1 files changed, 99 insertions, 33 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c
index 38f7c0be0b..8e56a8c4cd 100644
--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ b/src/lib/libcrypto/rsa/rsa_pk1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pk1.c,v 1.16 2023/07/08 12:26:45 beck Exp $ */
+/* $OpenBSD: rsa_pk1.c,v 1.17 2024/03/30 04:34:17 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -64,31 +64,61 @@
 #include <openssl/err.h>
 #include <openssl/rsa.h>
+#include "bytestring.h"
 int
 RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
    const unsigned char *from, int flen)
 {
-        int j;
+        CBB cbb;
-        unsigned char *p;
+        int i;
+        int ret = 0;
+        /*
+         * Pad data block with PKCS1 type 1 padding - RFC 2313, section 8.1.
+         */
+        memset(&cbb, 0, sizeof(cbb));
-        if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) {
+        if (flen < 0 || tlen < 0)
+                goto err;
+        if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {
                RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-                return 0;
+                goto err;
+        }
+        if (!CBB_init_fixed(&cbb, to, tlen))
+                goto err;
+        /*
+         * Add leading NUL, block type (0x01), padding bytes (0xff) and
+         * trailing NUL.
+         */
+        if (!CBB_add_u8(&cbb, 0))
+                goto err;
+        if (!CBB_add_u8(&cbb, 1))
+                goto err;
+        for (i = 0; i < tlen - 3 - flen; i++) {
+                if (!CBB_add_u8(&cbb, 0xff))
+                        goto err;
        }
+        if (!CBB_add_u8(&cbb, 0))
+                goto err;
+        /* Now add the actual data. */
+        if (!CBB_add_bytes(&cbb, from, flen))
+                goto err;
-        p = (unsigned char *)to;
+        if (!CBB_finish(&cbb, NULL, NULL))
+                goto err;
-        *(p++) = 0;
+        ret = 1;
-        *(p++) = 1; /* Private Key BT (Block Type) */
-        /* pad out with 0xff data */
+ err:
-        j = tlen - 3 - flen;
+        CBB_cleanup(&cbb);
-        memset(p, 0xff, j);
-        p += j;
-        *(p++) = '\0';
-        memcpy(p, from, flen);
-        return 1;
+        return ret;
 }
 LCRYPTO_ALIAS(RSA_padding_add_PKCS1_type_1);
@@ -146,33 +176,69 @@ int
 RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
    const unsigned char *from, int flen)
 {
-        int i, j;
+        uint8_t padding[256];
-        unsigned char *p;
+        uint8_t pad;
+        CBB cbb;
+        CBS cbs;
+        int i;
+        int ret = 0;
+        /*
+         * Pad data block with PKCS1 type 2 padding - RFC 2313, section 8.1.
+         */
-        if (flen > tlen - 11) {
+        memset(&cbb, 0, sizeof(cbb));
+        CBS_init(&cbs, NULL, 0);
+        if (flen < 0 || tlen < 0)
+                goto err;
+        if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {
                RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-                return 0;
+                goto err;
        }
-        p = (unsigned char *)to;
+        if (!CBB_init_fixed(&cbb, to, tlen))
+                goto err;
-        *(p++) = 0;
-        *(p++) = 2; /* Public Key BT (Block Type) */
-        /* pad out with non-zero random data */
+        /*
-        j = tlen - 3 - flen;
+         * Add leading NUL, block type (0x02), padding bytes (random non-zero
+         * bytes) and trailing NUL.
+         */
+        if (!CBB_add_u8(&cbb, 0))
+                goto err;
+        if (!CBB_add_u8(&cbb, 2))
+                goto err;
+        for (i = 0; i < tlen - 3 - flen; i++) {
+                do {
+                        if (CBS_len(&cbs) == 0) {
+                                arc4random_buf(padding, sizeof(padding));
+                                CBS_init(&cbs, padding, sizeof(padding));
+                        }
+                        if (!CBS_get_u8(&cbs, &pad))
+                                goto err;
+                } while (pad == 0);
-        arc4random_buf(p, j);
+                if (!CBB_add_u8(&cbb, pad))
-        for (i = 0; i < j; i++) {
+                        goto err;
-                while (*p == '\0')
-                        arc4random_buf(p, 1);
-                p++;
        }
+        if (!CBB_add_u8(&cbb, 0))
+                goto err;
+        /* Now add the actual data. */
+        if (!CBB_add_bytes(&cbb, from, flen))
+                goto err;
+        if (!CBB_finish(&cbb, NULL, NULL))
+                goto err;
+        ret = 1;
-        *(p++) = '\0';
+ err:
+        CBB_cleanup(&cbb);
+        explicit_bzero(padding, sizeof(padding));
-        memcpy(p, from, flen);
+        return ret;
-        return 1;
 }
 LCRYPTO_ALIAS(RSA_padding_add_PKCS1_type_2);

diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c index 38f7c0be0b..8e56a8c4cd 100644 --- a/src/lib/libcrypto/rsa/rsa_pk1.c +++ b/src/lib/libcrypto/rsa/rsa_pk1.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_pk1.c,v 1.16 2023/07/08 12:26:45 beck Exp $ */	1	/* $OpenBSD: rsa_pk1.c,v 1.17 2024/03/30 04:34:17 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -64,31 +64,61 @@
64	#include <openssl/err.h>	64	#include <openssl/err.h>
65	#include <openssl/rsa.h>	65	#include <openssl/rsa.h>
66		66
		67	#include "bytestring.h"
		68
67	int	69	int
68	RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,	70	RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
69	const unsigned char *from, int flen)	71	const unsigned char *from, int flen)
70	{	72	{
71	int j;	73	CBB cbb;
72	unsigned char *p;	74	int i;
		75	int ret = 0;
		76
		77	/*
		78	* Pad data block with PKCS1 type 1 padding - RFC 2313, section 8.1.
