbuf)
140 return 1;
141 ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
142 if (!ctx->tbuf)
143 return 0;
144 return 1;
145 }
146
147static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
148 {
149 RSA_PKEY_CTX *rctx = ctx->data;
150 if (rctx)
151 {
152 if (rctx->pub_exp)
153 BN_free(rctx->pub_exp);
154 if (rctx->tbuf)
155 OPENSSL_free(rctx->tbuf);
156 OPENSSL_free(rctx);
157 }
158 }
159#ifdef OPENSSL_FIPS
160/* FIP checker. Return value indicates status of context parameters:
161 * 1 : redirect to FIPS.
162 * 0 : don't redirect to FIPS.
163 * -1 : illegal operation in FIPS mode.
164 */
165
166static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
167 {
168 RSA_PKEY_CTX *rctx = ctx->data;
169 RSA *rsa = ctx->pkey->pkey.rsa;
170 int rv = -1;
171 if (!FIPS_mode())
172 return 0;
173 if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
174 rv = 0;
175 if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
176 return -1;
177 if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
178 return rv;
179 if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
180 return rv;
181 return 1;
182 }
183#endif
184
185static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
186 const unsigned char *tbs, size_t tbslen)
187 {
188 int ret;
189 RSA_PKEY_CTX *rctx = ctx->data;
190 RSA *rsa = ctx->pkey->pkey.rsa;
191
192#ifdef OPENSSL_FIPS
193 ret = pkey_fips_check_ctx(ctx);
194 if (ret < 0)
195 {
196 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
197 return -1;
198 }
199#endif
200
201 if (rctx->md)
202 {
203 if (tbslen != (size_t)EVP_MD_size(rctx->md))
204 {
205 RSAerr(RSA_F_PKEY_RSA_SIGN,
206 RSA_R_INVALID_DIGEST_LENGTH);
207 return -1;
208 }
209#ifdef OPENSSL_FIPS
210 if (ret > 0)
211 {
212 unsigned int slen;
213 ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
214 rctx->pad_mode,
215 rctx->saltlen,
216 rctx->mgf1md,
217 sig, &slen);
218 if (ret > 0)
219 *siglen = slen;
220 else
221 *siglen = 0;
222 return ret;
223 }
224#endif
225
226 if (EVP_MD_type(rctx->md) == NID_mdc2)
227 {
228 unsigned int sltmp;
229 if (rctx->pad_mode != RSA_PKCS1_PADDING)
230 return -1;
231 ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2,
232 tbs, tbslen, sig, &sltmp, rsa);
233
234 if (ret <= 0)
235 return ret;
236 ret = sltmp;
237 }
238 else if (rctx->pad_mode == RSA_X931_PADDING)
239 {
240 if (!setup_tbuf(rctx, ctx))
241 return -1;
242 memcpy(rctx->tbuf, tbs, tbslen);
243 rctx->tbuf[tbslen] =
244 RSA_X931_hash_id(EVP_MD_type(rctx->md));
245 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
246 sig, rsa, RSA_X931_PADDING);
247 }
248 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
249 {
250 unsigned int sltmp;
251 ret = RSA_sign(EVP_MD_type(rctx->md),
252 tbs, tbslen, sig, &sltmp, rsa);
253 if (ret <= 0)
254 return ret;
255 ret = sltmp;
256 }
257 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
258 {
259 if (!setup_tbuf(rctx, ctx))
260 return -1;
261 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
262 rctx->tbuf, tbs,
263 rctx->md, rctx->mgf1md,
264 rctx->saltlen))
265 return -1;
266 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
267 sig, rsa, RSA_NO_PADDING);
268 }
269 else
270 return -1;
271 }
272 else
273 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
274 rctx->pad_mode);
275 if (ret < 0)
276 return ret;
277 *siglen = ret;
278 return 1;
279 }
280
281
282static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
283 unsigned char *rout, size_t *routlen,
284 const unsigned char *sig, size_t siglen)
285 {
286 int ret;
287 RSA_PKEY_CTX *rctx = ctx->data;
288
289 if (rctx->md)
290 {
291 if (rctx->pad_mode == RSA_X931_PADDING)
292 {
293 if (!setup_tbuf(rctx, ctx))
294 return -1;
295 ret = RSA_public_decrypt(siglen, sig,
296 rctx->tbuf, ctx->pkey->pkey.rsa,
297 RSA_X931_PADDING);
298 if (ret < 1)
299 return 0;
300 ret--;
301 if (rctx->tbuf[ret] !=
302 RSA_X931_hash_id(EVP_MD_type(rctx->md)))
303 {
304 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
305 RSA_R_ALGORITHM_MISMATCH);
306 return 0;
307 }
308 if (ret != EVP_MD_size(rctx->md))
309 {
310 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
311 RSA_R_INVALID_DIGEST_LENGTH);
312 return 0;
313 }
314 if (rout)
315 memcpy(rout, rctx->tbuf, ret);
316 }
317 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
318 {
319 size_t sltmp;
320 ret = int_rsa_verify(EVP_MD_type(rctx->md),
321 NULL, 0, rout, &sltmp,
322 sig, siglen, ctx->pkey->pkey.rsa);
323 if (ret <= 0)
324 return 0;
325 ret = sltmp;
326 }
327 else
328 return -1;
329 }
330 else
331 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
332 rctx->pad_mode);
333 if (ret < 0)
334 return ret;
335 *routlen = ret;
336 return 1;
337 }
338
339static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
340 const unsigned char *sig, size_t siglen,
341 const unsigned char *tbs, size_t tbslen)
