6 files changed, 196 insertions, 39 deletions
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index 98b3bd7cc5..e26a68b482 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -158,6 +158,11 @@ struct rsa_st
 #define RSA_FLAG_CACHE_PUBLIC           0x02
 #define RSA_FLAG_CACHE_PRIVATE          0x04
 #define RSA_FLAG_BLINDING               0x08
+#define RSA_FLAG_NO_BLINDING            0x80 /* new with 0.9.6j and 0.9.7b; the built-in
+                                              * RSA implementation now uses blinding by
+                                              * default (ignoring RSA_FLAG_BLINDING),
+                                              * but other engines might not need it
+                                              */
 #define RSA_FLAG_THREAD_SAFE            0x10
 /* This flag means the private key operations will be handled by rsa_mod_exp
 * and that they do not depend on the private key components being present:
@@ -170,11 +175,15 @@ struct rsa_st
 */
 #define RSA_FLAG_SIGN_VER               0x40
+#define RSA_FLAG_NO_BLINDING            0x80
 #define RSA_PKCS1_PADDING       1
 #define RSA_SSLV23_PADDING      2
 #define RSA_NO_PADDING          3
 #define RSA_PKCS1_OAEP_PADDING  4
+#define RSA_PKCS1_PADDING_SIZE  11
 #define RSA_set_app_data(s,arg)         RSA_set_ex_data(s,0,arg)
 #define RSA_get_app_data(s)             RSA_get_ex_data(s,0)
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 0eda816081..027b4dc754 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -61,7 +61,6 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
-#include <openssl/engine.h>
 #ifndef RSA_NULL
@@ -187,12 +186,65 @@ err:
        BN_clear_free(&ret);
        if (buf != NULL) 
                {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                OPENSSL_free(buf);
                }
        return(r);
        }
+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
+        {
+        int ret = 1;
+        CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+        /* Check again inside the lock - the macro's check is racey */
+        if(rsa->blinding == NULL)
+                ret = RSA_blinding_on(rsa, ctx);
+        CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+        return ret;
+        }
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
+        do { \
+                if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
+                    ((rsa)->blinding == NULL) && \
+                    !rsa_eay_blinding(rsa, ctx)) \
+                    err_instr \
+        } while(0)
+static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx)
+        {
+        BIGNUM *A, *Ai;
+        BN_BLINDING *ret = NULL;
+        /* added in OpenSSL 0.9.6j and 0.9.7b */
+        /* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
+         * this should be placed in a new function of its own, but for reasons
+         * of binary compatibility can't */
+        BN_CTX_start(ctx);
+        A = BN_CTX_get(ctx);
+        if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+                {
+                /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
+                RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
+                if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+                }
+        else
+                {
+                if (!BN_rand_range(A,rsa->n)) goto err;
+                }
+        if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
+        if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
+                goto err;
+        ret = BN_BLINDING_new(A,Ai,rsa->n);
+        BN_free(Ai);
+err:
+        BN_CTX_end(ctx);
+        return ret;
+        }
 /* signing */
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
             unsigned char *to, RSA *rsa, int padding)
@@ -201,6 +253,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
        int i,j,k,num=0,r= -1;
        unsigned char *buf=NULL;
        BN_CTX *ctx=NULL;
+        int local_blinding = 0;
+        BN_BLINDING *blinding = NULL;
        BN_init(&f);
        BN_init(&ret);
@@ -237,10 +291,39 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                goto err;
                }
-        if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
+        BLINDING_HELPER(rsa, ctx, goto err;);
-                RSA_blinding_on(rsa,ctx);
+        blinding = rsa->blinding;
-        if (rsa->flags & RSA_FLAG_BLINDING)
+        
-                if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+        /* Now unless blinding is disabled, 'blinding' is non-NULL.
