summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/rsa')
-rw-r--r--src/lib/libcrypto/rsa/rsa.h319
-rw-r--r--src/lib/libcrypto/rsa/rsa_chk.c2
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c555
-rw-r--r--src/lib/libcrypto/rsa/rsa_err.c142
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c120
-rw-r--r--src/lib/libcrypto/rsa/rsa_lib.c263
-rw-r--r--src/lib/libcrypto/rsa/rsa_none.c47
-rw-r--r--src/lib/libcrypto/rsa/rsa_oaep.c292
-rw-r--r--src/lib/libcrypto/rsa/rsa_pk1.c75
-rw-r--r--src/lib/libcrypto/rsa/rsa_saos.c41
-rw-r--r--src/lib/libcrypto/rsa/rsa_sign.c192
-rw-r--r--src/lib/libcrypto/rsa/rsa_ssl.c37
12 files changed, 1349 insertions, 736 deletions
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index aeb78ffcd3..030a6c88e5 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -59,36 +59,73 @@
59#ifndef HEADER_RSA_H 59#ifndef HEADER_RSA_H
60#define HEADER_RSA_H 60#define HEADER_RSA_H
61 61
62#include <openssl/asn1.h>
63
64#ifndef OPENSSL_NO_BIO
65#include <openssl/bio.h>
66#endif
67#include <openssl/bn.h>
68#include <openssl/crypto.h>
69#include <openssl/ossl_typ.h>
70
71#ifdef OPENSSL_NO_RSA
72#error RSA is disabled.
73#endif
74
62#ifdef __cplusplus 75#ifdef __cplusplus
63extern "C" { 76extern "C" {
64#endif 77#endif
65 78
66#include "bn.h" 79typedef struct rsa_st RSA;
67#include "crypto.h"
68 80
69typedef struct rsa_meth_st 81typedef struct rsa_meth_st
70 { 82 {
71 char *name; 83 const char *name;
72 int (*rsa_pub_enc)(); 84 int (*rsa_pub_enc)(int flen,const unsigned char *from,
73 int (*rsa_pub_dec)(); 85 unsigned char *to,
74 int (*rsa_priv_enc)(); 86 RSA *rsa,int padding);
75 int (*rsa_priv_dec)(); 87 int (*rsa_pub_dec)(int flen,const unsigned char *from,
76 int (*rsa_mod_exp)(); /* Can be null */ 88 unsigned char *to,
77 int (*bn_mod_exp)(); /* Can be null */ 89 RSA *rsa,int padding);
78 int (*init)(/* RSA * */); /* called at new */ 90 int (*rsa_priv_enc)(int flen,const unsigned char *from,
79 int (*finish)(/* RSA * */); /* called at free */ 91 unsigned char *to,
80 92 RSA *rsa,int padding);
93 int (*rsa_priv_dec)(int flen,const unsigned char *from,
94 unsigned char *to,
95 RSA *rsa,int padding);
96 int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa); /* Can be null */
97 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
98 const BIGNUM *m, BN_CTX *ctx,
99 BN_MONT_CTX *m_ctx); /* Can be null */
100 int (*init)(RSA *rsa); /* called at new */
101 int (*finish)(RSA *rsa); /* called at free */
81 int flags; /* RSA_METHOD_FLAG_* things */ 102 int flags; /* RSA_METHOD_FLAG_* things */
82 char *app_data; /* may be needed! */ 103 char *app_data; /* may be needed! */
104/* New sign and verify functions: some libraries don't allow arbitrary data
105 * to be signed/verified: this allows them to be used. Note: for this to work
106 * the RSA_public_decrypt() and RSA_private_encrypt() should *NOT* be used
107 * RSA_sign(), RSA_verify() should be used instead. Note: for backwards
108 * compatibility this functionality is only enabled if the RSA_FLAG_SIGN_VER
109 * option is set in 'flags'.
110 */
111 int (*rsa_sign)(int type,
112 const unsigned char *m, unsigned int m_length,
113 unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
114 int (*rsa_verify)(int dtype,
115 const unsigned char *m, unsigned int m_length,
116 unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
117
83 } RSA_METHOD; 118 } RSA_METHOD;
84 119
85typedef struct rsa_st 120struct rsa_st
86 { 121 {
87 /* The first parameter is used to pickup errors where 122 /* The first parameter is used to pickup errors where
88 * this is passed instead of aEVP_PKEY, it is set to 0 */ 123 * this is passed instead of aEVP_PKEY, it is set to 0 */
89 int pad; 124 int pad;
90 int version; 125 long version;
91 RSA_METHOD *meth; 126 const RSA_METHOD *meth;
127 /* functional reference if 'meth' is ENGINE-provided */
128 ENGINE *engine;
92 BIGNUM *n; 129 BIGNUM *n;
93 BIGNUM *e; 130 BIGNUM *e;
94 BIGNUM *d; 131 BIGNUM *d;
@@ -97,203 +134,182 @@ typedef struct rsa_st
97 BIGNUM *dmp1; 134 BIGNUM *dmp1;
98 BIGNUM *dmq1; 135 BIGNUM *dmq1;
99 BIGNUM *iqmp; 136 BIGNUM *iqmp;
100 /* be carefull using this if the RSA structure is shared */ 137 /* be careful using this if the RSA structure is shared */
101 CRYPTO_EX_DATA ex_data; 138 CRYPTO_EX_DATA ex_data;
102 int references; 139 int references;
103 int flags; 140 int flags;
104 141
105 /* Normally used to cached montgomery values */ 142 /* Used to cache montgomery values */
106 char *method_mod_n; 143 BN_MONT_CTX *_method_mod_n;
107 char *method_mod_p; 144 BN_MONT_CTX *_method_mod_p;
108 char *method_mod_q; 145 BN_MONT_CTX *_method_mod_q;
109 146
147 /* all BIGNUM values are actually in the following data, if it is not
148 * NULL */
149 char *bignum_data;
110 BN_BLINDING *blinding; 150 BN_BLINDING *blinding;
111 } RSA; 151 };
112 152
113#define RSA_3 0x3L 153#define RSA_3 0x3L
114#define RSA_F4 0x10001L 154#define RSA_F4 0x10001L
115 155
116#define RSA_METHOD_FLAG_NO_CHECK 0x01 /* don't check pub/private match */ 156#define RSA_METHOD_FLAG_NO_CHECK 0x01 /* don't check pub/private match */
157
117#define RSA_FLAG_CACHE_PUBLIC 0x02 158#define RSA_FLAG_CACHE_PUBLIC 0x02
118#define RSA_FLAG_CACHE_PRIVATE 0x04 159#define RSA_FLAG_CACHE_PRIVATE 0x04
119#define RSA_FLAG_BLINDING 0x08 160#define RSA_FLAG_BLINDING 0x08
120#define RSA_FLAG_THREAD_SAFE 0x10 161#define RSA_FLAG_THREAD_SAFE 0x10
162/* This flag means the private key operations will be handled by rsa_mod_exp
163 * and that they do not depend on the private key components being present:
164 * for example a key stored in external hardware. Without this flag bn_mod_exp
165 * gets called when private key components are absent.
166 */
167#define RSA_FLAG_EXT_PKEY 0x20
168
169/* This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
170 */
171#define RSA_FLAG_SIGN_VER 0x40
121 172
122#define RSA_PKCS1_PADDING 1 173#define RSA_PKCS1_PADDING 1
123#define RSA_SSLV23_PADDING 2 174#define RSA_SSLV23_PADDING 2
124#define RSA_NO_PADDING 3 175#define RSA_NO_PADDING 3
176#define RSA_PKCS1_OAEP_PADDING 4
125 177
126#define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,(char *)arg) 178#define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)
127#define RSA_get_app_data(s) RSA_get_ex_data(s,0) 179#define RSA_get_app_data(s) RSA_get_ex_data(s,0)
128 180
129#ifndef NOPROTO
130RSA * RSA_new(void); 181RSA * RSA_new(void);
131RSA * RSA_new_method(RSA_METHOD *method); 182RSA * RSA_new_method(ENGINE *engine);
132int RSA_size(RSA *); 183int RSA_size(const RSA *);
133RSA * RSA_generate_key(int bits, unsigned long e,void 184RSA * RSA_generate_key(int bits, unsigned long e,void
134 (*callback)(int,int,char *),char *cb_arg); 185 (*callback)(int,int,void *),void *cb_arg);
186int RSA_check_key(const RSA *);
135 /* next 4 return -1 on error */ 187 /* next 4 return -1 on error */
136int RSA_public_encrypt(int flen, unsigned char *from, 188int RSA_public_encrypt(int flen, const unsigned char *from,
137 unsigned char *to, RSA *rsa,int padding); 189 unsigned char *to, RSA *rsa,int padding);
138int RSA_private_encrypt(int flen, unsigned char *from, 190int RSA_private_encrypt(int flen, const unsigned char *from,
139 unsigned char *to, RSA *rsa,int padding); 191 unsigned char *to, RSA *rsa,int padding);
140int RSA_public_decrypt(int flen, unsigned char *from, 192int RSA_public_decrypt(int flen, const unsigned char *from,
141 unsigned char *to, RSA *rsa,int padding); 193 unsigned char *to, RSA *rsa,int padding);
142int RSA_private_decrypt(int flen, unsigned char *from, 194int RSA_private_decrypt(int flen, const unsigned char *from,
143 unsigned char *to, RSA *rsa,int padding); 195 unsigned char *to, RSA *rsa,int padding);
144void RSA_free (RSA *r); 196void RSA_free (RSA *r);
197/* "up" the RSA object's reference count */
198int RSA_up_ref(RSA *r);
145 199
146int RSA_flags(RSA *r); 200int RSA_flags(const RSA *r);
147 201
148void RSA_set_default_method(RSA_METHOD *meth); 202void RSA_set_default_method(const RSA_METHOD *meth);
203const RSA_METHOD *RSA_get_default_method(void);
204const RSA_METHOD *RSA_get_method(const RSA *rsa);
205int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
149 206
150/* If you have RSAref compiled in. */ 207/* This function needs the memory locking malloc callbacks to be installed */
151RSA_METHOD *RSA_PKCS1_RSAref(void); 208int RSA_memory_lock(RSA *r);
152 209
153/* these are the actual SSLeay RSA functions */ 210/* these are the actual SSLeay RSA functions */
154RSA_METHOD *RSA_PKCS1_SSLeay(void); 211const RSA_METHOD *RSA_PKCS1_SSLeay(void);
212
213const RSA_METHOD *RSA_null_method(void);
155 214
156void ERR_load_RSA_strings(void ); 215DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPublicKey)
216DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPrivateKey)
157 217
158RSA * d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length); 218#ifndef OPENSSL_NO_FP_API
159int i2d_RSAPublicKey(RSA *a, unsigned char **pp); 219int RSA_print_fp(FILE *fp, const RSA *r,int offset);
160RSA * d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length);
161int i2d_RSAPrivateKey(RSA *a, unsigned char **pp);
162#ifndef NO_FP_API
163int RSA_print_fp(FILE *fp, RSA *r,int offset);
164#endif 220#endif
165 221
166#ifdef HEADER_BIO_H 222#ifndef OPENSSL_NO_BIO
167int RSA_print(BIO *bp, RSA *r,int offset); 223int RSA_print(BIO *bp, const RSA *r,int offset);
168#endif 224#endif
169 225
170int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)()); 226int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey);
171RSA *d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)()); 227RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length, int (*cb)(), int sgckey);
172/* Naughty internal function required elsewhere, to handle a MS structure 228
173 * that is the same as the netscape one :-) */ 229int i2d_Netscape_RSA(const RSA *a, unsigned char **pp, int (*cb)());
174RSA *d2i_Netscape_RSA_2(RSA **a, unsigned char **pp, long length, int (*cb)()); 230RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length, int (*cb)());
175 231
176/* The following 2 functions sign and verify a X509_SIG ASN1 object 232/* The following 2 functions sign and verify a X509_SIG ASN1 object
177 * inside PKCS#1 padded RSA encryption */ 233 * inside PKCS#1 padded RSA encryption */
178int RSA_sign(int type, unsigned char *m, unsigned int m_len, 234int RSA_sign(int type, const unsigned char *m, unsigned int m_length,
179 unsigned char *sigret, unsigned int *siglen, RSA *rsa); 235 unsigned char *sigret, unsigned int *siglen, RSA *rsa);
180int RSA_verify(int type, unsigned char *m, unsigned int m_len, 236int RSA_verify(int type, const unsigned char *m, unsigned int m_length,
181 unsigned char *sigbuf, unsigned int siglen, RSA *rsa); 237 unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
182 238
183/* The following 2 function sign and verify a ASN1_OCTET_STRING 239/* The following 2 function sign and verify a ASN1_OCTET_STRING