342 {
343 RSA_PKEY_CTX *rctx = ctx->data;
344 RSA *rsa = ctx->pkey->pkey.rsa;
345 size_t rslen;
346#ifdef OPENSSL_FIPS
347 int rv;
348 rv = pkey_fips_check_ctx(ctx);
349 if (rv < 0)
350 {
351 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
352 return -1;
353 }
354#endif
355 if (rctx->md)
356 {
357#ifdef OPENSSL_FIPS
358 if (rv > 0)
359 {
360 return FIPS_rsa_verify_digest(rsa,
361 tbs, tbslen,
362 rctx->md,
363 rctx->pad_mode,
364 rctx->saltlen,
365 rctx->mgf1md,
366 sig, siglen);
367
368 }
369#endif
370 if (rctx->pad_mode == RSA_PKCS1_PADDING)
371 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
372 sig, siglen, rsa);
373 if (rctx->pad_mode == RSA_X931_PADDING)
374 {
375 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen,
376 sig, siglen) <= 0)
377 return 0;
378 }
379 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
380 {
381 int ret;
382 if (!setup_tbuf(rctx, ctx))
383 return -1;
384 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
385 rsa, RSA_NO_PADDING);
386 if (ret <= 0)
387 return 0;
388 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
389 rctx->md, rctx->mgf1md,
390 rctx->tbuf, rctx->saltlen);
391 if (ret <= 0)
392 return 0;
393 return 1;
394 }
395 else
396 return -1;
397 }
398 else
399 {
400 if (!setup_tbuf(rctx, ctx))
401 return -1;
402 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
403 rsa, rctx->pad_mode);
404 if (rslen == 0)
405 return 0;
406 }
407
408 if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
409 return 0;
410
411 return 1;
412
413 }
414
415
416static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
417 unsigned char *out, size_t *outlen,
418 const unsigned char *in, size_t inlen)
419 {
420 int ret;
421 RSA_PKEY_CTX *rctx = ctx->data;
422 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
423 rctx->pad_mode);
424 if (ret < 0)
425 return ret;
426 *outlen = ret;
427 return 1;
428 }
429
430static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
431 unsigned char *out, size_t *outlen,
432 const unsigned char *in, size_t inlen)
433 {
434 int ret;
435 RSA_PKEY_CTX *rctx = ctx->data;
436 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
437 rctx->pad_mode);
438 if (ret < 0)
439 return ret;
440 *outlen = ret;
441 return 1;
442 }
443
444static int check_padding_md(const EVP_MD *md, int padding)
445 {
446 if (!md)
447 return 1;
448
449 if (padding == RSA_NO_PADDING)
450 {
451 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
452 return 0;
453 }
454
455 if (padding == RSA_X931_PADDING)
456 {
457 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1)
458 {
459 RSAerr(RSA_F_CHECK_PADDING_MD,
460 RSA_R_INVALID_X931_DIGEST);
461 return 0;
462 }
463 return 1;
464 }
465
466 return 1;
467 }
468
469
470static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
471 {
472 RSA_PKEY_CTX *rctx = ctx->data;
473 switch (type)
474 {
475 case EVP_PKEY_CTRL_RSA_PADDING:
476 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING))
477 {
478 if (!check_padding_md(rctx->md, p1))
479 return 0;
480 if (p1 == RSA_PKCS1_PSS_PADDING)
481 {
482 if (!(ctx->operation &
483 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
484 goto bad_pad;
485 if (!rctx->md)
486 rctx->md = EVP_sha1();
487 }
488 if (p1 == RSA_PKCS1_OAEP_PADDING)
489 {
490 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
491 goto bad_pad;
492 if (!rctx->md)
493 rctx->md = EVP_sha1();
494 }
495 rctx->pad_mode = p1;
496 return 1;
497 }
498 bad_pad:
499 RSAerr(RSA_F_PKEY_RSA_CTRL,
500 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
501 return -2;
502
503 case EVP_PKEY_CTRL_GET_RSA_PADDING:
504 *(int *)p2 = rctx->pad_mode;
505 return 1;
506
507 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
508 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
509 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
510 {
511 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
512 return -2;
513 }
514 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
515 *(int *)p2 = rctx->saltlen;
516 else
517 {
518 if (p1 < -2)
519 return -2;
520 rctx->saltlen = p1;
521 }
522 return 1;
523
524 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
525 if (p1 < 256)
526 {
527 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
528 return -2;
529 }
530 rctx->nbits = p1;
531 return 1;
532
533 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
534 if (!p2)
535 return -2;
536 rctx->pub_exp = p2;
537 return 1;
538
539 case EVP_PKEY_CTRL_MD:
540 if (!check_padding_md(p2, rctx->pad_mode))
541 return 0;
542 rctx->md = p2;
543 return 1;
544
545 case EVP_PKEY_CTRL_RSA_MGF1_MD:
546 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
547 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
548 {
549 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
550 return -2;
551 }