+         * But the BN_BLINDING object may be owned by some other thread
+         * (we don't want to keep it constant and we don't want to use
+         * lots of locking to avoid race conditions, so only a single
+         * thread can use it; other threads have to use local blinding
+         * factors) */
+        if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
+                {
+                if (blinding == NULL)
+                        {
+                        RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                }
+        
+        if (blinding != NULL)
+                {
+                if (blinding->thread_id != CRYPTO_thread_id())
+                        {
+                        /* we need a local one-time blinding factor */
+                        blinding = setup_blinding(rsa, ctx);
+                        if (blinding == NULL)
+                                goto err;
+                        local_blinding = 1;
+                        }
+                }
+        if (blinding)
+                if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
        if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
                ((rsa->p != NULL) &&
@@ -254,8 +337,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
                }
-        if (rsa->flags & RSA_FLAG_BLINDING)
+        if (blinding)
-                if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+                if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
        /* put in leading 0 bytes if the number is less than the
         * length of the modulus */
@@ -269,9 +352,11 @@ err:
        if (ctx != NULL) BN_CTX_free(ctx);
        BN_clear_free(&ret);
        BN_clear_free(&f);
+        if (local_blinding)
+                BN_BLINDING_free(blinding);
        if (buf != NULL)
                {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                OPENSSL_free(buf);
                }
        return(r);
@@ -285,6 +370,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
        unsigned char *p;
        unsigned char *buf=NULL;
        BN_CTX *ctx=NULL;
+        int local_blinding = 0;
+        BN_BLINDING *blinding = NULL;
        BN_init(&f);
        BN_init(&ret);
@@ -316,10 +403,39 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                goto err;
                }
-        if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
+        BLINDING_HELPER(rsa, ctx, goto err;);
-                RSA_blinding_on(rsa,ctx);
+        blinding = rsa->blinding;
-        if (rsa->flags & RSA_FLAG_BLINDING)
+        
-                if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+        /* Now unless blinding is disabled, 'blinding' is non-NULL.
+         * But the BN_BLINDING object may be owned by some other thread
+         * (we don't want to keep it constant and we don't want to use
+         * lots of locking to avoid race conditions, so only a single
+         * thread can use it; other threads have to use local blinding
+         * factors) */
+        if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
+                {
+                if (blinding == NULL)
+                        {
+                        RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                }
+        
+        if (blinding != NULL)
+                {
+                if (blinding->thread_id != CRYPTO_thread_id())
+                        {
+                        /* we need a local one-time blinding factor */
+                        blinding = setup_blinding(rsa, ctx);
+                        if (blinding == NULL)
+                                goto err;
+                        local_blinding = 1;
+                        }
+                }
+        if (blinding)
+                if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
        /* do the decrypt */
        if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -335,8 +451,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                        goto err;
                }
-        if (rsa->flags & RSA_FLAG_BLINDING)
+        if (blinding)
-                if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+                if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
        p=buf;
        j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
@@ -370,7 +486,7 @@ err:
        BN_clear_free(&ret);
        if (buf != NULL)
                {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                OPENSSL_free(buf);
                }
        return(r);
@@ -467,7 +583,7 @@ err:
        BN_clear_free(&ret);
        if (buf != NULL)
                {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                OPENSSL_free(buf);
                }
        return(r);
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index 93235744f7..53c5092014 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -62,7 +62,10 @@
 #include <openssl/lhash.h>
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
+#include <openssl/rand.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT;
@@ -70,7 +73,9 @@ static const RSA_METHOD *default_RSA_meth=NULL;
 RSA *RSA_new(void)
        {
-        return(RSA_new_method(NULL));
+        RSA *r=RSA_new_method(NULL);