184 * object inside PKCS#1 padded RSA encryption */ 240 * object inside PKCS#1 padded RSA encryption */
185int RSA_sign_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len, 241int RSA_sign_ASN1_OCTET_STRING(int type,
242 const unsigned char *m, unsigned int m_length,
186 unsigned char *sigret, unsigned int *siglen, RSA *rsa); 243 unsigned char *sigret, unsigned int *siglen, RSA *rsa);
187int RSA_verify_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len, 244int RSA_verify_ASN1_OCTET_STRING(int type,
245 const unsigned char *m, unsigned int m_length,
188 unsigned char *sigbuf, unsigned int siglen, RSA *rsa); 246 unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
189 247
190int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); 248int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
191void RSA_blinding_off(RSA *rsa); 249void RSA_blinding_off(RSA *rsa);
192 250
193int RSA_padding_add_PKCS1_type_1(unsigned char *to,int tlen, 251int RSA_padding_add_PKCS1_type_1(unsigned char *to,int tlen,
194 unsigned char *f,int fl); 252 const unsigned char *f,int fl);
195int RSA_padding_check_PKCS1_type_1(unsigned char *to,int tlen, 253int RSA_padding_check_PKCS1_type_1(unsigned char *to,int tlen,
196 unsigned char *f,int fl); 254 const unsigned char *f,int fl,int rsa_len);
197int RSA_padding_add_PKCS1_type_2(unsigned char *to,int tlen, 255int RSA_padding_add_PKCS1_type_2(unsigned char *to,int tlen,
198 unsigned char *f,int fl); 256 const unsigned char *f,int fl);
199int RSA_padding_check_PKCS1_type_2(unsigned char *to,int tlen, 257int RSA_padding_check_PKCS1_type_2(unsigned char *to,int tlen,
200 unsigned char *f,int fl); 258 const unsigned char *f,int fl,int rsa_len);
259int RSA_padding_add_PKCS1_OAEP(unsigned char *to,int tlen,
260 const unsigned char *f,int fl,
261 const unsigned char *p,int pl);
262int RSA_padding_check_PKCS1_OAEP(unsigned char *to,int tlen,
263 const unsigned char *f,int fl,int rsa_len,
264 const unsigned char *p,int pl);
201int RSA_padding_add_SSLv23(unsigned char *to,int tlen, 265int RSA_padding_add_SSLv23(unsigned char *to,int tlen,
202 unsigned char *f,int fl); 266 const unsigned char *f,int fl);
203int RSA_padding_check_SSLv23(unsigned char *to,int tlen, 267int RSA_padding_check_SSLv23(unsigned char *to,int tlen,
204 unsigned char *f,int fl); 268 const unsigned char *f,int fl,int rsa_len);
205int RSA_padding_add_none(unsigned char *to,int tlen, 269int RSA_padding_add_none(unsigned char *to,int tlen,
206 unsigned char *f,int fl); 270 const unsigned char *f,int fl);
207int RSA_padding_check_none(unsigned char *to,int tlen, 271int RSA_padding_check_none(unsigned char *to,int tlen,
208 unsigned char *f,int fl); 272 const unsigned char *f,int fl,int rsa_len);
209
210int RSA_get_ex_new_index(long argl, char *argp, int (*new_func)(),
211 int (*dup_func)(), void (*free_func)());
212int RSA_set_ex_data(RSA *r,int idx,char *arg);
213char *RSA_get_ex_data(RSA *r, int idx);
214
215#else
216
217RSA * RSA_new();
218RSA * RSA_new_method();
219int RSA_size();
220RSA * RSA_generate_key();
221int RSA_public_encrypt();
222int RSA_private_encrypt();
223int RSA_public_decrypt();
224int RSA_private_decrypt();
225void RSA_free ();
226 273
227int RSA_flags(); 274int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
228 275 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
229void RSA_set_default_method(); 276int RSA_set_ex_data(RSA *r,int idx,void *arg);
230 277void *RSA_get_ex_data(const RSA *r, int idx);
231/* RSA_METHOD *RSA_PKCS1_RSAref(); */
232RSA_METHOD *RSA_PKCS1_SSLeay();
233
234void ERR_load_RSA_strings();
235
236RSA * d2i_RSAPublicKey();
237int i2d_RSAPublicKey();
238RSA * d2i_RSAPrivateKey();
239int i2d_RSAPrivateKey();
240#ifndef NO_FP_API
241int RSA_print_fp();
242#endif
243
244int RSA_print();
245
246int i2d_Netscape_RSA();
247RSA *d2i_Netscape_RSA();
248RSA *d2i_Netscape_RSA_2();
249
250int RSA_sign();
251int RSA_verify();
252
253int RSA_sign_ASN1_OCTET_STRING();
254int RSA_verify_ASN1_OCTET_STRING();
255int RSA_blinding_on();
256void RSA_blinding_off();
257
258int RSA_padding_add_PKCS1_type_1();
259int RSA_padding_check_PKCS1_type_1();
260int RSA_padding_add_PKCS1_type_2();
261int RSA_padding_check_PKCS1_type_2();
262int RSA_padding_add_SSLv23();
263int RSA_padding_check_SSLv23();
264int RSA_padding_add_none();
265int RSA_padding_check_none();
266
267int RSA_get_ex_new_index();
268int RSA_set_ex_data();
269char *RSA_get_ex_data();
270
271#endif
272 278
273/* BEGIN ERROR CODES */ 279/* BEGIN ERROR CODES */
280/* The following lines are auto generated by the script mkerr.pl. Any changes
281 * made after this point may be overwritten when the script is next run.
282 */
283void ERR_load_RSA_strings(void);
284
274/* Error codes for the RSA functions. */ 285/* Error codes for the RSA functions. */
275 286
276/* Function codes. */ 287/* Function codes. */
277#define RSA_F_RSA_EAY_PRIVATE_DECRYPT 100 288#define RSA_F_MEMORY_LOCK 100
278#define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 101 289#define RSA_F_RSA_CHECK_KEY 123
279#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 102 290#define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101
280#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 103 291#define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102
281#define RSA_F_RSA_GENERATE_KEY 104 292#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
282#define RSA_F_RSA_NEW_METHOD 105 293#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104
283#define RSA_F_RSA_PADDING_ADD_NONE 106 294#define RSA_F_RSA_GENERATE_KEY 105
284#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 107 295#define RSA_F_RSA_NEW_METHOD 106
285#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 108 296#define RSA_F_RSA_NULL 124
286#define RSA_F_RSA_PADDING_ADD_SSLV23 109 297#define RSA_F_RSA_PADDING_ADD_NONE 107
287#define RSA_F_RSA_PADDING_CHECK_NONE 110 298#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
288#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1 111 299#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
289#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2 112 300#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
290#define RSA_F_RSA_PADDING_CHECK_SSLV23 113 301#define RSA_F_RSA_PADDING_ADD_SSLV23 110
291#define RSA_F_RSA_PRINT 114 302#define RSA_F_RSA_PADDING_CHECK_NONE 111
292#define RSA_F_RSA_PRINT_FP 115 303#define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP 122
293#define RSA_F_RSA_SIGN 116 304#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1 112
294#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 117 305#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2 113
295#define RSA_F_RSA_VERIFY 118 306#define RSA_F_RSA_PADDING_CHECK_SSLV23 114
296#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 119 307#define RSA_F_RSA_PRINT 115
308#define RSA_F_RSA_PRINT_FP 116
309#define RSA_F_RSA_SIGN 117
310#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
311#define RSA_F_RSA_VERIFY 119
312#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
297 313
298/* Reason codes. */ 314/* Reason codes. */
299#define RSA_R_ALGORITHM_MISMATCH 100 315#define RSA_R_ALGORITHM_MISMATCH 100
@@ -301,24 +317,35 @@ char *RSA_get_ex_data();
301#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102 317#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102
302#define RSA_R_BAD_PAD_BYTE_COUNT 103 318#define RSA_R_BAD_PAD_BYTE_COUNT 103
303#define RSA_R_BAD_SIGNATURE 104 319#define RSA_R_BAD_SIGNATURE 104
304#define RSA_R_BAD_ZERO_BYTE 105
305#define RSA_R_BLOCK_TYPE_IS_NOT_01 106 320#define RSA_R_BLOCK_TYPE_IS_NOT_01 106
306#define RSA_R_BLOCK_TYPE_IS_NOT_02 107 321#define RSA_R_BLOCK_TYPE_IS_NOT_02 107
307#define RSA_R_DATA_GREATER_THAN_MOD_LEN 108 322#define RSA_R_DATA_GREATER_THAN_MOD_LEN 108
308#define RSA_R_DATA_TOO_LARGE 109 323#define RSA_R_DATA_TOO_LARGE 109
309#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 110 324#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 110
325#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132
310#define RSA_R_DATA_TOO_SMALL 111 326#define RSA_R_DATA_TOO_SMALL 111
327#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122
311#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112 328#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112
329#define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124
330#define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125
331#define RSA_R_D_E_NOT_CONGRUENT_TO_1 123
332#define RSA_R_INVALID_MESSAGE_LENGTH 131
333#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
334#define RSA_R_KEY_SIZE_TOO_SMALL 120
312#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 335#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
336#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
337#define RSA_R_OAEP_DECODING_ERROR 121
313#define RSA_R_PADDING_CHECK_FAILED 114 338#define RSA_R_PADDING_CHECK_FAILED 114
339#define RSA_R_P_NOT_PRIME 128
340#define RSA_R_Q_NOT_PRIME 129
341#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130
314#define RSA_R_SSLV3_ROLLBACK_ATTACK 115 342#define RSA_R_SSLV3_ROLLBACK_ATTACK 115
315#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116 343#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
316#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117 344#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117
317#define RSA_R_UNKNOWN_PADDING_TYPE 118 345#define RSA_R_UNKNOWN_PADDING_TYPE 118
318#define RSA_R_WRONG_SIGNATURE_LENGTH 119 346#define RSA_R_WRONG_SIGNATURE_LENGTH 119
319 347
320#ifdef __cplusplus 348#ifdef __cplusplus
321} 349}
322#endif 350#endif
323#endif 351#endif
324
diff --git a/src/lib/libcrypto/rsa/rsa_chk.c b/src/lib/libcrypto/rsa/rsa_chk.c
index 91b9115798..002f2cb487 100644
--- a/src/lib/libcrypto/rsa/rsa_chk.c
+++ b/src/lib/libcrypto/rsa/rsa_chk.c
@@ -53,7 +53,7 @@
53#include <openssl/rsa.h> 53#include <openssl/rsa.h>
54 54
55 55
56int RSA_check_key(RSA *key) 56int RSA_check_key(const RSA *key)
57 { 57 {
58 BIGNUM *i, *j, *k, *l, *m; 58 BIGNUM *i, *j, *k, *l, *m;
59 BN_CTX *ctx; 59 BN_CTX *ctx;
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 42a77f11cd..0eda816081 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,13 +1,3 @@
1
2/* This file has been explicitly broken by ryker for OpenBSD, July
3 * 1, 1998. In spite of the title, there is no implementation of the
4 * RSA algorithm left in this file. All these routines will return an
5 * error and fail when called. They exist as stubs and can be
6 * ressurected from the bit bucket by someone in the free world once
7 * the RSA algorithm is no longer subject to patent problems. Eric
8 * Young's original copyright is below.
9 */
10
11/* crypto/rsa/rsa_eay.c */ 1/* crypto/rsa/rsa_eay.c */
12/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
13 * All rights reserved. 3 * All rights reserved.