552 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD)
553 {
554 if (rctx->mgf1md)
555 *(const EVP_MD **)p2 = rctx->mgf1md;
556 else
557 *(const EVP_MD **)p2 = rctx->md;
558 }
559 else
560 rctx->mgf1md = p2;
561 return 1;
562
563 case EVP_PKEY_CTRL_DIGESTINIT:
564 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
565 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
566 case EVP_PKEY_CTRL_PKCS7_SIGN:
567 return 1;
568#ifndef OPENSSL_NO_CMS
569 case EVP_PKEY_CTRL_CMS_DECRYPT:
570 {
571 X509_ALGOR *alg = NULL;
572 ASN1_OBJECT *encalg = NULL;
573 if (p2)
574 CMS_RecipientInfo_ktri_get0_algs(p2, NULL, NULL, &alg);
575 if (alg)
576 X509_ALGOR_get0(&encalg, NULL, NULL, alg);
577 if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep)
578 rctx->pad_mode = RSA_PKCS1_OAEP_PADDING;
579 }
580 case EVP_PKEY_CTRL_CMS_ENCRYPT:
581 case EVP_PKEY_CTRL_CMS_SIGN:
582 return 1;
583#endif
584 case EVP_PKEY_CTRL_PEER_KEY:
585 RSAerr(RSA_F_PKEY_RSA_CTRL,
586 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
587 return -2;
588
589 default:
590 return -2;
591
592 }
593 }
594
595static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
596 const char *type, const char *value)
597 {
598 if (!value)
599 {
600 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
601 return 0;
602 }
603 if (!strcmp(type, "rsa_padding_mode"))
604 {
605 int pm;
606 if (!strcmp(value, "pkcs1"))
607 pm = RSA_PKCS1_PADDING;
608 else if (!strcmp(value, "sslv23"))
609 pm = RSA_SSLV23_PADDING;
610 else if (!strcmp(value, "none"))
611 pm = RSA_NO_PADDING;
612 else if (!strcmp(value, "oeap"))
613 pm = RSA_PKCS1_OAEP_PADDING;
614 else if (!strcmp(value, "x931"))
615 pm = RSA_X931_PADDING;
616 else if (!strcmp(value, "pss"))
617 pm = RSA_PKCS1_PSS_PADDING;
618 else
619 {
620 RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
621 RSA_R_UNKNOWN_PADDING_TYPE);
622 return -2;
623 }
624 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
625 }
626
627 if (!strcmp(type, "rsa_pss_saltlen"))
628 {
629 int saltlen;
630 saltlen = atoi(value);
631 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
632 }
633
634 if (!strcmp(type, "rsa_keygen_bits"))
635 {
636 int nbits;
637 nbits = atoi(value);
638 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
639 }
640
641 if (!strcmp(type, "rsa_keygen_pubexp"))
642 {
643 int ret;
644 BIGNUM *pubexp = NULL;
645 if (!BN_asc2bn(&pubexp, value))
646 return 0;
647 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
648 if (ret <= 0)
649 BN_free(pubexp);
650 return ret;
651 }
652
653 return -2;
654 }
655
656static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
657 {
658 RSA *rsa = NULL;
659 RSA_PKEY_CTX *rctx = ctx->data;
660 BN_GENCB *pcb, cb;
661 int ret;
662 if (!rctx->pub_exp)
663 {
664 rctx->pub_exp = BN_new();
665 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
666 return 0;
667 }
668 rsa = RSA_new();
669 if (!rsa)
670 return 0;
671 if (ctx->pkey_gencb)
672 {
673 pcb = &cb;
674 evp_pkey_set_cb_translate(pcb, ctx);
675 }
676 else
677 pcb = NULL;
678 ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
679 if (ret > 0)
680 EVP_PKEY_assign_RSA(pkey, rsa);
681 else
682 RSA_free(rsa);
683 return ret;
684 }
685
686const EVP_PKEY_METHOD rsa_pkey_meth =
687 {
688 EVP_PKEY_RSA,
689 EVP_PKEY_FLAG_AUTOARGLEN,
690 pkey_rsa_init,
691 pkey_rsa_copy,
692 pkey_rsa_cleanup,
693
694 0,0,
695
696 0,
697 pkey_rsa_keygen,
698
699 0,
700 pkey_rsa_sign,
701
702 0,
703 pkey_rsa_verify,
704
705 0,
706 pkey_rsa_verifyrecover,
707
708
709 0,0,0,0,
710
711 0,
712 pkey_rsa_encrypt,
713
714 0,
715 pkey_rsa_decrypt,
716
717 0,0,
718
719 pkey_rsa_ctrl,
720 pkey_rsa_ctrl_str
721
722
723 };
diff --git a/src/lib/libcrypto/rsa/rsa_prn.c b/src/lib/libcrypto/rsa/rsa_prn.c
new file mode 100644
index 0000000000..224db0fae5
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_prn.c
@@ -0,0 +1,93 @@
1/* crypto/rsa/rsa_prn.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/rsa.h>
62#include <openssl/evp.h>
63
64#ifndef OPENSSL_NO_FP_API
65int RSA_print_fp(FILE *fp, const RSA *x, int off)
66 {
67 BIO *b;
68 int ret;
69
70 if ((b=BIO_new(BIO_s_file())) == NULL)
71 {
72 RSAerr(RSA_F_RSA_PRINT_FP,ERR_R_BUF_LIB);
73 return(0);
74 }
75 BIO_set_fp(b,fp,BIO_NOCLOSE);
76 ret=RSA_print(b,x,off);
77 BIO_free(b);
78 return(ret);
79 }
80#endif
81
82int RSA_print(BIO *bp, const RSA *x, int off)
83 {
84 EVP_PKEY *pk;
85 int ret;
86 pk = EVP_PKEY_new();
87 if (!pk || !EVP_PKEY_set1_RSA(pk, (RSA *)x))
88 return 0;
89 ret = EVP_PKEY_print_private(bp, pk, off, NULL);
90 EVP_PKEY_free(pk);
91 return ret;
92 }
93
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
new file mode 100644
index 0000000000..5f9f533d0c
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_pss.c
@@ -0,0 +1,300 @@
1/* rsa_pss.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2005.
