Diffstat (limited to 'src/lib/libcrypto/rsa')
-rw-r--r--src/lib/libcrypto/rsa/rsa.h603
-rw-r--r--src/lib/libcrypto/rsa/rsa_ameth.c1275
-rw-r--r--src/lib/libcrypto/rsa/rsa_asn1.c426
-rw-r--r--src/lib/libcrypto/rsa/rsa_blinding.c361
-rw-r--r--src/lib/libcrypto/rsa/rsa_chk.c223
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c902
-rw-r--r--src/lib/libcrypto/rsa/rsa_err.c160
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c257
-rw-r--r--src/lib/libcrypto/rsa/rsa_lib.c426
-rw-r--r--src/lib/libcrypto/rsa/rsa_local.h154
-rw-r--r--src/lib/libcrypto/rsa/rsa_meth.c309
-rw-r--r--src/lib/libcrypto/rsa/rsa_none.c98
-rw-r--r--src/lib/libcrypto/rsa/rsa_oaep.c368
-rw-r--r--src/lib/libcrypto/rsa/rsa_pk1.c283
-rw-r--r--src/lib/libcrypto/rsa/rsa_pmeth.c911
-rw-r--r--src/lib/libcrypto/rsa/rsa_prn.c99
-rw-r--r--src/lib/libcrypto/rsa/rsa_pss.c291
-rw-r--r--src/lib/libcrypto/rsa/rsa_saos.c143
-rw-r--r--src/lib/libcrypto/rsa/rsa_sign.c280
-rw-r--r--src/lib/libcrypto/rsa/rsa_x931.c164
20 files changed, 0 insertions, 7733 deletions
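--- a/src/lib/libcrypto/rsa/rsa.h
+++ /dev/null
@@ -1,603 +0,0 @@
-/* $OpenBSD: rsa.h,v 1.67 2025/01/25 17:59:44 tb Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef HEADER_RSA_H
-#define HEADER_RSA_H
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/asn1.h>
-
-#ifndef OPENSSL_NO_BIO
-#include <openssl/bio.h>
-#endif
-#include <openssl/bn.h>
-#include <openssl/crypto.h>
-
-#include <openssl/ossl_typ.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-struct rsa_pss_params_st {
- X509_ALGOR *hashAlgorithm;
- X509_ALGOR *maskGenAlgorithm;
- ASN1_INTEGER *saltLength;
- ASN1_INTEGER *trailerField;
-
- /* Hash algorithm decoded from maskGenAlgorithm. */
- X509_ALGOR *maskHash;
-} /* RSA_PSS_PARAMS */;
-
-typedef struct rsa_oaep_params_st {
- X509_ALGOR *hashFunc;
- X509_ALGOR *maskGenFunc;
- X509_ALGOR *pSourceFunc;
-
- /* Hash algorithm decoded from maskGenFunc. */
- X509_ALGOR *maskHash;
-} RSA_OAEP_PARAMS;
-
-#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
-# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
-#endif
-
-#ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
-# define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
-#endif
-#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
-# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */
-#endif
-
-#define RSA_3 0x3L
-#define RSA_F4 0x10001L
-
-/* Don't check pub/private match. */
-#define RSA_METHOD_FLAG_NO_CHECK 0x0001
-
-#define RSA_FLAG_CACHE_PUBLIC 0x0002
-#define RSA_FLAG_CACHE_PRIVATE 0x0004
-#define RSA_FLAG_BLINDING 0x0008
-#define RSA_FLAG_THREAD_SAFE 0x0010
-
-/*
- * This flag means the private key operations will be handled by rsa_mod_exp
- * and that they do not depend on the private key components being present:
- * for example a key stored in external hardware. Without this flag bn_mod_exp
- * gets called when private key components are absent.
- */
-#define RSA_FLAG_EXT_PKEY 0x0020
-
-/*
- * This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
- */
-#define RSA_FLAG_SIGN_VER 0x0040
-
-/*
- * The built-in RSA implementation uses blinding by default, but other engines
- * might not need it.
- */
-#define RSA_FLAG_NO_BLINDING 0x0080
-
-/* Salt length matches digest */
-#define RSA_PSS_SALTLEN_DIGEST -1
-/* Verify only: auto detect salt length */
-#define RSA_PSS_SALTLEN_AUTO -2
-/* Set salt length to maximum possible */
-#define RSA_PSS_SALTLEN_MAX -3
-
-#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
- RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING, pad, NULL)
-
-#define EVP_PKEY_CTX_get_rsa_padding(ctx, ppad) \
- RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 0, ppad)
-
-#define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \
- RSA_pkey_ctx_ctrl(ctx, (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
- EVP_PKEY_CTRL_RSA_PSS_SALTLEN, len, NULL)
-
-#define EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, len) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, \
- EVP_PKEY_CTRL_RSA_PSS_SALTLEN, len, NULL)
-
-#define EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, plen) \
- RSA_pkey_ctx_ctrl(ctx, (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
- EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, plen)
-
-#define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \
- RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, \
- EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL)
-
-#define EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp) \
- RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, \
- EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp)
-
-#define EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) \
- RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, \
- EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md))
-
-#define EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(ctx, md) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, \
- EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md))
-
-#define EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
- EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md))
-
-#define EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd) \
- RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, \
- EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)(pmd))
-
-#define EVP_PKEY_CTX_get_rsa_oaep_md(ctx, pmd) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
- EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)(pmd))
-
-#define EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, l, llen) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
- EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen, (void *)(l))
-
-#define EVP_PKEY_CTX_get0_rsa_oaep_label(ctx, l) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
- EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, (void *)(l))
-
-#define EVP_PKEY_CTX_set_rsa_pss_keygen_md(ctx, md) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, \
- EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_MD, 0, (void *)(md))
-
-#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
-#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2)
-
-#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3)
-#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4)
-#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5)
-
-#define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 6)
-#define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 7)
-#define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 8)
-
-#define EVP_PKEY_CTRL_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 9)
-#define EVP_PKEY_CTRL_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 10)
-
-#define EVP_PKEY_CTRL_GET_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 11)
-#define EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 12)
-
-#define RSA_PKCS1_PADDING 1
-#define RSA_SSLV23_PADDING 2
-#define RSA_NO_PADDING 3
-#define RSA_PKCS1_OAEP_PADDING 4
-/* rust-openssl and erlang expose this and salt even uses it. */
-#define RSA_X931_PADDING 5
-/* EVP_PKEY_ only */
-#define RSA_PKCS1_PSS_PADDING 6
-
-#define RSA_PKCS1_PADDING_SIZE 11
-
-#define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)
-#define RSA_get_app_data(s) RSA_get_ex_data(s,0)
-
-RSA *RSA_new(void);
-RSA *RSA_new_method(ENGINE *engine);
-int RSA_bits(const RSA *rsa);
-int RSA_size(const RSA *rsa);
-
-/*
- * Wrapped in OPENSSL_NO_DEPRECATED in 0.9.8. Still used for libressl bindings
- * in rust-openssl.
- */
-RSA *RSA_generate_key(int bits, unsigned long e,
- void (*callback)(int, int, void *), void *cb_arg);
-
-/* New version */
-int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
-
-int RSA_check_key(const RSA *);
-/* next 4 return -1 on error */
-int RSA_public_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-int RSA_private_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-int RSA_public_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-int RSA_private_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-void RSA_free(RSA *r);
-/* "up" the RSA object's reference count */
-int RSA_up_ref(RSA *r);
-
-int RSA_flags(const RSA *r);
-
-void RSA_set_default_method(const RSA_METHOD *meth);
-const RSA_METHOD *RSA_get_default_method(void);
-const RSA_METHOD *RSA_get_method(const RSA *rsa);
-int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
-
-const RSA_METHOD *RSA_PKCS1_OpenSSL(void);
-const RSA_METHOD *RSA_PKCS1_SSLeay(void);
-
-int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2);
-
-RSA *d2i_RSAPublicKey(RSA **a, const unsigned char **in, long len);
-int i2d_RSAPublicKey(const RSA *a, unsigned char **out);
-extern const ASN1_ITEM RSAPublicKey_it;
-RSA *d2i_RSAPrivateKey(RSA **a, const unsigned char **in, long len);
-int i2d_RSAPrivateKey(const RSA *a, unsigned char **out);
-extern const ASN1_ITEM RSAPrivateKey_it;
-
-RSA_PSS_PARAMS *RSA_PSS_PARAMS_new(void);
-void RSA_PSS_PARAMS_free(RSA_PSS_PARAMS *a);
-RSA_PSS_PARAMS *d2i_RSA_PSS_PARAMS(RSA_PSS_PARAMS **a, const unsigned char **in, long len);
-int i2d_RSA_PSS_PARAMS(RSA_PSS_PARAMS *a, unsigned char **out);
-extern const ASN1_ITEM RSA_PSS_PARAMS_it;
-
-RSA_OAEP_PARAMS *RSA_OAEP_PARAMS_new(void);
-void RSA_OAEP_PARAMS_free(RSA_OAEP_PARAMS *a);
-RSA_OAEP_PARAMS *d2i_RSA_OAEP_PARAMS(RSA_OAEP_PARAMS **a, const unsigned char **in, long len);
-int i2d_RSA_OAEP_PARAMS(RSA_OAEP_PARAMS *a, unsigned char **out);
-extern const ASN1_ITEM RSA_OAEP_PARAMS_it;
-
-int RSA_print_fp(FILE *fp, const RSA *r, int offset);
-
-#ifndef OPENSSL_NO_BIO
-int RSA_print(BIO *bp, const RSA *r, int offset);
-#endif
-
-/* The following 2 functions sign and verify a X509_SIG ASN1 object
- * inside PKCS#1 padded RSA encryption */
-int RSA_sign(int type, const unsigned char *m, unsigned int m_length,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-int RSA_verify(int type, const unsigned char *m, unsigned int m_length,
- const unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
-
-/* The following 2 function sign and verify a ASN1_OCTET_STRING
- * object inside PKCS#1 padded RSA encryption */
-int RSA_sign_ASN1_OCTET_STRING(int type, const unsigned char *m,
- unsigned int m_length, unsigned char *sigret, unsigned int *siglen,
- RSA *rsa);
-int RSA_verify_ASN1_OCTET_STRING(int type, const unsigned char *m,
- unsigned int m_length, unsigned char *sigbuf, unsigned int siglen,
- RSA *rsa);
-
-int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
-void RSA_blinding_off(RSA *rsa);
-
-int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
- const unsigned char *f, int fl);
-int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
- const unsigned char *f, int fl, int rsa_len);
-int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
- const unsigned char *f, int fl);
-int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
- const unsigned char *f, int fl, int rsa_len);
-int PKCS1_MGF1(unsigned char *mask, long len,
- const unsigned char *seed, long seedlen, const EVP_MD *dgst);
-int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
- const unsigned char *f, int fl,
- const unsigned char *p, int pl);
-int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
- const unsigned char *f, int fl, int rsa_len,
- const unsigned char *p, int pl);
-int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
- const unsigned char *from, int flen, const unsigned char *param, int plen,
- const EVP_MD *md, const EVP_MD *mgf1md);
-int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num, const unsigned char *param,
- int plen, const EVP_MD *md, const EVP_MD *mgf1md);
-int RSA_padding_add_none(unsigned char *to, int tlen,
- const unsigned char *f, int fl);
-int RSA_padding_check_none(unsigned char *to, int tlen,
- const unsigned char *f, int fl, int rsa_len);
-
-int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
- const EVP_MD *Hash, const unsigned char *EM, int sLen);
-int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
- const unsigned char *mHash, const EVP_MD *Hash, int sLen);
-
-int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
- const EVP_MD *Hash, const EVP_MD *mgf1Hash, const unsigned char *EM,
- int sLen);
-
-int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
- const unsigned char *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash,
- int sLen);
-
-int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
-int RSA_set_ex_data(RSA *r, int idx, void *arg);
-void *RSA_get_ex_data(const RSA *r, int idx);
-
-int RSA_security_bits(const RSA *rsa);
-
-void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
- const BIGNUM **d);
-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
-void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
- const BIGNUM **iqmp);
-int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
-void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
-int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
-const BIGNUM *RSA_get0_n(const RSA *r);
-const BIGNUM *RSA_get0_e(const RSA *r);
-const BIGNUM *RSA_get0_d(const RSA *r);
-const BIGNUM *RSA_get0_p(const RSA *r);
-const BIGNUM *RSA_get0_q(const RSA *r);
-const BIGNUM *RSA_get0_dmp1(const RSA *r);
-const BIGNUM *RSA_get0_dmq1(const RSA *r);
-const BIGNUM *RSA_get0_iqmp(const RSA *r);
-const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r);
-void RSA_clear_flags(RSA *r, int flags);
-int RSA_test_flags(const RSA *r, int flags);
-void RSA_set_flags(RSA *r, int flags);
-
-RSA *RSAPublicKey_dup(RSA *rsa);
-RSA *RSAPrivateKey_dup(RSA *rsa);
-
-/* If this flag is set the RSA method is FIPS compliant and can be used
- * in FIPS mode. This is set in the validated module method. If an
- * application sets this flag in its own methods it is its responsibility
- * to ensure the result is compliant.
- */
-
-#define RSA_FLAG_FIPS_METHOD 0x0400
-
-/* If this flag is set the operations normally disabled in FIPS mode are
- * permitted it is then the applications responsibility to ensure that the
- * usage is compliant.
- */
-
-#define RSA_FLAG_NON_FIPS_ALLOW 0x0400
-/* Application has decided PRNG is good enough to generate a key: don't
- * check.
- */
-#define RSA_FLAG_CHECKED 0x0800
-
-RSA_METHOD *RSA_meth_new(const char *name, int flags);
-void RSA_meth_free(RSA_METHOD *meth);
-RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth);
-int RSA_meth_set1_name(RSA_METHOD *meth, const char *name);
-int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
-int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
-int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa);
-int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa));
-int RSA_meth_set_pub_enc(RSA_METHOD *meth, int (*pub_enc)(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
-int RSA_meth_set_pub_dec(RSA_METHOD *meth, int (*pub_dec)(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
-int RSA_meth_set_mod_exp(RSA_METHOD *meth, int (*mod_exp)(BIGNUM *r0,
- const BIGNUM *i, RSA *rsa, BN_CTX *ctx));
-int RSA_meth_set_bn_mod_exp(RSA_METHOD *meth, int (*bn_mod_exp)(BIGNUM *r,
- const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
- BN_MONT_CTX *m_ctx));
-int RSA_meth_set_init(RSA_METHOD *meth, int (*init)(RSA *rsa));
-int RSA_meth_set_keygen(RSA_METHOD *meth, int (*keygen)(RSA *rsa, int bits,
- BIGNUM *e, BN_GENCB *cb));
-int RSA_meth_set_flags(RSA_METHOD *meth, int flags);
-int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data);
-const char *RSA_meth_get0_name(const RSA_METHOD *);
-int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth))(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
-int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth))(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
-int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
-int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
-int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))(BIGNUM *r0, const BIGNUM *i,
- RSA *rsa, BN_CTX *ctx);
-int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))(BIGNUM *r,
- const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
- BN_MONT_CTX *m_ctx);
-int (*RSA_meth_get_init(const RSA_METHOD *meth))(RSA *rsa);
-int (*RSA_meth_get_keygen(const RSA_METHOD *meth))(RSA *rsa, int bits, BIGNUM *e,
- BN_GENCB *cb);
-int RSA_meth_get_flags(const RSA_METHOD *meth);
-void *RSA_meth_get0_app_data(const RSA_METHOD *meth);
-int (*RSA_meth_get_sign(const RSA_METHOD *meth))(int type,
- const unsigned char *m, unsigned int m_length,
- unsigned char *sigret, unsigned int *siglen,
- const RSA *rsa);
-int RSA_meth_set_sign(RSA_METHOD *rsa, int (*sign)(int type,
- const unsigned char *m, unsigned int m_length, unsigned char *sigret,
- unsigned int *siglen, const RSA *rsa));
-int (*RSA_meth_get_verify(const RSA_METHOD *meth))(int dtype,
- const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf,
- unsigned int siglen, const RSA *rsa);
-int RSA_meth_set_verify(RSA_METHOD *rsa, int (*verify)(int dtype,
- const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf,
- unsigned int siglen, const RSA *rsa));
-
-
-void ERR_load_RSA_strings(void);
-
-/* Error codes for the RSA functions. */
-
-/* Function codes. */
-#define RSA_F_CHECK_PADDING_MD 140
-#define RSA_F_DO_RSA_PRINT 146
-#define RSA_F_INT_RSA_VERIFY 145
-#define RSA_F_MEMORY_LOCK 100
-#define RSA_F_OLD_RSA_PRIV_DECODE 147
-#define RSA_F_PKEY_RSA_CTRL 143
-#define RSA_F_PKEY_RSA_CTRL_STR 144
-#define RSA_F_PKEY_RSA_SIGN 142
-#define RSA_F_PKEY_RSA_VERIFY 154
-#define RSA_F_PKEY_RSA_VERIFYRECOVER 141
-#define RSA_F_RSA_BUILTIN_KEYGEN 129
-#define RSA_F_RSA_CHECK_KEY 123
-#define RSA_F_RSA_EAY_MOD_EXP 157
-#define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101
-#define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102
-#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
-#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104
-#define RSA_F_RSA_GENERATE_KEY 105
-#define RSA_F_RSA_GENERATE_KEY_EX 155
-#define RSA_F_RSA_ITEM_VERIFY 156
-#define RSA_F_RSA_MEMORY_LOCK 130
-#define RSA_F_RSA_NEW_METHOD 106
-#define RSA_F_RSA_NULL 124
-#define RSA_F_RSA_NULL_MOD_EXP 131
-#define RSA_F_RSA_NULL_PRIVATE_DECRYPT 132
-#define RSA_F_RSA_NULL_PRIVATE_ENCRYPT 133
-#define RSA_F_RSA_NULL_PUBLIC_DECRYPT 134
-#define RSA_F_RSA_NULL_PUBLIC_ENCRYPT 135
-#define RSA_F_RSA_PADDING_ADD_NONE 107
-#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
-#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
-#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
-#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
-#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
-#define RSA_F_RSA_PADDING_ADD_X931 127
-#define RSA_F_RSA_PADDING_CHECK_NONE 111
-#define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP 122
-#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1 112
-#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2 113
-#define RSA_F_RSA_PADDING_CHECK_X931 128
-#define RSA_F_RSA_PRINT 115
-#define RSA_F_RSA_PRINT_FP 116
-#define RSA_F_RSA_PRIVATE_DECRYPT 150
-#define RSA_F_RSA_PRIVATE_ENCRYPT 151
-#define RSA_F_RSA_PRIV_DECODE 137
-#define RSA_F_RSA_PRIV_ENCODE 138
-#define RSA_F_RSA_PUBLIC_DECRYPT 152
-#define RSA_F_RSA_PUBLIC_ENCRYPT 153
-#define RSA_F_RSA_PUB_DECODE 139
-#define RSA_F_RSA_SETUP_BLINDING 136
-#define RSA_F_RSA_SIGN 117
-#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
-#define RSA_F_RSA_VERIFY 119
-#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
-#define RSA_F_RSA_VERIFY_PKCS1_PSS 126
-#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
-
-/* Reason codes. */
-#define RSA_R_ALGORITHM_MISMATCH 100
-#define RSA_R_BAD_E_VALUE 101
-#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102
-#define RSA_R_BAD_PAD_BYTE_COUNT 103
-#define RSA_R_BAD_SIGNATURE 104
-#define RSA_R_BLOCK_TYPE_IS_NOT_01 106
-#define RSA_R_BLOCK_TYPE_IS_NOT_02 107
-#define RSA_R_DATA_GREATER_THAN_MOD_LEN 108
-#define RSA_R_DATA_TOO_LARGE 109
-#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 110
-#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132
-#define RSA_R_DATA_TOO_SMALL 111
-#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122
-#define RSA_R_DIGEST_DOES_NOT_MATCH 158
-#define RSA_R_DIGEST_NOT_ALLOWED 145
-#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112
-#define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124
-#define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125
-#define RSA_R_D_E_NOT_CONGRUENT_TO_1 123
-#define RSA_R_FIRST_OCTET_INVALID 133
-#define RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 144
-#define RSA_R_INVALID_DIGEST 157
-#define RSA_R_INVALID_DIGEST_LENGTH 143
-#define RSA_R_INVALID_HEADER 137
-#define RSA_R_INVALID_KEYBITS 145
-#define RSA_R_INVALID_LABEL 160
-#define RSA_R_INVALID_MESSAGE_LENGTH 131
-#define RSA_R_INVALID_MGF1_MD 156
-#define RSA_R_INVALID_OAEP_PARAMETERS 161
-#define RSA_R_INVALID_PADDING 138
-#define RSA_R_INVALID_PADDING_MODE 141
-#define RSA_R_INVALID_PSS_PARAMETERS 149
-#define RSA_R_INVALID_PSS_SALTLEN 146
-#define RSA_R_INVALID_SALT_LENGTH 150
-#define RSA_R_INVALID_TRAILER 139
-#define RSA_R_INVALID_X931_DIGEST 142
-#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
-#define RSA_R_KEY_SIZE_TOO_SMALL 120
-#define RSA_R_LAST_OCTET_INVALID 134
-#define RSA_R_MODULUS_TOO_LARGE 105
-#define RSA_R_MGF1_DIGEST_NOT_ALLOWED 152
-#define RSA_R_NON_FIPS_RSA_METHOD 157
-#define RSA_R_NO_PUBLIC_EXPONENT 140
-#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
-#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
-#define RSA_R_OAEP_DECODING_ERROR 121
-#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
-#define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
-#define RSA_R_PADDING_CHECK_FAILED 114
-#define RSA_R_PSS_SALTLEN_TOO_SMALL 164
-#define RSA_R_P_NOT_PRIME 128
-#define RSA_R_Q_NOT_PRIME 129
-#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130
-#define RSA_R_SLEN_CHECK_FAILED 136
-#define RSA_R_SLEN_RECOVERY_FAILED 135
-#define RSA_R_SSLV3_ROLLBACK_ATTACK 115
-#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
-#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117
-#define RSA_R_UNKNOWN_DIGEST 166
-#define RSA_R_UNKNOWN_MASK_DIGEST 151
-#define RSA_R_UNKNOWN_PADDING_TYPE 118
-#define RSA_R_UNKNOWN_PSS_DIGEST 152
-#define RSA_R_UNSUPPORTED_ENCRYPTION_TYPE 162
-#define RSA_R_UNSUPPORTED_LABEL_SOURCE 163
-#define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153
-#define RSA_R_UNSUPPORTED_MASK_PARAMETER 154
-#define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
-#define RSA_R_VALUE_MISSING 147
-#define RSA_R_WRONG_SIGNATURE_LENGTH 119
-
-#ifdef __cplusplus
-}
-#endif
-#endif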
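--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ /dev/null
@@ -1,1275 +0,0 @@
-/* $OpenBSD: rsa_ameth.c,v 1.62 2024/11/02 07:11:14 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2006.
- */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/asn1.h>
-#include <openssl/bio.h>
-#include <openssl/bn.h>
-#include <openssl/cms.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/pkcs7.h>
-#include <openssl/rsa.h>
-#include <openssl/sha.h>
-#include <openssl/x509.h>
-
-#include "asn1_local.h"
-#include "bn_local.h"
-#include "evp_local.h"
-#include "rsa_local.h"
-#include "x509_local.h"
-
-#ifndef OPENSSL_NO_CMS
-static int rsa_cms_sign(CMS_SignerInfo *si);
-static int rsa_cms_verify(CMS_SignerInfo *si);
-static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
-static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
-#endif
-
-static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg);
-
-static int rsa_alg_set_pkcs1_padding(X509_ALGOR *alg);
-
-/* Set any parameters associated with pkey */
-static int
-rsa_param_encode(const EVP_PKEY *pkey, ASN1_STRING **pstr, int *pstrtype)
-{
-	const RSA *rsa = pkey->pkey.rsa;
-
-	*pstr = NULL;
-
-	/* If RSA it's just NULL type */
-	if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) {
-		*pstrtype = V_ASN1_NULL;
-		return 1;
-	}
-
-	/* If no PSS parameters we omit parameters entirely */
-	if (rsa->pss == NULL) {
-		*pstrtype = V_ASN1_UNDEF;
-		return 1;
-	}
-
-	/* Encode PSS parameters */
-	if (ASN1_item_pack(rsa->pss, &RSA_PSS_PARAMS_it, pstr) == NULL)
-		return 0;
-
-	*pstrtype = V_ASN1_SEQUENCE;
-	return 1;
-}
-
-/* Decode any parameters and set them in RSA structure */
-static int
-rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
-{
-	const ASN1_OBJECT *algoid;
-	const void *algp;
-	int algptype;
-
-	X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
-	if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
-		return 1;
-	if (algptype == V_ASN1_UNDEF)
-		return 1;
-	if (algptype != V_ASN1_SEQUENCE) {
-		RSAerror(RSA_R_INVALID_PSS_PARAMETERS);
-		return 0;
-	}
-	rsa->pss = rsa_pss_decode(alg);
-	if (rsa->pss == NULL)
-		return 0;
-	return 1;
-}
-
-static int
-rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
-{
-	ASN1_STRING *str = NULL;
-	int strtype;
-	unsigned char *penc = NULL;
-	int penclen = 0;
-	ASN1_OBJECT *aobj;
-
-	if (!rsa_param_encode(pkey, &str, &strtype))
-		goto err;
-	if ((penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc)) <= 0) {
-		penclen = 0;
-		goto err;
-	}
-	if ((aobj = OBJ_nid2obj(pkey->ameth->pkey_id)) == NULL)
-		goto err;
-	if (!X509_PUBKEY_set0_param(pk, aobj, strtype, str, penc, penclen))
-		goto err;
-
-	return 1;
-
- err:
-	ASN1_STRING_free(str);
-	freezero(penc, penclen);
-
-	return 0;
-}
-
-static int
-rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
-{
-	const unsigned char *p;
-	int pklen;
-	X509_ALGOR *alg;
-	RSA *rsa = NULL;
-
-	if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey))
-		return 0;
-	if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) {
-		RSAerror(ERR_R_RSA_LIB);
-		return 0;
-	}
-	if (!rsa_param_decode(rsa, alg)) {
-		RSA_free(rsa);
-		return 0;
-	}
-	if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
-		RSA_free(rsa);
-		return 0;
-	}
-	return 1;
-}
-
-static int
-rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
-{
-	if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 ||
-	    BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
-		return 0;
-
-	return 1;
-}
-
-static int
-old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
-{
-	RSA *rsa;
-	int ret = 0;
-
-	if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) {
-		RSAerror(ERR_R_RSA_LIB);
-		goto err;
-	}
-	if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa))
-		goto err;
-	rsa = NULL;
-
-	ret = 1;
-
- err:
-	RSA_free(rsa);
-
-	return ret;
-}
-
-static int
-old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
-{
-	return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
-}
-
-static int
-rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
-{
-	ASN1_STRING *str = NULL;
-	ASN1_OBJECT *aobj;
-	int strtype;
-	unsigned char *rk = NULL;
-	int rklen = 0;
-
-	if (!rsa_param_encode(pkey, &str, &strtype))
-		goto err;
-	if ((rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk)) <= 0) {
-		RSAerror(ERR_R_MALLOC_FAILURE);
-		rklen = 0;
-		goto err;
-	}
-	if ((aobj = OBJ_nid2obj(pkey->ameth->pkey_id)) == NULL)
-		goto err;
-	if (!PKCS8_pkey_set0(p8, aobj, 0, strtype, str, rk, rklen)) {
-		RSAerror(ERR_R_MALLOC_FAILURE);
-		goto err;
-	}
-
-	return 1;
-
- err:
-	ASN1_STRING_free(str);
-	freezero(rk, rklen);
-
-	return 0;
-}
-
-static int
-rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
-{
-	const unsigned char *p;
-	RSA *rsa = NULL;
-	int pklen;
-	const X509_ALGOR *alg;
-	int ret = 0;
-
-	if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8))
-		goto err;
-	if ((rsa = d2i_RSAPrivateKey(NULL, &p, pklen)) == NULL)
-		goto err;
-	if (!rsa_param_decode(rsa, alg))
-		goto err;
-	if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa))
-		goto err;
-	rsa = NULL;
-
-	ret = 1;
-
- err:
-	RSA_free(rsa);
-
-	return ret;
-}
-
-static int
-rsa_size(const EVP_PKEY *pkey)
-{
-	return RSA_size(pkey->pkey.rsa);
-}
-
-static int
-rsa_bits(const EVP_PKEY *pkey)
-{
-	return BN_num_bits(pkey->pkey.rsa->n);
-}
-
-static int
-rsa_security_bits(const EVP_PKEY *pkey)
-{
-	return RSA_security_bits(pkey->pkey.rsa);
-}
-
-static void
-rsa_free(EVP_PKEY *pkey)
-{
-	RSA_free(pkey->pkey.rsa);
-}
-
-static X509_ALGOR *
-rsa_mgf1_decode(X509_ALGOR *alg)
-{
-	if (OBJ_obj2nid(alg->algorithm) != NID_mgf1)
-		return NULL;
-
-	return ASN1_TYPE_unpack_sequence(&X509_ALGOR_it, alg->parameter);
-}
-
-static RSA_PSS_PARAMS *
-rsa_pss_decode(const X509_ALGOR *alg)
-{
-	RSA_PSS_PARAMS *pss;
-
-	pss = ASN1_TYPE_unpack_sequence(&RSA_PSS_PARAMS_it, alg->parameter);
-	if (pss == NULL)
-		return NULL;
-
-	if (pss->maskGenAlgorithm != NULL) {
-		pss->maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
-		if (pss->maskHash == NULL) {
-			RSA_PSS_PARAMS_free(pss);
-			return NULL;
-		}
-	}
-
-	return pss;
-}
-
-static int
-rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss, int indent)
-{
-	int rv = 0;
-	X509_ALGOR *maskHash = NULL;
-
-	if (!BIO_indent(bp, indent, 128))
-		goto err;
-	if (pss_key) {
-		if (pss == NULL) {
-			if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0)
-				return 0;
-			return 1;
-		} else {
-			if (BIO_puts(bp, "PSS parameter restrictions:") <= 0)
-				return 0;
-		}
-	} else if (pss == NULL) {
-		if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0)
-			return 0;
-		return 1;
-	}
-	if (BIO_puts(bp, "\n") <= 0)
-		goto err;
-	if (pss_key)
-		indent += 2;
-	if (!BIO_indent(bp, indent, 128))
-		goto err;
-	if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
-		goto err;
-
-	if (pss->hashAlgorithm) {
-		if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
-			goto err;
-	} else if (BIO_puts(bp, "sha1 (default)") <= 0) {
-		goto err;
-	}
-
-	if (BIO_puts(bp, "\n") <= 0)
-		goto err;
-
-	if (!BIO_indent(bp, indent, 128))
-		goto err;
-
-	if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
-		goto err;
-	if (pss->maskGenAlgorithm) {
-		if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
-			goto err;
-		if (BIO_puts(bp, " with ") <= 0)
-			goto err;
-		maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
-		if (maskHash != NULL) {
-			if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
-				goto err;
-		} else if (BIO_puts(bp, "INVALID") <= 0) {
-			goto err;
-		}
-	} else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) {
-		goto err;
-	}
-	BIO_puts(bp, "\n");
-
-	if (!BIO_indent(bp, indent, 128))
-		goto err;
-	if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0)
-		goto err;
-	if (pss->saltLength) {
-		if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
-			goto err;
-	} else if (BIO_puts(bp, "14 (default)") <= 0) {
-		goto err;
-	}
-	BIO_puts(bp, "\n");
-
-	if (!BIO_indent(bp, indent, 128))
-		goto err;
-	if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
-		goto err;
-	if (pss->trailerField) {
-		if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
-			goto err;
-	} else if (BIO_puts(bp, "BC (default)") <= 0) {
-		goto err;
-	}
-	BIO_puts(bp, "\n");
-
-	rv = 1;
-
- err:
-	X509_ALGOR_free(maskHash);
-	return rv;
-
-}
-
-static int
-pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv)
-{
-	const RSA *x = pkey->pkey.rsa;
-	char *str;
-	const char *s;
-	int ret = 0, mod_len = 0;
-
-	if (x->n != NULL)
-		mod_len = BN_num_bits(x->n);
-
-	if (!BIO_indent(bp, off, 128))
-		goto err;
-
-	if (BIO_printf(bp, "%s ",
-	    pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS ? "RSA-PSS" : "RSA") <= 0)
-		goto err;
-
-	if (priv && x->d != NULL) {
-		if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0)
-			goto err;
-		str = "modulus:";
-		s = "publicExponent:";
-	} else {
-		if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
-			goto err;
-		str = "Modulus:";
-		s = "Exponent:";
-	}
-	if (!bn_printf(bp, x->n, off, "%s", str))
-		goto err;
-	if (!bn_printf(bp, x->e, off, "%s", s))
-		goto err;
-	if (priv) {
-		if (!bn_printf(bp, x->d, off, "privateExponent:"))
-			goto err;
-		if (!bn_printf(bp, x->p, off, "prime1:"))
-			goto err;
-		if (!bn_printf(bp, x->q, off, "prime2:"))
-			goto err;
-		if (!bn_printf(bp, x->dmp1, off, "exponent1:"))
-			goto err;
-		if (!bn_printf(bp, x->dmq1, off, "exponent2:"))
-			goto err;
-		if (!bn_printf(bp, x->iqmp, off, "coefficient:"))
-			goto err;
-	}
-	if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS &&
-	    !rsa_pss_param_print(bp, 1, x->pss, off))
-		goto err;
-	ret = 1;
- err:
-	return ret;
-}
-
-static int
-rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
-{
-	return pkey_rsa_print(bp, pkey, indent, 0);
-}
-
-static int
-rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
-{
-	return pkey_rsa_print(bp, pkey, indent, 1);
-}
-
-static int
-rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig,
-    int indent, ASN1_PCTX *pctx)
-{
-	if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) {
-		int rv;
-		RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg);
-
-		rv = rsa_pss_param_print(bp, 0, pss, indent);
-		RSA_PSS_PARAMS_free(pss);
-		if (!rv)
-			return 0;
-	} else if (!sig && BIO_puts(bp, "\n") <= 0) {
-		return 0;
-	}
-	if (sig)
-		return X509_signature_dump(bp, sig, indent);
-	return 1;
-}
-
-static int
-rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
-{
-	X509_ALGOR *alg = NULL;
-	const EVP_MD *md;
-	const EVP_MD *mgf1md;
-	int min_saltlen;
-
-	switch (op) {
-	case ASN1_PKEY_CTRL_PKCS7_SIGN:
-		if (arg1 == 0)
-			PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
-		break;
-
-	case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
-		if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
-			return -2;
-		if (arg1 == 0)
-			PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
-		break;
-#ifndef OPENSSL_NO_CMS
-	case ASN1_PKEY_CTRL_CMS_SIGN:
-		if (arg1 == 0)
-			return rsa_cms_sign(arg2);
-		else if (arg1 == 1)
-			return rsa_cms_verify(arg2);
-		break;
-
-	case ASN1_PKEY_CTRL_CMS_ENVELOPE:
-		if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
-			return -2;
-		if (arg1 == 0)
-			return rsa_cms_encrypt(arg2);
-		else if (arg1 == 1)
-			return rsa_cms_decrypt(arg2);
-		break;
-
-	case ASN1_PKEY_CTRL_CMS_RI_TYPE:
-		if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
-			return -2;
-		*(int *)arg2 = CMS_RECIPINFO_TRANS;
-		return 1;
-#endif
-
-	case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-		if (pkey->pkey.rsa->pss != NULL) {
-			if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md,
-			    &min_saltlen)) {
-				RSAerror(ERR_R_INTERNAL_ERROR);
-				return 0;
-			}
-			*(int *)arg2 = EVP_MD_type(md);
-			/* Return of 2 indicates this MD is mandatory */
-			return 2;
-		}
-		*(int *)arg2 = NID_sha256;
-		return 1;
-
-	default:
-		return -2;
-	}
-
-	if (alg != NULL)
-		return rsa_alg_set_pkcs1_padding(alg);
-
-	return 1;
-}
-
-static int
-rsa_md_to_algor(const EVP_MD *md, X509_ALGOR **out_alg)
-{
-	X509_ALGOR *alg = NULL;
-	int ret = 0;
-
-	X509_ALGOR_free(*out_alg);
-	*out_alg = NULL;
-
-	/* RFC 8017 - default hash is SHA-1 and hence omitted. */
-	if (md == NULL || EVP_MD_type(md) == NID_sha1)
-		goto done;
-
-	if ((alg = X509_ALGOR_new()) == NULL)
-		goto err;
-	/*
-	 * XXX - This omits the parameters, whereas RFC 4055, section 2.1
-	 * explicitly states that an explicit ASN.1 NULL is required.
-	 */
-	if (!X509_ALGOR_set_evp_md(alg, md))
-		goto err;
-
- done:
-	*out_alg = alg;
-	alg = NULL;
-
-	ret = 1;
-
- err:
-	X509_ALGOR_free(alg);
-
-	return ret;
-}
-
-/*
- * RFC 8017, A.2.1 and A.2.3 - encode maskGenAlgorithm for RSAES-OAEP
- * and RSASSA-PSS. The default is mgfSHA1 and hence omitted.
- */
-static int
-rsa_mgf1md_to_maskGenAlgorithm(const EVP_MD *mgf1md, X509_ALGOR **out_alg)
-{
-	X509_ALGOR *alg = NULL;
-	X509_ALGOR *inner_alg = NULL;
-	ASN1_STRING *astr = NULL;
-	int ret = 0;
-
-	X509_ALGOR_free(*out_alg);
-	*out_alg = NULL;
-
-	if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1)
-		goto done;
-
-	if ((inner_alg = X509_ALGOR_new()) == NULL)
-		goto err;
-	/*
-	 * XXX - This omits the parameters, whereas RFC 4055, section 2.1
-	 * explicitly states that an explicit ASN.1 NULL is required.
-	 */
-	if (!X509_ALGOR_set_evp_md(inner_alg, mgf1md))
-		goto err;
-	if ((astr = ASN1_item_pack(inner_alg, &X509_ALGOR_it, NULL)) == NULL)
-		goto err;
-
-	if ((alg = X509_ALGOR_new()) == NULL)
-		goto err;
-	if (!X509_ALGOR_set0_by_nid(alg, NID_mgf1, V_ASN1_SEQUENCE, astr))
-		goto err;
-	astr = NULL;
-
- done:
-	*out_alg = alg;
-	alg = NULL;
-
-	ret = 1;
-
- err:
-	X509_ALGOR_free(alg);
-	X509_ALGOR_free(inner_alg);
-	ASN1_STRING_free(astr);
-
-	return ret;
-}
-
-/* Convert algorithm ID to EVP_MD, defaults to SHA1. */
-static const EVP_MD *
-rsa_algor_to_md(X509_ALGOR *alg)
-{
-	const EVP_MD *md;
-
-	if (!alg)
-		return EVP_sha1();
-	md = EVP_get_digestbyobj(alg->algorithm);
-	if (md == NULL)
-		RSAerror(RSA_R_UNKNOWN_DIGEST);
-	return md;
-}
-
-/*
- * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter,
- * suitable for setting an AlgorithmIdentifier.
- */
-static RSA_PSS_PARAMS *
-rsa_ctx_to_pss(EVP_PKEY_CTX *pkey_ctx)
-{
-	const EVP_MD *sigmd, *mgf1md;
-	EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkey_ctx);
-	int saltlen;
-
-	if (EVP_PKEY_CTX_get_signature_md(pkey_ctx, &sigmd) <= 0)
-		return NULL;
-	if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkey_ctx, &mgf1md) <= 0)
-		return NULL;
-	if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen))
-		return NULL;
-	if (saltlen == -1) {
-		saltlen = EVP_MD_size(sigmd);
-	} else if (saltlen == -2 || saltlen == -3) {
-		saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
-		if ((EVP_PKEY_bits(pk) & 0x7) == 1)
-			saltlen--;
-		if (saltlen < 0)
-			return NULL;
-	}
-
-	return rsa_pss_params_create(sigmd, mgf1md, saltlen);
-}
-
-RSA_PSS_PARAMS *
-rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md, int saltlen)
-{
-	RSA_PSS_PARAMS *pss = NULL;
-
-	if (mgf1md == NULL)
-		mgf1md = sigmd;
-
-	if ((pss = RSA_PSS_PARAMS_new()) == NULL)
-		goto err;
-
-	if (!rsa_md_to_algor(sigmd, &pss->hashAlgorithm))
-		goto err;
-	if (!rsa_mgf1md_to_maskGenAlgorithm(mgf1md, &pss->maskGenAlgorithm))
-		goto err;
-
-	/* Translate mgf1md to X509_ALGOR in decoded form for internal use. */
-	if (!rsa_md_to_algor(mgf1md, &pss->maskHash))
-		goto err;
-
-	/* RFC 8017, A.2.3 - default saltLength is SHA_DIGEST_LENGTH. */
-	if (saltlen != SHA_DIGEST_LENGTH) {
-		if ((pss->saltLength = ASN1_INTEGER_new()) == NULL)
-			goto err;
-		if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
-			goto err;
-	}
-
-	return pss;
-
- err:
-	RSA_PSS_PARAMS_free(pss);
-
-	return NULL;
-}
-
-/*
- * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL
- * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are
- * passed to pkey_ctx instead.
- */
-
-static int
-rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkey_ctx,
-    X509_ALGOR *sigalg, EVP_PKEY *pkey)
-{
-	int rv = -1;
-	int saltlen;
-	const EVP_MD *mgf1md = NULL, *md = NULL;
-	RSA_PSS_PARAMS *pss;
-
-	/* Sanity check: make sure it is PSS */
-	if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
-		RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
-		return -1;
-	}
-	/* Decode PSS parameters */
-	pss = rsa_pss_decode(sigalg);
-
-	if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) {
-		RSAerror(RSA_R_INVALID_PSS_PARAMETERS);
-		goto err;
-	}
-
-	/* We have all parameters now set up context */
-	if (pkey) {
-		if (!EVP_DigestVerifyInit(ctx, &pkey_ctx, md, NULL, pkey))
-			goto err;
-	} else {
-		const EVP_MD *checkmd;
-		if (EVP_PKEY_CTX_get_signature_md(pkey_ctx, &checkmd) <= 0)
-			goto err;
-		if (EVP_MD_type(md) != EVP_MD_type(checkmd)) {
-			RSAerror(RSA_R_DIGEST_DOES_NOT_MATCH);
-			goto err;
-		}
-	}
-
-	if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) <= 0)
-		goto err;
-
-	if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, saltlen) <= 0)
-		goto err;
-
-	if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf1md) <= 0)
-		goto err;
-	/* Carry on */
-	rv = 1;
-
- err:
-	RSA_PSS_PARAMS_free(pss);
-	return rv;
-}
-
-int
-rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
-    const EVP_MD **pmgf1md, int *psaltlen)
-{
-	if (pss == NULL)
-		return 0;
-	*pmd = rsa_algor_to_md(pss->hashAlgorithm);
-	if (*pmd == NULL)
-		return 0;
-	*pmgf1md = rsa_algor_to_md(pss->maskHash);
-	if (*pmgf1md == NULL)
-		return 0;
-	if (pss->saltLength) {
-		*psaltlen = ASN1_INTEGER_get(pss->saltLength);
-		if (*psaltlen < 0) {
-			RSAerror(RSA_R_INVALID_SALT_LENGTH);
-			return 0;
-		}
-	} else {
-		*psaltlen = 20;
-	}
-
-	/*
-	 * low-level routines support only trailer field 0xbc (value 1) and
-	 * PKCS#1 says we should reject any other value anyway.
-	 */
-	if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
-		RSAerror(RSA_R_INVALID_TRAILER);
-		return 0;
-	}
-
-	return 1;
-}
-
-static int
-rsa_pss_signature_info(const X509_ALGOR *alg, int *out_md_nid,
-    int *out_pkey_nid, int *out_security_bits, uint32_t *out_flags)
-{
-	RSA_PSS_PARAMS *pss = NULL;
-	const ASN1_OBJECT *aobj;
-	const EVP_MD *md, *mgf1md;
-	int md_len, salt_len;
-	int md_nid = NID_undef, pkey_nid = NID_undef;
-	int security_bits = -1;
-	uint32_t flags = 0;
-
-	X509_ALGOR_get0(&aobj, NULL, NULL, alg);
-	if (OBJ_obj2nid(aobj) != EVP_PKEY_RSA_PSS)
-		goto err;
-
-	if ((pss = rsa_pss_decode(alg)) == NULL)
-		goto err;
-	if (!rsa_pss_get_param(pss, &md, &mgf1md, &salt_len))
-		goto err;
-
-	if ((md_nid = EVP_MD_type(md)) == NID_undef)
-		goto err;
-	if ((md_len = EVP_MD_size(md)) <= 0)
-		goto err;
-
-	/*
-	 * RFC 8446, section 4.2.3 - restricts the digest algorithm:
-	 * - it must be one of SHA256, SHA384, and SHA512;
-	 * - the same digest must be used in the mask generation function;
-	 * - the salt length must match the output length of the digest.
-	 * XXX - consider separate flags for these checks.
-	 */
-	if (md_nid == NID_sha256 || md_nid == NID_sha384 || md_nid == NID_sha512) {
-		if (md_nid == EVP_MD_type(mgf1md) && salt_len == md_len)
-			flags |= X509_SIG_INFO_TLS;
-	}
-
-	security_bits = md_len * 4;
-	flags |= X509_SIG_INFO_VALID;
-
-	*out_md_nid = md_nid;
-	*out_pkey_nid = pkey_nid;
-	*out_security_bits = security_bits;
-	*out_flags = flags;
-
- err:
-	RSA_PSS_PARAMS_free(pss);
-
-	return (flags & X509_SIG_INFO_VALID) != 0;
-}
-
-#ifndef OPENSSL_NO_CMS
-static int
-rsa_cms_verify(CMS_SignerInfo *si)
-{
-	int nid, nid2;
-	X509_ALGOR *alg;
-	EVP_PKEY_CTX *pkey_ctx = CMS_SignerInfo_get0_pkey_ctx(si);
-
-	CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
-	nid = OBJ_obj2nid(alg->algorithm);
-	if (nid == EVP_PKEY_RSA_PSS)
-		return rsa_pss_to_ctx(NULL, pkey_ctx, alg, NULL);
-	/* Only PSS allowed for PSS keys */
-	if (pkey_ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
-		RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
-		return 0;
-	}
-	if (nid == NID_rsaEncryption)
-		return 1;
-	/* Workaround for some implementation that use a signature OID */
-	if (OBJ_find_sigid_algs(nid, NULL, &nid2)) {
-		if (nid2 == NID_rsaEncryption)
-			return 1;
-	}
-	return 0;
-}
-#endif
-
-/*
- * Customised RSA item verification routine. This is called when a signature
- * is encountered requiring special handling. We currently only handle PSS.
- */
-static int
-rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
-    X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey)
-{
-	/* Sanity check: make sure it is PSS */
-	if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
-		RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
-		return -1;
-	}
-	if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) {
-		/* Carry on */
-		return 2;
-	}
-	return -1;
-}
-
-static int
-rsa_alg_set_pkcs1_padding(X509_ALGOR *alg)
-{
-	return X509_ALGOR_set0_by_nid(alg, NID_rsaEncryption, V_ASN1_NULL, NULL);
-}
-
-static int
-rsa_alg_set_pss_padding(X509_ALGOR *alg, EVP_PKEY_CTX *pkey_ctx)
-{
-	RSA_PSS_PARAMS *pss = NULL;
-	ASN1_STRING *astr = NULL;
-	int ret = 0;
-
-	if (pkey_ctx == NULL)
-		goto err;
-
-	if ((pss = rsa_ctx_to_pss(pkey_ctx)) == NULL)
-		goto err;
-	if ((astr = ASN1_item_pack(pss, &RSA_PSS_PARAMS_it, NULL)) == NULL)
-		goto err;
-	if (!X509_ALGOR_set0_by_nid(alg, EVP_PKEY_RSA_PSS, V_ASN1_SEQUENCE, astr))
-		goto err;
-	astr = NULL;
-
-	ret = 1;
-
- err:
-	ASN1_STRING_free(astr);
-	RSA_PSS_PARAMS_free(pss);
-
-	return ret;
-}
-
-#ifndef OPENSSL_NO_CMS
-static int
-rsa_alg_set_oaep_padding(X509_ALGOR *alg, EVP_PKEY_CTX *pkey_ctx)
-{
-	const EVP_MD *md, *mgf1md;
-	RSA_OAEP_PARAMS *oaep = NULL;
-	ASN1_STRING *astr = NULL;
-	ASN1_OCTET_STRING *ostr = NULL;
-	unsigned char *label;
-	int labellen;
-	int ret = 0;
-
-	if (EVP_PKEY_CTX_get_rsa_oaep_md(pkey_ctx, &md) <= 0)
-		goto err;
-	if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkey_ctx, &mgf1md) <= 0)
-		goto err;
-	labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkey_ctx, &label);
-	if (labellen < 0)
-		goto err;
-
-	if ((oaep = RSA_OAEP_PARAMS_new()) == NULL)
-		goto err;
-
-	if (!rsa_md_to_algor(md, &oaep->hashFunc))
-		goto err;
-	if (!rsa_mgf1md_to_maskGenAlgorithm(mgf1md, &oaep->maskGenFunc))
-		goto err;
-
-	/* XXX - why do we not set oaep->maskHash here? */
-
-	if (labellen > 0) {
-		if ((oaep->pSourceFunc = X509_ALGOR_new()) == NULL)
-			goto err;
-		if ((ostr = ASN1_OCTET_STRING_new()) == NULL)
-			goto err;
-		if (!ASN1_OCTET_STRING_set(ostr, label, labellen))
-			goto err;
-		if (!X509_ALGOR_set0_by_nid(oaep->pSourceFunc, NID_pSpecified,
-		    V_ASN1_OCTET_STRING, ostr))
-			goto err;
-		ostr = NULL;
-	}
-
-	if ((astr = ASN1_item_pack(oaep, &RSA_OAEP_PARAMS_it, NULL)) == NULL)
-		goto err;
-	if (!X509_ALGOR_set0_by_nid(alg, NID_rsaesOaep, V_ASN1_SEQUENCE, astr))
-		goto err;
-	astr = NULL;
-
-	ret = 1;
-
- err:
-	RSA_OAEP_PARAMS_free(oaep);
-	ASN1_STRING_free(astr);
-	ASN1_OCTET_STRING_free(ostr);
-
-	return ret;
-}
-
-static int
-rsa_cms_sign(CMS_SignerInfo *si)
-{
-	EVP_PKEY_CTX *pkey_ctx;
-	X509_ALGOR *alg;
-	int pad_mode = RSA_PKCS1_PADDING;
-
-	if ((pkey_ctx = CMS_SignerInfo_get0_pkey_ctx(si)) != NULL) {
-		if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0)
-			return 0;
-	}
-
-	CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
-	if (pad_mode == RSA_PKCS1_PADDING)
-		return rsa_alg_set_pkcs1_padding(alg);
-	if (pad_mode == RSA_PKCS1_PSS_PADDING)
-		return rsa_alg_set_pss_padding(alg, pkey_ctx);
-
-	return 0;
-}
-#endif
-
-static int
-rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
-    X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig)
-{
-	EVP_PKEY_CTX *pkey_ctx = ctx->pctx;
-	int pad_mode;
-
-	if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0)
-		return 0;
-	if (pad_mode == RSA_PKCS1_PADDING)
-		return 2;
-	if (pad_mode == RSA_PKCS1_PSS_PADDING) {
-		if (!rsa_alg_set_pss_padding(alg1, pkey_ctx))
-			return 0;
-		if (alg2 != NULL) {
-			if (!rsa_alg_set_pss_padding(alg2, pkey_ctx))
-				return 0;
-		}
-		return 3;
-	}
-	return 2;
-}
-
-#ifndef OPENSSL_NO_CMS
-static RSA_OAEP_PARAMS *
-rsa_oaep_decode(const X509_ALGOR *alg)
-{
-	RSA_OAEP_PARAMS *oaep;
-
-	oaep = ASN1_TYPE_unpack_sequence(&RSA_OAEP_PARAMS_it, alg->parameter);
-	if (oaep == NULL)
-		return NULL;
-
-	if (oaep->maskGenFunc != NULL) {
-		oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc);
-		if (oaep->maskHash == NULL) {
-			RSA_OAEP_PARAMS_free(oaep);
-			return NULL;
-		}
-	}
-	return oaep;
-}
-
-static int
-rsa_cms_decrypt(CMS_RecipientInfo *ri)
-{
-	EVP_PKEY_CTX *pkctx;
-	X509_ALGOR *cmsalg;
-	int nid;
-	int rv = -1;
-	unsigned char *label = NULL;
-	int labellen = 0;
-	const EVP_MD *mgf1md = NULL, *md = NULL;
-	RSA_OAEP_PARAMS *oaep;
-
-	pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
-	if (pkctx == NULL)
-		return 0;
-	if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg))
-		return -1;
-	nid = OBJ_obj2nid(cmsalg->algorithm);
-	if (nid == NID_rsaEncryption)
-		return 1;
-	if (nid != NID_rsaesOaep) {
-		RSAerror(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE);
-		return -1;
-	}
-	/* Decode OAEP parameters */
-	oaep = rsa_oaep_decode(cmsalg);
-
-	if (oaep == NULL) {
-		RSAerror(RSA_R_INVALID_OAEP_PARAMETERS);
-		goto err;
-	}
-
-	mgf1md = rsa_algor_to_md(oaep->maskHash);
-	if (mgf1md == NULL)
-		goto err;
-	md = rsa_algor_to_md(oaep->hashFunc);
-	if (md == NULL)
-		goto err;
-
-	if (oaep->pSourceFunc != NULL) {
-		X509_ALGOR *plab = oaep->pSourceFunc;
-
-		if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
-			RSAerror(RSA_R_UNSUPPORTED_LABEL_SOURCE);
-			goto err;
-		}
-		if (plab->parameter->type != V_ASN1_OCTET_STRING) {
-			RSAerror(RSA_R_INVALID_LABEL);
-			goto err;
-		}
-
-		label = plab->parameter->value.octet_string->data;
-
-		/* Stop label being freed when OAEP parameters are freed */
-		/* XXX - this leaks label on error... */
-		plab->parameter->value.octet_string->data = NULL;
-		labellen = plab->parameter->value.octet_string->length;
-	}
-
-	if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
-		goto err;
-	if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0)
-		goto err;
-	if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
-		goto err;
-	if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
-		goto err;
-
-	rv = 1;
-
- err:
-	RSA_OAEP_PARAMS_free(oaep);
-	return rv;
-}
-
-static int
-rsa_cms_encrypt(CMS_RecipientInfo *ri)
-{
-	X509_ALGOR *alg;
-	EVP_PKEY_CTX *pkey_ctx;
-	int pad_mode = RSA_PKCS1_PADDING;
-
-	if ((pkey_ctx = CMS_RecipientInfo_get0_pkey_ctx(ri)) != NULL) {
-		if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0)
-			return 0;
-	}
-
-	if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg))
-		return 0;
-	if (pad_mode == RSA_PKCS1_PADDING)
-		return rsa_alg_set_pkcs1_padding(alg);
-	if (pad_mode == RSA_PKCS1_OAEP_PADDING)
-		return rsa_alg_set_oaep_padding(alg, pkey_ctx);
-
-	return 0;
-}
-#endif
-
-const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = {
-	.base_method = &rsa_asn1_meth,
-	.pkey_id = EVP_PKEY_RSA,
-	.pkey_flags = ASN1_PKEY_SIGPARAM_NULL,
-
-	.pem_str = "RSA",
-	.info = "OpenSSL RSA method",
-
-	.pub_decode = rsa_pub_decode,
-	.pub_encode = rsa_pub_encode,
-	.pub_cmp = rsa_pub_cmp,
-	.pub_print = rsa_pub_print,
-
-	.priv_decode = rsa_priv_decode,
-	.priv_encode = rsa_priv_encode,
-	.priv_print = rsa_priv_print,
-
-	.pkey_size = rsa_size,
-	.pkey_bits = rsa_bits,
-	.pkey_security_bits = rsa_security_bits,
-
-	.sig_print = rsa_sig_print,
-
-	.pkey_free = rsa_free,
-	.pkey_ctrl = rsa_pkey_ctrl,
-	.old_priv_decode = old_rsa_priv_decode,
-	.old_priv_encode = old_rsa_priv_encode,
-	.item_verify = rsa_item_verify,
-	.item_sign = rsa_item_sign,
-};
-
-const EVP_PKEY_ASN1_METHOD rsa2_asn1_meth = {
-	.base_method = &rsa_asn1_meth,
-	.pkey_id = EVP_PKEY_RSA2,
-	.pkey_flags = ASN1_PKEY_ALIAS,
-};
-
-const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
-	.base_method = &rsa_pss_asn1_meth,
-	.pkey_id = EVP_PKEY_RSA_PSS,
-	.pkey_flags = ASN1_PKEY_SIGPARAM_NULL,
-
-	.pem_str = "RSA-PSS",
-	.info = "OpenSSL RSA-PSS method",
-
-	.pub_decode = rsa_pub_decode,
-	.pub_encode = rsa_pub_encode,
-	.pub_cmp = rsa_pub_cmp,
-	.pub_print = rsa_pub_print,
-
-	.priv_decode = rsa_priv_decode,
-	.priv_encode = rsa_priv_encode,
-	.priv_print = rsa_priv_print,
-
-	.pkey_size = rsa_size,
-	.pkey_bits = rsa_bits,
-	.pkey_security_bits = rsa_security_bits,
-
-	.signature_info = rsa_pss_signature_info,
-
-	.sig_print = rsa_sig_print,
-
-	.pkey_free = rsa_free,
-	.pkey_ctrl = rsa_pkey_ctrl,
-	.item_verify = rsa_item_verify,
-	.item_sign = rsa_item_sign
-};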
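--- a/src/lib/libcrypto/rsa/rsa_asn1.c
+++ /dev/null
@@ -1,426 +0,0 @@
-/* $OpenBSD: rsa_asn1.c,v 1.18 2024/07/08 17:10:18 beck Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-
-#include "rsa_local.h"
-
-/* Override the default free and new methods */
-static int
-rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
-{
- if (operation == ASN1_OP_NEW_PRE) {
- *pval = (ASN1_VALUE *)RSA_new();
- if (*pval)
- return 2;
- return 0;
- } else if (operation == ASN1_OP_FREE_PRE) {
- RSA_free((RSA *)*pval);
- *pval = NULL;
- return 2;
- }
- return 1;
-}
-
-static const ASN1_AUX RSAPrivateKey_aux = {
- .app_data = NULL,
- .flags = 0,
- .ref_offset = 0,
- .ref_lock = 0,
- .asn1_cb = rsa_cb,
- .enc_offset = 0,
-};
-static const ASN1_TEMPLATE RSAPrivateKey_seq_tt[] = {
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, version),
- .field_name = "version",
- .item = &LONG_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, n),
- .field_name = "n",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, e),
- .field_name = "e",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, d),
- .field_name = "d",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, p),
- .field_name = "p",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, q),
- .field_name = "q",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, dmp1),
- .field_name = "dmp1",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, dmq1),
- .field_name = "dmq1",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, iqmp),
- .field_name = "iqmp",
- .item = &BIGNUM_it,
- },
-};
-
-const ASN1_ITEM RSAPrivateKey_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = RSAPrivateKey_seq_tt,
- .tcount = sizeof(RSAPrivateKey_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = &RSAPrivateKey_aux,
- .size = sizeof(RSA),
- .sname = "RSA",
-};
-LCRYPTO_ALIAS(RSAPrivateKey_it);
-
-
-static const ASN1_AUX RSAPublicKey_aux = {
- .app_data = NULL,
- .flags = 0,
- .ref_offset = 0,
- .ref_lock = 0,
- .asn1_cb = rsa_cb,
- .enc_offset = 0,
-};
-static const ASN1_TEMPLATE RSAPublicKey_seq_tt[] = {
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, n),
- .field_name = "n",
- .item = &BIGNUM_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(RSA, e),
- .field_name = "e",
- .item = &BIGNUM_it,
- },
-};
-
-const ASN1_ITEM RSAPublicKey_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = RSAPublicKey_seq_tt,
- .tcount = sizeof(RSAPublicKey_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = &RSAPublicKey_aux,
- .size = sizeof(RSA),
- .sname = "RSA",
-};
-LCRYPTO_ALIAS(RSAPublicKey_it);
-
-static int
-rsa_pss_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
-{
- /* Free up maskHash */
- if (operation == ASN1_OP_FREE_PRE) {
- RSA_PSS_PARAMS *pss = (RSA_PSS_PARAMS *)*pval;
- X509_ALGOR_free(pss->maskHash);
- }
- return 1;
-}
-
-static const ASN1_AUX RSA_PSS_PARAMS_aux = {
- .app_data = NULL,
- .flags = 0,
- .ref_offset = 0,
- .ref_lock = 0,
- .asn1_cb = rsa_pss_cb,
- .enc_offset = 0,
-};
-
-static const ASN1_TEMPLATE RSA_PSS_PARAMS_seq_tt[] = {
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 0,
- .offset = offsetof(RSA_PSS_PARAMS, hashAlgorithm),
- .field_name = "hashAlgorithm",
- .item = &X509_ALGOR_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 1,
- .offset = offsetof(RSA_PSS_PARAMS, maskGenAlgorithm),
- .field_name = "maskGenAlgorithm",
- .item = &X509_ALGOR_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 2,
- .offset = offsetof(RSA_PSS_PARAMS, saltLength),
- .field_name = "saltLength",
- .item = &ASN1_INTEGER_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 3,
- .offset = offsetof(RSA_PSS_PARAMS, trailerField),
- .field_name = "trailerField",
- .item = &ASN1_INTEGER_it,
- },
-};
-
-const ASN1_ITEM RSA_PSS_PARAMS_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = RSA_PSS_PARAMS_seq_tt,
- .tcount = sizeof(RSA_PSS_PARAMS_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = &RSA_PSS_PARAMS_aux,
- .size = sizeof(RSA_PSS_PARAMS),
- .sname = "RSA_PSS_PARAMS",
-};
-LCRYPTO_ALIAS(RSA_PSS_PARAMS_it);
-
-RSA_PSS_PARAMS *
-d2i_RSA_PSS_PARAMS(RSA_PSS_PARAMS **a, const unsigned char **in, long len)
-{
- return (RSA_PSS_PARAMS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &RSA_PSS_PARAMS_it);
-}
-LCRYPTO_ALIAS(d2i_RSA_PSS_PARAMS);
-
-int
-i2d_RSA_PSS_PARAMS(RSA_PSS_PARAMS *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &RSA_PSS_PARAMS_it);
-}
-LCRYPTO_ALIAS(i2d_RSA_PSS_PARAMS);
-
-RSA_PSS_PARAMS *
-RSA_PSS_PARAMS_new(void)
-{
- return (RSA_PSS_PARAMS *)ASN1_item_new(&RSA_PSS_PARAMS_it);
-}
-LCRYPTO_ALIAS(RSA_PSS_PARAMS_new);
-
-void
-RSA_PSS_PARAMS_free(RSA_PSS_PARAMS *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &RSA_PSS_PARAMS_it);
-}
-LCRYPTO_ALIAS(RSA_PSS_PARAMS_free);
-
-static int
-rsa_oaep_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
-{
- /* Free up maskHash */
- if (operation == ASN1_OP_FREE_PRE) {
- RSA_OAEP_PARAMS *oaep = (RSA_OAEP_PARAMS *)*pval;
- X509_ALGOR_free(oaep->maskHash);
- }
- return 1;
-}
-
-static const ASN1_AUX RSA_OAEP_PARAMS_aux = {
- .app_data = NULL,
- .flags = 0,
- .ref_offset = 0,
- .ref_lock = 0,
- .asn1_cb = rsa_oaep_cb,
- .enc_offset = 0,
-};
-
-static const ASN1_TEMPLATE RSA_OAEP_PARAMS_seq_tt[] = {
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 0,
- .offset = offsetof(RSA_OAEP_PARAMS, hashFunc),
- .field_name = "hashFunc",
- .item = &X509_ALGOR_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 1,
- .offset = offsetof(RSA_OAEP_PARAMS, maskGenFunc),
- .field_name = "maskGenFunc",
- .item = &X509_ALGOR_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 2,
- .offset = offsetof(RSA_OAEP_PARAMS, pSourceFunc),
- .field_name = "pSourceFunc",
- .item = &X509_ALGOR_it,
- },
-};
-
-const ASN1_ITEM RSA_OAEP_PARAMS_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = RSA_OAEP_PARAMS_seq_tt,
- .tcount = sizeof(RSA_OAEP_PARAMS_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = &RSA_OAEP_PARAMS_aux,
- .size = sizeof(RSA_OAEP_PARAMS),
- .sname = "RSA_OAEP_PARAMS",
-};
-LCRYPTO_ALIAS(RSA_OAEP_PARAMS_it);
-
-
-RSA_OAEP_PARAMS *
-d2i_RSA_OAEP_PARAMS(RSA_OAEP_PARAMS **a, const unsigned char **in, long len)
-{
- return (RSA_OAEP_PARAMS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &RSA_OAEP_PARAMS_it);
-}
-LCRYPTO_ALIAS(d2i_RSA_OAEP_PARAMS);
-
-int
-i2d_RSA_OAEP_PARAMS(RSA_OAEP_PARAMS *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &RSA_OAEP_PARAMS_it);
-}
-LCRYPTO_ALIAS(i2d_RSA_OAEP_PARAMS);
-
-RSA_OAEP_PARAMS *
-RSA_OAEP_PARAMS_new(void)
-{
- return (RSA_OAEP_PARAMS *)ASN1_item_new(&RSA_OAEP_PARAMS_it);
-}
-LCRYPTO_ALIAS(RSA_OAEP_PARAMS_new);
-
-void
-RSA_OAEP_PARAMS_free(RSA_OAEP_PARAMS *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &RSA_OAEP_PARAMS_it);
-}
-LCRYPTO_ALIAS(RSA_OAEP_PARAMS_free);
-
-RSA *
-d2i_RSAPrivateKey(RSA **a, const unsigned char **in, long len)
-{
- return (RSA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &RSAPrivateKey_it);
-}
-LCRYPTO_ALIAS(d2i_RSAPrivateKey);
-
-int
-i2d_RSAPrivateKey(const RSA *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &RSAPrivateKey_it);
-}
-LCRYPTO_ALIAS(i2d_RSAPrivateKey);
-
-
-RSA *
-d2i_RSAPublicKey(RSA **a, const unsigned char **in, long len)
-{
- return (RSA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &RSAPublicKey_it);
-}
-LCRYPTO_ALIAS(d2i_RSAPublicKey);
-
-int
-i2d_RSAPublicKey(const RSA *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &RSAPublicKey_it);
-}
-LCRYPTO_ALIAS(i2d_RSAPublicKey);
-
-RSA *
-RSAPublicKey_dup(RSA *rsa)
-{
- return ASN1_item_dup(&RSAPublicKey_it, rsa);
-}
-LCRYPTO_ALIAS(RSAPublicKey_dup);
-
-RSA *
-RSAPrivateKey_dup(RSA *rsa)
-{
- return ASN1_item_dup(&RSAPrivateKey_it, rsa);
-}
-LCRYPTO_ALIAS(RSAPrivateKey_dup);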
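--- a/src/lib/libcrypto/rsa/rsa_blinding.c
+++ /dev/null
@@ -1,361 +0,0 @@
-/* $OpenBSD: rsa_blinding.c,v 1.3 2023/08/09 12:09:06 tb Exp $ */
-/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <pthread.h>
-#include <stdio.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-#include "bn_local.h"
-#include "rsa_local.h"
-
-#define BN_BLINDING_COUNTER 32
-
-struct bn_blinding_st {
- BIGNUM *A;
- BIGNUM *Ai;
- BIGNUM *e;
- BIGNUM *mod;
- pthread_t tid;
- int counter;
- BN_MONT_CTX *m_ctx;
- int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-};
-
-BN_BLINDING *
-BN_BLINDING_new(const BIGNUM *e, const BIGNUM *mod, BN_CTX *ctx,
- int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), BN_MONT_CTX *m_ctx)
-{
- BN_BLINDING *ret = NULL;
-
- if ((ret = calloc(1, sizeof(BN_BLINDING))) == NULL) {
- BNerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if ((ret->A = BN_new()) == NULL)
- goto err;
- if ((ret->Ai = BN_new()) == NULL)
- goto err;
- if ((ret->e = BN_dup(e)) == NULL)
- goto err;
- if ((ret->mod = BN_dup(mod)) == NULL)
- goto err;
- if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
- BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
-
- /* Update on first use. */
- ret->counter = BN_BLINDING_COUNTER - 1;
- ret->tid = pthread_self();
-
- if (bn_mod_exp != NULL)
- ret->bn_mod_exp = bn_mod_exp;
- if (m_ctx != NULL)
- ret->m_ctx = m_ctx;
-
- return ret;
-
- err:
- BN_BLINDING_free(ret);
-
- return NULL;
-}
-
-void
-BN_BLINDING_free(BN_BLINDING *r)
-{
- if (r == NULL)
- return;
-
- BN_free(r->A);
- BN_free(r->Ai);
- BN_free(r->e);
- BN_free(r->mod);
- free(r);
-}
-
-static int
-BN_BLINDING_setup(BN_BLINDING *b, BN_CTX *ctx)
-{
- if (!bn_rand_interval(b->A, 1, b->mod))
- return 0;
- if (BN_mod_inverse_ct(b->Ai, b->A, b->mod, ctx) == NULL)
- return 0;
-
- if (b->bn_mod_exp != NULL && b->m_ctx != NULL) {
- if (!b->bn_mod_exp(b->A, b->A, b->e, b->mod, ctx, b->m_ctx))
- return 0;
- } else {
- if (!BN_mod_exp_ct(b->A, b->A, b->e, b->mod, ctx))
- return 0;
- }
-
- return 1;
-}
-
-static int
-BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
-{
- int ret = 0;
-
- if (++b->counter >= BN_BLINDING_COUNTER) {
- if (!BN_BLINDING_setup(b, ctx))
- goto err;
- b->counter = 0;
- } else {
- if (!BN_mod_sqr(b->A, b->A, b->mod, ctx))
- goto err;
- if (!BN_mod_sqr(b->Ai, b->Ai, b->mod, ctx))
- goto err;
- }
-
- ret = 1;
-
- err:
- return ret;
-}
-
-int
-BN_BLINDING_convert(BIGNUM *n, BIGNUM *inv, BN_BLINDING *b, BN_CTX *ctx)
-{
- int ret = 0;
-
- if (!BN_BLINDING_update(b, ctx))
- goto err;
-
- if (inv != NULL) {
- if (!bn_copy(inv, b->Ai))
- goto err;
- }
-
- ret = BN_mod_mul(n, n, b->A, b->mod, ctx);
-
- err:
- return ret;
-}
-
-int
-BN_BLINDING_invert(BIGNUM *n, const BIGNUM *inv, BN_BLINDING *b, BN_CTX *ctx)
-{
- if (inv == NULL)
- inv = b->Ai;
-
- return BN_mod_mul(n, n, inv, b->mod, ctx);
-}
-
-int
-BN_BLINDING_is_local(BN_BLINDING *b)
-{
- return pthread_equal(pthread_self(), b->tid) != 0;
-}
-
-static BIGNUM *
-rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p, const BIGNUM *q,
- BN_CTX *ctx)
-{
- BIGNUM *ret = NULL, *r0, *r1, *r2;
-
- if (d == NULL || p == NULL || q == NULL)
- return NULL;
-
- BN_CTX_start(ctx);
- if ((r0 = BN_CTX_get(ctx)) == NULL)
- goto err;
- if ((r1 = BN_CTX_get(ctx)) == NULL)
- goto err;
- if ((r2 = BN_CTX_get(ctx)) == NULL)
- goto err;
-
- if (!BN_sub(r1, p, BN_value_one()))
- goto err;
- if (!BN_sub(r2, q, BN_value_one()))
- goto err;
- if (!BN_mul(r0, r1, r2, ctx))
- goto err;
-
- ret = BN_mod_inverse_ct(NULL, d, r0, ctx);
-err:
- BN_CTX_end(ctx);
- return ret;
-}
-
-BN_BLINDING *
-RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
-{
- BIGNUM *e = NULL;
- BIGNUM n;
- BN_CTX *ctx = NULL;
- BN_BLINDING *ret = NULL;
-
- if ((ctx = in_ctx) == NULL)
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
-
- BN_CTX_start(ctx);
-
- if ((e = rsa->e) == NULL)
- e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
- if (e == NULL) {
- RSAerror(RSA_R_NO_PUBLIC_EXPONENT);
- goto err;
- }
-
- BN_init(&n);
- BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME);
-
- if ((ret = BN_BLINDING_new(e, &n, ctx, rsa->meth->bn_mod_exp,
- rsa->_method_mod_n)) == NULL) {
- RSAerror(ERR_R_BN_LIB);
- goto err;
- }
-
- err:
- BN_CTX_end(ctx);
- if (ctx != in_ctx)
- BN_CTX_free(ctx);
- if (e != rsa->e)
- BN_free(e);
-
- return ret;
-}
-
-void
-RSA_blinding_off(RSA *rsa)
-{
- BN_BLINDING_free(rsa->blinding);
- rsa->blinding = NULL;
- rsa->flags |= RSA_FLAG_NO_BLINDING;
-}
-LCRYPTO_ALIAS(RSA_blinding_off);
-
-int
-RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
-{
- int ret = 0;
-
- if (rsa->blinding != NULL)
- RSA_blinding_off(rsa);
-
- rsa->blinding = RSA_setup_blinding(rsa, ctx);
- if (rsa->blinding == NULL)
- goto err;
-
- rsa->flags &= ~RSA_FLAG_NO_BLINDING;
- ret = 1;
-err:
- return (ret);
-}
-LCRYPTO_ALIAS(RSA_blinding_on);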
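--- a/src/lib/libcrypto/rsa/rsa_chk.c
+++ /dev/null
@@ -1,223 +0,0 @@
-/* $OpenBSD: rsa_chk.c,v 1.18 2023/07/08 12:26:45 beck Exp $ */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- */
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-#include "bn_local.h"
-#include "rsa_local.h"
-
-int
-RSA_check_key(const RSA *key)
-{
- BIGNUM *i, *j, *k, *l, *m;
- BN_CTX *ctx;
- int r;
- int ret = 1;
-
- if (!key->p || !key->q || !key->n || !key->e || !key->d) {
- RSAerror(RSA_R_VALUE_MISSING);
- return 0;
- }
-
- i = BN_new();
- j = BN_new();
- k = BN_new();
- l = BN_new();
- m = BN_new();
- ctx = BN_CTX_new();
- if (i == NULL || j == NULL || k == NULL || l == NULL || m == NULL ||
- ctx == NULL) {
- ret = -1;
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- if (BN_is_one(key->e)) {
- ret = 0;
- RSAerror(RSA_R_BAD_E_VALUE);
- }
- if (!BN_is_odd(key->e)) {
- ret = 0;
- RSAerror(RSA_R_BAD_E_VALUE);
- }
-
- /* p prime? */
- r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
- if (r != 1) {
- ret = r;
- if (r != 0)
- goto err;
- RSAerror(RSA_R_P_NOT_PRIME);
- }
-
- /* q prime? */
- r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
- if (r != 1) {
- ret = r;
- if (r != 0)
- goto err;
- RSAerror(RSA_R_Q_NOT_PRIME);
- }
-
- /* n = p*q? */
- r = BN_mul(i, key->p, key->q, ctx);
- if (!r) {
- ret = -1;
- goto err;
- }
-
- if (BN_cmp(i, key->n) != 0) {
- ret = 0;
- RSAerror(RSA_R_N_DOES_NOT_EQUAL_P_Q);
- }
-
- /* d*e = 1 mod lcm(p-1,q-1)? */
-
- r = BN_sub(i, key->p, BN_value_one());
- if (!r) {
- ret = -1;
- goto err;
- }
- r = BN_sub(j, key->q, BN_value_one());
- if (!r) {
- ret = -1;
- goto err;
- }
-
- /* now compute k = lcm(i,j) */
- r = BN_mul(l, i, j, ctx);
- if (!r) {
- ret = -1;
- goto err;
- }
- r = BN_gcd_ct(m, i, j, ctx);
- if (!r) {
- ret = -1;
- goto err;
- }
- r = BN_div_ct(k, NULL, l, m, ctx); /* remainder is 0 */
- if (!r) {
- ret = -1;
- goto err;
- }
-
- r = BN_mod_mul(i, key->d, key->e, k, ctx);
- if (!r) {
- ret = -1;
- goto err;
- }
-
- if (!BN_is_one(i)) {
- ret = 0;
- RSAerror(RSA_R_D_E_NOT_CONGRUENT_TO_1);
- }
-
- if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
- /* dmp1 = d mod (p-1)? */
- r = BN_sub(i, key->p, BN_value_one());
- if (!r) {
- ret = -1;
- goto err;
- }
-
- r = BN_mod_ct(j, key->d, i, ctx);
- if (!r) {
- ret = -1;
- goto err;
- }
-
- if (BN_cmp(j, key->dmp1) != 0) {
- ret = 0;
- RSAerror(RSA_R_DMP1_NOT_CONGRUENT_TO_D);
- }
-
- /* dmq1 = d mod (q-1)? */
- r = BN_sub(i, key->q, BN_value_one());
- if (!r) {
- ret = -1;
- goto err;
- }
-
- r = BN_mod_ct(j, key->d, i, ctx);
- if (!r) {
- ret = -1;
- goto err;
- }
-
- if (BN_cmp(j, key->dmq1) != 0) {
- ret = 0;
- RSAerror(RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
- }
-
- /* iqmp = q^-1 mod p? */
- if (BN_mod_inverse_ct(i, key->q, key->p, ctx) == NULL) {
- ret = -1;
- goto err;
- }
-
- if (BN_cmp(i, key->iqmp) != 0) {
- ret = 0;
- RSAerror(RSA_R_IQMP_NOT_INVERSE_OF_Q);
- }
- }
-
-err:
- BN_free(i);
- BN_free(j);
- BN_free(k);
- BN_free(l);
- BN_free(m);
- BN_CTX_free(ctx);
-
- return (ret);
-}
-LCRYPTO_ALIAS(RSA_check_key);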
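diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
deleted file mode 100644
index c2e1e22f9a..0000000000
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ /dev/null
@@ -1,902 +0,0 @@
-/* $OpenBSD: rsa_eay.c,v 1.65 2023/08/09 12:09:06 tb Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-#include "bn_local.h"
-#include "rsa_local.h"
-
-static int
-rsa_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
-{
- BIGNUM *f, *ret;
- int i, j, k, num = 0, r = -1;
- unsigned char *buf = NULL;
- BN_CTX *ctx = NULL;
-
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
- RSAerror(RSA_R_MODULUS_TOO_LARGE);
- return -1;
- }
-
- if (BN_ucmp(rsa->n, rsa->e) <= 0) {
- RSAerror(RSA_R_BAD_E_VALUE);
- return -1;
- }
-
- /* for large moduli, enforce exponent limit */
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
- if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
- RSAerror(RSA_R_BAD_E_VALUE);
- return -1;
- }
- }
-
- if ((ctx = BN_CTX_new()) == NULL)
- goto err;
-
- BN_CTX_start(ctx);
- f = BN_CTX_get(ctx);
- ret = BN_CTX_get(ctx);
- num = BN_num_bytes(rsa->n);
- buf = malloc(num);
-
- if (f == NULL || ret == NULL || buf == NULL) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- switch (padding) {
- case RSA_PKCS1_PADDING:
- i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
- break;
-#ifndef OPENSSL_NO_SHA
- case RSA_PKCS1_OAEP_PADDING:
- i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
- break;
-#endif
- case RSA_NO_PADDING:
- i = RSA_padding_add_none(buf, num, from, flen);
- break;
- default:
- RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
- goto err;
- }
- if (i <= 0)
- goto err;
-
- if (BN_bin2bn(buf, num, f) == NULL)
- goto err;
-
- if (BN_ucmp(f, rsa->n) >= 0) {
- /* usually the padding functions would catch this */
- RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
- goto err;
- }
-
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
- CRYPTO_LOCK_RSA, rsa->n, ctx))
- goto err;
- }
-
- if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
- rsa->_method_mod_n))
- goto err;
-
- /* put in leading 0 bytes if the number is less than the
- * length of the modulus */
- j = BN_num_bytes(ret);
- i = BN_bn2bin(ret, &(to[num - j]));
- for (k = 0; k < num - i; k++)
- to[k] = 0;
-
- r = num;
-err:
- if (ctx != NULL) {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
- freezero(buf, num);
- return r;
-}
-
-static BN_BLINDING *
-rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
-{
- BN_BLINDING *ret;
- int got_write_lock = 0;
-
- CRYPTO_r_lock(CRYPTO_LOCK_RSA);
-
- if (rsa->blinding == NULL) {
- CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
- CRYPTO_w_lock(CRYPTO_LOCK_RSA);
- got_write_lock = 1;
-
- if (rsa->blinding == NULL)
- rsa->blinding = RSA_setup_blinding(rsa, ctx);
- }
-
- if ((ret = rsa->blinding) == NULL)
- goto err;
-
- /*
- * We need a shared blinding. Accesses require locks and a copy of the
- * blinding factor needs to be retained on use.
- */
- if ((*local = BN_BLINDING_is_local(ret)) == 0) {
- if (rsa->mt_blinding == NULL) {
- if (!got_write_lock) {
- CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
- CRYPTO_w_lock(CRYPTO_LOCK_RSA);
- got_write_lock = 1;
- }
-
- if (rsa->mt_blinding == NULL)
- rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
- }
- ret = rsa->mt_blinding;
- }
-
- err:
- if (got_write_lock)
- CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
- else
- CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
-
- return ret;
-}
-
-static int
-rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
-{
- if (unblind == NULL)
- /*
- * Local blinding: store the unblinding factor
- * in BN_BLINDING.
- */
- return BN_BLINDING_convert(f, NULL, b, ctx);
- else {
- /*
- * Shared blinding: store the unblinding factor
- * outside BN_BLINDING.
- */
- int ret;
- CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
- ret = BN_BLINDING_convert(f, unblind, b, ctx);
- CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
- return ret;
- }
-}
-
-static int
-rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
-{
- /*
- * For local blinding, unblind is set to NULL, and BN_BLINDING_invert()
- * will use the unblinding factor stored in BN_BLINDING.
- * If BN_BLINDING is shared between threads, unblind must be non-null:
- * BN_BLINDING_invert() will then use the local unblinding factor,
- * and will only read the modulus from BN_BLINDING.
- * In both cases it's safe to access the blinding without a lock.
- */
- return BN_BLINDING_invert(f, unblind, b, ctx);
-}
-
-/* signing */
-static int
-rsa_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
-{
- BIGNUM *f, *ret, *res;
- int i, j, k, num = 0, r = -1;
- unsigned char *buf = NULL;
- BN_CTX *ctx = NULL;
- int local_blinding = 0;
- /*
- * Used only if the blinding structure is shared. A non-NULL unblind
- * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
- * the unblinding factor outside the blinding structure.
- */
- BIGNUM *unblind = NULL;
- BN_BLINDING *blinding = NULL;
-
- if ((ctx = BN_CTX_new()) == NULL)
- goto err;
-
- BN_CTX_start(ctx);
- f = BN_CTX_get(ctx);
- ret = BN_CTX_get(ctx);
- num = BN_num_bytes(rsa->n);
- buf = malloc(num);
-
- if (f == NULL || ret == NULL || buf == NULL) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- switch (padding) {
- case RSA_PKCS1_PADDING:
- i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
- break;
- case RSA_X931_PADDING:
- i = RSA_padding_add_X931(buf, num, from, flen);
- break;
- case RSA_NO_PADDING:
- i = RSA_padding_add_none(buf, num, from, flen);
- break;
- default:
- RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
- goto err;
- }
- if (i <= 0)
- goto err;
-
- if (BN_bin2bn(buf, num, f) == NULL)
- goto err;
-
- if (BN_ucmp(f, rsa->n) >= 0) {
- /* usually the padding functions would catch this */
- RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
- goto err;
- }
-
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
- CRYPTO_LOCK_RSA, rsa->n, ctx))
- goto err;
- }
-
- if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
- blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
- if (blinding == NULL) {
- RSAerror(ERR_R_INTERNAL_ERROR);
- goto err;
- }
- }
-
- if (blinding != NULL) {
- if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (!rsa_blinding_convert(blinding, f, unblind, ctx))
- goto err;
- }
-
- if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
- (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
- rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
- if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
- goto err;
- } else {
- BIGNUM d;
-
- BN_init(&d);
- BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
-
- if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
- rsa->_method_mod_n)) {
- goto err;
- }
- }
-
- if (blinding)
- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
- goto err;
-
- if (padding == RSA_X931_PADDING) {
- if (!BN_sub(f, rsa->n, ret))
- goto err;
- if (BN_cmp(ret, f) > 0)
- res = f;
- else
- res = ret;
- } else
- res = ret;
-
- /* put in leading 0 bytes if the number is less than the
- * length of the modulus */
- j = BN_num_bytes(res);
- i = BN_bn2bin(res, &(to[num - j]));
- for (k = 0; k < num - i; k++)
- to[k] = 0;
-
- r = num;
-err:
- if (ctx != NULL) {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
- freezero(buf, num);
- return r;
-}
-
-static int
-rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
-{
- BIGNUM *f, *ret;
- int j, num = 0, r = -1;
- unsigned char *p;
- unsigned char *buf = NULL;
- BN_CTX *ctx = NULL;
- int local_blinding = 0;
- /*
- * Used only if the blinding structure is shared. A non-NULL unblind
- * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
- * the unblinding factor outside the blinding structure.
- */
- BIGNUM *unblind = NULL;
- BN_BLINDING *blinding = NULL;
-
- if ((ctx = BN_CTX_new()) == NULL)
- goto err;
-
- BN_CTX_start(ctx);
- f = BN_CTX_get(ctx);
- ret = BN_CTX_get(ctx);
- num = BN_num_bytes(rsa->n);
- buf = malloc(num);
-
- if (!f || !ret || !buf) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- /* This check was for equality but PGP does evil things
- * and chops off the top '0' bytes */
- if (flen > num) {
- RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN);
- goto err;
- }
-
- /* make data into a big number */
- if (BN_bin2bn(from, (int)flen, f) == NULL)
- goto err;
-
- if (BN_ucmp(f, rsa->n) >= 0) {
- RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
- goto err;
- }
-
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
- CRYPTO_LOCK_RSA, rsa->n, ctx))
- goto err;
- }
-
- if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
- blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
- if (blinding == NULL) {
- RSAerror(ERR_R_INTERNAL_ERROR);
- goto err;
- }
- }
-
- if (blinding != NULL) {
- if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (!rsa_blinding_convert(blinding, f, unblind, ctx))
- goto err;
- }
-
- /* do the decrypt */
- if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
- (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
- rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
- if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
- goto err;
- } else {
- BIGNUM d;
-
- BN_init(&d);
- BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
-
- if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
- rsa->_method_mod_n)) {
- goto err;
- }
- }
-
- if (blinding)
- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
- goto err;
-
- p = buf;
- j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
-
- switch (padding) {
- case RSA_PKCS1_PADDING:
- r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
- break;
-#ifndef OPENSSL_NO_SHA
- case RSA_PKCS1_OAEP_PADDING:
- r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
- break;
-#endif
- case RSA_NO_PADDING:
- r = RSA_padding_check_none(to, num, buf, j, num);
- break;
- default:
- RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
- goto err;
- }
- if (r < 0)
- RSAerror(RSA_R_PADDING_CHECK_FAILED);
-
-err:
- if (ctx != NULL) {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
- freezero(buf, num);
- return r;
-}
-
-/* signature verification */
-static int
-rsa_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
-{
- BIGNUM *f, *ret;
- int i, num = 0, r = -1;
- unsigned char *p;
- unsigned char *buf = NULL;
- BN_CTX *ctx = NULL;
-
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
- RSAerror(RSA_R_MODULUS_TOO_LARGE);
- return -1;
- }
-
- if (BN_ucmp(rsa->n, rsa->e) <= 0) {
- RSAerror(RSA_R_BAD_E_VALUE);
- return -1;
- }
-
- /* for large moduli, enforce exponent limit */
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
- if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
- RSAerror(RSA_R_BAD_E_VALUE);
- return -1;
- }
- }
-
- if ((ctx = BN_CTX_new()) == NULL)
- goto err;
-
- BN_CTX_start(ctx);
- f = BN_CTX_get(ctx);
- ret = BN_CTX_get(ctx);
- num = BN_num_bytes(rsa->n);
- buf = malloc(num);
-
- if (!f || !ret || !buf) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- /* This check was for equality but PGP does evil things
- * and chops off the top '0' bytes */
- if (flen > num) {
- RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN);
- goto err;
- }
-
- if (BN_bin2bn(from, flen, f) == NULL)
- goto err;
-
- if (BN_ucmp(f, rsa->n) >= 0) {
- RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
- goto err;
- }
-
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
- CRYPTO_LOCK_RSA, rsa->n, ctx))
- goto err;
- }
-
- if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
- rsa->_method_mod_n))
- goto err;
-
- if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12)
- if (!BN_sub(ret, rsa->n, ret))
- goto err;
-
- p = buf;
- i = BN_bn2bin(ret, p);
-
- switch (padding) {
- case RSA_PKCS1_PADDING:
- r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
- break;
- case RSA_X931_PADDING:
- r = RSA_padding_check_X931(to, num, buf, i, num);
- break;
- case RSA_NO_PADDING:
- r = RSA_padding_check_none(to, num, buf, i, num);
- break;
- default:
- RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
- goto err;
- }
- if (r < 0)
- RSAerror(RSA_R_PADDING_CHECK_FAILED);
-
-err:
- if (ctx != NULL) {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
- freezero(buf, num);
- return r;
-}
-
-static int
-rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
-{
- BIGNUM *r1, *m1, *vrfy;
- BIGNUM dmp1, dmq1, c, pr1;
- int ret = 0;
-
- BN_CTX_start(ctx);
- r1 = BN_CTX_get(ctx);
- m1 = BN_CTX_get(ctx);
- vrfy = BN_CTX_get(ctx);
- if (r1 == NULL || m1 == NULL || vrfy == NULL) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- {
- BIGNUM p, q;
-
- /*
- * Make sure BN_mod_inverse in Montgomery initialization uses the
- * BN_FLG_CONSTTIME flag
- */
- BN_init(&p);
- BN_init(&q);
- BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
- BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME);
-
- if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
- CRYPTO_LOCK_RSA, &p, ctx) ||
- !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
- CRYPTO_LOCK_RSA, &q, ctx)) {
- goto err;
- }
- }
- }
-
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
- CRYPTO_LOCK_RSA, rsa->n, ctx))
- goto err;
- }
-
- /* compute I mod q */
- BN_init(&c);
- BN_with_flags(&c, I, BN_FLG_CONSTTIME);
-
- if (!BN_mod_ct(r1, &c, rsa->q, ctx))
- goto err;
-
- /* compute r1^dmq1 mod q */
- BN_init(&dmq1);
- BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
-
- if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx,
- rsa->_method_mod_q))
- goto err;
-
- /* compute I mod p */
- BN_init(&c);
- BN_with_flags(&c, I, BN_FLG_CONSTTIME);
-
- if (!BN_mod_ct(r1, &c, rsa->p, ctx))
- goto err;
-
- /* compute r1^dmp1 mod p */
- BN_init(&dmp1);
- BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
-
- if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx,
- rsa->_method_mod_p))
- goto err;
-
- if (!BN_sub(r0, r0, m1))
- goto err;
-
- /*
- * This will help stop the size of r0 increasing, which does
- * affect the multiply if it optimised for a power of 2 size
- */
- if (BN_is_negative(r0))
- if (!BN_add(r0, r0, rsa->p))
- goto err;
-
- if (!BN_mul(r1, r0, rsa->iqmp, ctx))
- goto err;
-
- /* Turn BN_FLG_CONSTTIME flag on before division operation */
- BN_init(&pr1);
- BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME);
-
- if (!BN_mod_ct(r0, &pr1, rsa->p, ctx))
- goto err;
-
- /*
- * If p < q it is occasionally possible for the correction of
- * adding 'p' if r0 is negative above to leave the result still
- * negative. This can break the private key operations: the following
- * second correction should *always* correct this rare occurrence.
- * This will *never* happen with OpenSSL generated keys because
- * they ensure p > q [steve]
- */
- if (BN_is_negative(r0))
- if (!BN_add(r0, r0, rsa->p))
- goto err;
- if (!BN_mul(r1, r0, rsa->q, ctx))
- goto err;
- if (!BN_add(r0, r1, m1))
- goto err;
-
- if (rsa->e && rsa->n) {
- if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
- rsa->_method_mod_n))
- goto err;
- /*
- * If 'I' was greater than (or equal to) rsa->n, the operation
- * will be equivalent to using 'I mod n'. However, the result of
- * the verify will *always* be less than 'n' so we don't check
- * for absolute equality, just congruency.
- */
- if (!BN_sub(vrfy, vrfy, I))
- goto err;
- if (!BN_mod_ct(vrfy, vrfy, rsa->n, ctx))
- goto err;
- if (BN_is_negative(vrfy))
- if (!BN_add(vrfy, vrfy, rsa->n))
- goto err;
- if (!BN_is_zero(vrfy)) {
- /*
- * 'I' and 'vrfy' aren't congruent mod n. Don't leak
- * miscalculated CRT output, just do a raw (slower)
- * mod_exp and return that instead.
- */
- BIGNUM d;
-
- BN_init(&d);
- BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
-
- if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx,
- rsa->_method_mod_n)) {
- goto err;
- }
- }
- }
- ret = 1;
-err:
- BN_CTX_end(ctx);
- return ret;
-}
-
-static int
-rsa_init(RSA *rsa)
-{
- rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
- return 1;
-}
-
-static int
-rsa_finish(RSA *rsa)
-{
- BN_MONT_CTX_free(rsa->_method_mod_n);
- BN_MONT_CTX_free(rsa->_method_mod_p);
- BN_MONT_CTX_free(rsa->_method_mod_q);
-
- return 1;
-}
-
-static const RSA_METHOD rsa_pkcs1_meth = {
- .name = "OpenSSL PKCS#1 RSA",
- .rsa_pub_enc = rsa_public_encrypt,
- .rsa_pub_dec = rsa_public_decrypt, /* signature verification */
- .rsa_priv_enc = rsa_private_encrypt, /* signing */
- .rsa_priv_dec = rsa_private_decrypt,
- .rsa_mod_exp = rsa_mod_exp,
- .bn_mod_exp = BN_mod_exp_mont_ct, /* XXX probably we should not use Montgomery if e == 3 */
- .init = rsa_init,
- .finish = rsa_finish,
-};
-
-const RSA_METHOD *
-RSA_PKCS1_OpenSSL(void)
-{
- return &rsa_pkcs1_meth;
-}
-LCRYPTO_ALIAS(RSA_PKCS1_OpenSSL);
-
-const RSA_METHOD *
-RSA_PKCS1_SSLeay(void)
-{
- return RSA_PKCS1_OpenSSL();
-}
-LCRYPTO_ALIAS(RSA_PKCS1_SSLeay);
-
-int
-RSA_bits(const RSA *r)
-{
- return BN_num_bits(r->n);
-}
-LCRYPTO_ALIAS(RSA_bits);
-
-int
-RSA_size(const RSA *r)
-{
- return BN_num_bytes(r->n);
-}
-LCRYPTO_ALIAS(RSA_size);
-
-int
-RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
-{
- return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding);
-}
-LCRYPTO_ALIAS(RSA_public_encrypt);
-
-int
-RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
-{
- return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding);
-}
-LCRYPTO_ALIAS(RSA_private_encrypt);
-
-int
-RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
-{
- return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding);
-}
-LCRYPTO_ALIAS(RSA_private_decrypt);
-
-int
-RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
-{
- return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding);
-}
-LCRYPTO_ALIAS(RSA_public_decrypt);
-
-int
-RSA_flags(const RSA *r)
-{
- return r == NULL ? 0 : r->meth->flags;
-}
-LCRYPTO_ALIAS(RSA_flags);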
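diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
deleted file mode 100644
index 934a59f663..0000000000
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/* $OpenBSD: rsa_err.c,v 1.23 2024/06/24 06:43:22 tb Exp $ */
-/* ====================================================================
- * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-#include "err_local.h"
-
-#ifndef OPENSSL_NO_ERR
-
-#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RSA,func,0)
-#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RSA,0,reason)
-
-static const ERR_STRING_DATA RSA_str_functs[] = {
- {ERR_FUNC(0xfff), "CRYPTO_internal"},
- {0, NULL}
-};
-
-static const ERR_STRING_DATA RSA_str_reasons[] = {
- {ERR_REASON(RSA_R_ALGORITHM_MISMATCH) , "algorithm mismatch"},
- {ERR_REASON(RSA_R_BAD_E_VALUE) , "bad e value"},
- {ERR_REASON(RSA_R_BAD_FIXED_HEADER_DECRYPT), "bad fixed header decrypt"},
- {ERR_REASON(RSA_R_BAD_PAD_BYTE_COUNT) , "bad pad byte count"},
- {ERR_REASON(RSA_R_BAD_SIGNATURE) , "bad signature"},
- {ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_01) , "block type is not 01"},
- {ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_02) , "block type is not 02"},
- {ERR_REASON(RSA_R_DATA_GREATER_THAN_MOD_LEN), "data greater than mod len"},
- {ERR_REASON(RSA_R_DATA_TOO_LARGE) , "data too large"},
- {ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE), "data too large for key size"},
- {ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS), "data too large for modulus"},
- {ERR_REASON(RSA_R_DATA_TOO_SMALL) , "data too small"},
- {ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE), "data too small for key size"},
- {ERR_REASON(RSA_R_DIGEST_DOES_NOT_MATCH) , "digest does not match"},
- {ERR_REASON(RSA_R_DIGEST_NOT_ALLOWED) , "digest not allowed"},
- {ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY), "digest too big for rsa key"},
- {ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D), "dmp1 not congruent to d"},
- {ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D), "dmq1 not congruent to d"},
- {ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1), "d e not congruent to 1"},
- {ERR_REASON(RSA_R_FIRST_OCTET_INVALID) , "first octet invalid"},
- {ERR_REASON(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE), "illegal or unsupported padding mode"},
- {ERR_REASON(RSA_R_INVALID_DIGEST) , "invalid digest"},
- {ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) , "invalid digest length"},
- {ERR_REASON(RSA_R_INVALID_HEADER) , "invalid header"},
- {ERR_REASON(RSA_R_INVALID_LABEL) , "invalid label"},
- {ERR_REASON(RSA_R_INVALID_KEYBITS) , "invalid keybits"},
- {ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH), "invalid message length"},
- {ERR_REASON(RSA_R_INVALID_MGF1_MD) , "invalid mgf1 md"},
- {ERR_REASON(RSA_R_INVALID_OAEP_PARAMETERS), "invalid oaep parameters"},
- {ERR_REASON(RSA_R_INVALID_PADDING) , "invalid padding"},
- {ERR_REASON(RSA_R_INVALID_PADDING_MODE) , "invalid padding mode"},
- {ERR_REASON(RSA_R_INVALID_PSS_PARAMETERS), "invalid pss parameters"},
- {ERR_REASON(RSA_R_INVALID_PSS_SALTLEN) , "invalid pss saltlen"},
- {ERR_REASON(RSA_R_INVALID_SALT_LENGTH) , "invalid salt length"},
- {ERR_REASON(RSA_R_INVALID_TRAILER) , "invalid trailer"},
- {ERR_REASON(RSA_R_INVALID_X931_DIGEST) , "invalid x931 digest"},
- {ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) , "iqmp not inverse of q"},
- {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) , "key size too small"},
- {ERR_REASON(RSA_R_LAST_OCTET_INVALID) , "last octet invalid"},
- {ERR_REASON(RSA_R_MGF1_DIGEST_NOT_ALLOWED), "mgf1 digest not allowed"},
- {ERR_REASON(RSA_R_MODULUS_TOO_LARGE) , "modulus too large"},
- {ERR_REASON(RSA_R_NON_FIPS_RSA_METHOD) , "non fips rsa method"},
- {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) , "no public exponent"},
- {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING), "null before block missing"},
- {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) , "n does not equal p q"},
- {ERR_REASON(RSA_R_OAEP_DECODING_ERROR) , "oaep decoding error"},
- {ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), "operation not allowed in fips mode"},
- {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "operation not supported for this keytype"},
- {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) , "padding check failed"},
- {ERR_REASON(RSA_R_PSS_SALTLEN_TOO_SMALL) , "pss saltlen too small"},
- {ERR_REASON(RSA_R_P_NOT_PRIME) , "p not prime"},
- {ERR_REASON(RSA_R_Q_NOT_PRIME) , "q not prime"},
- {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED), "rsa operations not supported"},
- {ERR_REASON(RSA_R_SLEN_CHECK_FAILED) , "salt length check failed"},
- {ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) , "salt length recovery failed"},
- {ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) , "sslv3 rollback attack"},
- {ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD), "the asn1 object identifier is not known for this md"},
- {ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE), "unknown algorithm type"},
- {ERR_REASON(RSA_R_UNKNOWN_DIGEST) , "unknown digest"},
- {ERR_REASON(RSA_R_UNKNOWN_MASK_DIGEST) , "unknown mask digest"},
- {ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) , "unknown padding type"},
- {ERR_REASON(RSA_R_UNKNOWN_PSS_DIGEST) , "unknown pss digest"},
- {ERR_REASON(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE), "unsupported encryption type"},
- {ERR_REASON(RSA_R_UNSUPPORTED_LABEL_SOURCE), "unsupported label source"},
- {ERR_REASON(RSA_R_UNSUPPORTED_MASK_ALGORITHM), "unsupported mask algorithm"},
- {ERR_REASON(RSA_R_UNSUPPORTED_MASK_PARAMETER), "unsupported mask parameter"},
- {ERR_REASON(RSA_R_UNSUPPORTED_SIGNATURE_TYPE), "unsupported signature type"},
- {ERR_REASON(RSA_R_VALUE_MISSING) , "value missing"},
- {ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH), "wrong signature length"},
- {0, NULL}
-};
-
-#endif
-
-void
-ERR_load_RSA_strings(void)
-{
-#ifndef OPENSSL_NO_ERR
- if (ERR_func_error_string(RSA_str_functs[0].error) == NULL) {
- ERR_load_const_strings(RSA_str_functs);
- ERR_load_const_strings(RSA_str_reasons);
- }
-#endif
-}
-LCRYPTO_ALIAS(ERR_load_RSA_strings);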
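diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
deleted file mode 100644
index ff64eb2f0e..0000000000
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ /dev/null
@@ -1,257 +0,0 @@
-/* $OpenBSD: rsa_gen.c,v 1.30 2023/07/08 12:26:45 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <time.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-#include "bn_local.h"
-#include "rsa_local.h"
-
-static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
-
-int
-RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
-{
- if (rsa->meth->rsa_keygen)
- return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
- return rsa_builtin_keygen(rsa, bits, e_value, cb);
-}
-LCRYPTO_ALIAS(RSA_generate_key_ex);
-
-static int
-rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
-{
- BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
- BIGNUM pr0, d, p;
- int bitsp, bitsq, ok = -1, n = 0;
- BN_CTX *ctx = NULL;
-
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
- BN_CTX_start(ctx);
- if ((r0 = BN_CTX_get(ctx)) == NULL)
- goto err;
- if ((r1 = BN_CTX_get(ctx)) == NULL)
- goto err;
- if ((r2 = BN_CTX_get(ctx)) == NULL)
- goto err;
- if ((r3 = BN_CTX_get(ctx)) == NULL)
- goto err;
-
- bitsp = (bits + 1) / 2;
- bitsq = bits - bitsp;
-
- /* We need the RSA components non-NULL */
- if (!rsa->n && ((rsa->n = BN_new()) == NULL))
- goto err;
- if (!rsa->d && ((rsa->d = BN_new()) == NULL))
- goto err;
- if (!rsa->e && ((rsa->e = BN_new()) == NULL))
- goto err;
- if (!rsa->p && ((rsa->p = BN_new()) == NULL))
- goto err;
- if (!rsa->q && ((rsa->q = BN_new()) == NULL))
- goto err;
- if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
- goto err;
- if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
- goto err;
- if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
- goto err;
-
- if (!bn_copy(rsa->e, e_value))
- goto err;
-
- /* generate p and q */
- for (;;) {
- if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
- goto err;
- if (!BN_sub(r2, rsa->p, BN_value_one()))
- goto err;
- if (!BN_gcd_ct(r1, r2, rsa->e, ctx))
- goto err;
- if (BN_is_one(r1))
- break;
- if (!BN_GENCB_call(cb, 2, n++))
- goto err;
- }
- if (!BN_GENCB_call(cb, 3, 0))
- goto err;
- for (;;) {
- /*
- * When generating ridiculously small keys, we can get stuck
- * continually regenerating the same prime values. Check for
- * this and bail if it happens 3 times.
- */
- unsigned int degenerate = 0;
- do {
- if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL,
- cb))
- goto err;
- } while (BN_cmp(rsa->p, rsa->q) == 0 &&
- ++degenerate < 3);
- if (degenerate == 3) {
- ok = 0; /* we set our own err */
- RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);
- goto err;
- }
- if (!BN_sub(r2, rsa->q, BN_value_one()))
- goto err;
- if (!BN_gcd_ct(r1, r2, rsa->e, ctx))
- goto err;
- if (BN_is_one(r1))
- break;
- if (!BN_GENCB_call(cb, 2, n++))
- goto err;
- }
- if (!BN_GENCB_call(cb, 3, 1))
- goto err;
- if (BN_cmp(rsa->p, rsa->q) < 0) {
- tmp = rsa->p;
- rsa->p = rsa->q;
- rsa->q = tmp;
- }
-
- /* calculate n */
- if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
- goto err;
-
- /* calculate d */
- if (!BN_sub(r1, rsa->p, BN_value_one())) /* p-1 */
- goto err;
- if (!BN_sub(r2, rsa->q, BN_value_one())) /* q-1 */
- goto err;
- if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
- goto err;
-
- BN_init(&pr0);
- BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
-
- if (BN_mod_inverse_ct(rsa->d, rsa->e, &pr0, ctx) == NULL) /* d */
- goto err;
-
- /* set up d for correct BN_FLG_CONSTTIME flag */
- BN_init(&d);
- BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
-
- /* calculate d mod (p-1) */
- if (!BN_mod_ct(rsa->dmp1, &d, r1, ctx))
- goto err;
-
- /* calculate d mod (q-1) */
- if (!BN_mod_ct(rsa->dmq1, &d, r2, ctx))
- goto err;
-
- /* calculate inverse of q mod p */
- BN_init(&p);
- BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
- if (BN_mod_inverse_ct(rsa->iqmp, rsa->q, &p, ctx) == NULL)
- goto err;
-
- ok = 1;
-err:
- if (ok == -1) {
- RSAerror(ERR_LIB_BN);
- ok = 0;
- }
- if (ctx != NULL) {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
-
- return ok;
-}
-
-RSA *
-RSA_generate_key(int bits, unsigned long e_value,
- void (*callback)(int, int, void *), void *cb_arg)
-{
- BN_GENCB cb;
- int i;
- RSA *rsa = RSA_new();
- BIGNUM *e = BN_new();
-
- if (!rsa || !e)
- goto err;
-
- /* The problem is when building with 8, 16, or 32 BN_ULONG,
- * unsigned long can be larger */
- for (i = 0; i < (int)sizeof(unsigned long) * 8; i++) {
- if (e_value & (1UL << i))
- if (BN_set_bit(e, i) == 0)
- goto err;
- }
-
- BN_GENCB_set_old(&cb, callback, cb_arg);
-
- if (RSA_generate_key_ex(rsa, bits, e, &cb)) {
- BN_free(e);
- return rsa;
- }
-err:
- BN_free(e);
- RSA_free(rsa);
-
- return 0;
-}
-LCRYPTO_ALIAS(RSA_generate_key);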
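diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
deleted file mode 100644
index 91f4938ec9..0000000000
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ /dev/null
@@ -1,426 +0,0 @@
-/* $OpenBSD: rsa_lib.c,v 1.50 2024/03/27 01:22:30 tb Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/bn.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/lhash.h>
-#include <openssl/rsa.h>
-
-#include "bn_local.h"
-#include "evp_local.h"
-#include "rsa_local.h"
-
-static const RSA_METHOD *default_RSA_meth = NULL;
-
-RSA *
-RSA_new(void)
-{
- RSA *r = RSA_new_method(NULL);
-
- return r;
-}
-LCRYPTO_ALIAS(RSA_new);
-
-void
-RSA_set_default_method(const RSA_METHOD *meth)
-{
- default_RSA_meth = meth;
-}
-LCRYPTO_ALIAS(RSA_set_default_method);
-
-const RSA_METHOD *
-RSA_get_default_method(void)
-{
- if (default_RSA_meth == NULL)
- default_RSA_meth = RSA_PKCS1_SSLeay();
-
- return default_RSA_meth;
-}
-LCRYPTO_ALIAS(RSA_get_default_method);
-
-const RSA_METHOD *
-RSA_get_method(const RSA *rsa)
-{
- return rsa->meth;
-}
-LCRYPTO_ALIAS(RSA_get_method);
-
-int
-RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
-{
- /*
- * NB: The caller is specifically setting a method, so it's not up to us
- * to deal with which ENGINE it comes from.
- */
- const RSA_METHOD *mtmp;
-
- mtmp = rsa->meth;
- if (mtmp->finish)
- mtmp->finish(rsa);
- rsa->meth = meth;
- if (meth->init)
- meth->init(rsa);
- return 1;
-}
-LCRYPTO_ALIAS(RSA_set_method);
-
-RSA *
-RSA_new_method(ENGINE *engine)
-{
- RSA *ret;
-
- if ((ret = calloc(1, sizeof(RSA))) == NULL) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- return NULL;
- }
-
- ret->meth = RSA_get_default_method();
-
- ret->references = 1;
- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
-
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
- goto err;
-
- if (ret->meth->init != NULL && !ret->meth->init(ret)) {
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
- goto err;
- }
-
- return ret;
-
- err:
- free(ret);
-
- return NULL;
-}
-LCRYPTO_ALIAS(RSA_new_method);
-
-void
-RSA_free(RSA *r)
-{
- int i;
-
- if (r == NULL)
- return;
-
- i = CRYPTO_add(&r->references, -1, CRYPTO_LOCK_RSA);
- if (i > 0)
- return;
-
- if (r->meth->finish)
- r->meth->finish(r);
-
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
-
- BN_free(r->n);
- BN_free(r->e);
- BN_free(r->d);
- BN_free(r->p);
- BN_free(r->q);
- BN_free(r->dmp1);
- BN_free(r->dmq1);
- BN_free(r->iqmp);
- BN_BLINDING_free(r->blinding);
- BN_BLINDING_free(r->mt_blinding);
- RSA_PSS_PARAMS_free(r->pss);
- free(r);
-}
-LCRYPTO_ALIAS(RSA_free);
-
-int
-RSA_up_ref(RSA *r)
-{
- return CRYPTO_add(&r->references, 1, CRYPTO_LOCK_RSA) > 1;
-}
-LCRYPTO_ALIAS(RSA_up_ref);
-
-int
-RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
-{
- return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp,
- new_func, dup_func, free_func);
-}
-LCRYPTO_ALIAS(RSA_get_ex_new_index);
-
-int
-RSA_set_ex_data(RSA *r, int idx, void *arg)
-{
- return CRYPTO_set_ex_data(&r->ex_data, idx, arg);
-}
-LCRYPTO_ALIAS(RSA_set_ex_data);
-
-void *
-RSA_get_ex_data(const RSA *r, int idx)
-{
- return CRYPTO_get_ex_data(&r->ex_data, idx);
-}
-LCRYPTO_ALIAS(RSA_get_ex_data);
-
-int
-RSA_security_bits(const RSA *rsa)
-{
- return BN_security_bits(RSA_bits(rsa), -1);
-}
-LCRYPTO_ALIAS(RSA_security_bits);
-
-void
-RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
-{
- if (n != NULL)
- *n = r->n;
- if (e != NULL)
- *e = r->e;
- if (d != NULL)
- *d = r->d;
-}
-LCRYPTO_ALIAS(RSA_get0_key);
-
-int
-RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
-{
- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL))
- return 0;
-
- if (n != NULL) {
- BN_free(r->n);
- r->n = n;
- }
- if (e != NULL) {
- BN_free(r->e);
- r->e = e;
- }
- if (d != NULL) {
- BN_free(r->d);
- r->d = d;
- }
-
- return 1;
-}
-LCRYPTO_ALIAS(RSA_set0_key);
-
-void
-RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
- const BIGNUM **iqmp)
-{
- if (dmp1 != NULL)
- *dmp1 = r->dmp1;
- if (dmq1 != NULL)
- *dmq1 = r->dmq1;
- if (iqmp != NULL)
- *iqmp = r->iqmp;
-}
-LCRYPTO_ALIAS(RSA_get0_crt_params);
-
-int
-RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
-{
- if ((r->dmp1 == NULL && dmp1 == NULL) ||
- (r->dmq1 == NULL && dmq1 == NULL) ||
- (r->iqmp == NULL && iqmp == NULL))
- return 0;
-
- if (dmp1 != NULL) {
- BN_free(r->dmp1);
- r->dmp1 = dmp1;
- }
- if (dmq1 != NULL) {
- BN_free(r->dmq1);
- r->dmq1 = dmq1;
- }
- if (iqmp != NULL) {
- BN_free(r->iqmp);
- r->iqmp = iqmp;
- }
-
- return 1;
-}
-LCRYPTO_ALIAS(RSA_set0_crt_params);
-
-void
-RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
-{
- if (p != NULL)
- *p = r->p;
- if (q != NULL)
- *q = r->q;
-}
-LCRYPTO_ALIAS(RSA_get0_factors);
-
-int
-RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
-{
- if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL))
- return 0;
-
- if (p != NULL) {
- BN_free(r->p);
- r->p = p;
- }
- if (q != NULL) {
- BN_free(r->q);
- r->q = q;
- }
-
- return 1;
-}
-LCRYPTO_ALIAS(RSA_set0_factors);
-
-const BIGNUM *
-RSA_get0_n(const RSA *r)
-{
- return r->n;
-}
-LCRYPTO_ALIAS(RSA_get0_n);
-
-const BIGNUM *
-RSA_get0_e(const RSA *r)
-{
- return r->e;
-}
-LCRYPTO_ALIAS(RSA_get0_e);
-
-const BIGNUM *
-RSA_get0_d(const RSA *r)
-{
- return r->d;
-}
-LCRYPTO_ALIAS(RSA_get0_d);
-
-const BIGNUM *
-RSA_get0_p(const RSA *r)
-{
- return r->p;
-}
-LCRYPTO_ALIAS(RSA_get0_p);
-
-const BIGNUM *
-RSA_get0_q(const RSA *r)
-{
- return r->q;
-}
-LCRYPTO_ALIAS(RSA_get0_q);
-
-const BIGNUM *
-RSA_get0_dmp1(const RSA *r)
-{
- return r->dmp1;
-}
-LCRYPTO_ALIAS(RSA_get0_dmp1);
-
-const BIGNUM *
-RSA_get0_dmq1(const RSA *r)
-{
- return r->dmq1;
-}
-LCRYPTO_ALIAS(RSA_get0_dmq1);
-
-const BIGNUM *
-RSA_get0_iqmp(const RSA *r)
-{
- return r->iqmp;
-}
-LCRYPTO_ALIAS(RSA_get0_iqmp);
-
-const RSA_PSS_PARAMS *
-RSA_get0_pss_params(const RSA *r)
-{
- return r->pss;
-}
-LCRYPTO_ALIAS(RSA_get0_pss_params);
-
-void
-RSA_clear_flags(RSA *r, int flags)
-{
- r->flags &= ~flags;
-}
-LCRYPTO_ALIAS(RSA_clear_flags);
-
-int
-RSA_test_flags(const RSA *r, int flags)
-{
- return r->flags & flags;
-}
-LCRYPTO_ALIAS(RSA_test_flags);
-
-void
-RSA_set_flags(RSA *r, int flags)
-{
- r->flags |= flags;
-}
-LCRYPTO_ALIAS(RSA_set_flags);
-
-int
-RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2)
-{
- /* Return an error if the key type is not RSA or RSA-PSS. */
- if (ctx != NULL && ctx->pmeth != NULL &&
- ctx->pmeth->pkey_id != EVP_PKEY_RSA &&
- ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
- return -1;
-
- return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2);
-}
-LCRYPTO_ALIAS(RSA_pkey_ctx_ctrl);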
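diff --git a/src/lib/libcrypto/rsa/rsa_local.h b/src/lib/libcrypto/rsa/rsa_local.h
deleted file mode 100644
index 3f88b952a2..0000000000
--- a/src/lib/libcrypto/rsa/rsa_local.h
+++ /dev/null
@@ -1,154 +0,0 @@
-/* $OpenBSD: rsa_local.h,v 1.10 2025/01/05 15:39:12 tb Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-__BEGIN_HIDDEN_DECLS
-
-#define RSA_MIN_MODULUS_BITS 512
-
-struct rsa_meth_st {
- char *name;
- int (*rsa_pub_enc)(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
- int (*rsa_pub_dec)(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
- int (*rsa_priv_enc)(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
- int (*rsa_priv_dec)(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
- int (*rsa_mod_exp)(BIGNUM *r0, const BIGNUM *I, RSA *rsa,
- BN_CTX *ctx); /* Can be null */
- int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); /* Can be null */
- int (*init)(RSA *rsa); /* called at new */
- int (*finish)(RSA *rsa); /* called at free */
- int flags; /* RSA_METHOD_FLAG_* things */
- char *app_data; /* may be needed! */
-/* New sign and verify functions: some libraries don't allow arbitrary data
- * to be signed/verified: this allows them to be used. Note: for this to work
- * the RSA_public_decrypt() and RSA_private_encrypt() should *NOT* be used
- * RSA_sign(), RSA_verify() should be used instead.
- */
- int (*rsa_sign)(int type, const unsigned char *m, unsigned int m_length,
- unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
- int (*rsa_verify)(int dtype, const unsigned char *m,
- unsigned int m_length, const unsigned char *sigbuf,
- unsigned int siglen, const RSA *rsa);
-/* If this callback is NULL, the builtin software RSA key-gen will be used. This
- * is for behavioural compatibility whilst the code gets rewired, but one day
- * it would be nice to assume there are no such things as "builtin software"
- * implementations. */
- int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
-};
-
-struct rsa_st {
- long version;
- const RSA_METHOD *meth;
-
- BIGNUM *n;
- BIGNUM *e;
- BIGNUM *d;
- BIGNUM *p;
- BIGNUM *q;
- BIGNUM *dmp1;
- BIGNUM *dmq1;
- BIGNUM *iqmp;
-
- /* Parameter restrictions for PSS only keys. */
- RSA_PSS_PARAMS *pss;
-
- /* be careful using this if the RSA structure is shared */
- CRYPTO_EX_DATA ex_data;
- int references;
- int flags;
-
- /* Used to cache montgomery values */
- BN_MONT_CTX *_method_mod_n;
- BN_MONT_CTX *_method_mod_p;
- BN_MONT_CTX *_method_mod_q;
-
- /* all BIGNUM values are actually in the following data, if it is not
- * NULL */
- BN_BLINDING *blinding;
- BN_BLINDING *mt_blinding;
-};
-
-RSA_PSS_PARAMS *rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md,
- int saltlen);
-int rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
- const EVP_MD **pmgf1md, int *psaltlen);
-
-extern int int_rsa_verify(int dtype, const unsigned char *m,
- unsigned int m_len, unsigned char *rm, size_t *prm_len,
- const unsigned char *sigbuf, size_t siglen, RSA *rsa);
-
-int RSA_padding_add_X931(unsigned char *to, int tlen,
- const unsigned char *f, int fl);
-int RSA_padding_check_X931(unsigned char *to, int tlen,
- const unsigned char *f, int fl, int rsa_len);
-int RSA_X931_hash_id(int nid);
-
-BN_BLINDING *BN_BLINDING_new(const BIGNUM *e, const BIGNUM *mod, BN_CTX *ctx,
- int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), BN_MONT_CTX *m_ctx);
-void BN_BLINDING_free(BN_BLINDING *b);
-int BN_BLINDING_convert(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *);
-int BN_BLINDING_invert(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *);
-int BN_BLINDING_is_local(BN_BLINDING *b);
-BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx);
-
-__END_HIDDEN_DECLS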
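diff --git a/src/lib/libcrypto/rsa/rsa_meth.c b/src/lib/libcrypto/rsa/rsa_meth.c
deleted file mode 100644
index 71608caa01..0000000000
--- a/src/lib/libcrypto/rsa/rsa_meth.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/* $OpenBSD: rsa_meth.c,v 1.7 2023/07/08 12:26:45 beck Exp $ */
-/*
- * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-#include "rsa_local.h"
-
-RSA_METHOD *
-RSA_meth_new(const char *name, int flags)
-{
- RSA_METHOD *meth;
-
- if ((meth = calloc(1, sizeof(*meth))) == NULL)
- return NULL;
- if ((meth->name = strdup(name)) == NULL) {
- free(meth);
- return NULL;
- }
- meth->flags = flags;
-
- return meth;
-}
-LCRYPTO_ALIAS(RSA_meth_new);
-
-void
-RSA_meth_free(RSA_METHOD *meth)
-{
- if (meth == NULL)
- return;
-
- free(meth->name);
- free(meth);
-}
-LCRYPTO_ALIAS(RSA_meth_free);
-
-RSA_METHOD *
-RSA_meth_dup(const RSA_METHOD *meth)
-{
- RSA_METHOD *copy;
-
- if ((copy = calloc(1, sizeof(*copy))) == NULL)
- return NULL;
- memcpy(copy, meth, sizeof(*copy));
- if ((copy->name = strdup(meth->name)) == NULL) {
- free(copy);
- return NULL;
- }
-
- return copy;
-}
-LCRYPTO_ALIAS(RSA_meth_dup);
-
-int
-RSA_meth_set1_name(RSA_METHOD *meth, const char *name)
-{
- char *new_name;
-
- if ((new_name = strdup(name)) == NULL)
- return 0;
- free(meth->name);
- meth->name = new_name;
- return 1;
-}
-LCRYPTO_ALIAS(RSA_meth_set1_name);
-
-int
-(*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa)
-{
- return meth->finish;
-}
-LCRYPTO_ALIAS(RSA_meth_get_finish);
-
-int
-RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
-{
- meth->rsa_priv_enc = priv_enc;
- return 1;
-}
-LCRYPTO_ALIAS(RSA_meth_set_priv_enc);
-
-int
-RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
-{
- meth->rsa_priv_dec = priv_dec;
- return 1;
-}
-LCRYPTO_ALIAS(RSA_meth_set_priv_dec);
-
-int
-RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa))
-{
- meth->finish = finish;
- return 1;
-}
-LCRYPTO_ALIAS(RSA_meth_set_finish);
-
-int
-RSA_meth_set_pub_enc(RSA_METHOD *meth, int (*pub_enc)(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
-{
- meth->rsa_pub_enc = pub_enc;
- return 1;
-}
-LCRYPTO_ALIAS(RSA_meth_set_pub_enc);
-
-int
-RSA_meth_set_pub_dec(RSA_METHOD *meth, int (*pub_dec)(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
-{
- meth->rsa_pub_dec = pub_dec;
- return 1;
-}
-LCRYPTO_ALIAS(RSA_meth_set_pub_dec);
-
-int
-RSA_meth_set_mod_exp(RSA_METHOD *meth, int (*mod_exp)(BIGNUM *r0,
- const BIGNUM *i, RSA *rsa, BN_CTX *ctx))
-{
- meth->rsa_mod_exp = mod_exp;
- return 1;
-}
-LCRYPTO_ALIAS(RSA_meth_set_mod_exp);
-
-int
-RSA_meth_set_bn_mod_exp(RSA_METHOD *meth, int (*bn_mod_exp)(BIGNUM *r,
- const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
- BN_MONT_CTX *m_ctx))
-{
- meth->bn_mod_exp = bn_mod_exp;
- return 1;
-}
-LCRYPTO_ALIAS(RSA_meth_set_bn_mod_exp);
-
-int
-RSA_meth_set_init(RSA_METHOD *meth, int (*init)(RSA *rsa))
-{
- meth->init = init;
- return 1;
-}
-LCRYPTO_ALIAS(RSA_meth_set_init);
-
-int
-RSA_meth_set_keygen(RSA_METHOD *meth, int (*keygen)(RSA *rsa, int bits,
- BIGNUM *e, BN_GENCB *cb))
-{
- meth->rsa_keygen = keygen;
- return 1;
-}
-LCRYPTO_ALIAS(RSA_meth_set_keygen);
-
-int
-RSA_meth_set_flags(RSA_METHOD *meth, int flags)
-{
- meth->flags = flags;
- return 1;
-}
-LCRYPTO_ALIAS(RSA_meth_set_flags);
-
-int
-RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
-{
- meth->app_data = app_data;
- return 1;
-}
-LCRYPTO_ALIAS(RSA_meth_set0_app_data);
-
-const char *
-RSA_meth_get0_name(const RSA_METHOD *meth)
-{
- return meth->name;
-}
-LCRYPTO_ALIAS(RSA_meth_get0_name);
-
-int
-(*RSA_meth_get_pub_enc(const RSA_METHOD *meth))(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-{
- return meth->rsa_pub_enc;
-}
-LCRYPTO_ALIAS(RSA_meth_get_pub_enc);
-
-int
-(*RSA_meth_get_pub_dec(const RSA_METHOD *meth))(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-{
- return meth->rsa_pub_dec;
-}
-LCRYPTO_ALIAS(RSA_meth_get_pub_dec);
-
-int
-(*RSA_meth_get_priv_enc(const RSA_METHOD *meth))(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-{
- return meth->rsa_priv_enc;
-}
-LCRYPTO_ALIAS(RSA_meth_get_priv_enc);
-
-int
-(*RSA_meth_get_priv_dec(const RSA_METHOD *meth))(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-{
- return meth->rsa_priv_dec;
-}
-LCRYPTO_ALIAS(RSA_meth_get_priv_dec);
-
-int
-(*RSA_meth_get_mod_exp(const RSA_METHOD *meth))(BIGNUM *r0, const BIGNUM *i,
- RSA *rsa, BN_CTX *ctx)
-{
- return meth->rsa_mod_exp;
-}
-LCRYPTO_ALIAS(RSA_meth_get_mod_exp);
-
-int
-(*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))(BIGNUM *r,
- const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
- BN_MONT_CTX *m_ctx)
-{
- return meth->bn_mod_exp;
-}
-LCRYPTO_ALIAS(RSA_meth_get_bn_mod_exp);
-
-int
-(*RSA_meth_get_init(const RSA_METHOD *meth))(RSA *rsa)
-{
- return meth->init;
-}
-LCRYPTO_ALIAS(RSA_meth_get_init);
-
-int
-(*RSA_meth_get_keygen(const RSA_METHOD *meth))(RSA *rsa, int bits, BIGNUM *e,
- BN_GENCB *cb)
-{
- return meth->rsa_keygen;
-}
-LCRYPTO_ALIAS(RSA_meth_get_keygen);
-
-int
-RSA_meth_get_flags(const RSA_METHOD *meth)
-{
- return meth->flags;
-}
-LCRYPTO_ALIAS(RSA_meth_get_flags);
-
-void *
-RSA_meth_get0_app_data(const RSA_METHOD *meth)
-{
- return meth->app_data;
-}
-LCRYPTO_ALIAS(RSA_meth_get0_app_data);
-
-int
-(*RSA_meth_get_sign(const RSA_METHOD *meth))(int type,
- const unsigned char *m, unsigned int m_length,
- unsigned char *sigret, unsigned int *siglen,
- const RSA *rsa)
-{
- return meth->rsa_sign;
-}
-LCRYPTO_ALIAS(RSA_meth_get_sign);
-
-int
-RSA_meth_set_sign(RSA_METHOD *meth, int (*sign)(int type,
- const unsigned char *m, unsigned int m_length, unsigned char *sigret,
- unsigned int *siglen, const RSA *rsa))
-{
- meth->rsa_sign = sign;
- return 1;
-}
-LCRYPTO_ALIAS(RSA_meth_set_sign);
-
-int
-(*RSA_meth_get_verify(const RSA_METHOD *meth))(int dtype,
- const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf,
- unsigned int siglen, const RSA *rsa)
-{
- return meth->rsa_verify;
-}
-LCRYPTO_ALIAS(RSA_meth_get_verify);
-
-int
-RSA_meth_set_verify(RSA_METHOD *meth, int (*verify)(int dtype,
- const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf,
- unsigned int siglen, const RSA *rsa))
-{
- meth->rsa_verify = verify;
- return 1;
-}
-LCRYPTO_ALIAS(RSA_meth_set_verify);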
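--- a/src/lib/libcrypto/rsa/rsa_none.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/* $OpenBSD: rsa_none.c,v 1.12 2023/07/08 12:26:45 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-int
-RSA_padding_add_none(unsigned char *to, int tlen, const unsigned char *from,
- int flen)
-{
- if (flen > tlen) {
- RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return 0;
- }
-
- if (flen < tlen) {
- RSAerror(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
- return 0;
- }
-
- memcpy(to, from, flen);
- return 1;
-}
-LCRYPTO_ALIAS(RSA_padding_add_none);
-
-int
-RSA_padding_check_none(unsigned char *to, int tlen, const unsigned char *from,
- int flen, int num)
-{
- if (flen > tlen) {
- RSAerror(RSA_R_DATA_TOO_LARGE);
- return -1;
- }
-
- memset(to, 0, tlen - flen);
- memcpy(to + tlen - flen, from, flen);
- return tlen;
-}
-LCRYPTO_ALIAS(RSA_padding_check_none);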
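--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ /dev/null
@@ -1,368 +0,0 @@
-/* $OpenBSD: rsa_oaep.c,v 1.39 2024/03/26 05:37:28 joshua Exp $ */
-/*
- * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
-
-/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
- * <URL: http://www.shoup.net/papers/oaep.ps.Z>
- * for problems with the security proof for the
- * original OAEP scheme, which EME-OAEP is based on.
- *
- * A new proof can be found in E. Fujisaki, T. Okamoto,
- * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
- * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
- * The new proof has stronger requirements for the
- * underlying permutation: "partial-one-wayness" instead
- * of one-wayness. For the RSA function, this is
- * an equivalent notion.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-#include <openssl/sha.h>
-
-#include "constant_time.h"
-#include "evp_local.h"
-#include "rsa_local.h"
-
-int
-RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
- const unsigned char *from, int flen, const unsigned char *param, int plen)
-{
- return RSA_padding_add_PKCS1_OAEP_mgf1(to, tlen, from, flen, param,
- plen, NULL, NULL);
-}
-LCRYPTO_ALIAS(RSA_padding_add_PKCS1_OAEP);
-
-int
-RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
- const unsigned char *from, int flen, const unsigned char *param, int plen,
- const EVP_MD *md, const EVP_MD *mgf1md)
-{
- int i, emlen = tlen - 1;
- unsigned char *db, *seed;
- unsigned char *dbmask = NULL;
- unsigned char seedmask[EVP_MAX_MD_SIZE];
- int mdlen, dbmask_len = 0;
- int rv = 0;
-
- if (md == NULL)
- md = EVP_sha1();
- if (mgf1md == NULL)
- mgf1md = md;
-
- if ((mdlen = EVP_MD_size(md)) <= 0)
- goto err;
-
- if (flen > emlen - 2 * mdlen - 1) {
- RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- goto err;
- }
-
- if (emlen < 2 * mdlen + 1) {
- RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);
- goto err;
- }
-
- to[0] = 0;
- seed = to + 1;
- db = to + mdlen + 1;
-
- if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL))
- goto err;
-
- memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);
- db[emlen - flen - mdlen - 1] = 0x01;
- memcpy(db + emlen - flen - mdlen, from, flen);
- arc4random_buf(seed, mdlen);
-
- dbmask_len = emlen - mdlen;
- if ((dbmask = malloc(dbmask_len)) == NULL) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- if (PKCS1_MGF1(dbmask, dbmask_len, seed, mdlen, mgf1md) < 0)
- goto err;
- for (i = 0; i < dbmask_len; i++)
- db[i] ^= dbmask[i];
- if (PKCS1_MGF1(seedmask, mdlen, db, dbmask_len, mgf1md) < 0)
- goto err;
- for (i = 0; i < mdlen; i++)
- seed[i] ^= seedmask[i];
-
- rv = 1;
-
- err:
- explicit_bzero(seedmask, sizeof(seedmask));
- freezero(dbmask, dbmask_len);
-
- return rv;
-}
-LCRYPTO_ALIAS(RSA_padding_add_PKCS1_OAEP_mgf1);
-
-int
-RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num, const unsigned char *param,
- int plen)
-{
- return RSA_padding_check_PKCS1_OAEP_mgf1(to, tlen, from, flen, num,
- param, plen, NULL, NULL);
-}
-LCRYPTO_ALIAS(RSA_padding_check_PKCS1_OAEP);
-
-int
-RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num, const unsigned char *param,
- int plen, const EVP_MD *md, const EVP_MD *mgf1md)
-{
- int i, dblen = 0, mlen = -1, one_index = 0, msg_index;
- unsigned int good = 0, found_one_byte, mask;
- const unsigned char *maskedseed, *maskeddb;
- unsigned char seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE];
- unsigned char *db = NULL, *em = NULL;
- int mdlen;
-
- if (md == NULL)
- md = EVP_sha1();
- if (mgf1md == NULL)
- mgf1md = md;
-
- if ((mdlen = EVP_MD_size(md)) <= 0)
- return -1;
-
- if (tlen <= 0 || flen <= 0)
- return -1;
-
- /*
- * |num| is the length of the modulus; |flen| is the length of the
- * encoded message. Therefore, for any |from| that was obtained by
- * decrypting a ciphertext, we must have |flen| <= |num|. Similarly,
- * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective
- * of the ciphertext, see PKCS #1 v2.2, section 7.1.2.
- * This does not leak any side-channel information.
- */
- if (num < flen || num < 2 * mdlen + 2) {
- RSAerror(RSA_R_OAEP_DECODING_ERROR);
- return -1;
- }
-
- dblen = num - mdlen - 1;
- if ((db = malloc(dblen)) == NULL) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto cleanup;
- }
- if ((em = malloc(num)) == NULL) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto cleanup;
- }
-
- /*
- * Caller is encouraged to pass zero-padded message created with
- * BN_bn2binpad. Trouble is that since we can't read out of |from|'s
- * bounds, it's impossible to have an invariant memory access pattern
- * in case |from| was not zero-padded in advance.
- */
- for (from += flen, em += num, i = 0; i < num; i++) {
- mask = ~constant_time_is_zero(flen);
- flen -= 1 & mask;
- from -= 1 & mask;
- *--em = *from & mask;
- }
-
- /*
- * The first byte must be zero, however we must not leak if this is
- * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
- * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
- */
- good = constant_time_is_zero(em[0]);
-
- maskedseed = em + 1;
- maskeddb = em + 1 + mdlen;
-
- if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
- goto cleanup;
- for (i = 0; i < mdlen; i++)
- seed[i] ^= maskedseed[i];
-
- if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md))
- goto cleanup;
- for (i = 0; i < dblen; i++)
- db[i] ^= maskeddb[i];
-
- if (!EVP_Digest((void *)param, plen, phash, NULL, md, NULL))
- goto cleanup;
-
- good &= constant_time_is_zero(timingsafe_memcmp(db, phash, mdlen));
-
- found_one_byte = 0;
- for (i = mdlen; i < dblen; i++) {
- /*
- * Padding consists of a number of 0-bytes, followed by a 1.
- */
- unsigned int equals1 = constant_time_eq(db[i], 1);
- unsigned int equals0 = constant_time_is_zero(db[i]);
-
- one_index = constant_time_select_int(~found_one_byte & equals1,
- i, one_index);
- found_one_byte |= equals1;
- good &= (found_one_byte | equals0);
- }
-
- good &= found_one_byte;
-
- /*
- * At this point |good| is zero unless the plaintext was valid,
- * so plaintext-awareness ensures timing side-channels are no longer a
- * concern.
- */
- msg_index = one_index + 1;
- mlen = dblen - msg_index;
-
- /*
- * For good measure, do this check in constant time as well.
- */
- good &= constant_time_ge(tlen, mlen);
-
- /*
- * Even though we can't fake result's length, we can pretend copying
- * |tlen| bytes where |mlen| bytes would be real. The last |tlen| of
- * |dblen| bytes are viewed as a circular buffer starting at |tlen|-|mlen'|,
- * where |mlen'| is the "saturated" |mlen| value. Deducing information
- * about failure or |mlen| would require an attacker to observe
- * memory access patterns with byte granularity *as it occurs*. It
- * should be noted that failure is indistinguishable from normal
- * operation if |tlen| is fixed by protocol.
- */
- tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
- dblen - mdlen - 1, tlen);
- msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
- mlen = dblen - msg_index;
- for (mask = good, i = 0; i < tlen; i++) {
- unsigned int equals = constant_time_eq(msg_index, dblen);
-
- msg_index -= tlen & equals; /* rewind at EOF */
- mask &= ~equals; /* mask = 0 at EOF */
- to[i] = constant_time_select_8(mask, db[msg_index++], to[i]);
- }
-
- /*
- * To avoid chosen ciphertext attacks, the error message should not
- * reveal which kind of decoding error happened.
- */
- RSAerror(RSA_R_OAEP_DECODING_ERROR);
- err_clear_last_constant_time(1 & good);
-
- cleanup:
- explicit_bzero(seed, sizeof(seed));
- freezero(db, dblen);
- freezero(em, num);
-
- return constant_time_select_int(good, mlen, -1);
-}
-LCRYPTO_ALIAS(RSA_padding_check_PKCS1_OAEP_mgf1);
-
-int
-PKCS1_MGF1(unsigned char *mask, long len, const unsigned char *seed,
- long seedlen, const EVP_MD *dgst)
-{
- long i, outlen = 0;
- unsigned char cnt[4];
- EVP_MD_CTX *md_ctx;
- unsigned char md[EVP_MAX_MD_SIZE];
- int mdlen;
- int rv = -1;
-
- if ((md_ctx = EVP_MD_CTX_new()) == NULL)
- goto err;
-
- mdlen = EVP_MD_size(dgst);
- if (mdlen < 0)
- goto err;
- for (i = 0; outlen < len; i++) {
- cnt[0] = (unsigned char)((i >> 24) & 255);
- cnt[1] = (unsigned char)((i >> 16) & 255);
- cnt[2] = (unsigned char)((i >> 8)) & 255;
- cnt[3] = (unsigned char)(i & 255);
- if (!EVP_DigestInit_ex(md_ctx, dgst, NULL) ||
- !EVP_DigestUpdate(md_ctx, seed, seedlen) ||
- !EVP_DigestUpdate(md_ctx, cnt, 4))
- goto err;
- if (outlen + mdlen <= len) {
- if (!EVP_DigestFinal_ex(md_ctx, mask + outlen, NULL))
- goto err;
- outlen += mdlen;
- } else {
- if (!EVP_DigestFinal_ex(md_ctx, md, NULL))
- goto err;
- memcpy(mask + outlen, md, len - outlen);
- outlen = len;
- }
- }
-
- rv = 0;
-
- err:
- EVP_MD_CTX_free(md_ctx);
-
- return rv;
-}
-LCRYPTO_ALIAS(PKCS1_MGF1);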
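--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ /dev/null
@@ -1,283 +0,0 @@
-/* $OpenBSD: rsa_pk1.c,v 1.17 2024/03/30 04:34:17 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-#include "bytestring.h"
-
-int
-RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
-{
- CBB cbb;
- int i;
- int ret = 0;
-
- /*
- * Pad data block with PKCS1 type 1 padding - RFC 2313, section 8.1.
- */
-
- memset(&cbb, 0, sizeof(cbb));
-
- if (flen < 0 || tlen < 0)
- goto err;
-
- if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {
- RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- goto err;
- }
-
- if (!CBB_init_fixed(&cbb, to, tlen))
- goto err;
-
- /*
- * Add leading NUL, block type (0x01), padding bytes (0xff) and
- * trailing NUL.
- */
- if (!CBB_add_u8(&cbb, 0))
- goto err;
- if (!CBB_add_u8(&cbb, 1))
- goto err;
- for (i = 0; i < tlen - 3 - flen; i++) {
- if (!CBB_add_u8(&cbb, 0xff))
- goto err;
- }
- if (!CBB_add_u8(&cbb, 0))
- goto err;
-
- /* Now add the actual data. */
- if (!CBB_add_bytes(&cbb, from, flen))
- goto err;
-
- if (!CBB_finish(&cbb, NULL, NULL))
- goto err;
-
- ret = 1;
-
- err:
- CBB_cleanup(&cbb);
-
- return ret;
-}
-LCRYPTO_ALIAS(RSA_padding_add_PKCS1_type_1);
-
-int
-RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num)
-{
- int i, j;
- const unsigned char *p;
-
- p = from;
- if (num != flen + 1 || *(p++) != 01) {
- RSAerror(RSA_R_BLOCK_TYPE_IS_NOT_01);
- return -1;
- }
-
- /* scan over padding data */
- j = flen - 1; /* one for type. */
- for (i = 0; i < j; i++) {
- if (*p != 0xff) {
- /* should decrypt to 0xff */
- if (*p == 0) {
- p++;
- break;
- } else {
- RSAerror(RSA_R_BAD_FIXED_HEADER_DECRYPT);
- return -1;
- }
- }
- p++;
- }
-
- if (i == j) {
- RSAerror(RSA_R_NULL_BEFORE_BLOCK_MISSING);
- return -1;
- }
-
- if (i < 8) {
- RSAerror(RSA_R_BAD_PAD_BYTE_COUNT);
- return -1;
- }
- i++; /* Skip over the '\0' */
- j -= i;
- if (j > tlen) {
- RSAerror(RSA_R_DATA_TOO_LARGE);
- return -1;
- }
- memcpy(to, p, j);
-
- return j;
-}
-LCRYPTO_ALIAS(RSA_padding_check_PKCS1_type_1);
-
-int
-RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
-{
- uint8_t padding[256];
- uint8_t pad;
- CBB cbb;
- CBS cbs;
- int i;
- int ret = 0;
-
- /*
- * Pad data block with PKCS1 type 2 padding - RFC 2313, section 8.1.
- */
-
- memset(&cbb, 0, sizeof(cbb));
- CBS_init(&cbs, NULL, 0);
-
- if (flen < 0 || tlen < 0)
- goto err;
-
- if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {
- RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- goto err;
- }
-
- if (!CBB_init_fixed(&cbb, to, tlen))
- goto err;
-
- /*
- * Add leading NUL, block type (0x02), padding bytes (random non-zero
- * bytes) and trailing NUL.
- */
- if (!CBB_add_u8(&cbb, 0))
- goto err;
- if (!CBB_add_u8(&cbb, 2))
- goto err;
- for (i = 0; i < tlen - 3 - flen; i++) {
- do {
- if (CBS_len(&cbs) == 0) {
- arc4random_buf(padding, sizeof(padding));
- CBS_init(&cbs, padding, sizeof(padding));
- }
- if (!CBS_get_u8(&cbs, &pad))
- goto err;
- } while (pad == 0);
-
- if (!CBB_add_u8(&cbb, pad))
- goto err;
- }
- if (!CBB_add_u8(&cbb, 0))
- goto err;
-
- /* Now add the actual data. */
- if (!CBB_add_bytes(&cbb, from, flen))
- goto err;
-
- if (!CBB_finish(&cbb, NULL, NULL))
- goto err;
-
- ret = 1;
-
- err:
- CBB_cleanup(&cbb);
- explicit_bzero(padding, sizeof(padding));
-
- return ret;
-}
-LCRYPTO_ALIAS(RSA_padding_add_PKCS1_type_2);
-
-int
-RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num)
-{
- int i, j;
- const unsigned char *p;
-
- p = from;
- if (num != flen + 1 || *(p++) != 02) {
- RSAerror(RSA_R_BLOCK_TYPE_IS_NOT_02);
- return -1;
- }
-
- /* scan over padding data */
- j = flen - 1; /* one for type. */
- for (i = 0; i < j; i++)
- if (*(p++) == 0)
- break;
-
- if (i == j) {
- RSAerror(RSA_R_NULL_BEFORE_BLOCK_MISSING);
- return -1;
- }
-
- if (i < 8) {
- RSAerror(RSA_R_BAD_PAD_BYTE_COUNT);
- return -1;
- }
- i++; /* Skip over the '\0' */
- j -= i;
- if (j > tlen) {
- RSAerror(RSA_R_DATA_TOO_LARGE);
- return -1;
- }
- memcpy(to, p, j);
-
- return j;
-}
-LCRYPTO_ALIAS(RSA_padding_check_PKCS1_type_2);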
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
deleted file mode 100644
index 453570cf74..0000000000
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ /dev/null
@@ -1,911 +0,0 @@
1/* $OpenBSD: rsa_pmeth.c,v 1.43 2025/01/17 15:39:19 tb Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <limits.h>
60#include <stdio.h>
61#include <stdlib.h>
62#include <string.h>
63
64#include <openssl/opensslconf.h>
65
66#include <openssl/asn1t.h>
67#include <openssl/bn.h>
68#include <openssl/err.h>
69#include <openssl/evp.h>
70#include <openssl/rsa.h>
71#include <openssl/x509.h>
72#include <openssl/x509v3.h>
73
74#include "bn_local.h"
75#include "evp_local.h"
76#include "rsa_local.h"
77
78/* RSA pkey context structure */
79
80typedef struct {
81 /* Key gen parameters */
82 int nbits;
83 BIGNUM *pub_exp;
84 /* Keygen callback info */
85 int gentmp[2];
86 /* RSA padding mode */
87 int pad_mode;
88 /* message digest */
89 const EVP_MD *md;
90 /* message digest for MGF1 */
91 const EVP_MD *mgf1md;
92 /* PSS salt length */
93 int saltlen;
94 /* Minimum salt length or -1 if no PSS parameter restriction */
95 int min_saltlen;
96 /* Temp buffer */
97 unsigned char *tbuf;
98 /* OAEP label */
99 unsigned char *oaep_label;
100 size_t oaep_labellen;
101} RSA_PKEY_CTX;
102
103/* True if PSS parameters are restricted */
104#define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1)
105
106static int
107pkey_rsa_init(EVP_PKEY_CTX *ctx)
108{
109 RSA_PKEY_CTX *rctx;
110
111 if ((rctx = calloc(1, sizeof(RSA_PKEY_CTX))) == NULL)
112 return 0;
113
114 rctx->nbits = 2048;
115
116 if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS)
117 rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
118 else
119 rctx->pad_mode = RSA_PKCS1_PADDING;
120
121 /* Maximum for sign, auto for verify */
122 rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
123 rctx->min_saltlen = -1;
124
125 ctx->data = rctx;
126 ctx->keygen_info = rctx->gentmp;
127 ctx->keygen_info_count = 2;
128
129 return 1;
130}
131
132static int
133pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
134{
135 RSA_PKEY_CTX *dctx, *sctx;
136
137 if (!pkey_rsa_init(dst))
138 return 0;
139
140 sctx = src->data;
141 dctx = dst->data;
142 dctx->nbits = sctx->nbits;
143 if (sctx->pub_exp != NULL) {
144 BN_free(dctx->pub_exp);
145 if ((dctx->pub_exp = BN_dup(sctx->pub_exp)) == NULL)
146 return 0;
147 }
148 dctx->pad_mode = sctx->pad_mode;
149 dctx->md = sctx->md;
150 dctx->mgf1md = sctx->mgf1md;
151 if (sctx->oaep_label != NULL) {
152 free(dctx->oaep_label);
153 if ((dctx->oaep_label = calloc(1, sctx->oaep_labellen)) == NULL)
154 return 0;
155 memcpy(dctx->oaep_label, sctx->oaep_label, sctx->oaep_labellen);
156 dctx->oaep_labellen = sctx->oaep_labellen;
157 }
158
159 return 1;
160}
161
162static int
163setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
164{
165 if (ctx->tbuf != NULL)
166 return 1;
167 if ((ctx->tbuf = calloc(1, EVP_PKEY_size(pk->pkey))) == NULL) {
168 RSAerror(ERR_R_MALLOC_FAILURE);
169 return 0;
170 }
171 return 1;
172}
173
174static void
175pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
176{
177 RSA_PKEY_CTX *rctx = ctx->data;
178
179 if (rctx) {
180 BN_free(rctx->pub_exp);
181 free(rctx->tbuf);
182 free(rctx->oaep_label);
183 free(rctx);
184 }
185}
186
187static int
188pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
189 const unsigned char *tbs, size_t tbslen)
190{
191 int ret;
192 RSA_PKEY_CTX *rctx = ctx->data;
193 RSA *rsa = ctx->pkey->pkey.rsa;
194
195 if (rctx->md) {
196 if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
197 RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
198 return -1;
199 }
200
201 if (rctx->pad_mode == RSA_X931_PADDING) {
202 if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {
203 RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);
204 return -1;
205 }
206 if (!setup_tbuf(rctx, ctx)) {
207 RSAerror(ERR_R_MALLOC_FAILURE);
208 return -1;
209 }
210 memcpy(rctx->tbuf, tbs, tbslen);
211 rctx->tbuf[tbslen] =
212 RSA_X931_hash_id(EVP_MD_type(rctx->md));
213 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
214 rsa, RSA_X931_PADDING);
215 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
216 unsigned int sltmp;
217
218 ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
219 &sltmp, rsa);
220 if (ret <= 0)
221 return ret;
222 ret = sltmp;
223 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
224 if (!setup_tbuf(rctx, ctx))
225 return -1;
226 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf,
227 tbs, rctx->md, rctx->mgf1md, rctx->saltlen))
228 return -1;
229 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
230 sig, rsa, RSA_NO_PADDING);
231 } else {
232 return -1;
233 }
234 } else {
235 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
236 rctx->pad_mode);
237 }
238 if (ret < 0)
239 return ret;
240 *siglen = ret;
241 return 1;
242}
243
244static int
245pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen,
246 const unsigned char *sig, size_t siglen)
247{
248 int ret;
249 RSA_PKEY_CTX *rctx = ctx->data;
250
251 if (rctx->md) {
252 if (rctx->pad_mode == RSA_X931_PADDING) {
253 if (!setup_tbuf(rctx, ctx))
254 return -1;
255 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
256 ctx->pkey->pkey.rsa, RSA_X931_PADDING);
257 if (ret < 1)
258 return 0;
259 ret--;
260 if (rctx->tbuf[ret] !=
261 RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
262 RSAerror(RSA_R_ALGORITHM_MISMATCH);
263 return 0;
264 }
265 if (ret != EVP_MD_size(rctx->md)) {
266 RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
267 return 0;
268 }
269 if (rout)
270 memcpy(rout, rctx->tbuf, ret);
271 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
272 size_t sltmp;
273
274 ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
275 rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
276 if (ret <= 0)
277 return 0;
278 ret = sltmp;
279 } else {
280 return -1;
281 }
282 } else {
283 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
284 rctx->pad_mode);
285 }
286 if (ret < 0)
287 return ret;
288 *routlen = ret;
289 return 1;
290}
291
292static int
293pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
294 const unsigned char *tbs, size_t tbslen)
295{
296 RSA_PKEY_CTX *rctx = ctx->data;
297 RSA *rsa = ctx->pkey->pkey.rsa;
298 size_t rslen;
299
300 if (rctx->md) {
301 if (rctx->pad_mode == RSA_PKCS1_PADDING)
302 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
303 sig, siglen, rsa);
304 if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
305 RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
306 return -1;
307 }
308 if (rctx->pad_mode == RSA_X931_PADDING) {
309 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
310 siglen) <= 0)
311 return 0;
312 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
313 int ret;
314
315 if (!setup_tbuf(rctx, ctx))
316 return -1;
317 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
318 rsa, RSA_NO_PADDING);
319 if (ret <= 0)
320 return 0;
321 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
322 rctx->mgf1md, rctx->tbuf, rctx->saltlen);
323 if (ret <= 0)
324 return 0;
325 return 1;
326 } else {
327 return -1;
328 }
329 } else {
330 int ret;
331
332 if (!setup_tbuf(rctx, ctx))
333 return -1;
334
335 if ((ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
336 rctx->pad_mode)) <= 0)
337 return 0;
338
339 rslen = ret;
340 }
341
342 if (rslen != tbslen || timingsafe_bcmp(tbs, rctx->tbuf, rslen))
343 return 0;
344
345 return 1;
346}
347
348static int
349pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
350 const unsigned char *in, size_t inlen)
351{
352 RSA_PKEY_CTX *rctx = ctx->data;
353 int ret;
354
355 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
356 int klen = RSA_size(ctx->pkey->pkey.rsa);
357 if (!setup_tbuf(rctx, ctx))
358 return -1;
359 if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
360 in, inlen, rctx->oaep_label, rctx->oaep_labellen,
361 rctx->md, rctx->mgf1md))
362 return -1;
363 ret = RSA_public_encrypt(klen, rctx->tbuf, out,
364 ctx->pkey->pkey.rsa, RSA_NO_PADDING);
365 } else {
366 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
367 rctx->pad_mode);
368 }
369 if (ret < 0)
370 return ret;
371 *outlen = ret;
372 return 1;
373}
374
375static int
376pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
377 const unsigned char *in, size_t inlen)
378{
379 int ret;
380 RSA_PKEY_CTX *rctx = ctx->data;
381
382 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
383 if (!setup_tbuf(rctx, ctx))
384 return -1;
385 ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
386 ctx->pkey->pkey.rsa, RSA_NO_PADDING);
387 if (ret <= 0)
388 return ret;
389 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
390 ret, ret, rctx->oaep_label, rctx->oaep_labellen, rctx->md,
391 rctx->mgf1md);
392 } else {
393 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
394 rctx->pad_mode);
395 }
396 if (ret < 0)
397 return ret;
398 *outlen = ret;
399 return 1;
400}
401
402static int
403check_padding_md(const EVP_MD *md, int padding)
404{
405 if (md == NULL)
406 return 1;
407
408 if (padding == RSA_NO_PADDING) {
409 RSAerror(RSA_R_INVALID_PADDING_MODE);
410 return 0;
411 }
412
413 if (padding == RSA_X931_PADDING) {
414 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
415 RSAerror(RSA_R_INVALID_X931_DIGEST);
416 return 0;
417 }
418 } else {
419 /* List of all supported RSA digests. */
420 /* RFC 8017 and NIST CSOR. */
421 switch(EVP_MD_type(md)) {
422 case NID_sha1:
423 case NID_sha224:
424 case NID_sha256:
425 case NID_sha384:
426 case NID_sha512:
427 case NID_sha512_224:
428 case NID_sha512_256:
429 case NID_sha3_224:
430 case NID_sha3_256:
431 case NID_sha3_384:
432 case NID_sha3_512:
433 case NID_md5:
434 case NID_md5_sha1:
435 case NID_md4:
436 case NID_ripemd160:
437 return 1;
438
439 default:
440 RSAerror(RSA_R_INVALID_DIGEST);
441 return 0;
442 }
443 }
444
445 return 1;
446}
447
448static int
449pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
450{
451 RSA_PKEY_CTX *rctx = ctx->data;
452
453 switch (type) {
454 case EVP_PKEY_CTRL_RSA_PADDING:
455 if (p1 >= RSA_PKCS1_PADDING && p1 <= RSA_PKCS1_PSS_PADDING) {
456 if (!check_padding_md(rctx->md, p1))
457 return 0;
458 if (p1 == RSA_PKCS1_PSS_PADDING) {
459 if (!(ctx->operation &
460 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
461 goto bad_pad;
462 if (!rctx->md)
463 rctx->md = EVP_sha1();
464 } else if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
465 goto bad_pad;
466 }
467 if (p1 == RSA_PKCS1_OAEP_PADDING) {
468 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
469 goto bad_pad;
470 if (!rctx->md)
471 rctx->md = EVP_sha1();
472 }
473 rctx->pad_mode = p1;
474 return 1;
475 }
476 bad_pad:
477 RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
478 return -2;
479
480 case EVP_PKEY_CTRL_GET_RSA_PADDING:
481 *(int *)p2 = rctx->pad_mode;
482 return 1;
483
484 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
485 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
486 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
487 RSAerror(RSA_R_INVALID_PSS_SALTLEN);
488 return -2;
489 }
490 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
491 *(int *)p2 = rctx->saltlen;
492 } else {
493 if (p1 < RSA_PSS_SALTLEN_MAX)
494 return -2;
495 if (rsa_pss_restricted(rctx)) {
496 if (p1 == RSA_PSS_SALTLEN_AUTO &&
497 ctx->operation == EVP_PKEY_OP_VERIFY) {
498 RSAerror(RSA_R_INVALID_PSS_SALTLEN);
499 return -2;
500 }
501 if ((p1 == RSA_PSS_SALTLEN_DIGEST &&
502 rctx->min_saltlen > EVP_MD_size(rctx->md)) ||
503 (p1 >= 0 && p1 < rctx->min_saltlen)) {
504 RSAerror(RSA_R_PSS_SALTLEN_TOO_SMALL);
505 return 0;
506 }
507 }
508 rctx->saltlen = p1;
509 }
510 return 1;
511
512 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
513 if (p1 < RSA_MIN_MODULUS_BITS) {
514 RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);
515 return -2;
516 }
517 rctx->nbits = p1;
518 return 1;
519
520 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
521 if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) ||
522 BN_is_one((BIGNUM *)p2)) {
523 RSAerror(RSA_R_BAD_E_VALUE);
524 return -2;
525 }
526 BN_free(rctx->pub_exp);
527 rctx->pub_exp = p2;
528 return 1;
529
530 case EVP_PKEY_CTRL_RSA_OAEP_MD:
531 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
532 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
533 RSAerror(RSA_R_INVALID_PADDING_MODE);
534 return -2;
535 }
536 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD)
537 *(const EVP_MD **)p2 = rctx->md;
538 else
539 rctx->md = p2;
540 return 1;
541
542 case EVP_PKEY_CTRL_MD:
543 if (!check_padding_md(p2, rctx->pad_mode))
544 return 0;
545 if (rsa_pss_restricted(rctx)) {
546 if (EVP_MD_type(rctx->md) == EVP_MD_type(p2))
547 return 1;
548 RSAerror(RSA_R_DIGEST_NOT_ALLOWED);
549 return 0;
550 }
551 rctx->md = p2;
552 return 1;
553
554 case EVP_PKEY_CTRL_GET_MD:
555 *(const EVP_MD **)p2 = rctx->md;
556 return 1;
557
558 case EVP_PKEY_CTRL_RSA_MGF1_MD:
559 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
560 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&
561 rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
562 RSAerror(RSA_R_INVALID_MGF1_MD);
563 return -2;
564 }
565 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
566 if (rctx->mgf1md)
567 *(const EVP_MD **)p2 = rctx->mgf1md;
568 else
569 *(const EVP_MD **)p2 = rctx->md;
570 } else {
571 if (rsa_pss_restricted(rctx)) {
572 if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2))
573 return 1;
574 RSAerror(RSA_R_MGF1_DIGEST_NOT_ALLOWED);
575 return 0;
576 }
577 rctx->mgf1md = p2;
578 }
579 return 1;
580
581 case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
582 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
583 RSAerror(RSA_R_INVALID_PADDING_MODE);
584 return -2;
585 }
586 free(rctx->oaep_label);
587 if (p2 != NULL && p1 > 0) {
588 rctx->oaep_label = p2;
589 rctx->oaep_labellen = p1;
590 } else {
591 rctx->oaep_label = NULL;
592 rctx->oaep_labellen = 0;
593 }
594 return 1;
595
596 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
597 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
598 RSAerror(RSA_R_INVALID_PADDING_MODE);
599 return -2;
600 }
601 *(unsigned char **)p2 = rctx->oaep_label;
602 return rctx->oaep_labellen;
603
604 case EVP_PKEY_CTRL_DIGESTINIT:
605 case EVP_PKEY_CTRL_PKCS7_SIGN:
606#ifndef OPENSSL_NO_CMS
607 case EVP_PKEY_CTRL_CMS_SIGN:
608#endif
609 return 1;
610
611 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
612 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
613#ifndef OPENSSL_NO_CMS
614 case EVP_PKEY_CTRL_CMS_DECRYPT:
615 case EVP_PKEY_CTRL_CMS_ENCRYPT:
616#endif
617 if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
618 return 1;
619
620 /* fall through */
621 case EVP_PKEY_CTRL_PEER_KEY:
622 RSAerror(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
623 return -2;
624
625 default:
626 return -2;
627
628 }
629}
630
631static int
632pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
633{
634 const char *errstr;
635
636 if (!value) {
637 RSAerror(RSA_R_VALUE_MISSING);
638 return 0;
639 }
640 if (strcmp(type, "rsa_padding_mode") == 0) {
641 int pm;
642 if (strcmp(value, "pkcs1") == 0)
643 pm = RSA_PKCS1_PADDING;
644 else if (strcmp(value, "none") == 0)
645 pm = RSA_NO_PADDING;
646 else if (strcmp(value, "oaep") == 0 || strcmp(value, "oeap") == 0)
647 pm = RSA_PKCS1_OAEP_PADDING;
648 else if (strcmp(value, "x931") == 0)
649 pm = RSA_X931_PADDING;
650 else if (strcmp(value, "pss") == 0)
651 pm = RSA_PKCS1_PSS_PADDING;
652 else {
653 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
654 return -2;
655 }
656 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
657 }
658
659 if (strcmp(type, "rsa_pss_saltlen") == 0) {
660 int saltlen;
661
662 if (strcmp(value, "digest") == 0)
663 saltlen = RSA_PSS_SALTLEN_DIGEST;
664 else if (strcmp(value, "max") == 0)
665 saltlen = RSA_PSS_SALTLEN_MAX;
666 else if (strcmp(value, "auto") == 0)
667 saltlen = RSA_PSS_SALTLEN_AUTO;
668 else {
669 /*
670 * Accept the special values -1, -2, -3 since that's
671 * what atoi() historically did. Lower values are later
672 * rejected in EVP_PKEY_CTRL_RSA_PSS_SALTLEN anyway.
673 */
674 saltlen = strtonum(value, -3, INT_MAX, &errstr);
675 if (errstr != NULL) {
676 RSAerror(RSA_R_INVALID_PSS_SALTLEN);
677 return -2;
678 }
679 }
680 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
681 }
682
683 if (strcmp(type, "rsa_keygen_bits") == 0) {
684 int nbits;
685
686 nbits = strtonum(value, 0, INT_MAX, &errstr);
687 if (errstr != NULL) {
688 RSAerror(RSA_R_INVALID_KEYBITS);
689 return -2;
690 }
691
692 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
693 }
694
695 if (strcmp(type, "rsa_keygen_pubexp") == 0) {
696 BIGNUM *pubexp = NULL;
697 int ret;
698
699 if (!BN_asc2bn(&pubexp, value))
700 return 0;
701 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
702 if (ret <= 0)
703 BN_free(pubexp);
704 return ret;
705 }
706
707 if (strcmp(type, "rsa_mgf1_md") == 0)
708 return EVP_PKEY_CTX_md(ctx,
709 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
710 EVP_PKEY_CTRL_RSA_MGF1_MD, value);
711
712 if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
713 if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0)
714 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
715 EVP_PKEY_CTRL_RSA_MGF1_MD, value);
716
717 if (strcmp(type, "rsa_pss_keygen_md") == 0)
718 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
719 EVP_PKEY_CTRL_MD, value);
720
721 if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) {
722 int saltlen;
723
724 /*
725 * Accept the special values -1, -2, -3 since that's
726 * what atoi() historically did. Lower values are later
727 * rejected in EVP_PKEY_CTRL_RSA_PSS_SALTLEN anyway.
728 */
729 saltlen = strtonum(value, -3, INT_MAX, &errstr);
730 if (errstr != NULL) {
731 RSAerror(RSA_R_INVALID_PSS_SALTLEN);
732 return -2;
733 }
734
735 return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen);
736 }
737 }
738
739 if (strcmp(type, "rsa_oaep_md") == 0)
740 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
741 EVP_PKEY_CTRL_RSA_OAEP_MD, value);
742
743 if (strcmp(type, "rsa_oaep_label") == 0) {
744 unsigned char *lab;
745 long lablen;
746 int ret;
747
748 if ((lab = string_to_hex(value, &lablen)) == NULL)
749 return 0;
750 ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
751 if (ret <= 0)
752 free(lab);
753
754 return ret;
755 }
756
757 return -2;
758}
759
760/* Set PSS parameters when generating a key, if necessary. */
761static int
762rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx)
763{
764 RSA_PKEY_CTX *rctx = ctx->data;
765
766 if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
767 return 1;
768
769 /* If all parameters are default values then do not set PSS. */
770 if (rctx->md == NULL && rctx->mgf1md == NULL &&
771 rctx->saltlen == RSA_PSS_SALTLEN_AUTO)
772 return 1;
773
774 rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md,
775 rctx->saltlen == RSA_PSS_SALTLEN_AUTO ? 0 : rctx->saltlen);
776 if (rsa->pss == NULL)
777 return 0;
778
779 return 1;
780}
781
782static int
783pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
784{
785 RSA *rsa = NULL;
786 RSA_PKEY_CTX *rctx = ctx->data;
787 BN_GENCB *pcb = NULL;
788 BN_GENCB cb = {0};
789 int ret = 0;
790
791 if (rctx->pub_exp == NULL) {
792 if ((rctx->pub_exp = BN_new()) == NULL)
793 goto err;
794 if (!BN_set_word(rctx->pub_exp, RSA_F4))
795 goto err;
796 }
797
798 if ((rsa = RSA_new()) == NULL)
799 goto err;
800 if (ctx->pkey_gencb != NULL) {
801 pcb = &cb;
802 evp_pkey_set_cb_translate(pcb, ctx);
803 }
804 if (!RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb))
805 goto err;
806 if (!rsa_set_pss_param(rsa, ctx))
807 goto err;
808 if (!EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa))
809 goto err;
810 rsa = NULL;
811
812 ret = 1;
813
814 err:
815 RSA_free(rsa);
816
817 return ret;
818}
819
820const EVP_PKEY_METHOD rsa_pkey_meth = {
821 .pkey_id = EVP_PKEY_RSA,
822 .flags = EVP_PKEY_FLAG_AUTOARGLEN,
823
824 .init = pkey_rsa_init,
825 .copy = pkey_rsa_copy,
826 .cleanup = pkey_rsa_cleanup,
827
828 .keygen = pkey_rsa_keygen,
829
830 .sign = pkey_rsa_sign,
831
832 .verify = pkey_rsa_verify,
833
834 .verify_recover = pkey_rsa_verifyrecover,
835
836 .encrypt = pkey_rsa_encrypt,
837
838 .decrypt = pkey_rsa_decrypt,
839
840 .ctrl = pkey_rsa_ctrl,
841 .ctrl_str = pkey_rsa_ctrl_str
842};
843
844/*
845 * Called for PSS sign or verify initialisation: checks PSS parameter
846 * sanity and sets any restrictions on key usage.
847 */
848
849static int
850pkey_pss_init(EVP_PKEY_CTX *ctx)
851{
852 RSA *rsa;
853 RSA_PKEY_CTX *rctx = ctx->data;
854 const EVP_MD *md;
855 const EVP_MD *mgf1md;
856 int min_saltlen, max_saltlen;
857
858 /* Should never happen */
859 if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
860 return 0;
861 rsa = ctx->pkey->pkey.rsa;
862
863 /* If no restrictions just return */
864 if (rsa->pss == NULL)
865 return 1;
866
867 /* Get and check parameters */
868 if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
869 return 0;
870
871 /* See if minimum salt length exceeds maximum possible */
872 max_saltlen = RSA_size(rsa) - EVP_MD_size(md);
873 if ((RSA_bits(rsa) & 0x7) == 1)
874 max_saltlen--;
875 if (min_saltlen > max_saltlen) {
876 RSAerror(RSA_R_INVALID_SALT_LENGTH);
877 return 0;
878 }
879 rctx->min_saltlen = min_saltlen;
880
881 /*
882 * Set PSS restrictions as defaults: we can then block any attempt to
883 * use invalid values in pkey_rsa_ctrl
884 */
885
886 rctx->md = md;
887 rctx->mgf1md = mgf1md;
888 rctx->saltlen = min_saltlen;
889
890 return 1;
891}
892
893const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
894 .pkey_id = EVP_PKEY_RSA_PSS,
895 .flags = EVP_PKEY_FLAG_AUTOARGLEN,
896
897 .init = pkey_rsa_init,
898 .copy = pkey_rsa_copy,
899 .cleanup = pkey_rsa_cleanup,
900
901 .keygen = pkey_rsa_keygen,
902
903 .sign_init = pkey_pss_init,
904 .sign = pkey_rsa_sign,
905
906 .verify_init = pkey_pss_init,
907 .verify = pkey_rsa_verify,
908
909 .ctrl = pkey_rsa_ctrl,
910 .ctrl_str = pkey_rsa_ctrl_str
911};
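diff --git a/src/lib/libcrypto/rsa/rsa_prn.c b/src/lib/libcrypto/rsa/rsa_prn.c
deleted file mode 100644
index 1783563661..0000000000
--- a/src/lib/libcrypto/rsa/rsa_prn.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/* $OpenBSD: rsa_prn.c,v 1.10 2023/07/08 12:26:45 beck Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2006.
- */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in
- the documentation and/or other materials provided with the
- distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- software must display the following acknowledgment:
- "This product includes software developed by the OpenSSL Project
- for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- endorse or promote products derived from this software without
- prior written permission. For written permission, please contact
- licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- nor may "OpenSSL" appear in their names without prior written
- permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- acknowledgment:
- "This product includes software developed by the OpenSSL Project
- for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-
-int
-RSA_print_fp(FILE *fp, const RSA *x, int off)
-{
- BIO *b;
- int ret;
-
- if ((b = BIO_new(BIO_s_file())) == NULL) {
- RSAerror(ERR_R_BUF_LIB);
- return 0;
- }
- BIO_set_fp(b, fp, BIO_NOCLOSE);
- ret = RSA_print(b, x, off);
- BIO_free(b);
- return ret;
-}
-LCRYPTO_ALIAS(RSA_print_fp);
-
-int
-RSA_print(BIO *bp, const RSA *x, int off)
-{
- EVP_PKEY *pk;
- int ret = 0;
-
- if ((pk = EVP_PKEY_new()) == NULL)
- goto err;
-
- if (!EVP_PKEY_set1_RSA(pk, (RSA *)x))
- goto err;
-
- ret = EVP_PKEY_print_private(bp, pk, off, NULL);
- err:
- EVP_PKEY_free(pk);
- return ret;
-}
-LCRYPTO_ALIAS(RSA_print);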
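diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
deleted file mode 100644
index 610ae7c928..0000000000
--- a/src/lib/libcrypto/rsa/rsa_pss.c
+++ /dev/null
@@ -1,291 +0,0 @@
-/* $OpenBSD: rsa_pss.c,v 1.19 2024/03/26 05:26:27 joshua Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2005.
- */
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in
- the documentation and/or other materials provided with the
- distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- software must display the following acknowledgment:
- "This product includes software developed by the OpenSSL Project
- for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- endorse or promote products derived from this software without
- prior written permission. For written permission, please contact
- licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- nor may "OpenSSL" appear in their names without prior written
- permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- acknowledgment:
- "This product includes software developed by the OpenSSL Project
- for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-#include <openssl/sha.h>
-
-#include "evp_local.h"
-#include "rsa_local.h"
-
-static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
-
-int
-RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, const EVP_MD *Hash,
- const unsigned char *EM, int sLen)
-{
- return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
-}
-LCRYPTO_ALIAS(RSA_verify_PKCS1_PSS);
-
-int
-RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
- const EVP_MD *Hash, const EVP_MD *mgf1Hash, const unsigned char *EM,
- int sLen)
-{
- int i;
- int ret = 0;
- int hLen, maskedDBLen, MSBits, emLen;
- const unsigned char *H;
- unsigned char *DB = NULL;
- EVP_MD_CTX *md_ctx;
- unsigned char H_[EVP_MAX_MD_SIZE];
-
- if ((md_ctx = EVP_MD_CTX_new()) == NULL)
- goto err;
-
- if (mgf1Hash == NULL)
- mgf1Hash = Hash;
-
- hLen = EVP_MD_size(Hash);
- if (hLen < 0)
- goto err;
- /*
- * Negative sLen has special meanings:
- * -1 sLen == hLen
- * -2 salt length is autorecovered from signature
- * -N reserved
- */
- if (sLen == -1)
- sLen = hLen;
- else if (sLen == -2)
- sLen = -2;
- else if (sLen < -2) {
- RSAerror(RSA_R_SLEN_CHECK_FAILED);
- goto err;
- }
-
- MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
- emLen = RSA_size(rsa);
- if (EM[0] & (0xFF << MSBits)) {
- RSAerror(RSA_R_FIRST_OCTET_INVALID);
- goto err;
- }
- if (MSBits == 0) {
- EM++;
- emLen--;
- }
- if (emLen < (hLen + sLen + 2)) {
- /* sLen can be small negative */
- RSAerror(RSA_R_DATA_TOO_LARGE);
- goto err;
- }
- if (EM[emLen - 1] != 0xbc) {
- RSAerror(RSA_R_LAST_OCTET_INVALID);
- goto err;
- }
- maskedDBLen = emLen - hLen - 1;
- H = EM + maskedDBLen;
- DB = malloc(maskedDBLen);
- if (!DB) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
- goto err;
- for (i = 0; i < maskedDBLen; i++)
- DB[i] ^= EM[i];
- if (MSBits)
- DB[0] &= 0xFF >> (8 - MSBits);
- for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
- ;
- if (DB[i++] != 0x1) {
- RSAerror(RSA_R_SLEN_RECOVERY_FAILED);
- goto err;
- }
- if (sLen >= 0 && (maskedDBLen - i) != sLen) {
- RSAerror(RSA_R_SLEN_CHECK_FAILED);
- goto err;
- }
- if (!EVP_DigestInit_ex(md_ctx, Hash, NULL) ||
- !EVP_DigestUpdate(md_ctx, zeroes, sizeof zeroes) ||
- !EVP_DigestUpdate(md_ctx, mHash, hLen))
- goto err;
- if (maskedDBLen - i) {
- if (!EVP_DigestUpdate(md_ctx, DB + i, maskedDBLen - i))
- goto err;
- }
- if (!EVP_DigestFinal_ex(md_ctx, H_, NULL))
- goto err;
- if (timingsafe_bcmp(H_, H, hLen)) {
- RSAerror(RSA_R_BAD_SIGNATURE);
- ret = 0;
- } else {
- ret = 1;
- }
-
- err:
- free(DB);
- EVP_MD_CTX_free(md_ctx);
-
- return ret;
-}
-LCRYPTO_ALIAS(RSA_verify_PKCS1_PSS_mgf1);
-
-int
-RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
- const unsigned char *mHash, const EVP_MD *Hash, int sLen)
-{
- return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
-}
-LCRYPTO_ALIAS(RSA_padding_add_PKCS1_PSS);
-
-int
-RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
- const unsigned char *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash,
- int sLen)
-{
- int i;
- int ret = 0;
- int hLen, maskedDBLen, MSBits, emLen;
- unsigned char *H, *salt = NULL, *p;
- EVP_MD_CTX *md_ctx;
-
- if ((md_ctx = EVP_MD_CTX_new()) == NULL)
- goto err;
-
- if (mgf1Hash == NULL)
- mgf1Hash = Hash;
-
- hLen = EVP_MD_size(Hash);
- if (hLen < 0)
- goto err;
- /*
- * Negative sLen has special meanings:
- * -1 sLen == hLen
- * -2 salt length is maximized
- * -N reserved
- */
- if (sLen == -1)
- sLen = hLen;
- else if (sLen == -2)
- sLen = -2;
- else if (sLen < -2) {
- RSAerror(RSA_R_SLEN_CHECK_FAILED);
- goto err;
- }
-
- MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
- emLen = RSA_size(rsa);
- if (MSBits == 0) {
- *EM++ = 0;
- emLen--;
- }
- if (sLen == -2)
- sLen = emLen - hLen - 2;
- else if (emLen < (hLen + sLen + 2)) {
- RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- goto err;
- }
- if (sLen > 0) {
- salt = malloc(sLen);
- if (!salt) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
- arc4random_buf(salt, sLen);
- }
- maskedDBLen = emLen - hLen - 1;
- H = EM + maskedDBLen;
- if (!EVP_DigestInit_ex(md_ctx, Hash, NULL) ||
- !EVP_DigestUpdate(md_ctx, zeroes, sizeof zeroes) ||
- !EVP_DigestUpdate(md_ctx, mHash, hLen))
- goto err;
- if (sLen && !EVP_DigestUpdate(md_ctx, salt, sLen))
- goto err;
- if (!EVP_DigestFinal_ex(md_ctx, H, NULL))
- goto err;
-
- /* Generate dbMask in place then perform XOR on it */
- if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
- goto err;
-
- p = EM;
-
- /*
- * Initial PS XORs with all zeroes which is a NOP so just update
- * pointer. Note from a test above this value is guaranteed to
- * be non-negative.
- */
- p += emLen - sLen - hLen - 2;
- *p++ ^= 0x1;
- if (sLen > 0) {
- for (i = 0; i < sLen; i++)
- *p++ ^= salt[i];
- }
- if (MSBits)
- EM[0] &= 0xFF >> (8 - MSBits);
-
- /* H is already in place so just set final 0xbc */
- EM[emLen - 1] = 0xbc;
-
- ret = 1;
-
-err:
- free(salt);
- EVP_MD_CTX_free(md_ctx);
-
- return ret;
-}
-LCRYPTO_ALIAS(RSA_padding_add_PKCS1_PSS_mgf1);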
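--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ /dev/null
@@ -1,143 +0,0 @@
-/* $OpenBSD: rsa_saos.c,v 1.25 2023/07/08 12:26:45 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-
-int
-RSA_sign_ASN1_OCTET_STRING(int type, const unsigned char *m, unsigned int m_len,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa)
-{
- ASN1_OCTET_STRING sig;
- int i, j, ret = 1;
- unsigned char *p, *s;
-
- sig.type = V_ASN1_OCTET_STRING;
- sig.length = m_len;
- sig.data = (unsigned char *)m;
-
- i = i2d_ASN1_OCTET_STRING(&sig, NULL);
- j = RSA_size(rsa);
- if (i > (j - RSA_PKCS1_PADDING_SIZE)) {
- RSAerror(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
- return 0;
- }
- s = malloc(j + 1);
- if (s == NULL) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- return 0;
- }
- p = s;
- i2d_ASN1_OCTET_STRING(&sig, &p);
- i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
- if (i <= 0)
- ret = 0;
- else
- *siglen = i;
-
- freezero(s, (unsigned int)j + 1);
- return ret;
-}
-LCRYPTO_ALIAS(RSA_sign_ASN1_OCTET_STRING);
-
-int
-RSA_verify_ASN1_OCTET_STRING(int dtype, const unsigned char *m,
- unsigned int m_len, unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
-{
- int i, ret = 0;
- unsigned char *s;
- const unsigned char *p;
- ASN1_OCTET_STRING *sig = NULL;
-
- if (siglen != (unsigned int)RSA_size(rsa)) {
- RSAerror(RSA_R_WRONG_SIGNATURE_LENGTH);
- return 0;
- }
-
- s = malloc(siglen);
- if (s == NULL) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
- i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
-
- if (i <= 0)
- goto err;
-
- p = s;
- sig = d2i_ASN1_OCTET_STRING(NULL, &p, (long)i);
- if (sig == NULL)
- goto err;
-
- if ((unsigned int)sig->length != m_len ||
- timingsafe_bcmp(m, sig->data, m_len) != 0) {
- RSAerror(RSA_R_BAD_SIGNATURE);
- } else
- ret = 1;
-err:
- ASN1_OCTET_STRING_free(sig);
- freezero(s, (unsigned int)siglen);
- return ret;
-}
-LCRYPTO_ALIAS(RSA_verify_ASN1_OCTET_STRING);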
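--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ /dev/null
@@ -1,280 +0,0 @@
-/* $OpenBSD: rsa_sign.c,v 1.37 2025/01/05 15:39:12 tb Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-
-#include "asn1_local.h"
-#include "rsa_local.h"
-#include "x509_local.h"
-
-/* Size of an SSL signature: MD5+SHA1 */
-#define SSL_SIG_LENGTH 36
-
-static int encode_pkcs1(unsigned char **, int *, int , const unsigned char *,
- unsigned int);
-
-/*
- * encode_pkcs1 encodes a DigestInfo prefix of hash `type' and digest `m', as
- * described in EMSA-PKCS-v1_5-ENCODE, RFC 8017 section 9. step 2. This
- * encodes the DigestInfo (T and tLen) but does not add the padding.
- *
- * On success, it returns one and sets `*out' to a newly allocated buffer
- * containing the result and `*out_len' to its length. Freeing `*out' is
- * the caller's responsibility. Failure is indicated by zero.
- */
-static int
-encode_pkcs1(unsigned char **out, int *out_len, int type,
- const unsigned char *m, unsigned int m_len)
-{
- X509_SIG sig;
- X509_ALGOR algor;
- ASN1_TYPE parameter;
- ASN1_OCTET_STRING digest;
- uint8_t *der = NULL;
- int len;
-
- sig.algor = &algor;
- if ((sig.algor->algorithm = OBJ_nid2obj(type)) == NULL) {
- RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE);
- return 0;
- }
- if (sig.algor->algorithm->length == 0) {
- RSAerror(
- RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
- return 0;
- }
- parameter.type = V_ASN1_NULL;
- parameter.value.ptr = NULL;
- sig.algor->parameter = &parameter;
-
- sig.digest = &digest;
- sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */
- sig.digest->length = m_len;
-
- if ((len = i2d_X509_SIG(&sig, &der)) < 0)
- return 0;
-
- *out = der;
- *out_len = len;
-
- return 1;
-}
-
-int
-RSA_sign(int type, const unsigned char *m, unsigned int m_len,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa)
-{
- const unsigned char *encoded = NULL;
- unsigned char *tmps = NULL;
- int encrypt_len, encoded_len = 0, ret = 0;
-
- if (rsa->meth->rsa_sign != NULL)
- return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
-
- /* Compute the encoded digest. */
- if (type == NID_md5_sha1) {
- /*
- * NID_md5_sha1 corresponds to the MD5/SHA1 combination in
- * TLS 1.1 and earlier. It has no DigestInfo wrapper but
- * otherwise is RSASSA-PKCS-v1.5.
- */
- if (m_len != SSL_SIG_LENGTH) {
- RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
- return 0;
- }
- encoded_len = SSL_SIG_LENGTH;
- encoded = m;
- } else {
- if (!encode_pkcs1(&tmps, &encoded_len, type, m, m_len))
- goto err;
- encoded = tmps;
- }
- if (encoded_len > RSA_size(rsa) - RSA_PKCS1_PADDING_SIZE) {
- RSAerror(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
- goto err;
- }
- if ((encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret,
- rsa, RSA_PKCS1_PADDING)) <= 0)
- goto err;
-
- *siglen = encrypt_len;
- ret = 1;
-
- err:
- freezero(tmps, (size_t)encoded_len);
- return (ret);
-}
-LCRYPTO_ALIAS(RSA_sign);
-
-/*
- * int_rsa_verify verifies an RSA signature in `sigbuf' using `rsa'. It may be
- * called in two modes. If `rm' is NULL, it verifies the signature for the
- * digest `m'. Otherwise, it recovers the digest from the signature, writing the
- * digest to `rm' and the length to `*prm_len'. `type' is the NID of the digest
- * algorithm to use. It returns one on successful verification and zero
- * otherwise.
- */
-int
-int_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
- unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf,
- size_t siglen, RSA *rsa)
-{
- unsigned char *decrypt_buf, *encoded = NULL;
- int decrypt_len, encoded_len = 0, ret = 0;
-
- if (siglen != (size_t)RSA_size(rsa)) {
- RSAerror(RSA_R_WRONG_SIGNATURE_LENGTH);
- return 0;
- }
-
- /* Recover the encoded digest. */
- if ((decrypt_buf = malloc(siglen)) == NULL) {
- RSAerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if ((decrypt_len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf,
- rsa, RSA_PKCS1_PADDING)) <= 0)
- goto err;
-
- if (type == NID_md5_sha1) {
- /*
- * NID_md5_sha1 corresponds to the MD5/SHA1 combination in
- * TLS 1.1 and earlier. It has no DigestInfo wrapper but
- * otherwise is RSASSA-PKCS1-v1_5.
- */
- if (decrypt_len != SSL_SIG_LENGTH) {
- RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
- goto err;
- }
-
- if (rm != NULL) {
- memcpy(rm, decrypt_buf, SSL_SIG_LENGTH);
- *prm_len = SSL_SIG_LENGTH;
- } else {
- if (m_len != SSL_SIG_LENGTH) {
- RSAerror(RSA_R_INVALID_MESSAGE_LENGTH);
- goto err;
- }
- if (timingsafe_bcmp(decrypt_buf,
- m, SSL_SIG_LENGTH) != 0) {
- RSAerror(RSA_R_BAD_SIGNATURE);
- goto err;
- }
- }
- } else {
- /*
- * If recovering the digest, extract a digest-sized output from
- * the end of `decrypt_buf' for `encode_pkcs1', then compare the
- * decryption output as in a standard verification.
- */
- if (rm != NULL) {
- const EVP_MD *md;
-
- if ((md = EVP_get_digestbynid(type)) == NULL) {
- RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE);
- goto err;
- }
- if ((m_len = EVP_MD_size(md)) > (size_t)decrypt_len) {
- RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
- goto err;
- }
- m = decrypt_buf + decrypt_len - m_len;
- }
-
- /* Construct the encoded digest and ensure it matches */
- if (!encode_pkcs1(&encoded, &encoded_len, type, m, m_len))
- goto err;
-
- if (encoded_len != decrypt_len ||
- timingsafe_bcmp(encoded, decrypt_buf, encoded_len) != 0) {
- RSAerror(RSA_R_BAD_SIGNATURE);
- goto err;
- }
-
- /* Output the recovered digest. */
- if (rm != NULL) {
- memcpy(rm, m, m_len);
- *prm_len = m_len;
- }
- }
-
- ret = 1;
- err:
- freezero(encoded, (size_t)encoded_len);
- freezero(decrypt_buf, siglen);
- return ret;
-}
-
-int
-RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
- const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
-{
- if (rsa->meth->rsa_verify != NULL)
- return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen,
- rsa);
-
- return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
-}
-LCRYPTO_ALIAS(RSA_verify);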
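--- a/src/lib/libcrypto/rsa/rsa_x931.c
+++ /dev/null
@@ -1,164 +0,0 @@
-/* $OpenBSD: rsa_x931.c,v 1.12 2023/05/05 12:19:37 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2005.
- */
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-
-int
-RSA_padding_add_X931(unsigned char *to, int tlen, const unsigned char *from,
- int flen)
-{
- int j;
- unsigned char *p;
-
- /*
- * Absolute minimum amount of padding is 1 header nibble, 1 padding
- * nibble and 2 trailer bytes: but 1 hash if is already in 'from'.
- */
- j = tlen - flen - 2;
-
- if (j < 0) {
- RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return -1;
- }
-
- p = (unsigned char *)to;
-
- /* If no padding start and end nibbles are in one byte */
- if (j == 0)
- *p++ = 0x6A;
- else {
- *p++ = 0x6B;
- if (j > 1) {
- memset(p, 0xBB, j - 1);
- p += j - 1;
- }
- *p++ = 0xBA;
- }
- memcpy(p, from, flen);
- p += flen;
- *p = 0xCC;
- return 1;
-}
-
-int
-RSA_padding_check_X931(unsigned char *to, int tlen, const unsigned char *from,
- int flen, int num)
-{
- int i = 0, j;
- const unsigned char *p = from;
-
- if (num != flen || (*p != 0x6A && *p != 0x6B)) {
- RSAerror(RSA_R_INVALID_HEADER);
- return -1;
- }
-
- if (*p++ == 0x6B) {
- j = flen - 3;
- for (i = 0; i < j; i++) {
- unsigned char c = *p++;
- if (c == 0xBA)
- break;
- if (c != 0xBB) {
- RSAerror(RSA_R_INVALID_PADDING);
- return -1;
- }
- }
-
- if (i == 0) {
- RSAerror(RSA_R_INVALID_PADDING);
- return -1;
- }
-
- j -= i;
- } else
- j = flen - 2;
-
- if (j < 0 || p[j] != 0xCC) {
- RSAerror(RSA_R_INVALID_TRAILER);
- return -1;
- }
-
- memcpy(to, p, j);
-
- return j;
-}
-
-/* Translate between X931 hash ids and NIDs */
-
-int
-RSA_X931_hash_id(int nid)
-{
- switch (nid) {
- case NID_sha1:
- return 0x33;
- case NID_sha256:
- return 0x34;
- case NID_sha384:
- return 0x36;
- case NID_sha512:
- return 0x35;
- }
-
- return -1;
-}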