+        return r;
        }
 void RSA_set_default_method(const RSA_METHOD *meth)
@@ -108,11 +113,13 @@ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
        const RSA_METHOD *mtmp;
        mtmp = rsa->meth;
        if (mtmp->finish) mtmp->finish(rsa);
+#ifndef OPENSSL_NO_ENGINE
        if (rsa->engine)
                {
                ENGINE_finish(rsa->engine);
                rsa->engine = NULL;
                }
+#endif
        rsa->meth = meth;
        if (meth->init) meth->init(rsa);
        return 1;
@@ -130,6 +137,7 @@ RSA *RSA_new_method(ENGINE *engine)
                }
        ret->meth = RSA_get_default_method();
+#ifndef OPENSSL_NO_ENGINE
        if (engine)
                {
                if (!ENGINE_init(engine))
@@ -154,6 +162,7 @@ RSA *RSA_new_method(ENGINE *engine)
                        return NULL;
                        }
                }
+#endif
        ret->pad=0;
        ret->version=0;
@@ -175,8 +184,10 @@ RSA *RSA_new_method(ENGINE *engine)
        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
        if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                {
+#ifndef OPENSSL_NO_ENGINE
                if (ret->engine)
                        ENGINE_finish(ret->engine);
+#endif
                CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
                OPENSSL_free(ret);
                ret=NULL;
@@ -205,8 +216,10 @@ void RSA_free(RSA *r)
        if (r->meth->finish)
                r->meth->finish(r);
+#ifndef OPENSSL_NO_ENGINE
        if (r->engine)
                ENGINE_finish(r->engine);
+#endif
        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
@@ -297,7 +310,8 @@ void RSA_blinding_off(RSA *rsa)
                BN_BLINDING_free(rsa->blinding);
                rsa->blinding=NULL;
                }
-        rsa->flags&= ~RSA_FLAG_BLINDING;
+        rsa->flags &= ~RSA_FLAG_BLINDING;
+        rsa->flags |= RSA_FLAG_NO_BLINDING;
        }
 int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
@@ -316,15 +330,32 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
        if (rsa->blinding != NULL)
                BN_BLINDING_free(rsa->blinding);
+        /* NB: similar code appears in setup_blinding (rsa_eay.c);
+         * this should be placed in a new function of its own, but for reasons
+         * of binary compatibility can't */
        BN_CTX_start(ctx);
        A = BN_CTX_get(ctx);
-        if (!BN_rand_range(A,rsa->n)) goto err;
+        if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+                {
+                /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
+                RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
+                if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+                }
+        else
+                {
+                if (!BN_rand_range(A,rsa->n)) goto err;
+                }
        if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
        if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
-            goto err;
+                goto err;
-        rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n);
+        if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err;
-        rsa->flags|=RSA_FLAG_BLINDING;
+        /* to make things thread-safe without excessive locking,
+         * rsa->blinding will be used just by the current thread: */
+        rsa->blinding->thread_id = CRYPTO_thread_id();
+        rsa->flags |= RSA_FLAG_BLINDING;
+        rsa->flags &= ~RSA_FLAG_NO_BLINDING;
        BN_free(Ai);
        ret=1;
 err:
diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c
index c1edd6764f..8560755f1d 100644
--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ b/src/lib/libcrypto/rsa/rsa_pk1.c
@@ -68,7 +68,7 @@ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
        int j;
        unsigned char *p;
-        if (flen > (tlen-11))
+        if (flen > (tlen-RSA_PKCS1_PADDING_SIZE))
                {
                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
                return(0);
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
index 85adacc08f..f462716a57 100644
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -77,7 +77,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type,
        i=i2d_ASN1_OCTET_STRING(&sig,NULL);
        j=RSA_size(rsa);
-        if ((i-RSA_PKCS1_PADDING) > j)
+        if (i > (j-RSA_PKCS1_PADDING_SIZE))
                {
                RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
                return(0);
@@ -96,7 +96,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type,
        else
                *siglen=i;
-        memset(s,0,(unsigned int)j+1);
+        OPENSSL_cleanse(s,(unsigned int)j+1);
        OPENSSL_free(s);
        return(ret);
        }
@@ -139,7 +139,7 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
                ret=1;
 err:
        if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
-        memset(s,0,(unsigned int)siglen);
+        OPENSSL_cleanse(s,(unsigned int)siglen);
        OPENSSL_free(s);
        return(ret);
        }
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index 2a440901de..8a1e642183 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -62,7 +62,6 @@