@@ -68,207 +58,552 @@
68 58
69#include <stdio.h> 59#include <stdio.h>
70#include "cryptlib.h" 60#include "cryptlib.h"
71#include "bn.h" 61#include <openssl/bn.h>
72#include "rsa.h" 62#include <openssl/rsa.h>
73#include "rand.h" 63#include <openssl/rand.h>
64#include <openssl/engine.h>
74 65
75#ifndef NOPROTO 66#ifndef RSA_NULL
76static int RSA_eay_public_encrypt(int flen, unsigned char *from, 67
68static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
77 unsigned char *to, RSA *rsa,int padding); 69 unsigned char *to, RSA *rsa,int padding);
78static int RSA_eay_private_encrypt(int flen, unsigned char *from, 70static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
79 unsigned char *to, RSA *rsa,int padding); 71 unsigned char *to, RSA *rsa,int padding);
80static int RSA_eay_public_decrypt(int flen, unsigned char *from, 72static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
81 unsigned char *to, RSA *rsa,int padding); 73 unsigned char *to, RSA *rsa,int padding);
82static int RSA_eay_private_decrypt(int flen, unsigned char *from, 74static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
83 unsigned char *to, RSA *rsa,int padding); 75 unsigned char *to, RSA *rsa,int padding);
84static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa); 76static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa);
85static int RSA_eay_init(RSA *rsa); 77static int RSA_eay_init(RSA *rsa);
86static int RSA_eay_finish(RSA *rsa); 78static int RSA_eay_finish(RSA *rsa);
87#else
88static int RSA_eay_public_encrypt();
89static int RSA_eay_private_encrypt();
90static int RSA_eay_public_decrypt();
91static int RSA_eay_private_decrypt();
92static int RSA_eay_mod_exp();
93static int RSA_eay_init();
94static int RSA_eay_finish();
95#endif
96
97static RSA_METHOD rsa_pkcs1_eay_meth={ 79static RSA_METHOD rsa_pkcs1_eay_meth={
98 "Eric Young's PKCS#1 RSA", 80 "Eric Young's PKCS#1 RSA",
99 RSA_eay_public_encrypt, 81 RSA_eay_public_encrypt,
100 RSA_eay_public_decrypt, 82 RSA_eay_public_decrypt, /* signature verification */
101 RSA_eay_private_encrypt, 83 RSA_eay_private_encrypt, /* signing */
102 RSA_eay_private_decrypt, 84 RSA_eay_private_decrypt,
103 RSA_eay_mod_exp, 85 RSA_eay_mod_exp,
104 BN_mod_exp_mont, 86 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
105 RSA_eay_init, 87 RSA_eay_init,
106 RSA_eay_finish, 88 RSA_eay_finish,
107 0, 89 0, /* flags */
108 NULL, 90 NULL,
91 0, /* rsa_sign */
92 0 /* rsa_verify */
109 }; 93 };
110 94
111RSA_METHOD *RSA_PKCS1_SSLeay() 95const RSA_METHOD *RSA_PKCS1_SSLeay(void)
112 { 96 {
113 return(&rsa_pkcs1_eay_meth); 97 return(&rsa_pkcs1_eay_meth);
114 } 98 }
115 99
116static int RSA_eay_public_encrypt(flen, from, to, rsa, padding) 100static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
117int flen; 101 unsigned char *to, RSA *rsa, int padding)
118unsigned char *from;
119unsigned char *to;
120RSA *rsa;
121int padding;
122 { 102 {
123 BIGNUM *f=NULL,*ret=NULL; 103 BIGNUM f,ret;
124 int i,j,k,num=0,r= -1; 104 int i,j,k,num=0,r= -1;
125 unsigned char *buf=NULL; 105 unsigned char *buf=NULL;
126 BN_CTX *ctx=NULL; 106 BN_CTX *ctx=NULL;
127 107
128 /* Body of this routine removed for OpenBSD - will return 108 BN_init(&f);
129 * when the RSA patent expires 109 BN_init(&ret);
130 */ 110 if ((ctx=BN_CTX_new()) == NULL) goto err;
111 num=BN_num_bytes(rsa->n);
112 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
113 {
114 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
115 goto err;
116 }
131 117
118 switch (padding)
119 {
120 case RSA_PKCS1_PADDING:
121 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
122 break;
123#ifndef OPENSSL_NO_SHA
124 case RSA_PKCS1_OAEP_PADDING:
125 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
126 break;
127#endif
128 case RSA_SSLV23_PADDING:
129 i=RSA_padding_add_SSLv23(buf,num,from,flen);
130 break;
131 case RSA_NO_PADDING:
132 i=RSA_padding_add_none(buf,num,from,flen);
133 break;
134 default:
135 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
136 goto err;
137 }
138 if (i <= 0) goto err;
139
140 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
141
142 if (BN_ucmp(&f, rsa->n) >= 0)
143 {
144 /* usually the padding functions would catch this */
145 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
146 goto err;
147 }
148
149 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
150 {
151 BN_MONT_CTX* bn_mont_ctx;
152 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
153 goto err;
154 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
155 {
156 BN_MONT_CTX_free(bn_mont_ctx);
157 goto err;
158 }
159 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
160 {
161 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
162 if (rsa->_method_mod_n == NULL)
163 {
164 rsa->_method_mod_n = bn_mont_ctx;
165 bn_mont_ctx = NULL;
166 }
167 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
168 }
169 if (bn_mont_ctx)
170 BN_MONT_CTX_free(bn_mont_ctx);
171 }
172
173 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
174 rsa->_method_mod_n)) goto err;
175
176 /* put in leading 0 bytes if the number is less than the
177 * length of the modulus */
178 j=BN_num_bytes(&ret);
179 i=BN_bn2bin(&ret,&(to[num-j]));
180 for (k=0; k<(num-i); k++)
181 to[k]=0;
182
183 r=num;
132err: 184err:
133 if (ctx != NULL) BN_CTX_free(ctx); 185 if (ctx != NULL) BN_CTX_free(ctx);
134 if (f != NULL) BN_free(f); 186 BN_clear_free(&f);
135 if (ret != NULL) BN_free(ret); 187 BN_clear_free(&ret);
136 if (buf != NULL) 188 if (buf != NULL)
137 { 189 {
138 memset(buf,0,num); 190 memset(buf,0,num);
139 Free(buf); 191 OPENSSL_free(buf);
140 } 192 }
141 return(r); 193 return(r);
142 } 194 }
143 195
144static int RSA_eay_private_encrypt(flen, from, to, rsa, padding) 196/* signing */
145int flen; 197static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
146unsigned char *from; 198 unsigned char *to, RSA *rsa, int padding)
147unsigned char *to;
148RSA *rsa;
149int padding;
150 { 199 {
151 BIGNUM *f=NULL,*ret=NULL; 200 BIGNUM f,ret;
152 int i,j,k,num=0,r= -1; 201 int i,j,k,num=0,r= -1;
153 unsigned char *buf=NULL; 202 unsigned char *buf=NULL;
154 BN_CTX *ctx=NULL; 203 BN_CTX *ctx=NULL;
155 204
156 /* Body of this routine removed for OpenBSD - will return 205 BN_init(&f);
157 * when the RSA patent expires 206 BN_init(&ret);
158 */
159 207
208 if ((ctx=BN_CTX_new()) == NULL) goto err;
209 num=BN_num_bytes(rsa->n);
210 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
211 {
212 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
213 goto err;
214 }
215
216 switch (padding)
217 {
218 case RSA_PKCS1_PADDING:
219 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
220 break;
221 case RSA_NO_PADDING:
222 i=RSA_padding_add_none(buf,num,from,flen);
223 break;
224 case RSA_SSLV23_PADDING:
225 default:
226 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
227 goto err;
228 }
229 if (i <= 0) goto err;
230
231 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
232
233 if (BN_ucmp(&f, rsa->n) >= 0)
234 {
235 /* usually the padding functions would catch this */
236 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
237 goto err;
238 }
239
240 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
241 RSA_blinding_on(rsa,ctx);
242 if (rsa->flags & RSA_FLAG_BLINDING)
243 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
244
245 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
246 ((rsa->p != NULL) &&
247 (rsa->q != NULL) &&
248 (rsa->dmp1 != NULL) &&
249 (rsa->dmq1 != NULL) &&
250 (rsa->iqmp != NULL)) )
251 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
252 else
253 {
254 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
255 }
256
257 if (rsa->flags & RSA_FLAG_BLINDING)
258 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
259
260 /* put in leading 0 bytes if the number is less than the
261 * length of the modulus */
262 j=BN_num_bytes(&ret);
263 i=BN_bn2bin(&ret,&(to[num-j]));
264 for (k=0; k<(num-i); k++)
265 to[k]=0;
266
267 r=num;
160err: 268err:
161 if (ctx != NULL) BN_CTX_free(ctx); 269 if (ctx != NULL) BN_CTX_free(ctx);
162 if (ret != NULL) BN_free(ret); 270 BN_clear_free(&ret);
163 if (f != NULL) BN_free(f); 271 BN_clear_free(&f);
164 if (buf != NULL) 272 if (buf != NULL)
165 { 273 {
166 memset(buf,0,num); 274 memset(buf,0,num);
167 Free(buf); 275 OPENSSL_free(buf);
168 } 276 }
169 return(r); 277 return(r);
170 } 278 }
171 279
172static int RSA_eay_private_decrypt(flen, from, to, rsa,padding) 280static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
173int flen; 281 unsigned char *to, RSA *rsa, int padding)
174unsigned char *from;
175unsigned char *to;
176RSA *rsa;
177int padding;
178 { 282 {
179 BIGNUM *f=NULL,*ret=NULL; 283 BIGNUM f,ret;
180 int j,num=0,r= -1; 284 int j,num=0,r= -1;
181 unsigned char *p; 285 unsigned char *p;
182 unsigned char *buf=NULL; 286 unsigned char *buf=NULL;
183 BN_CTX *ctx=NULL; 287 BN_CTX *ctx=NULL;
184 288
185 /* Body of this routine removed for OpenBSD - will return 289 BN_init(&f);
186 * when the RSA patent expires 290 BN_init(&ret);
187 */ 291 ctx=BN_CTX_new();
292 if (ctx == NULL) goto err;
293
294 num=BN_num_bytes(rsa->n);
295
296 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
297 {
298 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
299 goto err;
300 }
301
302 /* This check was for equality but PGP does evil things
303 * and chops off the top '0' bytes */
304 if (flen > num)
305 {
306 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
307 goto err;
308 }
309
310 /* make data into a big number */
311 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
312
313 if (BN_ucmp(&f, rsa->n) >= 0)
314 {
315 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
316 goto err;
317 }
318
319 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
320 RSA_blinding_on(rsa,ctx);
321 if (rsa->flags & RSA_FLAG_BLINDING)
322 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
323
324 /* do the decrypt */
325 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
326 ((rsa->p != NULL) &&
327 (rsa->q != NULL) &&
328 (rsa->dmp1 != NULL) &&
329 (rsa->dmq1 != NULL) &&
330 (rsa->iqmp != NULL)) )
331 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
332 else
333 {
334 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
335 goto err;
336 }
337
338 if (rsa->flags & RSA_FLAG_BLINDING)
339 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
340
341 p=buf;
342 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
343
344 switch (padding)
345 {
346 case RSA_PKCS1_PADDING:
347 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
348 break;
349#ifndef OPENSSL_NO_SHA
350 case RSA_PKCS1_OAEP_PADDING:
351 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
352 break;
353#endif
354 case RSA_SSLV23_PADDING:
355 r=RSA_padding_check_SSLv23(to,num,buf,j,num);
356 break;
357 case RSA_NO_PADDING:
358 r=RSA_padding_check_none(to,num,buf,j,num);
359 break;
360 default:
361 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
362 goto err;
363 }
364 if (r < 0)
365 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
188 366
189err: 367err:
190 if (ctx != NULL) BN_CTX_free(ctx); 368 if (ctx != NULL) BN_CTX_free(ctx);
191 if (f != NULL) BN_free(f); 369 BN_clear_free(&f);
192 if (ret != NULL) BN_free(ret); 370 BN_clear_free(&ret);
193 if (buf != NULL) 371 if (buf != NULL)
194 { 372 {
195 memset(buf,0,num); 373 memset(buf,0,num);
196 Free(buf); 374 OPENSSL_free(buf);
197 } 375 }
198 return(r); 376 return(r);
199 } 377 }
200 378
201static int RSA_eay_public_decrypt(flen, from, to, rsa, padding) 379/* signature verification */
202int flen; 380static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
203unsigned char *from; 381 unsigned char *to, RSA *rsa, int padding)
204unsigned char *to;
205RSA *rsa;
206int padding;
207 { 382 {
208 BIGNUM *f=NULL,*ret=NULL; 383 BIGNUM f,ret;
209 int i,num=0,r= -1; 384 int i,num=0,r= -1;
210 unsigned char *p; 385 unsigned char *p;
211 unsigned char *buf=NULL; 386 unsigned char *buf=NULL;
212 BN_CTX *ctx=NULL; 387 BN_CTX *ctx=NULL;
213 388
389 BN_init(&f);
390 BN_init(&ret);
391 ctx=BN_CTX_new();
392 if (ctx == NULL) goto err;
393
394 num=BN_num_bytes(rsa->n);
395 buf=(unsigned char *)OPENSSL_malloc(num);
396 if (buf == NULL)
397 {
398 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
399 goto err;
400 }
401
402 /* This check was for equality but PGP does evil things
403 * and chops off the top '0' bytes */
404 if (flen > num)
405 {
406 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
407 goto err;
408 }
214 409
215 /* Body of this routine removed for OpenBSD - will return 410 if (BN_bin2bn(from,flen,&f) == NULL) goto err;
216 * when the RSA patent expires 411
217 */ 412 if (BN_ucmp(&f, rsa->n) >= 0)
413 {
414 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
415 goto err;
416 }
417
418 /* do the decrypt */
419 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
420 {
421 BN_MONT_CTX* bn_mont_ctx;
422 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
423 goto err;
424 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
425 {
426 BN_MONT_CTX_free(bn_mont_ctx);
427 goto err;
428 }
429 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
430 {
431 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
432 if (rsa->_method_mod_n == NULL)
433 {
434 rsa->_method_mod_n = bn_mont_ctx;
435 bn_mont_ctx = NULL;
436 }
437 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
438 }
439 if (bn_mont_ctx)
440 BN_MONT_CTX_free(bn_mont_ctx);
441 }
442
443 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
444 rsa->_method_mod_n)) goto err;
445
446 p=buf;
447 i=BN_bn2bin(&ret,p);
448
449 switch (padding)
450 {
451 case RSA_PKCS1_PADDING:
452 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
453 break;
454 case RSA_NO_PADDING:
455 r=RSA_padding_check_none(to,num,buf,i,num);
456 break;
457 default:
458 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
459 goto err;
460 }
461 if (r < 0)
462 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
218 463
219err: 464err:
220 if (ctx != NULL) BN_CTX_free(ctx); 465 if (ctx != NULL) BN_CTX_free(ctx);
221 if (f != NULL) BN_free(f); 466 BN_clear_free(&f);
222 if (ret != NULL) BN_free(ret); 467 BN_clear_free(&ret);
223 if (buf != NULL) 468 if (buf != NULL)
224 { 469 {
225 memset(buf,0,num); 470 memset(buf,0,num);
226 Free(buf); 471 OPENSSL_free(buf);
227 } 472 }
228 return(r); 473 return(r);
229 } 474 }
230 475
231static int RSA_eay_mod_exp(r0, I, rsa) 476static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
232BIGNUM *r0;
233BIGNUM *I;
234RSA *rsa;
235 { 477 {
236 BIGNUM *r1=NULL,*m1=NULL; 478 BIGNUM r1,m1,vrfy;
237 int ret=0; 479 int ret=0;
238 BN_CTX *ctx; 480 BN_CTX *ctx;
239 481
482 BN_init(&m1);
483 BN_init(&r1);
484 BN_init(&vrfy);
240 if ((ctx=BN_CTX_new()) == NULL) goto err; 485 if ((ctx=BN_CTX_new()) == NULL) goto err;
241 m1=BN_new();
242 r1=BN_new();
243 if ((m1 == NULL) || (r1 == NULL)) goto err;
244 486
245 /* Body of this routine removed for OpenBSD - will return 487 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
246 * when the RSA patent expires 488 {
247 */ 489 if (rsa->_method_mod_p == NULL)
490 {
491 BN_MONT_CTX* bn_mont_ctx;
492 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
493 goto err;
494 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))
495 {
496 BN_MONT_CTX_free(bn_mont_ctx);
497 goto err;
498 }
499 if (rsa->_method_mod_p == NULL) /* other thread may have finished first */
500 {
501 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
502 if (rsa->_method_mod_p == NULL)
503 {
504 rsa->_method_mod_p = bn_mont_ctx;
505 bn_mont_ctx = NULL;
506 }
507 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
508 }
509 if (bn_mont_ctx)
510 BN_MONT_CTX_free(bn_mont_ctx);
511 }
512
513 if (rsa->_method_mod_q == NULL)
514 {
515 BN_MONT_CTX* bn_mont_ctx;
516 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
517 goto err;
518 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
519 {
520 BN_MONT_CTX_free(bn_mont_ctx);
521 goto err;
522 }
523 if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
524 {
525 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
526 if (rsa->_method_mod_q == NULL)
527 {
528 rsa->_method_mod_q = bn_mont_ctx;
529 bn_mont_ctx = NULL;
530 }
531 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
532 }
533 if (bn_mont_ctx)
534 BN_MONT_CTX_free(bn_mont_ctx);
535 }
536 }
537
538 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
539 if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
540 rsa->_method_mod_q)) goto err;
541
542 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
543 if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
544 rsa->_method_mod_p)) goto err;
545
546 if (!BN_sub(r0,r0,&m1)) goto err;
547 /* This will help stop the size of r0 increasing, which does
548 * affect the multiply if it optimised for a power of 2 size */
549 if (r0->neg)
550 if (!BN_add(r0,r0,rsa->p)) goto err;
551
552 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
553 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
554 /* If p < q it is occasionally possible for the correction of
555 * adding 'p' if r0 is negative above to leave the result still
556 * negative. This can break the private key operations: the following
557 * second correction should *always* correct this rare occurrence.