		79	*/
		80
		81	memset(&cbb, 0, sizeof(cbb));
73		82
74	if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) {	83	if (flen < 0 \|\| tlen < 0)
		84	goto err;
		85
		86	if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {
75	RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);	87	RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
76	return 0;	88	goto err;
		89	}
		90
		91	if (!CBB_init_fixed(&cbb, to, tlen))
		92	goto err;
		93
		94	/*
		95	* Add leading NUL, block type (0x01), padding bytes (0xff) and
		96	* trailing NUL.
		97	*/
		98	if (!CBB_add_u8(&cbb, 0))
		99	goto err;
		100	if (!CBB_add_u8(&cbb, 1))
		101	goto err;
		102	for (i = 0; i < tlen - 3 - flen; i++) {
		103	if (!CBB_add_u8(&cbb, 0xff))
		104	goto err;
77	}	105	}
		106	if (!CBB_add_u8(&cbb, 0))
		107	goto err;
		108
		109	/* Now add the actual data. */
		110	if (!CBB_add_bytes(&cbb, from, flen))
		111	goto err;
78		112
79	p = (unsigned char *)to;	113	if (!CBB_finish(&cbb, NULL, NULL))
		114	goto err;
80		115
81	*(p++) = 0;	116	ret = 1;
82	(p++) = 1; / Private Key BT (Block Type) */
83		117
84	/* pad out with 0xff data */	118	err:
85	j = tlen - 3 - flen;	119	CBB_cleanup(&cbb);
86	memset(p, 0xff, j);
87	p += j;
88	*(p++) = '\0';
89	memcpy(p, from, flen);
90		120
91	return 1;	121	return ret;
92	}	122	}
93	LCRYPTO_ALIAS(RSA_padding_add_PKCS1_type_1);	123	LCRYPTO_ALIAS(RSA_padding_add_PKCS1_type_1);
94		124
@@ -146,33 +176,69 @@ int
146	RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,	176	RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
147	const unsigned char *from, int flen)	177	const unsigned char *from, int flen)
148	{	178	{
149	int i, j;	179	uint8_t padding[256];
150	unsigned char *p;	180	uint8_t pad;
		181	CBB cbb;
		182	CBS cbs;
		183	int i;
		184	int ret = 0;
		185
		186	/*
		187	* Pad data block with PKCS1 type 2 padding - RFC 2313, section 8.1.
		188	*/
151		189
152	if (flen > tlen - 11) {	190	memset(&cbb, 0, sizeof(cbb));
		191	CBS_init(&cbs, NULL, 0);
		192
		193	if (flen < 0 \|\| tlen < 0)
		194	goto err;
		195
		196	if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {
153	RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);	197	RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
154	return 0;	198	goto err;
155	}	199	}
156		200
157	p = (unsigned char *)to;	201	if (!CBB_init_fixed(&cbb, to, tlen))
158		202	goto err;
159	*(p++) = 0;
160	(p++) = 2; / Public Key BT (Block Type) */
161		203
162	/* pad out with non-zero random data */	204	/*
163	j = tlen - 3 - flen;	205	* Add leading NUL, block type (0x02), padding bytes (random non-zero
		206	* bytes) and trailing NUL.
		207	*/
		208	if (!CBB_add_u8(&cbb, 0))
		209	goto err;
		210	if (!CBB_add_u8(&cbb, 2))
		211	goto err;
		212	for (i = 0; i < tlen - 3 - flen; i++) {
		213	do {
		214	if (CBS_len(&cbs) == 0) {
		215	arc4random_buf(padding, sizeof(padding));
		216	CBS_init(&cbs, padding, sizeof(padding));
		217	}
		218	if (!CBS_get_u8(&cbs, &pad))
		219	goto err;
		220	} while (pad == 0);
164		221
165	arc4random_buf(p, j);	222	if (!CBB_add_u8(&cbb, pad))
166	for (i = 0; i < j; i++) {	223	goto err;
167	while (*p == '\0')
168	arc4random_buf(p, 1);
169	p++;
170	}	224	}
		225	if (!CBB_add_u8(&cbb, 0))
		226	goto err;
		227
		228	/* Now add the actual data. */
		229	if (!CBB_add_bytes(&cbb, from, flen))
		230	goto err;
		231
		232	if (!CBB_finish(&cbb, NULL, NULL))
		233	goto err;
		234
		235	ret = 1;
171		236
172	*(p++) = '\0';	237	err:
		238	CBB_cleanup(&cbb);
		239	explicit_bzero(padding, sizeof(padding));
173		240
174	memcpy(p, from, flen);	241	return ret;
175	return 1;
176	}	242	}
177	LCRYPTO_ALIAS(RSA_padding_add_PKCS1_type_2);	243	LCRYPTO_ALIAS(RSA_padding_add_PKCS1_type_2);
178		244