 #include <openssl/rsa.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
-#include <openssl/engine.h>
 /* Size of an SSL signature: MD5+SHA1 */
 #define SSL_SIG_LENGTH  36
@@ -77,10 +76,11 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
        const unsigned char *s = NULL;
        X509_ALGOR algor;
        ASN1_OCTET_STRING digest;
-        if((rsa->flags & RSA_FLAG_SIGN_VER)
+        if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
-              && ENGINE_get_RSA(rsa->engine)->rsa_sign)
+                {
-              return ENGINE_get_RSA(rsa->engine)->rsa_sign(type,
+                return rsa->meth->rsa_sign(type, m, m_len,
-                        m, m_len, sigret, siglen, rsa);
+                        sigret, siglen, rsa);
+                }
        /* Special case: SSL signature, just check the length */
        if(type == NID_md5_sha1) {
                if(m_len != SSL_SIG_LENGTH) {
@@ -113,7 +113,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
                i=i2d_X509_SIG(&sig,NULL);
        }
        j=RSA_size(rsa);
-        if ((i-RSA_PKCS1_PADDING) > j)
+        if (i > (j-RSA_PKCS1_PADDING_SIZE))
                {
                RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
                return(0);
@@ -136,7 +136,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
                *siglen=i;
        if(type != NID_md5_sha1) {
-                memset(tmps,0,(unsigned int)j+1);
+                OPENSSL_cleanse(tmps,(unsigned int)j+1);
                OPENSSL_free(tmps);
        }
        return(ret);
@@ -155,10 +155,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
                return(0);
                }
-        if((rsa->flags & RSA_FLAG_SIGN_VER)
+        if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
-            && ENGINE_get_RSA(rsa->engine)->rsa_verify)
+                {
-            return ENGINE_get_RSA(rsa->engine)->rsa_verify(dtype,
+                return rsa->meth->rsa_verify(dtype, m, m_len,
-                        m, m_len, sigbuf, siglen, rsa);
+                        sigbuf, siglen, rsa);
+                }
        s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);
        if (s == NULL)
@@ -221,7 +222,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
        }
 err:
        if (sig != NULL) X509_SIG_free(sig);
-        memset(s,0,(unsigned int)siglen);
+        OPENSSL_cleanse(s,(unsigned int)siglen);
        OPENSSL_free(s);
        return(ret);
        }

diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h index 98b3bd7cc5..e26a68b482 100644 --- a/src/lib/libcrypto/rsa/rsa.h +++ b/src/lib/libcrypto/rsa/rsa.h
@@ -158,6 +158,11 @@ struct rsa_st
158	#define RSA_FLAG_CACHE_PUBLIC 0x02	158	#define RSA_FLAG_CACHE_PUBLIC 0x02
159	#define RSA_FLAG_CACHE_PRIVATE 0x04	159	#define RSA_FLAG_CACHE_PRIVATE 0x04
160	#define RSA_FLAG_BLINDING 0x08	160	#define RSA_FLAG_BLINDING 0x08
		161	#define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in
		162	* RSA implementation now uses blinding by
		163	* default (ignoring RSA_FLAG_BLINDING),
		164	* but other engines might not need it
		165	*/
161	#define RSA_FLAG_THREAD_SAFE 0x10	166	#define RSA_FLAG_THREAD_SAFE 0x10
162	/* This flag means the private key operations will be handled by rsa_mod_exp	167	/* This flag means the private key operations will be handled by rsa_mod_exp
163	* and that they do not depend on the private key components being present:	168	* and that they do not depend on the private key components being present:
@@ -170,11 +175,15 @@ struct rsa_st
170	*/	175	*/
171	#define RSA_FLAG_SIGN_VER 0x40	176	#define RSA_FLAG_SIGN_VER 0x40
172		177
		178	#define RSA_FLAG_NO_BLINDING 0x80
		179
173	#define RSA_PKCS1_PADDING 1	180	#define RSA_PKCS1_PADDING 1
174	#define RSA_SSLV23_PADDING 2	181	#define RSA_SSLV23_PADDING 2
175	#define RSA_NO_PADDING 3	182	#define RSA_NO_PADDING 3
176	#define RSA_PKCS1_OAEP_PADDING 4	183	#define RSA_PKCS1_OAEP_PADDING 4
177		184
		185	#define RSA_PKCS1_PADDING_SIZE 11
		186
178	#define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)	187	#define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)
179	#define RSA_get_app_data(s) RSA_get_ex_data(s,0)	188	#define RSA_get_app_data(s) RSA_get_ex_data(s,0)
180		189


diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index 0eda816081..027b4dc754 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -61,7 +61,6 @@
61	#include <openssl/bn.h>	61	#include <openssl/bn.h>
62	#include <openssl/rsa.h>	62	#include <openssl/rsa.h>
63	#include <openssl/rand.h>	63	#include <openssl/rand.h>
64	#include <openssl/engine.h>
65		64
66	#ifndef RSA_NULL	65	#ifndef RSA_NULL
67		66
@@ -187,12 +186,65 @@ err:
187	BN_clear_free(&ret);	186	BN_clear_free(&ret);
188	if (buf != NULL)	187	if (buf != NULL)
189	{	188	{
190	memset(buf,0,num);	189	OPENSSL_cleanse(buf,num);
191	OPENSSL_free(buf);	190	OPENSSL_free(buf);
192	}	191	}
193	return(r);	192	return(r);
194	}	193	}
195		194
		195	static int rsa_eay_blinding(RSA rsa, BN_CTX ctx)
		196	{
		197	int ret = 1;
		198	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
		199	/* Check again inside the lock - the macro's check is racey */
		200	if(rsa->blinding == NULL)
		201	ret = RSA_blinding_on(rsa, ctx);
		202	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