558 * This will *never* happen with OpenSSL generated keys because
559 * they ensure p > q [steve]
560 */
561 if (r0->neg)
562 if (!BN_add(r0,r0,rsa->p)) goto err;
563 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
564 if (!BN_add(r0,&r1,&m1)) goto err;
565
566 if (rsa->e && rsa->n)
567 {
568 if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err;
569 /* If 'I' was greater than (or equal to) rsa->n, the operation
570 * will be equivalent to using 'I mod n'. However, the result of
571 * the verify will *always* be less than 'n' so we don't check
572 * for absolute equality, just congruency. */
573 if (!BN_sub(&vrfy, &vrfy, I)) goto err;
574 if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err;
575 if (vrfy.neg)
576 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
577 if (!BN_is_zero(&vrfy))
578 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
579 * miscalculated CRT output, just do a raw (slower)
580 * mod_exp and return that instead. */
581 if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
582 }
583 ret=1;
248err: 584err:
249 if (m1 != NULL) BN_free(m1); 585 BN_clear_free(&m1);
250 if (r1 != NULL) BN_free(r1); 586 BN_clear_free(&r1);
587 BN_clear_free(&vrfy);
251 BN_CTX_free(ctx); 588 BN_CTX_free(ctx);
252 return(ret); 589 return(ret);
253 } 590 }
254 591
255static int RSA_eay_init(rsa) 592static int RSA_eay_init(RSA *rsa)
256RSA *rsa;
257 { 593 {
258 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; 594 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
259 return(1); 595 return(1);
260 } 596 }
261 597
262static int RSA_eay_finish(rsa) 598static int RSA_eay_finish(RSA *rsa)
263RSA *rsa;
264 { 599 {
265 if (rsa->method_mod_n != NULL) 600 if (rsa->_method_mod_n != NULL)
266 BN_MONT_CTX_free((BN_MONT_CTX *)rsa->method_mod_n); 601 BN_MONT_CTX_free(rsa->_method_mod_n);
267 if (rsa->method_mod_p != NULL) 602 if (rsa->_method_mod_p != NULL)
268 BN_MONT_CTX_free((BN_MONT_CTX *)rsa->method_mod_p); 603 BN_MONT_CTX_free(rsa->_method_mod_p);
269 if (rsa->method_mod_q != NULL) 604 if (rsa->_method_mod_q != NULL)
270 BN_MONT_CTX_free((BN_MONT_CTX *)rsa->method_mod_q); 605 BN_MONT_CTX_free(rsa->_method_mod_q);
271 return(1); 606 return(1);
272 } 607 }
273 608
274 609#endif
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
index 796b3afd47..a7766c3b76 100644
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -1,79 +1,87 @@
1/* lib/rsa/rsa_err.c */ 1/* crypto/rsa/rsa_err.c */
2/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) 2/* ====================================================================
3 * All rights reserved. 3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
25 * are met: 7 * are met:
26 * 1. Redistributions of source code must retain the copyright 8 *
27 * notice, this list of conditions and the following disclaimer. 9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
28 * 2. Redistributions in binary form must reproduce the above copyright 12 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the 13 * notice, this list of conditions and the following disclaimer in
30 * documentation and/or other materials provided with the distribution. 14 * the documentation and/or other materials provided with the
31 * 3. All advertising materials mentioning features or use of this software 15 * distribution.
32 * must display the following acknowledgement: 16 *
33 * "This product includes cryptographic software written by 17 * 3. All advertising materials mentioning features or use of this
34 * Eric Young (eay@cryptsoft.com)" 18 * software must display the following acknowledgment:
35 * The word 'cryptographic' can be left out if the rouines from the library 19 * "This product includes software developed by the OpenSSL Project
36 * being used are not cryptographic related :-). 20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
37 * 4. If you include any Windows specific code (or a derivative thereof) from 21 *
38 * the apps directory (application code) you must include an acknowledgement: 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 23 * endorse or promote products derived from this software without
40 * 24 * prior written permission. For written permission, please contact
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 25 * openssl-core@OpenSSL.org.
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 *
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * 5. Products derived from this software may not be called "OpenSSL"
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 28 * nor may "OpenSSL" appear in their names without prior written
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * permission of the OpenSSL Project.
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 *
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * 6. Redistributions of any form whatsoever must retain the following
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * acknowledgment:
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * "This product includes software developed by the OpenSSL Project
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
51 * SUCH DAMAGE. 35 *
52 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
53 * The licence and distribution terms for any publically available version or 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
55 * copied and put under another distribution licence 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
56 * [including the GNU Public Licence.] 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
57 */ 54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
58#include <stdio.h> 61#include <stdio.h>
59#include "err.h" 62#include <openssl/err.h>
60#include "rsa.h" 63#include <openssl/rsa.h>
61 64
62/* BEGIN ERROR CODES */ 65/* BEGIN ERROR CODES */
63#ifndef NO_ERR 66#ifndef OPENSSL_NO_ERR
64static ERR_STRING_DATA RSA_str_functs[]= 67static ERR_STRING_DATA RSA_str_functs[]=
65 { 68 {
69{ERR_PACK(0,RSA_F_MEMORY_LOCK,0), "MEMORY_LOCK"},
70{ERR_PACK(0,RSA_F_RSA_CHECK_KEY,0), "RSA_check_key"},
66{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_DECRYPT,0), "RSA_EAY_PRIVATE_DECRYPT"}, 71{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_DECRYPT,0), "RSA_EAY_PRIVATE_DECRYPT"},
67{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_ENCRYPT,0), "RSA_EAY_PRIVATE_ENCRYPT"}, 72{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_ENCRYPT,0), "RSA_EAY_PRIVATE_ENCRYPT"},
68{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_DECRYPT,0), "RSA_EAY_PUBLIC_DECRYPT"}, 73{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_DECRYPT,0), "RSA_EAY_PUBLIC_DECRYPT"},
69{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_ENCRYPT,0), "RSA_EAY_PUBLIC_ENCRYPT"}, 74{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_ENCRYPT,0), "RSA_EAY_PUBLIC_ENCRYPT"},
70{ERR_PACK(0,RSA_F_RSA_GENERATE_KEY,0), "RSA_generate_key"}, 75{ERR_PACK(0,RSA_F_RSA_GENERATE_KEY,0), "RSA_generate_key"},
71{ERR_PACK(0,RSA_F_RSA_NEW_METHOD,0), "RSA_new_method"}, 76{ERR_PACK(0,RSA_F_RSA_NEW_METHOD,0), "RSA_new_method"},
77{ERR_PACK(0,RSA_F_RSA_NULL,0), "RSA_NULL"},
72{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_NONE,0), "RSA_padding_add_none"}, 78{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_NONE,0), "RSA_padding_add_none"},
79{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,0), "RSA_padding_add_PKCS1_OAEP"},
73{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,0), "RSA_padding_add_PKCS1_type_1"}, 80{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,0), "RSA_padding_add_PKCS1_type_1"},
74{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,0), "RSA_padding_add_PKCS1_type_2"}, 81{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,0), "RSA_padding_add_PKCS1_type_2"},
75{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_SSLV23,0), "RSA_padding_add_SSLv23"}, 82{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_SSLV23,0), "RSA_padding_add_SSLv23"},
76{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_NONE,0), "RSA_padding_check_none"}, 83{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_NONE,0), "RSA_padding_check_none"},
84{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,0), "RSA_padding_check_PKCS1_OAEP"},
77{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,0), "RSA_padding_check_PKCS1_type_1"}, 85{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,0), "RSA_padding_check_PKCS1_type_1"},
78{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,0), "RSA_padding_check_PKCS1_type_2"}, 86{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,0), "RSA_padding_check_PKCS1_type_2"},
79{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_SSLV23,0), "RSA_padding_check_SSLv23"}, 87{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_SSLV23,0), "RSA_padding_check_SSLv23"},
@@ -83,7 +91,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
83{ERR_PACK(0,RSA_F_RSA_SIGN_ASN1_OCTET_STRING,0), "RSA_sign_ASN1_OCTET_STRING"}, 91{ERR_PACK(0,RSA_F_RSA_SIGN_ASN1_OCTET_STRING,0), "RSA_sign_ASN1_OCTET_STRING"},
84{ERR_PACK(0,RSA_F_RSA_VERIFY,0), "RSA_verify"}, 92{ERR_PACK(0,RSA_F_RSA_VERIFY,0), "RSA_verify"},
85{ERR_PACK(0,RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,0), "RSA_verify_ASN1_OCTET_STRING"}, 93{ERR_PACK(0,RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,0), "RSA_verify_ASN1_OCTET_STRING"},
86{0,NULL}, 94{0,NULL}
87 }; 95 };
88 96
89static ERR_STRING_DATA RSA_str_reasons[]= 97static ERR_STRING_DATA RSA_str_reasons[]=
@@ -93,34 +101,46 @@ static ERR_STRING_DATA RSA_str_reasons[]=
93{RSA_R_BAD_FIXED_HEADER_DECRYPT ,"bad fixed header decrypt"}, 101{RSA_R_BAD_FIXED_HEADER_DECRYPT ,"bad fixed header decrypt"},
94{RSA_R_BAD_PAD_BYTE_COUNT ,"bad pad byte count"}, 102{RSA_R_BAD_PAD_BYTE_COUNT ,"bad pad byte count"},
95{RSA_R_BAD_SIGNATURE ,"bad signature"}, 103{RSA_R_BAD_SIGNATURE ,"bad signature"},
96{RSA_R_BAD_ZERO_BYTE ,"bad zero byte"},
97{RSA_R_BLOCK_TYPE_IS_NOT_01 ,"block type is not 01"}, 104{RSA_R_BLOCK_TYPE_IS_NOT_01 ,"block type is not 01"},
98{RSA_R_BLOCK_TYPE_IS_NOT_02 ,"block type is not 02"}, 105{RSA_R_BLOCK_TYPE_IS_NOT_02 ,"block type is not 02"},
99{RSA_R_DATA_GREATER_THAN_MOD_LEN ,"data greater than mod len"}, 106{RSA_R_DATA_GREATER_THAN_MOD_LEN ,"data greater than mod len"},
100{RSA_R_DATA_TOO_LARGE ,"data too large"}, 107{RSA_R_DATA_TOO_LARGE ,"data too large"},
101{RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE ,"data too large for key size"}, 108{RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE ,"data too large for key size"},
109{RSA_R_DATA_TOO_LARGE_FOR_MODULUS ,"data too large for modulus"},