4 */
5/* ====================================================================
6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rsa.h>
63#include <openssl/evp.h>
64#include <openssl/rand.h>
65#include <openssl/sha.h>
66
67static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
68
69#if defined(_MSC_VER) && defined(_ARM_)
70#pragma optimize("g", off)
71#endif
72
73int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
74 const EVP_MD *Hash, const unsigned char *EM, int sLen)
75 {
76 return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
77 }
78
79int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
80 const EVP_MD *Hash, const EVP_MD *mgf1Hash,
81 const unsigned char *EM, int sLen)
82 {
83 int i;
84 int ret = 0;
85 int hLen, maskedDBLen, MSBits, emLen;
86 const unsigned char *H;
87 unsigned char *DB = NULL;
88 EVP_MD_CTX ctx;
89 unsigned char H_[EVP_MAX_MD_SIZE];
90 EVP_MD_CTX_init(&ctx);
91
92 if (mgf1Hash == NULL)
93 mgf1Hash = Hash;
94
95 hLen = EVP_MD_size(Hash);
96 if (hLen < 0)
97 goto err;
98 /*
99 * Negative sLen has special meanings:
100 * -1 sLen == hLen
101 * -2 salt length is autorecovered from signature
102 * -N reserved
103 */
104 if (sLen == -1) sLen = hLen;
105 else if (sLen == -2) sLen = -2;
106 else if (sLen < -2)
107 {
108 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
109 goto err;
110 }
111
112 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
113 emLen = RSA_size(rsa);
114 if (EM[0] & (0xFF << MSBits))
115 {
116 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
117 goto err;
118 }
119 if (MSBits == 0)
120 {
121 EM++;
122 emLen--;
123 }
124 if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
125 {
126 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
127 goto err;
128 }
129 if (EM[emLen - 1] != 0xbc)
130 {
131 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
132 goto err;
133 }
134 maskedDBLen = emLen - hLen - 1;
135 H = EM + maskedDBLen;
136 DB = OPENSSL_malloc(maskedDBLen);
137 if (!DB)
138 {
139 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
140 goto err;
141 }
142 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
143 goto err;
144 for (i = 0; i < maskedDBLen; i++)
145 DB[i] ^= EM[i];
146 if (MSBits)
147 DB[0] &= 0xFF >> (8 - MSBits);
148 for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
149 if (DB[i++] != 0x1)
150 {
151 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
152 goto err;
153 }
154 if (sLen >= 0 && (maskedDBLen - i) != sLen)
155 {
156 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
157 goto err;
158 }
159 if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
160 || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
161 || !EVP_DigestUpdate(&ctx, mHash, hLen))
162 goto err;
163 if (maskedDBLen - i)
164 {
165 if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
166 goto err;
167 }
168 if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
169 goto err;
170 if (memcmp(H_, H, hLen))
171 {
172 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
173 ret = 0;
174 }
175 else
176 ret = 1;
177
178 err:
179 if (DB)
180 OPENSSL_free(DB);
181 EVP_MD_CTX_cleanup(&ctx);
182
183 return ret;
184
185 }
186
187int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
188 const unsigned char *mHash,
189 const EVP_MD *Hash, int sLen)
190 {
191 return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
192 }
193
194int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
195 const unsigned char *mHash,
196 const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen)
197 {
198 int i;
199 int ret = 0;
200 int hLen, maskedDBLen, MSBits, emLen;
201 unsigned char *H, *salt = NULL, *p;
202 EVP_MD_CTX ctx;
203
204 if (mgf1Hash == NULL)
205 mgf1Hash = Hash;
206
207 hLen = EVP_MD_size(Hash);
208 if (hLen < 0)
209 goto err;
210 /*
211 * Negative sLen has special meanings:
212 * -1 sLen == hLen
213 * -2 salt length is maximized
214 * -N reserved
215 */
216 if (sLen == -1) sLen = hLen;
217 else if (sLen == -2) sLen = -2;
218 else if (sLen < -2)
219 {
220 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
221 goto err;
222 }
223
224 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
225 emLen = RSA_size(rsa);
226 if (MSBits == 0)
227 {
228 *EM++ = 0;
229 emLen--;
230 }
231 if (sLen == -2)
232 {
233 sLen = emLen - hLen - 2;
234 }
235 else if (emLen < (hLen + sLen + 2))
236 {
237 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
238 goto err;
239 }
240 if (sLen > 0)
241 {
242 salt = OPENSSL_malloc(sLen);
243 if (!salt)
244 {
245 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,ERR_R_MALLOC_FAILURE);
246 goto err;
247 }
248 if (RAND_bytes(salt, sLen) <= 0)
249 goto err;
250 }
251 maskedDBLen = emLen - hLen - 1;
252 H = EM + maskedDBLen;
253 EVP_MD_CTX_init(&ctx);
254 if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
255 || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
256 || !EVP_DigestUpdate(&ctx, mHash, hLen))
257 goto err;
258 if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
259 goto err;
260 if (!EVP_DigestFinal_ex(&ctx, H, NULL))
261 goto err;
262 EVP_MD_CTX_cleanup(&ctx);
263
264 /* Generate dbMask in place then perform XOR on it */
265 if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
266 goto err;
267
268 p = EM;
269
270 /* Initial PS XORs with all zeroes which is a NOP so just update
271 * pointer. Note from a test above this value is guaranteed to
272 * be non-negative.