		203	return ret;
		204	}
		205
		206	#define BLINDING_HELPER(rsa, ctx, err_instr) \
		207	do { \
		208	if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
		209	((rsa)->blinding == NULL) && \
		210	!rsa_eay_blinding(rsa, ctx)) \
		211	err_instr \
		212	} while(0)
		213
		214	static BN_BLINDING setup_blinding(RSA rsa, BN_CTX *ctx)
		215	{
		216	BIGNUM A, Ai;
		217	BN_BLINDING *ret = NULL;
		218
		219	/* added in OpenSSL 0.9.6j and 0.9.7b */
		220
		221	/* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
		222	* this should be placed in a new function of its own, but for reasons
		223	* of binary compatibility can't */
		224
		225	BN_CTX_start(ctx);
		226	A = BN_CTX_get(ctx);
		227	if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
		228	{
		229	/* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
		230	RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
		231	if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
		232	}
		233	else
		234	{
		235	if (!BN_rand_range(A,rsa->n)) goto err;
		236	}
		237	if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
		238
		239	if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
		240	goto err;
		241	ret = BN_BLINDING_new(A,Ai,rsa->n);
		242	BN_free(Ai);
		243	err:
		244	BN_CTX_end(ctx);
		245	return ret;
		246	}
		247
196	/* signing */	248	/* signing */
197	static int RSA_eay_private_encrypt(int flen, const unsigned char *from,	249	static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
198	unsigned char to, RSA rsa, int padding)	250	unsigned char to, RSA rsa, int padding)
@@ -201,6 +253,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
201	int i,j,k,num=0,r= -1;	253	int i,j,k,num=0,r= -1;
202	unsigned char *buf=NULL;	254	unsigned char *buf=NULL;
203	BN_CTX *ctx=NULL;	255	BN_CTX *ctx=NULL;
		256	int local_blinding = 0;
		257	BN_BLINDING *blinding = NULL;
204		258
205	BN_init(&f);	259	BN_init(&f);
206	BN_init(&ret);	260	BN_init(&ret);
@@ -237,10 +291,39 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
237	goto err;	291	goto err;
238	}	292	}
239		293
240	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))	294	BLINDING_HELPER(rsa, ctx, goto err;);
241	RSA_blinding_on(rsa,ctx);	295	blinding = rsa->blinding;
242	if (rsa->flags & RSA_FLAG_BLINDING)	296
243	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;	297	/* Now unless blinding is disabled, 'blinding' is non-NULL.
		298	* But the BN_BLINDING object may be owned by some other thread
		299	* (we don't want to keep it constant and we don't want to use
		300	* lots of locking to avoid race conditions, so only a single
		301	* thread can use it; other threads have to use local blinding
		302	* factors) */
		303	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
		304	{
		305	if (blinding == NULL)
		306	{
		307	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
		308	goto err;
		309	}
		310	}
		311
		312	if (blinding != NULL)
		313	{
		314	if (blinding->thread_id != CRYPTO_thread_id())
		315	{
		316	/* we need a local one-time blinding factor */
		317
		318	blinding = setup_blinding(rsa, ctx);
		319	if (blinding == NULL)
		320	goto err;
		321	local_blinding = 1;
		322	}
		323	}
		324
		325	if (blinding)
		326	if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
244		327
245	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|	328	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|
246	((rsa->p != NULL) &&	329	((rsa->p != NULL) &&
@@ -254,8 +337,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
254	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;	337	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
255	}	338	}
256		339
257	if (rsa->flags & RSA_FLAG_BLINDING)	340	if (blinding)
258	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;	341	if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
259		342
260	/* put in leading 0 bytes if the number is less than the	343	/* put in leading 0 bytes if the number is less than the
261	* length of the modulus */	344	* length of the modulus */
@@ -269,9 +352,11 @@ err:
269	if (ctx != NULL) BN_CTX_free(ctx);	352	if (ctx != NULL) BN_CTX_free(ctx);
270	BN_clear_free(&ret);	353	BN_clear_free(&ret);
271	BN_clear_free(&f);	354	BN_clear_free(&f);
		355	if (local_blinding)
		356	BN_BLINDING_free(blinding);
272	if (buf != NULL)	357	if (buf != NULL)
273	{	358	{
274	memset(buf,0,num);	359	OPENSSL_cleanse(buf,num);
275	OPENSSL_free(buf);	360	OPENSSL_free(buf);
276	}	361	}
277	return(r);	362	return(r);
@@ -285,6 +370,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
285	unsigned char *p;	370	unsigned char *p;
286	unsigned char *buf=NULL;	371	unsigned char *buf=NULL;
287	BN_CTX *ctx=NULL;	372	BN_CTX *ctx=NULL;
		373	int local_blinding = 0;
		374	BN_BLINDING *blinding = NULL;
288		375
289	BN_init(&f);	376	BN_init(&f);
290	BN_init(&ret);	377	BN_init(&ret);
@@ -316,10 +403,39 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
316	goto err;	403	goto err;
317	}	404	}
318		405
319	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))	406	BLINDING_HELPER(rsa, ctx, goto err;);
320	RSA_blinding_on(rsa,ctx);	407	blinding = rsa->blinding;
321	if (rsa->flags & RSA_FLAG_BLINDING)	408
322	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;	409	/* Now unless blinding is disabled, 'blinding' is non-NULL.