102{RSA_R_DATA_TOO_SMALL ,"data too small"}, 110{RSA_R_DATA_TOO_SMALL ,"data too small"},
111{RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE ,"data too small for key size"},
103{RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY ,"digest too big for rsa key"}, 112{RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY ,"digest too big for rsa key"},
113{RSA_R_DMP1_NOT_CONGRUENT_TO_D ,"dmp1 not congruent to d"},
114{RSA_R_DMQ1_NOT_CONGRUENT_TO_D ,"dmq1 not congruent to d"},
115{RSA_R_D_E_NOT_CONGRUENT_TO_1 ,"d e not congruent to 1"},
116{RSA_R_INVALID_MESSAGE_LENGTH ,"invalid message length"},
117{RSA_R_IQMP_NOT_INVERSE_OF_Q ,"iqmp not inverse of q"},
118{RSA_R_KEY_SIZE_TOO_SMALL ,"key size too small"},
104{RSA_R_NULL_BEFORE_BLOCK_MISSING ,"null before block missing"}, 119{RSA_R_NULL_BEFORE_BLOCK_MISSING ,"null before block missing"},
120{RSA_R_N_DOES_NOT_EQUAL_P_Q ,"n does not equal p q"},
121{RSA_R_OAEP_DECODING_ERROR ,"oaep decoding error"},
105{RSA_R_PADDING_CHECK_FAILED ,"padding check failed"}, 122{RSA_R_PADDING_CHECK_FAILED ,"padding check failed"},
123{RSA_R_P_NOT_PRIME ,"p not prime"},
124{RSA_R_Q_NOT_PRIME ,"q not prime"},
125{RSA_R_RSA_OPERATIONS_NOT_SUPPORTED ,"rsa operations not supported"},
106{RSA_R_SSLV3_ROLLBACK_ATTACK ,"sslv3 rollback attack"}, 126{RSA_R_SSLV3_ROLLBACK_ATTACK ,"sslv3 rollback attack"},
107{RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"}, 127{RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"},
108{RSA_R_UNKNOWN_ALGORITHM_TYPE ,"unknown algorithm type"}, 128{RSA_R_UNKNOWN_ALGORITHM_TYPE ,"unknown algorithm type"},
109{RSA_R_UNKNOWN_PADDING_TYPE ,"unknown padding type"}, 129{RSA_R_UNKNOWN_PADDING_TYPE ,"unknown padding type"},
110{RSA_R_WRONG_SIGNATURE_LENGTH ,"wrong signature length"}, 130{RSA_R_WRONG_SIGNATURE_LENGTH ,"wrong signature length"},
111{0,NULL}, 131{0,NULL}
112 }; 132 };
113 133
114#endif 134#endif
115 135
116void ERR_load_RSA_strings() 136void ERR_load_RSA_strings(void)
117 { 137 {
118 static int init=1; 138 static int init=1;
119 139
120 if (init); 140 if (init)
121 {; 141 {
122 init=0; 142 init=0;
123#ifndef NO_ERR 143#ifndef OPENSSL_NO_ERR
124 ERR_load_strings(ERR_LIB_RSA,RSA_str_functs); 144 ERR_load_strings(ERR_LIB_RSA,RSA_str_functs);
125 ERR_load_strings(ERR_LIB_RSA,RSA_str_reasons); 145 ERR_load_strings(ERR_LIB_RSA,RSA_str_reasons);
126#endif 146#endif
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index 4cbd373829..00c25adbc5 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -59,34 +59,130 @@
59#include <stdio.h> 59#include <stdio.h>
60#include <time.h> 60#include <time.h>
61#include "cryptlib.h" 61#include "cryptlib.h"
62#include "bn.h" 62#include <openssl/bn.h>
63#include "rsa.h" 63#include <openssl/rsa.h>
64 64
65RSA *RSA_generate_key(bits, e_value, callback,cb_arg) 65RSA *RSA_generate_key(int bits, unsigned long e_value,
66int bits; 66 void (*callback)(int,int,void *), void *cb_arg)
67unsigned long e_value;
68void (*callback)(P_I_I_P);
69char *cb_arg;
70 { 67 {
71 RSA *rsa=NULL; 68 RSA *rsa=NULL;
72 BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp; 69 BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
73 int bitsp,bitsq,ok= -1,n=0; 70 int bitsp,bitsq,ok= -1,n=0,i;
74 BN_CTX *ctx=NULL,*ctx2=NULL; 71 BN_CTX *ctx=NULL,*ctx2=NULL;
75 72
76 ctx=BN_CTX_new(); 73 ctx=BN_CTX_new();
77 if (ctx == NULL) goto err; 74 if (ctx == NULL) goto err;
78 ctx2=BN_CTX_new(); 75 ctx2=BN_CTX_new();
79 if (ctx2 == NULL) goto err; 76 if (ctx2 == NULL) goto err;
77 BN_CTX_start(ctx);
78 r0 = BN_CTX_get(ctx);
79 r1 = BN_CTX_get(ctx);
80 r2 = BN_CTX_get(ctx);
81 r3 = BN_CTX_get(ctx);
82 if (r3 == NULL) goto err;
83
84 bitsp=(bits+1)/2;
85 bitsq=bits-bitsp;
86 rsa=RSA_new();
87 if (rsa == NULL) goto err;
88
89 /* set e */
90 rsa->e=BN_new();
91 if (rsa->e == NULL) goto err;
92
93#if 1
94 /* The problem is when building with 8, 16, or 32 BN_ULONG,
95 * unsigned long can be larger */
96 for (i=0; i<sizeof(unsigned long)*8; i++)
97 {
98 if (e_value & (1UL<<i))
99 BN_set_bit(rsa->e,i);
100 }
101#else
102 if (!BN_set_word(rsa->e,e_value)) goto err;
103#endif
104
105 /* generate p and q */
106 for (;;)
107 {
108 rsa->p=BN_generate_prime(NULL,bitsp,0,NULL,NULL,callback,cb_arg);
109 if (rsa->p == NULL) goto err;
110 if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
111 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
112 if (BN_is_one(r1)) break;
113 if (callback != NULL) callback(2,n++,cb_arg);
114 BN_free(rsa->p);
115 }
116 if (callback != NULL) callback(3,0,cb_arg);
117 for (;;)
118 {
119 rsa->q=BN_generate_prime(NULL,bitsq,0,NULL,NULL,callback,cb_arg);
120 if (rsa->q == NULL) goto err;
121 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
122 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
123 if (BN_is_one(r1) && (BN_cmp(rsa->p,rsa->q) != 0))
124 break;
125 if (callback != NULL) callback(2,n++,cb_arg);
126 BN_free(rsa->q);
127 }
128 if (callback != NULL) callback(3,1,cb_arg);
129 if (BN_cmp(rsa->p,rsa->q) < 0)
130 {
131 tmp=rsa->p;
132 rsa->p=rsa->q;
133 rsa->q=tmp;
134 }
135
136 /* calculate n */
137 rsa->n=BN_new();
138 if (rsa->n == NULL) goto err;
139 if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
140
141 /* calculate d */
142 if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */
143 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */
144 if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */
145
146/* should not be needed, since gcd(p-1,e) == 1 and gcd(q-1,e) == 1 */
147/* for (;;)
148 {
149 if (!BN_gcd(r3,r0,rsa->e,ctx)) goto err;
150 if (BN_is_one(r3)) break;
151
152 if (1)
153 {
154 if (!BN_add_word(rsa->e,2L)) goto err;
155 continue;
156 }
157 RSAerr(RSA_F_RSA_GENERATE_KEY,RSA_R_BAD_E_VALUE);
158 goto err;
159 }
160*/
161 rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */
162 if (rsa->d == NULL) goto err;
163
164 /* calculate d mod (p-1) */
165 rsa->dmp1=BN_new();
166 if (rsa->dmp1 == NULL) goto err;
167 if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx)) goto err;
168
169 /* calculate d mod (q-1) */
170 rsa->dmq1=BN_new();
171 if (rsa->dmq1 == NULL) goto err;
172 if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx)) goto err;
173
174 /* calculate inverse of q mod p */
175 rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
176 if (rsa->iqmp == NULL) goto err;
80 177
81 /* Body of this routine removed for OpenBSD - will return 178 ok=1;
82 * when the RSA patent expires
83 */
84err: 179err:
85 if (ok == -1) 180 if (ok == -1)
86 { 181 {
87 RSAerr(RSA_F_RSA_GENERATE_KEY,ERR_LIB_BN); 182 RSAerr(RSA_F_RSA_GENERATE_KEY,ERR_LIB_BN);
88 ok=0; 183 ok=0;
89 } 184 }
185 BN_CTX_end(ctx);
90 BN_CTX_free(ctx); 186 BN_CTX_free(ctx);
91 BN_CTX_free(ctx2); 187 BN_CTX_free(ctx2);
92 188
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index 95a56f8a28..93235744f7 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -57,53 +57,103 @@
57 */ 57 */
58 58
59#include <stdio.h> 59#include <stdio.h>
60#include "crypto.h" 60#include <openssl/crypto.h>
61#include "cryptlib.h" 61#include "cryptlib.h"
62#include "lhash.h" 62#include <openssl/lhash.h>
63#include "bn.h" 63#include <openssl/bn.h>
64#include "rsa.h" 64#include <openssl/rsa.h>
65#include <openssl/engine.h>
65 66
66char *RSA_version="RSA part of SSLeay 0.9.0b 29-Jun-1998"; 67const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT;
67 68
68static RSA_METHOD *default_RSA_meth=NULL; 69static const RSA_METHOD *default_RSA_meth=NULL;
69static int rsa_meth_num=0;
70static STACK *rsa_meth=NULL;
71 70
72RSA *RSA_new() 71RSA *RSA_new(void)
73 { 72 {
74 return(RSA_new_method(NULL)); 73 return(RSA_new_method(NULL));
75 } 74 }
76 75
77void RSA_set_default_method(meth) 76void RSA_set_default_method(const RSA_METHOD *meth)
78RSA_METHOD *meth;
79 { 77 {
80 default_RSA_meth=meth; 78 default_RSA_meth = meth;
81 } 79 }
82 80
83RSA *RSA_new_method(meth) 81const RSA_METHOD *RSA_get_default_method(void)
84RSA_METHOD *meth;
85 { 82 {
86 RSA *ret;
87
88 if (default_RSA_meth == NULL) 83 if (default_RSA_meth == NULL)
89 { 84 {
90#ifdef RSAref 85#ifdef RSA_NULL
86 default_RSA_meth=RSA_null_method();
87#else
88#if 0 /* was: #ifdef RSAref */
91 default_RSA_meth=RSA_PKCS1_RSAref(); 89 default_RSA_meth=RSA_PKCS1_RSAref();
92#else 90#else
93 default_RSA_meth=RSA_PKCS1_SSLeay(); 91 default_RSA_meth=RSA_PKCS1_SSLeay();
94#endif 92#endif
93#endif
94 }
95
96 return default_RSA_meth;
97 }
98
99const RSA_METHOD *RSA_get_method(const RSA *rsa)
100 {
101 return rsa->meth;
102 }
103
104int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
105 {
106 /* NB: The caller is specifically setting a method, so it's not up to us
107 * to deal with which ENGINE it comes from. */
108 const RSA_METHOD *mtmp;
109 mtmp = rsa->meth;
110 if (mtmp->finish) mtmp->finish(rsa);
111 if (rsa->engine)
112 {
113 ENGINE_finish(rsa->engine);
114 rsa->engine = NULL;
95 } 115 }
96 ret=(RSA *)Malloc(sizeof(RSA)); 116 rsa->meth = meth;
117 if (meth->init) meth->init(rsa);
118 return 1;
119 }
120
121RSA *RSA_new_method(ENGINE *engine)
122 {
123 RSA *ret;
124
125 ret=(RSA *)OPENSSL_malloc(sizeof(RSA));
97 if (ret == NULL) 126 if (ret == NULL)
98 { 127 {
99 RSAerr(RSA_F_RSA_NEW_METHOD,ERR_R_MALLOC_FAILURE); 128 RSAerr(RSA_F_RSA_NEW_METHOD,ERR_R_MALLOC_FAILURE);
100 return(NULL); 129 return NULL;
101 } 130 }
102 131
103 if (meth == NULL) 132 ret->meth = RSA_get_default_method();
104 ret->meth=default_RSA_meth; 133 if (engine)
134 {
135 if (!ENGINE_init(engine))
136 {
137 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
138 OPENSSL_free(ret);
139 return NULL;
140 }
141 ret->engine = engine;
142 }
105 else 143 else
106 ret->meth=meth; 144 ret->engine = ENGINE_get_default_RSA();
145 if(ret->engine)
146 {
147 ret->meth = ENGINE_get_RSA(ret->engine);
148 if(!ret->meth)
149 {
150 RSAerr(RSA_F_RSA_NEW_METHOD,
151 ERR_R_ENGINE_LIB);
152 ENGINE_finish(ret->engine);
153 OPENSSL_free(ret);
154 return NULL;
155 }
156 }
107 157
108 ret->pad=0; 158 ret->pad=0;
109 ret->version=0; 159 ret->version=0;
@@ -116,22 +166,25 @@ RSA_METHOD *meth;
116 ret->dmq1=NULL; 166 ret->dmq1=NULL;
117 ret->iqmp=NULL; 167 ret->iqmp=NULL;
118 ret->references=1; 168 ret->references=1;
119 ret->method_mod_n=NULL; 169 ret->_method_mod_n=NULL;
120 ret->method_mod_p=NULL; 170 ret->_method_mod_p=NULL;
121 ret->method_mod_q=NULL; 171 ret->_method_mod_q=NULL;
122 ret->blinding=NULL; 172 ret->blinding=NULL;
173 ret->bignum_data=NULL;
123 ret->flags=ret->meth->flags; 174 ret->flags=ret->meth->flags;
175 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