273 */
274 p += emLen - sLen - hLen - 2;
275 *p++ ^= 0x1;
276 if (sLen > 0)
277 {
278 for (i = 0; i < sLen; i++)
279 *p++ ^= salt[i];
280 }
281 if (MSBits)
282 EM[0] &= 0xFF >> (8 - MSBits);
283
284 /* H is already in place so just set final 0xbc */
285
286 EM[emLen - 1] = 0xbc;
287
288 ret = 1;
289
290 err:
291 if (salt)
292 OPENSSL_free(salt);
293
294 return ret;
295
296 }
297
298#if defined(_MSC_VER)
299#pragma optimize("",on)
300#endif
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
new file mode 100644
index 0000000000..f98e0a80a6
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -0,0 +1,150 @@
1/* crypto/rsa/rsa_saos.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rsa.h>
63#include <openssl/objects.h>
64#include <openssl/x509.h>
65
66int RSA_sign_ASN1_OCTET_STRING(int type,
67 const unsigned char *m, unsigned int m_len,
68 unsigned char *sigret, unsigned int *siglen, RSA *rsa)
69 {
70 ASN1_OCTET_STRING sig;
71 int i,j,ret=1;
72 unsigned char *p,*s;
73
74 sig.type=V_ASN1_OCTET_STRING;
75 sig.length=m_len;
76 sig.data=(unsigned char *)m;
77
78 i=i2d_ASN1_OCTET_STRING(&sig,NULL);
79 j=RSA_size(rsa);
80 if (i > (j-RSA_PKCS1_PADDING_SIZE))
81 {
82 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
83 return(0);
84 }
85 s=(unsigned char *)OPENSSL_malloc((unsigned int)j+1);
86 if (s == NULL)
87 {
88 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
89 return(0);
90 }
91 p=s;
92 i2d_ASN1_OCTET_STRING(&sig,&p);
93 i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
94 if (i <= 0)
95 ret=0;
96 else
97 *siglen=i;
98
99 OPENSSL_cleanse(s,(unsigned int)j+1);
100 OPENSSL_free(s);
101 return(ret);
102 }
103
104int RSA_verify_ASN1_OCTET_STRING(int dtype,
105 const unsigned char *m,
106 unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
107 RSA *rsa)
108 {
109 int i,ret=0;
110 unsigned char *s;
111 const unsigned char *p;
112 ASN1_OCTET_STRING *sig=NULL;
113
114 if (siglen != (unsigned int)RSA_size(rsa))
115 {
116 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,RSA_R_WRONG_SIGNATURE_LENGTH);
117 return(0);
118 }
119
120 s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);
121 if (s == NULL)
122 {
123 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
124 goto err;
125 }
126 i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
127
128 if (i <= 0) goto err;
129
130 p=s;
131 sig=d2i_ASN1_OCTET_STRING(NULL,&p,(long)i);
132 if (sig == NULL) goto err;
133
134 if ( ((unsigned int)sig->length != m_len) ||
135 (memcmp(m,sig->data,m_len) != 0))
136 {
137 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,RSA_R_BAD_SIGNATURE);
138 }
139 else
140 ret=1;
141err:
142 if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
143 if (s != NULL)
144 {
145 OPENSSL_cleanse(s,(unsigned int)siglen);
146 OPENSSL_free(s);
147 }
148 return(ret);
149 }
150
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
new file mode 100644
index 0000000000..0be4ec7fb0
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -0,0 +1,285 @@
1/* crypto/rsa/rsa_sign.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rsa.h>
63#include <openssl/objects.h>
64#include <openssl/x509.h>
65#include "rsa_locl.h"
66
67/* Size of an SSL signature: MD5+SHA1 */
68#define SSL_SIG_LENGTH 36
69
70int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
71 unsigned char *sigret, unsigned int *siglen, RSA *rsa)
72 {
73 X509_SIG sig;
74 ASN1_TYPE parameter;
75 int i,j,ret=1;
76 unsigned char *p, *tmps = NULL;
77 const unsigned char *s = NULL;
78 X509_ALGOR algor;
79 ASN1_OCTET_STRING digest;
80 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
81 {
82 return rsa->meth->rsa_sign(type, m, m_len,
83 sigret, siglen, rsa);
84 }
85 /* Special case: SSL signature, just check the length */
86 if(type == NID_md5_sha1) {
87 if(m_len != SSL_SIG_LENGTH) {
88 RSAerr(RSA_F_RSA_SIGN,RSA_R_INVALID_MESSAGE_LENGTH);
89 return(0);
90 }
91 i = SSL_SIG_LENGTH;
92 s = m;
93 } else {
94 sig.algor= &algor;
95 sig.algor->algorithm=OBJ_nid2obj(type);
96 if (sig.algor->algorithm == NULL)
97 {
98 RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
99 return(0);
100 }
101 if (sig.algor->algorithm->length == 0)
102 {
103 RSAerr(RSA_F_RSA_SIGN,RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
104 return(0);
105 }
106 parameter.type=V_ASN1_NULL;
107 parameter.value.ptr=NULL;
108 sig.algor->parameter= &parameter;
109
110 sig.digest= &digest;
111 sig.digest->data=(unsigned char *)m; /* TMP UGLY CAST */
112 sig.digest->length=m_len;
113
114 i=i2d_X509_SIG(&sig,NULL);
115 }
116 j=RSA_size(rsa);
117 if (i > (j-RSA_PKCS1_PADDING_SIZE))
118 {
119 RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
120 return(0);
121 }
122 if(type != NID_md5_sha1) {
123 tmps=(unsigned char *)OPENSSL_malloc((unsigned int)j+1);
124 if (tmps == NULL)
125 {
126 RSAerr(RSA_F_RSA_SIGN,ERR_R_MALLOC_FAILURE);
127 return(0);
128 }