		410	* But the BN_BLINDING object may be owned by some other thread
		411	* (we don't want to keep it constant and we don't want to use
		412	* lots of locking to avoid race conditions, so only a single
		413	* thread can use it; other threads have to use local blinding
		414	* factors) */
		415	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
		416	{
		417	if (blinding == NULL)
		418	{
		419	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
		420	goto err;
		421	}
		422	}
		423
		424	if (blinding != NULL)
		425	{
		426	if (blinding->thread_id != CRYPTO_thread_id())
		427	{
		428	/* we need a local one-time blinding factor */
		429
		430	blinding = setup_blinding(rsa, ctx);
		431	if (blinding == NULL)
		432	goto err;
		433	local_blinding = 1;
		434	}
		435	}
		436
		437	if (blinding)
		438	if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
323		439
324	/* do the decrypt */	440	/* do the decrypt */
325	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|	441	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|
@@ -335,8 +451,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
335	goto err;	451	goto err;
336	}	452	}
337		453
338	if (rsa->flags & RSA_FLAG_BLINDING)	454	if (blinding)
339	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;	455	if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
340		456
341	p=buf;	457	p=buf;
342	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */	458	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
@@ -370,7 +486,7 @@ err:
370	BN_clear_free(&ret);	486	BN_clear_free(&ret);
371	if (buf != NULL)	487	if (buf != NULL)
372	{	488	{
373	memset(buf,0,num);	489	OPENSSL_cleanse(buf,num);
374	OPENSSL_free(buf);	490	OPENSSL_free(buf);
375	}	491	}
376	return(r);	492	return(r);
@@ -467,7 +583,7 @@ err:
467	BN_clear_free(&ret);	583	BN_clear_free(&ret);
468	if (buf != NULL)	584	if (buf != NULL)
469	{	585	{
470	memset(buf,0,num);	586	OPENSSL_cleanse(buf,num);
471	OPENSSL_free(buf);	587	OPENSSL_free(buf);
472	}	588	}
473	return(r);	589	return(r);


diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c index 93235744f7..53c5092014 100644 --- a/src/lib/libcrypto/rsa/rsa_lib.c +++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -62,7 +62,10 @@
62	#include <openssl/lhash.h>	62	#include <openssl/lhash.h>
63	#include <openssl/bn.h>	63	#include <openssl/bn.h>
64	#include <openssl/rsa.h>	64	#include <openssl/rsa.h>
		65	#include <openssl/rand.h>
		66	#ifndef OPENSSL_NO_ENGINE
65	#include <openssl/engine.h>	67	#include <openssl/engine.h>
		68	#endif
66		69
67	const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT;	70	const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT;
68		71
@@ -70,7 +73,9 @@ static const RSA_METHOD *default_RSA_meth=NULL;
70		73
71	RSA *RSA_new(void)	74	RSA *RSA_new(void)
72	{	75	{
73	return(RSA_new_method(NULL));	76	RSA *r=RSA_new_method(NULL);
		77
		78	return r;
74	}	79	}
75		80
76	void RSA_set_default_method(const RSA_METHOD *meth)	81	void RSA_set_default_method(const RSA_METHOD *meth)
@@ -108,11 +113,13 @@ int RSA_set_method(RSA rsa, const RSA_METHOD meth)
108	const RSA_METHOD *mtmp;	113	const RSA_METHOD *mtmp;
109	mtmp = rsa->meth;	114	mtmp = rsa->meth;
110	if (mtmp->finish) mtmp->finish(rsa);	115	if (mtmp->finish) mtmp->finish(rsa);
		116	#ifndef OPENSSL_NO_ENGINE
111	if (rsa->engine)	117	if (rsa->engine)
112	{	118	{
113	ENGINE_finish(rsa->engine);	119	ENGINE_finish(rsa->engine);
114	rsa->engine = NULL;	120	rsa->engine = NULL;
115	}	121	}
		122	#endif
116	rsa->meth = meth;	123	rsa->meth = meth;
117	if (meth->init) meth->init(rsa);	124	if (meth->init) meth->init(rsa);
118	return 1;	125	return 1;
@@ -130,6 +137,7 @@ RSA RSA_new_method(ENGINE engine)
130	}	137	}
131		138
132	ret->meth = RSA_get_default_method();	139	ret->meth = RSA_get_default_method();
		140	#ifndef OPENSSL_NO_ENGINE
133	if (engine)	141	if (engine)
134	{	142	{
135	if (!ENGINE_init(engine))	143	if (!ENGINE_init(engine))
@@ -154,6 +162,7 @@ RSA RSA_new_method(ENGINE engine)
154	return NULL;	162	return NULL;
155	}	163	}
156	}	164	}
		165	#endif
157		166