124 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) 176 if ((ret->meth->init != NULL) && !ret->meth->init(ret))
125 { 177 {
126 Free(ret); 178 if (ret->engine)
179 ENGINE_finish(ret->engine);
180 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
181 OPENSSL_free(ret);
127 ret=NULL; 182 ret=NULL;
128 } 183 }
129 CRYPTO_new_ex_data(rsa_meth,(char *)ret,&ret->ex_data);
130 return(ret); 184 return(ret);
131 } 185 }
132 186
133void RSA_free(r) 187void RSA_free(RSA *r)
134RSA *r;
135 { 188 {
136 int i; 189 int i;
137 190
@@ -150,10 +203,12 @@ RSA *r;
150 } 203 }
151#endif 204#endif
152 205
153 CRYPTO_free_ex_data(rsa_meth,(char *)r,&r->ex_data); 206 if (r->meth->finish)
154
155 if (r->meth->finish != NULL)
156 r->meth->finish(r); 207 r->meth->finish(r);
208 if (r->engine)
209 ENGINE_finish(r->engine);
210
211 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
157 212
158 if (r->n != NULL) BN_clear_free(r->n); 213 if (r->n != NULL) BN_clear_free(r->n);
159 if (r->e != NULL) BN_clear_free(r->e); 214 if (r->e != NULL) BN_clear_free(r->e);
@@ -164,90 +219,78 @@ RSA *r;
164 if (r->dmq1 != NULL) BN_clear_free(r->dmq1); 219 if (r->dmq1 != NULL) BN_clear_free(r->dmq1);
165 if (r->iqmp != NULL) BN_clear_free(r->iqmp); 220 if (r->iqmp != NULL) BN_clear_free(r->iqmp);
166 if (r->blinding != NULL) BN_BLINDING_free(r->blinding); 221 if (r->blinding != NULL) BN_BLINDING_free(r->blinding);
167 Free(r); 222 if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data);
223 OPENSSL_free(r);
168 } 224 }
169 225
170int RSA_get_ex_new_index(argl,argp,new_func,dup_func,free_func) 226int RSA_up_ref(RSA *r)
171long argl; 227 {
172char *argp; 228 int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_RSA);
173int (*new_func)(); 229#ifdef REF_PRINT
174int (*dup_func)(); 230 REF_PRINT("RSA",r);
175void (*free_func)(); 231#endif
232#ifdef REF_CHECK
233 if (i < 2)
234 {
235 fprintf(stderr, "RSA_up_ref, bad reference count\n");
236 abort();
237 }
238#endif
239 return ((i > 1) ? 1 : 0);
240 }
241
242int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
243 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
176 { 244 {
177 rsa_meth_num++; 245 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp,
178 return(CRYPTO_get_ex_new_index(rsa_meth_num-1, 246 new_func, dup_func, free_func);
179 &rsa_meth,argl,argp,new_func,dup_func,free_func));
180 } 247 }
181 248
182int RSA_set_ex_data(r,idx,arg) 249int RSA_set_ex_data(RSA *r, int idx, void *arg)
183RSA *r;
184int idx;
185char *arg;
186 { 250 {
187 return(CRYPTO_set_ex_data(&r->ex_data,idx,arg)); 251 return(CRYPTO_set_ex_data(&r->ex_data,idx,arg));
188 } 252 }
189 253
190char *RSA_get_ex_data(r,idx) 254void *RSA_get_ex_data(const RSA *r, int idx)
191RSA *r;
192int idx;
193 { 255 {
194 return(CRYPTO_get_ex_data(&r->ex_data,idx)); 256 return(CRYPTO_get_ex_data(&r->ex_data,idx));
195 } 257 }
196 258
197int RSA_size(r) 259int RSA_size(const RSA *r)
198RSA *r;
199 { 260 {
200 return(BN_num_bytes(r->n)); 261 return(BN_num_bytes(r->n));
201 } 262 }
202 263
203int RSA_public_encrypt(flen, from, to, rsa, padding) 264int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
204int flen; 265 RSA *rsa, int padding)
205unsigned char *from;
206unsigned char *to;
207RSA *rsa;
208int padding;
209 { 266 {
210 return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding)); 267 return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
211 } 268 }
212 269
213int RSA_private_encrypt(flen, from, to, rsa, padding) 270int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
214int flen; 271 RSA *rsa, int padding)
215unsigned char *from;
216unsigned char *to;
217RSA *rsa;
218int padding;
219 { 272 {
220 return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding)); 273 return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
221 } 274 }
222 275
223int RSA_private_decrypt(flen, from, to, rsa, padding) 276int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
224int flen; 277 RSA *rsa, int padding)
225unsigned char *from;
226unsigned char *to;
227RSA *rsa;
228int padding;
229 { 278 {
230 return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding)); 279 return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
231 } 280 }
232 281
233int RSA_public_decrypt(flen, from, to, rsa, padding) 282int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
234int flen; 283 RSA *rsa, int padding)
235unsigned char *from;
236unsigned char *to;
237RSA *rsa;
238int padding;
239 { 284 {
240 return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); 285 return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
241 } 286 }
242 287
243int RSA_flags(r) 288int RSA_flags(const RSA *r)
244RSA *r;
245 { 289 {
246 return((r == NULL)?0:r->meth->flags); 290 return((r == NULL)?0:r->meth->flags);
247 } 291 }
248 292
249void RSA_blinding_off(rsa) 293void RSA_blinding_off(RSA *rsa)
250RSA *rsa;
251 { 294 {
252 if (rsa->blinding != NULL) 295 if (rsa->blinding != NULL)
253 { 296 {
@@ -257,9 +300,7 @@ RSA *rsa;
257 rsa->flags&= ~RSA_FLAG_BLINDING; 300 rsa->flags&= ~RSA_FLAG_BLINDING;
258 } 301 }
259 302
260int RSA_blinding_on(rsa,p_ctx) 303int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
261RSA *rsa;
262BN_CTX *p_ctx;
263 { 304 {
264 BIGNUM *A,*Ai; 305 BIGNUM *A,*Ai;
265 BN_CTX *ctx; 306 BN_CTX *ctx;
@@ -275,20 +316,64 @@ BN_CTX *p_ctx;
275 if (rsa->blinding != NULL) 316 if (rsa->blinding != NULL)
276 BN_BLINDING_free(rsa->blinding); 317 BN_BLINDING_free(rsa->blinding);
277 318
278 A=ctx->bn[0]; 319 BN_CTX_start(ctx);
279 ctx->tos++; 320 A = BN_CTX_get(ctx);
280 if (!BN_rand(A,BN_num_bits(rsa->n)-1,1,0)) goto err; 321 if (!BN_rand_range(A,rsa->n)) goto err;
281 if ((Ai=BN_mod_inverse(A,rsa->n,ctx)) == NULL) goto err; 322 if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
282 323
283 if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx, 324 if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
284 (char *)rsa->method_mod_n)) goto err; 325 goto err;
285 rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n); 326 rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n);
286 ctx->tos--;
287 rsa->flags|=RSA_FLAG_BLINDING; 327 rsa->flags|=RSA_FLAG_BLINDING;
288 BN_free(Ai); 328 BN_free(Ai);
289 ret=1; 329 ret=1;
290err: 330err:
331 BN_CTX_end(ctx);
291 if (ctx != p_ctx) BN_CTX_free(ctx); 332 if (ctx != p_ctx) BN_CTX_free(ctx);
292 return(ret); 333 return(ret);
293 } 334 }
294 335
336int RSA_memory_lock(RSA *r)
337 {
338 int i,j,k,off;
339 char *p;
340 BIGNUM *bn,**t[6],*b;
341 BN_ULONG *ul;
342
343 if (r->d == NULL) return(1);
344 t[0]= &r->d;
345 t[1]= &r->p;
346 t[2]= &r->q;
347 t[3]= &r->dmp1;
348 t[4]= &r->dmq1;
349 t[5]= &r->iqmp;
350 k=sizeof(BIGNUM)*6;
351 off=k/sizeof(BN_ULONG)+1;
352 j=1;
353 for (i=0; i<6; i++)
354 j+= (*t[i])->top;
355 if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL)
356 {
357 RSAerr(RSA_F_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);
358 return(0);
359 }
360 bn=(BIGNUM *)p;
361 ul=(BN_ULONG *)&(p[off]);
362 for (i=0; i<6; i++)
363 {
364 b= *(t[i]);
365 *(t[i])= &(bn[i]);
366 memcpy((char *)&(bn[i]),(char *)b,sizeof(BIGNUM));
367 bn[i].flags=BN_FLG_STATIC_DATA;
368 bn[i].d=ul;
369 memcpy((char *)ul,b->d,sizeof(BN_ULONG)*b->top);
370 ul+=b->top;
371 BN_clear_free(b);
372 }
373
374 /* I should fix this so it can still be done */
375 r->flags&= ~(RSA_FLAG_CACHE_PRIVATE|RSA_FLAG_CACHE_PUBLIC);
376
377 r->bignum_data=p;
378 return(1);
379 }
diff --git a/src/lib/libcrypto/rsa/rsa_none.c b/src/lib/libcrypto/rsa/rsa_none.c
index f0dd943657..e6f3e627ca 100644
--- a/src/lib/libcrypto/rsa/rsa_none.c
+++ b/src/lib/libcrypto/rsa/rsa_none.c
@@ -58,52 +58,41 @@
58 58
59#include <stdio.h> 59#include <stdio.h>
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include "bn.h" 61#include <openssl/bn.h>
62#include "rsa.h" 62#include <openssl/rsa.h>
63#include "rand.h" 63#include <openssl/rand.h>
64 64
65int RSA_padding_add_none(to,tlen,from,flen) 65int RSA_padding_add_none(unsigned char *to, int tlen,
66unsigned char *to; 66 const unsigned char *from, int flen)
67int tlen;
68unsigned char *from;
69int flen;
70 { 67 {
71 if (flen >= tlen) 68 if (flen > tlen)
72 { 69 {
73 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 70 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
74 return(0); 71 return(0);
75 } 72 }
73
74 if (flen < tlen)
75 {
76 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
77 return(0);
78 }
76 79
77 *(to++)=0;
78 memcpy(to,from,(unsigned int)flen); 80 memcpy(to,from,(unsigned int)flen);
79 return(1); 81 return(1);
80 } 82 }
81 83
82int RSA_padding_check_none(to,tlen,from,flen) 84int RSA_padding_check_none(unsigned char *to, int tlen,
83unsigned char *to; 85 const unsigned char *from, int flen, int num)
84int tlen;
85unsigned char *from;
86int flen;
87 { 86 {
88 int j;
89 87
90 from++; 88 if (flen > tlen)
91 if (flen+1 > tlen)
92 { 89 {
93 RSAerr(RSA_F_RSA_PADDING_CHECK_NONE,RSA_R_DATA_TOO_LARGE); 90 RSAerr(RSA_F_RSA_PADDING_CHECK_NONE,RSA_R_DATA_TOO_LARGE);
94 return(-1); 91 return(-1);
95 } 92 }
96 if (*(from++) != 0)
97 {
98 RSAerr(RSA_F_RSA_PADDING_CHECK_NONE,RSA_R_BAD_ZERO_BYTE);
99 return(-1);
100 }
101 93
102 /* scan over padding data */ 94 memset(to,0,tlen-flen);
103 j=flen-1; /* one for type and one for the prepended 0. */ 95 memcpy(to+tlen-flen,from,flen);
104 memset(to,0,tlen-j); 96 return(tlen);
105 to+=(tlen-j);
106 memcpy(to,from,j);
107 return(j);
108 } 97 }
109 98
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index 843c40c864..e3f7c608ec 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -2,161 +2,205 @@
2/* Written by Ulf Moeller. This software is distributed on an "AS IS" 2/* Written by Ulf Moeller. This software is distributed on an "AS IS"
3 basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */ 3 basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
4 4
5/* EME_OAEP as defined in RFC 2437 (PKCS #1 v2.0) */ 5/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
6 6
7#if !defined(NO_SHA) && !defined(NO_SHA1) 7/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
8 * <URL: http://www.shoup.net/papers/oaep.ps.Z>
9 * for problems with the security proof for the
10 * original OAEP scheme, which EME-OAEP is based on.
11 *
12 * A new proof can be found in E. Fujisaki, T. Okamoto,
13 * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
14 * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
15 * The new proof has stronger requirements for the
16 * underlying permutation: "partial-one-wayness" instead
17 * of one-wayness. For the RSA function, this is
18 * an equivalent notion.