129 p=tmps;
130 i2d_X509_SIG(&sig,&p);
131 s=tmps;
132 }
133 i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
134 if (i <= 0)
135 ret=0;
136 else
137 *siglen=i;
138
139 if(type != NID_md5_sha1) {
140 OPENSSL_cleanse(tmps,(unsigned int)j+1);
141 OPENSSL_free(tmps);
142 }
143 return(ret);
144 }
145
146int int_rsa_verify(int dtype, const unsigned char *m,
147 unsigned int m_len,
148 unsigned char *rm, size_t *prm_len,
149 const unsigned char *sigbuf, size_t siglen,
150 RSA *rsa)
151 {
152 int i,ret=0,sigtype;
153 unsigned char *s;
154 X509_SIG *sig=NULL;
155
156 if (siglen != (unsigned int)RSA_size(rsa))
157 {
158 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
159 return(0);
160 }
161
162 if((dtype == NID_md5_sha1) && rm)
163 {
164 i = RSA_public_decrypt((int)siglen,
165 sigbuf,rm,rsa,RSA_PKCS1_PADDING);
166 if (i <= 0)
167 return 0;
168 *prm_len = i;
169 return 1;
170 }
171
172 s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);
173 if (s == NULL)
174 {
175 RSAerr(RSA_F_INT_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
176 goto err;
177 }
178 if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
179 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
180 goto err;
181 }
182 i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
183
184 if (i <= 0) goto err;
185
186 /* Special case: SSL signature */
187 if(dtype == NID_md5_sha1) {
188 if((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH))
189 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
190 else ret = 1;
191 } else {
192 const unsigned char *p=s;
193 sig=d2i_X509_SIG(NULL,&p,(long)i);
194
195 if (sig == NULL) goto err;
196
197 /* Excess data can be used to create forgeries */
198 if(p != s+i)
199 {
200 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
201 goto err;
202 }
203
204 /* Parameters to the signature algorithm can also be used to
205 create forgeries */
206 if(sig->algor->parameter
207 && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL)
208 {
209 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
210 goto err;
211 }
212
213 sigtype=OBJ_obj2nid(sig->algor->algorithm);
214
215
216 #ifdef RSA_DEBUG
217 /* put a backward compatibility flag in EAY */
218 fprintf(stderr,"in(%s) expect(%s)\n",OBJ_nid2ln(sigtype),
219 OBJ_nid2ln(dtype));
220 #endif
221 if (sigtype != dtype)
222 {
223 if (((dtype == NID_md5) &&
224 (sigtype == NID_md5WithRSAEncryption)) ||
225 ((dtype == NID_md2) &&
226 (sigtype == NID_md2WithRSAEncryption)))
227 {
228 /* ok, we will let it through */
229#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
230 fprintf(stderr,"signature has problems, re-make with post SSLeay045\n");
231#endif
232 }
233 else
234 {
235 RSAerr(RSA_F_INT_RSA_VERIFY,
236 RSA_R_ALGORITHM_MISMATCH);
237 goto err;
238 }
239 }
240 if (rm)
241 {
242 const EVP_MD *md;
243 md = EVP_get_digestbynid(dtype);
244 if (md && (EVP_MD_size(md) != sig->digest->length))
245 RSAerr(RSA_F_INT_RSA_VERIFY,
246 RSA_R_INVALID_DIGEST_LENGTH);
247 else
248 {
249 memcpy(rm, sig->digest->data,
250 sig->digest->length);
251 *prm_len = sig->digest->length;
252 ret = 1;
253 }
254 }
255 else if (((unsigned int)sig->digest->length != m_len) ||
256 (memcmp(m,sig->digest->data,m_len) != 0))
257 {
258 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
259 }
260 else
261 ret=1;
262 }
263err:
264 if (sig != NULL) X509_SIG_free(sig);
265 if (s != NULL)
266 {
267 OPENSSL_cleanse(s,(unsigned int)siglen);
268 OPENSSL_free(s);
269 }
270 return(ret);
271 }
272
273int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
274 const unsigned char *sigbuf, unsigned int siglen,
275 RSA *rsa)
276 {
277
278 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
279 {
280 return rsa->meth->rsa_verify(dtype, m, m_len,
281 sigbuf, siglen, rsa);
282 }
283
284 return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
285 }
diff --git a/src/lib/libcrypto/rsa/rsa_ssl.c b/src/lib/libcrypto/rsa/rsa_ssl.c
new file mode 100644
index 0000000000..cfeff15bc9
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_ssl.c
@@ -0,0 +1,154 @@
1/* crypto/rsa/rsa_ssl.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rsa.h>
63#include <openssl/rand.h>
64
65int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
66 const unsigned char *from, int flen)
67 {
68 int i,j;
69 unsigned char *p;
70
71 if (flen > (tlen-11))
72 {
73 RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
74 return(0);
75 }
76
77 p=(unsigned char *)to;
78
79 *(p++)=0;
80 *(p++)=2; /* Public Key BT (Block Type) */
81
82 /* pad out with non-zero random data */
83 j=tlen-3-8-flen;
84
85 if (RAND_bytes(p,j) <= 0)
86 return(0);
87 for (i=0; i<j; i++)
88 {
89 if (*p == '\0')
90 do {
91 if (RAND_bytes(p,1) <= 0)
92 return(0);
93 } while (*p == '\0');
94 p++;
95 }
96
97 memset(p,3,8);
98 p+=8;
99 *(p++)='\0';
100
101 memcpy(p,from,(unsigned int)flen);
102 return(1);