158	ret->pad=0;	167	ret->pad=0;
159	ret->version=0;	168	ret->version=0;
@@ -175,8 +184,10 @@ RSA RSA_new_method(ENGINE engine)
175	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);	184	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
176	if ((ret->meth->init != NULL) && !ret->meth->init(ret))	185	if ((ret->meth->init != NULL) && !ret->meth->init(ret))
177	{	186	{
		187	#ifndef OPENSSL_NO_ENGINE
178	if (ret->engine)	188	if (ret->engine)
179	ENGINE_finish(ret->engine);	189	ENGINE_finish(ret->engine);
		190	#endif
180	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);	191	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
181	OPENSSL_free(ret);	192	OPENSSL_free(ret);
182	ret=NULL;	193	ret=NULL;
@@ -205,8 +216,10 @@ void RSA_free(RSA *r)
205		216
206	if (r->meth->finish)	217	if (r->meth->finish)
207	r->meth->finish(r);	218	r->meth->finish(r);
		219	#ifndef OPENSSL_NO_ENGINE
208	if (r->engine)	220	if (r->engine)
209	ENGINE_finish(r->engine);	221	ENGINE_finish(r->engine);
		222	#endif
210		223
211	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);	224	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
212		225
@@ -297,7 +310,8 @@ void RSA_blinding_off(RSA *rsa)
297	BN_BLINDING_free(rsa->blinding);	310	BN_BLINDING_free(rsa->blinding);
298	rsa->blinding=NULL;	311	rsa->blinding=NULL;
299	}	312	}
300	rsa->flags&= ~RSA_FLAG_BLINDING;	313	rsa->flags &= ~RSA_FLAG_BLINDING;
		314	rsa->flags \|= RSA_FLAG_NO_BLINDING;
301	}	315	}
302		316
303	int RSA_blinding_on(RSA rsa, BN_CTX p_ctx)	317	int RSA_blinding_on(RSA rsa, BN_CTX p_ctx)
@@ -316,15 +330,32 @@ int RSA_blinding_on(RSA rsa, BN_CTX p_ctx)
316	if (rsa->blinding != NULL)	330	if (rsa->blinding != NULL)
317	BN_BLINDING_free(rsa->blinding);	331	BN_BLINDING_free(rsa->blinding);
318		332
		333	/* NB: similar code appears in setup_blinding (rsa_eay.c);
		334	* this should be placed in a new function of its own, but for reasons
		335	* of binary compatibility can't */
		336
319	BN_CTX_start(ctx);	337	BN_CTX_start(ctx);
320	A = BN_CTX_get(ctx);	338	A = BN_CTX_get(ctx);
321	if (!BN_rand_range(A,rsa->n)) goto err;	339	if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
		340	{
		341	/* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
		342	RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
		343	if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
		344	}
		345	else
		346	{
		347	if (!BN_rand_range(A,rsa->n)) goto err;
		348	}
322	if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;	349	if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
323		350
324	if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))	351	if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
325	goto err;	352	goto err;
326	rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n);	353	if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err;
327	rsa->flags\|=RSA_FLAG_BLINDING;	354	/* to make things thread-safe without excessive locking,
		355	* rsa->blinding will be used just by the current thread: */
		356	rsa->blinding->thread_id = CRYPTO_thread_id();
		357	rsa->flags \|= RSA_FLAG_BLINDING;
		358	rsa->flags &= ~RSA_FLAG_NO_BLINDING;
328	BN_free(Ai);	359	BN_free(Ai);
329	ret=1;	360	ret=1;
330	err:	361	err:


diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c index c1edd6764f..8560755f1d 100644 --- a/src/lib/libcrypto/rsa/rsa_pk1.c +++ b/src/lib/libcrypto/rsa/rsa_pk1.c
@@ -68,7 +68,7 @@ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
68	int j;	68	int j;
69	unsigned char *p;	69	unsigned char *p;
70		70
71	if (flen > (tlen-11))	71	if (flen > (tlen-RSA_PKCS1_PADDING_SIZE))
72	{	72	{
73	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);	73	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
74	return(0);	74	return(0);


diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c index 85adacc08f..f462716a57 100644 --- a/src/lib/libcrypto/rsa/rsa_saos.c +++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -77,7 +77,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type,
77		77
78	i=i2d_ASN1_OCTET_STRING(&sig,NULL);	78	i=i2d_ASN1_OCTET_STRING(&sig,NULL);