19 */
20
21
22#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
8#include <stdio.h> 23#include <stdio.h>
9#include "cryptlib.h" 24#include "cryptlib.h"
10#include <openssl/bn.h> 25#include <openssl/bn.h>
11#include <openssl/rsa.h> 26#include <openssl/rsa.h>
12#include <openssl/sha.h> 27#include <openssl/evp.h>
13#include <openssl/rand.h> 28#include <openssl/rand.h>
29#include <openssl/sha.h>
14 30
15int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen); 31int MGF1(unsigned char *mask, long len,
32 const unsigned char *seed, long seedlen);
16 33
17int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, 34int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
18 unsigned char *from, int flen, unsigned char *param, int plen) 35 const unsigned char *from, int flen,
19 { 36 const unsigned char *param, int plen)
20 int i, emlen = tlen - 1;
21 unsigned char *db, *seed;
22 unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
23
24 if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
25 { 37 {
26 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, 38 int i, emlen = tlen - 1;
27 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 39 unsigned char *db, *seed;
28 return (0); 40 unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
29 }
30 41
31 if (emlen < 2 * SHA_DIGEST_LENGTH + 1) 42 if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
32 { 43 {
33 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL); 44 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
34 return (0); 45 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
35 } 46 return 0;
36 47 }
37 dbmask = Malloc(emlen - SHA_DIGEST_LENGTH); 48
38 if (dbmask == NULL) 49 if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
39 { 50 {
40 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); 51 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
41 return (0); 52 return 0;
42 } 53 }
43 54
44 to[0] = 0; 55 dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
45 seed = to + 1; 56 if (dbmask == NULL)
46 db = to + SHA_DIGEST_LENGTH + 1; 57 {
58 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
59 return 0;
60 }
47 61
48 SHA1(param, plen, db); 62 to[0] = 0;
49 memset(db + SHA_DIGEST_LENGTH, 0, 63 seed = to + 1;
50 emlen - flen - 2 * SHA_DIGEST_LENGTH - 1); 64 db = to + SHA_DIGEST_LENGTH + 1;
51 db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01; 65
52 memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen); 66 EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL);
53 RAND_bytes(seed, SHA_DIGEST_LENGTH); 67 memset(db + SHA_DIGEST_LENGTH, 0,
68 emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
69 db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
70 memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
71 if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
72 return 0;
54#ifdef PKCS_TESTVECT 73#ifdef PKCS_TESTVECT
55 memcpy(seed, 74 memcpy(seed,
56 "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f", 75 "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
57 20); 76 20);
58#endif 77#endif
59 78
60 MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH); 79 MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
61 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++) 80 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
62 db[i] ^= dbmask[i]; 81 db[i] ^= dbmask[i];
63 82
64 MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH); 83 MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
65 for (i = 0; i < SHA_DIGEST_LENGTH; i++) 84 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
66 seed[i] ^= seedmask[i]; 85 seed[i] ^= seedmask[i];
67 86
68 Free(dbmask); 87 OPENSSL_free(dbmask);
69 return (1); 88 return 1;
70 } 89 }
71 90
72int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, 91int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
73 unsigned char *from, int flen, int num, unsigned char *param, 92 const unsigned char *from, int flen, int num,
74 int plen) 93 const unsigned char *param, int plen)
75 {
76 int i, dblen, mlen = -1;
77 unsigned char *maskeddb;
78 int lzero;
79 unsigned char *db, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
80
81 if (--num < 2 * SHA_DIGEST_LENGTH + 1)
82 { 94 {
83 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); 95 int i, dblen, mlen = -1;
84 return (-1); 96 const unsigned char *maskeddb;
85 } 97 int lzero;
98 unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
99 int bad = 0;
100
101 if (--num < 2 * SHA_DIGEST_LENGTH + 1)
102 /* 'num' is the length of the modulus, i.e. does not depend on the
103 * particular ciphertext. */
104 goto decoding_err;
105
106 lzero = num - flen;
107 if (lzero < 0)
108 {
109 /* lzero == -1 */
110
111 /* signalling this error immediately after detection might allow
112 * for side-channel attacks (e.g. timing if 'plen' is huge
113 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
114 * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
115 * so we use a 'bad' flag */
116 bad = 1;
117 lzero = 0;
118 }
119 maskeddb = from - lzero + SHA_DIGEST_LENGTH;
86 120
87 dblen = num - SHA_DIGEST_LENGTH; 121 dblen = num - SHA_DIGEST_LENGTH;
88 db = Malloc(dblen); 122 db = OPENSSL_malloc(dblen);
89 if (db == NULL) 123 if (db == NULL)
90 { 124 {
91 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); 125 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
92 return (-1); 126 return -1;
93 } 127 }
94 128
95 lzero = num - flen; 129 MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
96 maskeddb = from - lzero + SHA_DIGEST_LENGTH; 130 for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
97 131 seed[i] ^= from[i - lzero];
98 MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
99 for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
100 seed[i] ^= from[i - lzero];
101 132
102 MGF1(db, dblen, seed, SHA_DIGEST_LENGTH); 133 MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
103 for (i = 0; i < dblen; i++) 134 for (i = 0; i < dblen; i++)
104 db[i] ^= maskeddb[i]; 135 db[i] ^= maskeddb[i];
105 136
106 SHA1(param, plen, phash); 137 EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL);
107 138
108 if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0) 139 if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
109 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); 140 goto decoding_err;
110 else
111 {
112 for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
113 if (db[i] != 0x00)
114 break;
115 if (db[i] != 0x01 || i++ >= dblen)
116 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,
117 RSA_R_OAEP_DECODING_ERROR);
118 else 141 else
119 {
120 mlen = dblen - i;
121 if (tlen < mlen)
122 { 142 {
123 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE); 143 for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
124 mlen = -1; 144 if (db[i] != 0x00)
145 break;
146 if (db[i] != 0x01 || i++ >= dblen)
147 goto decoding_err;
148 else
149 {
150 /* everything looks OK */
151
152 mlen = dblen - i;
153 if (tlen < mlen)
154 {
155 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
156 mlen = -1;
157 }
158 else
159 memcpy(to, db + i, mlen);
160 }
125 } 161 }
126 else 162 OPENSSL_free(db);
127 memcpy(to, db + i, mlen); 163 return mlen;
128 } 164
165decoding_err:
166 /* to avoid chosen ciphertext attacks, the error message should not reveal
167 * which kind of decoding error happened */
168 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
169 if (db != NULL) OPENSSL_free(db);
170 return -1;
129 } 171 }
130 Free(db); 172
131 return (mlen); 173int MGF1(unsigned char *mask, long len,
132 } 174 const unsigned char *seed, long seedlen)
133
134int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen)
135 {
136 long i, outlen = 0;
137 unsigned char cnt[4];
138 SHA_CTX c;
139 unsigned char md[SHA_DIGEST_LENGTH];
140
141 for (i = 0; outlen < len; i++)
142 { 175 {
143 cnt[0] = (i >> 24) & 255, cnt[1] = (i >> 16) & 255, 176 long i, outlen = 0;
144 cnt[2] = (i >> 8) & 255, cnt[3] = i & 255; 177 unsigned char cnt[4];
145 SHA1_Init(&c); 178 EVP_MD_CTX c;
146 SHA1_Update(&c, seed, seedlen); 179 unsigned char md[SHA_DIGEST_LENGTH];
147 SHA1_Update(&c, cnt, 4); 180
148 if (outlen + SHA_DIGEST_LENGTH <= len) 181 EVP_MD_CTX_init(&c);
149 { 182 for (i = 0; outlen < len; i++)
150 SHA1_Final(mask + outlen, &c); 183 {
151 outlen += SHA_DIGEST_LENGTH; 184 cnt[0] = (unsigned char)((i >> 24) & 255);
152 } 185 cnt[1] = (unsigned char)((i >> 16) & 255);
153 else 186 cnt[2] = (unsigned char)((i >> 8)) & 255;
154 { 187 cnt[3] = (unsigned char)(i & 255);
155 SHA1_Final(md, &c); 188 EVP_DigestInit_ex(&c,EVP_sha1(), NULL);
156 memcpy(mask + outlen, md, len - outlen); 189 EVP_DigestUpdate(&c, seed, seedlen);
157 outlen = len; 190 EVP_DigestUpdate(&c, cnt, 4);
158 } 191 if (outlen + SHA_DIGEST_LENGTH <= len)
192 {
193 EVP_DigestFinal_ex(&c, mask + outlen, NULL);
194 outlen += SHA_DIGEST_LENGTH;
195 }
196 else
197 {
198 EVP_DigestFinal_ex(&c, md, NULL);
199 memcpy(mask + outlen, md, len - outlen);
200 outlen = len;
201 }
202 }
203 EVP_MD_CTX_cleanup(&c);
204 return 0;
159 } 205 }
160 return (0);
161 }
162#endif 206#endif
diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c
index 2791291b94..c1edd6764f 100644
--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ b/src/lib/libcrypto/rsa/rsa_pk1.c
@@ -58,27 +58,12 @@
58 58
59#include <stdio.h> 59#include <stdio.h>
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include "bn.h" 61#include <openssl/bn.h>
62#include "rsa.h" 62#include <openssl/rsa.h>
63#include "rand.h" 63#include <openssl/rand.h>
64
65#ifndef NOPROTO
66int RSA_padding_add_PKCS1_type_1();
67int RSA_padding_check_PKCS1_type_1();
68int RSA_padding_add_PKCS1_type_2();
69int RSA_padding_check_PKCS1_type_2();
70int RSA_padding_add_SSLv23();
71int RSA_padding_check_SSLv23();
72int RSA_padding_add_none();
73int RSA_padding_check_none();
74 64
75#endif 65int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
76 66 const unsigned char *from, int flen)
77int RSA_padding_add_PKCS1_type_1(to,tlen,from,flen)
78unsigned char *to;
79int tlen;
80unsigned char *from;
81int flen;
82 { 67 {
83 int j; 68 int j;
84 unsigned char *p; 69 unsigned char *p;
@@ -94,7 +79,7 @@ int flen;
94 *(p++)=0; 79 *(p++)=0;
95 *(p++)=1; /* Private Key BT (Block Type) */ 80 *(p++)=1; /* Private Key BT (Block Type) */
96 81
97 /* padd out with 0xff data */ 82 /* pad out with 0xff data */
98 j=tlen-3-flen; 83 j=tlen-3-flen;
99 memset(p,0xff,j); 84 memset(p,0xff,j);
100 p+=j; 85 p+=j;
@@ -103,17 +88,14 @@ int flen;
103 return(1); 88 return(1);
104 } 89 }
105 90
106int RSA_padding_check_PKCS1_type_1(to,tlen,from,flen) 91int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
107unsigned char *to; 92 const unsigned char *from, int flen, int num)
108int tlen;
109unsigned char *from;
110int flen;
111 { 93 {
112 int i,j; 94 int i,j;
113 unsigned char *p; 95 const unsigned char *p;
114 96
115 p=from; 97 p=from;
116 if (*(p++) != 01) 98 if ((num != (flen+1)) || (*(p++) != 01))
117 { 99 {
118 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BLOCK_TYPE_IS_NOT_01); 100 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BLOCK_TYPE_IS_NOT_01);
119 return(-1); 101 return(-1);
@@ -148,16 +130,18 @@ int flen;
148 } 130 }
149 i++; /* Skip over the '\0' */ 131 i++; /* Skip over the '\0' */
150 j-=i; 132 j-=i;
133 if (j > tlen)
134 {
135 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE);
136 return(-1);
137 }
151 memcpy(to,p,(unsigned int)j); 138 memcpy(to,p,(unsigned int)j);
152 139
153 return(j); 140 return(j);
154 } 141 }
155 142
156int RSA_padding_add_PKCS1_type_2(to,tlen,from,flen) 143int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
157unsigned char *to; 144 const unsigned char *from, int flen)
158int tlen;
159unsigned char *from;
160int flen;
161 { 145 {
162 int i,j; 146 int i,j;
163 unsigned char *p; 147 unsigned char *p;
@@ -176,12 +160,14 @@ int flen;
176 /* pad out with non-zero random data */ 160 /* pad out with non-zero random data */
177 j=tlen-3-flen; 161 j=tlen-3-flen;
178 162
179 RAND_bytes(p,j); 163 if (RAND_bytes(p,j) <= 0)
164 return(0);
180 for (i=0; i<j; i++) 165 for (i=0; i<j; i++)
181 { 166 {
182 if (*p == '\0') 167 if (*p == '\0')
183 do { 168 do {
184 RAND_bytes(p,1); 169 if (RAND_bytes(p,1) <= 0)
170 return(0);
185 } while (*p == '\0'); 171 } while (*p == '\0');
186 p++; 172 p++;
187 } 173 }
@@ -192,21 +178,21 @@ int flen;
192 return(1); 178 return(1);
193 } 179 }
194 180
195int RSA_padding_check_PKCS1_type_2(to,tlen,from,flen) 181int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
196unsigned char *to; 182 const unsigned char *from, int flen, int num)
197int tlen;
198unsigned char *from;
199int flen;
200 { 183 {
201 int i,j; 184 int i,j;
202 unsigned char *p; 185 const unsigned char *p;
203 186
204 p=from; 187 p=from;
205 if (*(p++) != 02) 188 if ((num != (flen+1)) || (*(p++) != 02))
206 { 189 {
207 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02); 190 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02);
208 return(-1); 191 return(-1);
209 } 192 }
193#ifdef PKCS1_CHECK
194 return(num-11);
195#endif
210 196
211 /* scan over padding data */ 197 /* scan over padding data */
212 j=flen-1; /* one for type. */ 198 j=flen-1; /* one for type. */
@@ -226,6 +212,11 @@ int flen;
226 } 212 }
227 i++; /* Skip over the '\0' */ 213 i++; /* Skip over the '\0' */
228 j-=i; 214 j-=i;
215 if (j > tlen)
216 {
217 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE);
218 return(-1);
219 }
229 memcpy(to,p,(unsigned int)j); 220 memcpy(to,p,(unsigned int)j);
230 221
231 return(j); 222 return(j);