103 }
104
105int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
106 const unsigned char *from, int flen, int num)
107 {
108 int i,j,k;
109 const unsigned char *p;
110
111 p=from;
112 if (flen < 10)
113 {
114 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_SMALL);
115 return(-1);
116 }
117 if ((num != (flen+1)) || (*(p++) != 02))
118 {
119 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_BLOCK_TYPE_IS_NOT_02);
120 return(-1);
121 }
122
123 /* scan over padding data */
124 j=flen-1; /* one for type */
125 for (i=0; i<j; i++)
126 if (*(p++) == 0) break;
127
128 if ((i == j) || (i < 8))
129 {
130 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_NULL_BEFORE_BLOCK_MISSING);
131 return(-1);
132 }
133 for (k = -9; k<-1; k++)
134 {
135 if (p[k] != 0x03) break;
136 }
137 if (k == -1)
138 {
139 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_SSLV3_ROLLBACK_ATTACK);
140 return(-1);
141 }
142
143 i++; /* Skip over the '\0' */
144 j-=i;
145 if (j > tlen)
146 {
147 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_LARGE);
148 return(-1);
149 }
150 memcpy(to,p,(unsigned int)j);
151
152 return(j);
153 }
154
diff --git a/src/lib/libcrypto/rsa/rsa_x931.c b/src/lib/libcrypto/rsa/rsa_x931.c
new file mode 100644
index 0000000000..21548e37ed
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_x931.c
@@ -0,0 +1,177 @@
1/* rsa_x931.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2005.
4 */
5/* ====================================================================
6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rsa.h>
63#include <openssl/rand.h>
64#include <openssl/objects.h>
65
66int RSA_padding_add_X931(unsigned char *to, int tlen,
67 const unsigned char *from, int flen)
68 {
69 int j;
70 unsigned char *p;
71
72 /* Absolute minimum amount of padding is 1 header nibble, 1 padding
73 * nibble and 2 trailer bytes: but 1 hash if is already in 'from'.
74 */
75
76 j = tlen - flen - 2;
77
78 if (j < 0)
79 {
80 RSAerr(RSA_F_RSA_PADDING_ADD_X931,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
81 return -1;
82 }
83
84 p=(unsigned char *)to;
85
86 /* If no padding start and end nibbles are in one byte */
87 if (j == 0)
88 *p++ = 0x6A;
89 else
90 {
91 *p++ = 0x6B;
92 if (j > 1)
93 {
94 memset(p, 0xBB, j - 1);
95 p += j - 1;
96 }
97 *p++ = 0xBA;
98 }
99 memcpy(p,from,(unsigned int)flen);
100 p += flen;
101 *p = 0xCC;
102 return(1);
103 }
104
105int RSA_padding_check_X931(unsigned char *to, int tlen,
106 const unsigned char *from, int flen, int num)
107 {
108 int i = 0,j;
109 const unsigned char *p;
110
111 p=from;
112 if ((num != flen) || ((*p != 0x6A) && (*p != 0x6B)))
113 {
114 RSAerr(RSA_F_RSA_PADDING_CHECK_X931,RSA_R_INVALID_HEADER);
115 return -1;
116 }
117
118 if (*p++ == 0x6B)
119 {
120 j=flen-3;
121 for (i = 0; i < j; i++)
122 {
123 unsigned char c = *p++;
124 if (c == 0xBA)
125 break;
126 if (c != 0xBB)
127 {
128 RSAerr(RSA_F_RSA_PADDING_CHECK_X931,
129 RSA_R_INVALID_PADDING);
130 return -1;
131 }
132 }
133
134 j -= i;
135
136 if (i == 0)
137 {
138 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_PADDING);
139 return -1;
140 }
141
142 }
143 else j = flen - 2;
144
145 if (p[j] != 0xCC)
146 {
147 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_TRAILER);
148 return -1;
149 }
150
151 memcpy(to,p,(unsigned int)j);
152
153 return(j);
154 }
155
156/* Translate between X931 hash ids and NIDs */
157
158int RSA_X931_hash_id(int nid)
159 {
160 switch (nid)
161 {
162 case NID_sha1:
163 return 0x33;
164
165 case NID_sha256:
166 return 0x34;
167
168 case NID_sha384:
169 return 0x36;
170
171 case NID_sha512:
172 return 0x35;
173
174 }
175 return -1;
176 }
177
diff --git a/src/lib/libcrypto/rsa/rsa_x931g.c b/src/lib/libcrypto/rsa/rsa_x931g.c
deleted file mode 100644
index bf94f8be7a..0000000000
--- a/src/lib/libcrypto/rsa/rsa_x931g.c
+++ /dev/null
@@ -1,255 +0,0 @@
1/* crypto/rsa/rsa_gen.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <string.h>
61#include <time.h>
62#include <openssl/err.h>
63#include <openssl/bn.h>
64#include <openssl/rsa.h>
65
66#ifndef OPENSSL_FIPS
67
68/* X9.31 RSA key derivation and generation */
69
70int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
71 const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
72 const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
73 const BIGNUM *e, BN_GENCB *cb)
74 {
75 BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL;
76 BN_CTX *ctx=NULL,*ctx2=NULL;
77
78 if (!rsa)
79 goto err;
80
81 ctx = BN_CTX_new();
82 if (!ctx)
83 goto err;
84 BN_CTX_start(ctx);
85
86 r0 = BN_CTX_get(ctx);
87 r1 = BN_CTX_get(ctx);
88 r2 = BN_CTX_get(ctx);
89 r3 = BN_CTX_get(ctx);
90
91 if (r3 == NULL)
92 goto err;
93 if (!rsa->e)
94 {
95 rsa->e = BN_dup(e);
96 if (!rsa->e)
97 goto err;
98 }
99 else
100 e = rsa->e;
101
102 /* If not all parameters present only calculate what we can.