79	j=RSA_size(rsa);	79	j=RSA_size(rsa);
80	if ((i-RSA_PKCS1_PADDING) > j)	80	if (i > (j-RSA_PKCS1_PADDING_SIZE))
81	{	81	{
82	RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);	82	RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
83	return(0);	83	return(0);
@@ -96,7 +96,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type,
96	else	96	else
97	*siglen=i;	97	*siglen=i;
98		98
99	memset(s,0,(unsigned int)j+1);	99	OPENSSL_cleanse(s,(unsigned int)j+1);
100	OPENSSL_free(s);	100	OPENSSL_free(s);
101	return(ret);	101	return(ret);
102	}	102	}
@@ -139,7 +139,7 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
139	ret=1;	139	ret=1;
140	err:	140	err:
141	if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);	141	if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
142	memset(s,0,(unsigned int)siglen);	142	OPENSSL_cleanse(s,(unsigned int)siglen);
143	OPENSSL_free(s);	143	OPENSSL_free(s);
144	return(ret);	144	return(ret);
145	}	145	}


diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c index 2a440901de..8a1e642183 100644 --- a/src/lib/libcrypto/rsa/rsa_sign.c +++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -62,7 +62,6 @@
62	#include <openssl/rsa.h>	62	#include <openssl/rsa.h>
63	#include <openssl/objects.h>	63	#include <openssl/objects.h>
64	#include <openssl/x509.h>	64	#include <openssl/x509.h>
65	#include <openssl/engine.h>
66		65
67	/* Size of an SSL signature: MD5+SHA1 */	66	/* Size of an SSL signature: MD5+SHA1 */
68	#define SSL_SIG_LENGTH 36	67	#define SSL_SIG_LENGTH 36
@@ -77,10 +76,11 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
77	const unsigned char *s = NULL;	76	const unsigned char *s = NULL;
78	X509_ALGOR algor;	77	X509_ALGOR algor;
79	ASN1_OCTET_STRING digest;	78	ASN1_OCTET_STRING digest;
80	if((rsa->flags & RSA_FLAG_SIGN_VER)	79	if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
81	&& ENGINE_get_RSA(rsa->engine)->rsa_sign)	80	{
82	return ENGINE_get_RSA(rsa->engine)->rsa_sign(type,	81	return rsa->meth->rsa_sign(type, m, m_len,
83	m, m_len, sigret, siglen, rsa);	82	sigret, siglen, rsa);
		83	}
84	/* Special case: SSL signature, just check the length */	84	/* Special case: SSL signature, just check the length */
85	if(type == NID_md5_sha1) {	85	if(type == NID_md5_sha1) {
86	if(m_len != SSL_SIG_LENGTH) {	86	if(m_len != SSL_SIG_LENGTH) {
@@ -113,7 +113,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
113	i=i2d_X509_SIG(&sig,NULL);	113	i=i2d_X509_SIG(&sig,NULL);
114	}	114	}
115	j=RSA_size(rsa);	115	j=RSA_size(rsa);
116	if ((i-RSA_PKCS1_PADDING) > j)	116	if (i > (j-RSA_PKCS1_PADDING_SIZE))
117	{	117	{
118	RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);	118	RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
119	return(0);	119	return(0);
@@ -136,7 +136,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
136	*siglen=i;	136	*siglen=i;
137		137
138	if(type != NID_md5_sha1) {	138	if(type != NID_md5_sha1) {
139	memset(tmps,0,(unsigned int)j+1);	139	OPENSSL_cleanse(tmps,(unsigned int)j+1);
140	OPENSSL_free(tmps);	140	OPENSSL_free(tmps);
141	}	141	}
142	return(ret);	142	return(ret);
@@ -155,10 +155,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
155	return(0);	155	return(0);
156	}	156	}
157		157
158	if((rsa->flags & RSA_FLAG_SIGN_VER)	158	if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
159	&& ENGINE_get_RSA(rsa->engine)->rsa_verify)	159	{
160	return ENGINE_get_RSA(rsa->engine)->rsa_verify(dtype,	160	return rsa->meth->rsa_verify(dtype, m, m_len,
161	m, m_len, sigbuf, siglen, rsa);	161	sigbuf, siglen, rsa);
		162	}
162		163
163	s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);	164	s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);
164	if (s == NULL)	165	if (s == NULL)
@@ -221,7 +222,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
221	}	222	}
222	err:	223	err:
223	if (sig != NULL) X509_SIG_free(sig);	224	if (sig != NULL) X509_SIG_free(sig);
224	memset(s,0,(unsigned int)siglen);	225	OPENSSL_cleanse(s,(unsigned int)siglen);
225	OPENSSL_free(s);	226	OPENSSL_free(s);
226	return(ret);	227	return(ret);
227	}	228	}