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
index fb0fae5a43..85adacc08f 100644
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -58,18 +58,14 @@
58 58
59#include <stdio.h> 59#include <stdio.h>
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include "bn.h" 61#include <openssl/bn.h>
62#include "rsa.h" 62#include <openssl/rsa.h>
63#include "objects.h" 63#include <openssl/objects.h>
64#include "x509.h" 64#include <openssl/x509.h>
65 65
66int RSA_sign_ASN1_OCTET_STRING(type,m,m_len,sigret,siglen,rsa) 66int RSA_sign_ASN1_OCTET_STRING(int type,
67int type; 67 const unsigned char *m, unsigned int m_len,
68unsigned char *m; 68 unsigned char *sigret, unsigned int *siglen, RSA *rsa)
69unsigned int m_len;
70unsigned char *sigret;
71unsigned int *siglen;
72RSA *rsa;
73 { 69 {
74 ASN1_OCTET_STRING sig; 70 ASN1_OCTET_STRING sig;
75 int i,j,ret=1; 71 int i,j,ret=1;
@@ -77,7 +73,7 @@ RSA *rsa;
77 73
78 sig.type=V_ASN1_OCTET_STRING; 74 sig.type=V_ASN1_OCTET_STRING;
79 sig.length=m_len; 75 sig.length=m_len;
80 sig.data=m; 76 sig.data=(unsigned char *)m;
81 77
82 i=i2d_ASN1_OCTET_STRING(&sig,NULL); 78 i=i2d_ASN1_OCTET_STRING(&sig,NULL);
83 j=RSA_size(rsa); 79 j=RSA_size(rsa);
@@ -86,7 +82,7 @@ RSA *rsa;
86 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); 82 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
87 return(0); 83 return(0);
88 } 84 }
89 s=(unsigned char *)Malloc((unsigned int)j+1); 85 s=(unsigned char *)OPENSSL_malloc((unsigned int)j+1);
90 if (s == NULL) 86 if (s == NULL)
91 { 87 {
92 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE); 88 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
@@ -101,17 +97,14 @@ RSA *rsa;
101 *siglen=i; 97 *siglen=i;
102 98
103 memset(s,0,(unsigned int)j+1); 99 memset(s,0,(unsigned int)j+1);
104 Free(s); 100 OPENSSL_free(s);
105 return(ret); 101 return(ret);
106 } 102 }
107 103
108int RSA_verify_ASN1_OCTET_STRING(dtype, m, m_len, sigbuf, siglen, rsa) 104int RSA_verify_ASN1_OCTET_STRING(int dtype,
109int dtype; 105 const unsigned char *m,
110unsigned char *m; 106 unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
111unsigned int m_len; 107 RSA *rsa)
112unsigned char *sigbuf;
113unsigned int siglen;
114RSA *rsa;
115 { 108 {
116 int i,ret=0; 109 int i,ret=0;
117 unsigned char *p,*s; 110 unsigned char *p,*s;
@@ -123,7 +116,7 @@ RSA *rsa;
123 return(0); 116 return(0);
124 } 117 }
125 118
126 s=(unsigned char *)Malloc((unsigned int)siglen); 119 s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);
127 if (s == NULL) 120 if (s == NULL)
128 { 121 {
129 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE); 122 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
@@ -145,9 +138,9 @@ RSA *rsa;
145 else 138 else
146 ret=1; 139 ret=1;
147err: 140err:
148 if (sig != NULL) ASN1_OCTET_STRING_free(sig); 141 if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
149 memset(s,0,(unsigned int)siglen); 142 memset(s,0,(unsigned int)siglen);
150 Free(s); 143 OPENSSL_free(s);
151 return(ret); 144 return(ret);
152 } 145 }
153 146
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index 28c5571e74..2a440901de 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -58,79 +58,92 @@
58 58
59#include <stdio.h> 59#include <stdio.h>
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include "bn.h" 61#include <openssl/bn.h>
62#include "rsa.h" 62#include <openssl/rsa.h>
63#include "objects.h" 63#include <openssl/objects.h>
64#include "x509.h" 64#include <openssl/x509.h>
65 65#include <openssl/engine.h>
66int RSA_sign(type,m,m_len,sigret,siglen,rsa) 66
67int type; 67/* Size of an SSL signature: MD5+SHA1 */
68unsigned char *m; 68#define SSL_SIG_LENGTH 36
69unsigned int m_len; 69
70unsigned char *sigret; 70int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
71unsigned int *siglen; 71 unsigned char *sigret, unsigned int *siglen, RSA *rsa)
72RSA *rsa;
73 { 72 {
74 X509_SIG sig; 73 X509_SIG sig;
75 ASN1_TYPE parameter; 74 ASN1_TYPE parameter;
76 int i,j,ret=1; 75 int i,j,ret=1;
77 unsigned char *p,*s; 76 unsigned char *p, *tmps = NULL;
77 const unsigned char *s = NULL;
78 X509_ALGOR algor; 78 X509_ALGOR algor;
79 ASN1_OCTET_STRING digest; 79 ASN1_OCTET_STRING digest;
80 80 if((rsa->flags & RSA_FLAG_SIGN_VER)
81 sig.algor= &algor; 81 && ENGINE_get_RSA(rsa->engine)->rsa_sign)
82 sig.algor->algorithm=OBJ_nid2obj(type); 82 return ENGINE_get_RSA(rsa->engine)->rsa_sign(type,
83 if (sig.algor->algorithm == NULL) 83 m, m_len, sigret, siglen, rsa);
84 { 84 /* Special case: SSL signature, just check the length */
85 RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE); 85 if(type == NID_md5_sha1) {
86 return(0); 86 if(m_len != SSL_SIG_LENGTH) {
87 } 87 RSAerr(RSA_F_RSA_SIGN,RSA_R_INVALID_MESSAGE_LENGTH);
88 if (sig.algor->algorithm->length == 0) 88 return(0);
89 {
90 RSAerr(RSA_F_RSA_SIGN,RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
91 return(0);
92 } 89 }
93 parameter.type=V_ASN1_NULL; 90 i = SSL_SIG_LENGTH;
94 parameter.value.ptr=NULL; 91 s = m;
95 sig.algor->parameter= &parameter; 92 } else {
93 sig.algor= &algor;
94 sig.algor->algorithm=OBJ_nid2obj(type);
95 if (sig.algor->algorithm == NULL)
96 {
97 RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
98 return(0);
99 }
100 if (sig.algor->algorithm->length == 0)
101 {
102 RSAerr(RSA_F_RSA_SIGN,RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
103 return(0);
104 }
105 parameter.type=V_ASN1_NULL;
106 parameter.value.ptr=NULL;
107 sig.algor->parameter= &parameter;
96 108
97 sig.digest= &digest; 109 sig.digest= &digest;
98 sig.digest->data=m; 110 sig.digest->data=(unsigned char *)m; /* TMP UGLY CAST */
99 sig.digest->length=m_len; 111 sig.digest->length=m_len;
100 112
101 i=i2d_X509_SIG(&sig,NULL); 113 i=i2d_X509_SIG(&sig,NULL);
114 }
102 j=RSA_size(rsa); 115 j=RSA_size(rsa);
103 if ((i-RSA_PKCS1_PADDING) > j) 116 if ((i-RSA_PKCS1_PADDING) > j)
104 { 117 {
105 RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); 118 RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
106 return(0); 119 return(0);
107 } 120 }
108 s=(unsigned char *)Malloc((unsigned int)j+1); 121 if(type != NID_md5_sha1) {
109 if (s == NULL) 122 tmps=(unsigned char *)OPENSSL_malloc((unsigned int)j+1);
110 { 123 if (tmps == NULL)
111 RSAerr(RSA_F_RSA_SIGN,ERR_R_MALLOC_FAILURE); 124 {
112 return(0); 125 RSAerr(RSA_F_RSA_SIGN,ERR_R_MALLOC_FAILURE);
113 } 126 return(0);
114 p=s; 127 }
115 i2d_X509_SIG(&sig,&p); 128 p=tmps;
129 i2d_X509_SIG(&sig,&p);
130 s=tmps;
131 }
116 i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING); 132 i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
117 if (i <= 0) 133 if (i <= 0)
118 ret=0; 134 ret=0;
119 else 135 else
120 *siglen=i; 136 *siglen=i;
121 137
122 memset(s,0,(unsigned int)j+1); 138 if(type != NID_md5_sha1) {
123 Free(s); 139 memset(tmps,0,(unsigned int)j+1);
140 OPENSSL_free(tmps);
141 }
124 return(ret); 142 return(ret);
125 } 143 }
126 144
127int RSA_verify(dtype, m, m_len, sigbuf, siglen, rsa) 145int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
128int dtype; 146 unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
129unsigned char *m;
130unsigned int m_len;
131unsigned char *sigbuf;
132unsigned int siglen;
133RSA *rsa;
134 { 147 {
135 int i,ret=0,sigtype; 148 int i,ret=0,sigtype;
136 unsigned char *p,*s; 149 unsigned char *p,*s;
@@ -142,55 +155,74 @@ RSA *rsa;
142 return(0); 155 return(0);
143 } 156 }
144 157
145 s=(unsigned char *)Malloc((unsigned int)siglen); 158 if((rsa->flags & RSA_FLAG_SIGN_VER)
159 && ENGINE_get_RSA(rsa->engine)->rsa_verify)
160 return ENGINE_get_RSA(rsa->engine)->rsa_verify(dtype,
161 m, m_len, sigbuf, siglen, rsa);
162
163 s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);
146 if (s == NULL) 164 if (s == NULL)
147 { 165 {
148 RSAerr(RSA_F_RSA_VERIFY,ERR_R_MALLOC_FAILURE); 166 RSAerr(RSA_F_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
149 goto err; 167 goto err;
150 } 168 }
169 if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
170 RSAerr(RSA_F_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
171 return(0);
172 }
151 i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING); 173 i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
152 174
153 if (i <= 0) goto err; 175 if (i <= 0) goto err;
154 176
155 p=s; 177 /* Special case: SSL signature */
156 sig=d2i_X509_SIG(NULL,&p,(long)i); 178 if(dtype == NID_md5_sha1) {
157 if (sig == NULL) goto err; 179 if((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH))
158 sigtype=OBJ_obj2nid(sig->algor->algorithm); 180 RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
181 else ret = 1;
182 } else {
183 p=s;
184 sig=d2i_X509_SIG(NULL,&p,(long)i);
159 185
160#ifdef RSA_DEBUG 186 if (sig == NULL) goto err;
161 /* put a backward compatability flag in EAY */ 187 sigtype=OBJ_obj2nid(sig->algor->algorithm);
162 fprintf(stderr,"in(%s) expect(%s)\n",OBJ_nid2ln(sigtype), 188
163 OBJ_nid2ln(dtype)); 189
164#endif 190 #ifdef RSA_DEBUG
165 if (sigtype != dtype) 191 /* put a backward compatibility flag in EAY */
166 { 192 fprintf(stderr,"in(%s) expect(%s)\n",OBJ_nid2ln(sigtype),
167 if (((dtype == NID_md5) && 193 OBJ_nid2ln(dtype));
168 (sigtype == NID_md5WithRSAEncryption)) || 194 #endif
169 ((dtype == NID_md2) && 195 if (sigtype != dtype)
170 (sigtype == NID_md2WithRSAEncryption)))
171 { 196 {
172 /* ok, we will let it through */ 197 if (((dtype == NID_md5) &&
173#if !defined(NO_STDIO) && !defined(WIN16) 198 (sigtype == NID_md5WithRSAEncryption)) ||
174 fprintf(stderr,"signature has problems, re-make with post SSLeay045\n"); 199 ((dtype == NID_md2) &&
200 (sigtype == NID_md2WithRSAEncryption)))
201 {
202 /* ok, we will let it through */
203#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
204 fprintf(stderr,"signature has problems, re-make with post SSLeay045\n");
175#endif 205#endif
206 }
207 else
208 {
209 RSAerr(RSA_F_RSA_VERIFY,
210 RSA_R_ALGORITHM_MISMATCH);
211 goto err;
212 }
176 } 213 }
177 else 214 if ( ((unsigned int)sig->digest->length != m_len) ||
215 (memcmp(m,sig->digest->data,m_len) != 0))
178 { 216 {
179 RSAerr(RSA_F_RSA_VERIFY,RSA_R_ALGORITHM_MISMATCH); 217 RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
180 goto err;
181 } 218 }
182 } 219 else
183 if ( ((unsigned int)sig->digest->length != m_len) || 220 ret=1;
184 (memcmp(m,sig->digest->data,m_len) != 0)) 221 }
185 {
186 RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
187 }
188 else
189 ret=1;
190err: 222err:
191 if (sig != NULL) X509_SIG_free(sig); 223 if (sig != NULL) X509_SIG_free(sig);
192 memset(s,0,(unsigned int)siglen); 224 memset(s,0,(unsigned int)siglen);
193 Free(s); 225 OPENSSL_free(s);
194 return(ret); 226 return(ret);
195 } 227 }
196 228
diff --git a/src/lib/libcrypto/rsa/rsa_ssl.c b/src/lib/libcrypto/rsa/rsa_ssl.c
index 9bcd4b2c03..ea72629494 100644
--- a/src/lib/libcrypto/rsa/rsa_ssl.c
+++ b/src/lib/libcrypto/rsa/rsa_ssl.c
@@ -58,15 +58,12 @@
58 58
59#include <stdio.h> 59#include <stdio.h>
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include "bn.h" 61#include <openssl/bn.h>
62#include "rsa.h" 62#include <openssl/rsa.h>
63#include "rand.h" 63#include <openssl/rand.h>
64 64
65int RSA_padding_add_SSLv23(to,tlen,from,flen) 65int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
66unsigned char *to; 66 const unsigned char *from, int flen)
67int tlen;
68unsigned char *from;
69int flen;
70 { 67 {
71 int i,j; 68 int i,j;
72 unsigned char *p; 69 unsigned char *p;
@@ -85,12 +82,14 @@ int flen;
85 /* pad out with non-zero random data */ 82 /* pad out with non-zero random data */
86 j=tlen-3-8-flen; 83 j=tlen-3-8-flen;
87 84
88 RAND_bytes(p,j); 85 if (RAND_bytes(p,j) <= 0)
86 return(0);
89 for (i=0; i<j; i++) 87 for (i=0; i<j; i++)
90 { 88 {
91 if (*p == '\0') 89 if (*p == '\0')
92 do { 90 do {
93 RAND_bytes(p,1); 91 if (RAND_bytes(p,1) <= 0)
92 return(0);
94 } while (*p == '\0'); 93 } while (*p == '\0');
95 p++; 94 p++;
96 } 95 }
@@ -103,14 +102,11 @@ int flen;
103 return(1); 102 return(1);
104 } 103 }
105 104
106int RSA_padding_check_SSLv23(to,tlen,from,flen) 105int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
107unsigned char *to; 106 const unsigned char *from, int flen, int num)
108int tlen;
109unsigned char *from;
110int flen;
111 { 107 {
112 int i,j,k; 108 int i,j,k;
113 unsigned char *p; 109 const unsigned char *p;
114 110
115 p=from; 111 p=from;
116 if (flen < 10) 112 if (flen < 10)
@@ -118,7 +114,7 @@ int flen;
118 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_SMALL); 114 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_SMALL);
119 return(-1); 115 return(-1);
120 } 116 }
121 if (*(p++) != 02) 117 if ((num != (flen+1)) || (*(p++) != 02))
122 { 118 {
123 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_BLOCK_TYPE_IS_NOT_02); 119 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_BLOCK_TYPE_IS_NOT_02);
124 return(-1); 120 return(-1);
@@ -138,7 +134,7 @@ int flen;
138 { 134 {
139 if (p[k] != 0x03) break; 135 if (p[k] != 0x03) break;
140 } 136 }
141 if (k == 0) 137 if (k == -1)
142 { 138 {
143 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_SSLV3_ROLLBACK_ATTACK); 139 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_SSLV3_ROLLBACK_ATTACK);
144 return(-1); 140 return(-1);
@@ -146,6 +142,11 @@ int flen;
146 142
147 i++; /* Skip over the '\0' */ 143 i++; /* Skip over the '\0' */
148 j-=i; 144 j-=i;
145 if (j > tlen)
146 {
147 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_LARGE);
148 return(-1);
149 }
149 memcpy(to,p,(unsigned int)j); 150 memcpy(to,p,(unsigned int)j);
150 151
151 return(j); 152 return(j);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-30 01:15:33 +0000