103 * This allows test programs to output selective parameters.
104 */
105
106 if (Xp && !rsa->p)
107 {
108 rsa->p = BN_new();
109 if (!rsa->p)
110 goto err;
111
112 if (!BN_X931_derive_prime_ex(rsa->p, p1, p2,
113 Xp, Xp1, Xp2, e, ctx, cb))
114 goto err;
115 }
116
117 if (Xq && !rsa->q)
118 {
119 rsa->q = BN_new();
120 if (!rsa->q)
121 goto err;
122 if (!BN_X931_derive_prime_ex(rsa->q, q1, q2,
123 Xq, Xq1, Xq2, e, ctx, cb))
124 goto err;
125 }
126
127 if (!rsa->p || !rsa->q)
128 {
129 BN_CTX_end(ctx);
130 BN_CTX_free(ctx);
131 return 2;
132 }
133
134 /* Since both primes are set we can now calculate all remaining
135 * components.
136 */
137
138 /* calculate n */
139 rsa->n=BN_new();
140 if (rsa->n == NULL)
141 goto err;
142 if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx))
143 goto err;
144
145 /* calculate d */
146 if (!BN_sub(r1,rsa->p,BN_value_one()))
147 goto err; /* p-1 */
148 if (!BN_sub(r2,rsa->q,BN_value_one()))
149 goto err; /* q-1 */
150 if (!BN_mul(r0,r1,r2,ctx))
151 goto err; /* (p-1)(q-1) */
152
153 if (!BN_gcd(r3, r1, r2, ctx))
154 goto err;
155
156 if (!BN_div(r0, NULL, r0, r3, ctx))
157 goto err; /* LCM((p-1)(q-1)) */
158
159 ctx2 = BN_CTX_new();
160 if (!ctx2)
161 goto err;
162
163 rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */
164 if (rsa->d == NULL)
165 goto err;
166
167 /* calculate d mod (p-1) */
168 rsa->dmp1=BN_new();
169 if (rsa->dmp1 == NULL)
170 goto err;
171 if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx))
172 goto err;
173
174 /* calculate d mod (q-1) */
175 rsa->dmq1=BN_new();
176 if (rsa->dmq1 == NULL)
177 goto err;
178 if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx))
179 goto err;
180
181 /* calculate inverse of q mod p */
182 rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
183
184 err:
185 if (ctx)
186 {
187 BN_CTX_end(ctx);
188 BN_CTX_free(ctx);
189 }
190 if (ctx2)
191 BN_CTX_free(ctx2);
192 /* If this is set all calls successful */
193 if (rsa && rsa->iqmp != NULL)
194 return 1;
195
196 return 0;
197
198 }
199
200int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb)
201 {
202 int ok = 0;
203 BIGNUM *Xp = NULL, *Xq = NULL;
204 BN_CTX *ctx = NULL;
205
206 ctx = BN_CTX_new();
207 if (!ctx)
208 goto error;
209
210 BN_CTX_start(ctx);
211 Xp = BN_CTX_get(ctx);
212 Xq = BN_CTX_get(ctx);
213 if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx))
214 goto error;
215
216 rsa->p = BN_new();
217 rsa->q = BN_new();
218 if (!rsa->p || !rsa->q)
219 goto error;
220
221 /* Generate two primes from Xp, Xq */
222
223 if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp,
224 e, ctx, cb))
225 goto error;
226
227 if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq,
228 e, ctx, cb))
229 goto error;
230
231 /* Since rsa->p and rsa->q are valid this call will just derive
232 * remaining RSA components.
233 */
234
235 if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL,
236 NULL, NULL, NULL, NULL, NULL, NULL, e, cb))
237 goto error;
238
239 ok = 1;
240
241 error:
242 if (ctx)
243 {
244 BN_CTX_end(ctx);
245 BN_CTX_free(ctx);
246 }
247
248 if (ok)
249 return 1;
250
251 return 0;
252
253 }
254
255#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-29 06:03:31 +0000