summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/rsa')
-rw-r--r--src/lib/libcrypto/rsa/rsa.h67
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c247
-rw-r--r--src/lib/libcrypto/rsa/rsa_err.c135
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c3
-rw-r--r--src/lib/libcrypto/rsa/rsa_oaep.c32
-rw-r--r--src/lib/libcrypto/rsa/rsa_test.c5
6 files changed, 300 insertions, 189 deletions
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index fc3bb5f86d..0b639cd37f 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -157,33 +157,41 @@ struct rsa_st
157#define RSA_3 0x3L 157#define RSA_3 0x3L
158#define RSA_F4 0x10001L 158#define RSA_F4 0x10001L
159 159
160#define RSA_METHOD_FLAG_NO_CHECK 0x01 /* don't check pub/private match */ 160#define RSA_METHOD_FLAG_NO_CHECK 0x0001 /* don't check pub/private match */
161 161
162#define RSA_FLAG_CACHE_PUBLIC 0x02 162#define RSA_FLAG_CACHE_PUBLIC 0x0002
163#define RSA_FLAG_CACHE_PRIVATE 0x04 163#define RSA_FLAG_CACHE_PRIVATE 0x0004
164#define RSA_FLAG_BLINDING 0x08 164#define RSA_FLAG_BLINDING 0x0008
165#define RSA_FLAG_THREAD_SAFE 0x10 165#define RSA_FLAG_THREAD_SAFE 0x0010
166/* This flag means the private key operations will be handled by rsa_mod_exp 166/* This flag means the private key operations will be handled by rsa_mod_exp
167 * and that they do not depend on the private key components being present: 167 * and that they do not depend on the private key components being present:
168 * for example a key stored in external hardware. Without this flag bn_mod_exp 168 * for example a key stored in external hardware. Without this flag bn_mod_exp
169 * gets called when private key components are absent. 169 * gets called when private key components are absent.
170 */ 170 */
171#define RSA_FLAG_EXT_PKEY 0x20 171#define RSA_FLAG_EXT_PKEY 0x0020
172 172
173/* This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions. 173/* This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
174 */ 174 */
175#define RSA_FLAG_SIGN_VER 0x40 175#define RSA_FLAG_SIGN_VER 0x0040
176 176
177#define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in 177#define RSA_FLAG_NO_BLINDING 0x0080 /* new with 0.9.6j and 0.9.7b; the built-in
178 * RSA implementation now uses blinding by 178 * RSA implementation now uses blinding by
179 * default (ignoring RSA_FLAG_BLINDING), 179 * default (ignoring RSA_FLAG_BLINDING),
180 * but other engines might not need it 180 * but other engines might not need it
181 */ 181 */
182#define RSA_FLAG_NO_EXP_CONSTTIME 0x0100 /* new with 0.9.7h; the built-in RSA
183 * implementation now uses constant time
184 * modular exponentiation for secret exponents
185 * by default. This flag causes the
186 * faster variable sliding window method to
187 * be used for all exponents.
188 */
182 189
183#define RSA_PKCS1_PADDING 1 190#define RSA_PKCS1_PADDING 1
184#define RSA_SSLV23_PADDING 2 191#define RSA_SSLV23_PADDING 2
185#define RSA_NO_PADDING 3 192#define RSA_NO_PADDING 3
186#define RSA_PKCS1_OAEP_PADDING 4 193#define RSA_PKCS1_OAEP_PADDING 4
194#define RSA_X931_PADDING 5
187 195
188#define RSA_PKCS1_PADDING_SIZE 11 196#define RSA_PKCS1_PADDING_SIZE 11
189 197
@@ -196,6 +204,15 @@ int RSA_size(const RSA *);
196RSA * RSA_generate_key(int bits, unsigned long e,void 204RSA * RSA_generate_key(int bits, unsigned long e,void
197 (*callback)(int,int,void *),void *cb_arg); 205 (*callback)(int,int,void *),void *cb_arg);
198int RSA_check_key(const RSA *); 206int RSA_check_key(const RSA *);
207#ifdef OPENSSL_FIPS
208int RSA_X931_derive(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
209 void (*cb)(int, int, void *), void *cb_arg,
210 const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
211 const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
212 const BIGNUM *e);
213RSA *RSA_X931_generate_key(int bits, const BIGNUM *e,
214 void (*cb)(int,int,void *), void *cb_arg);
215#endif
199 /* next 4 return -1 on error */ 216 /* next 4 return -1 on error */
200int RSA_public_encrypt(int flen, const unsigned char *from, 217int RSA_public_encrypt(int flen, const unsigned char *from,
201 unsigned char *to, RSA *rsa,int padding); 218 unsigned char *to, RSA *rsa,int padding);
@@ -268,6 +285,8 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to,int tlen,
268 const unsigned char *f,int fl); 285 const unsigned char *f,int fl);
269int RSA_padding_check_PKCS1_type_2(unsigned char *to,int tlen, 286int RSA_padding_check_PKCS1_type_2(unsigned char *to,int tlen,
270 const unsigned char *f,int fl,int rsa_len); 287 const unsigned char *f,int fl,int rsa_len);
288int PKCS1_MGF1(unsigned char *mask, long len,
289 const unsigned char *seed, long seedlen, const EVP_MD *dgst);
271int RSA_padding_add_PKCS1_OAEP(unsigned char *to,int tlen, 290int RSA_padding_add_PKCS1_OAEP(unsigned char *to,int tlen,
272 const unsigned char *f,int fl, 291 const unsigned char *f,int fl,
273 const unsigned char *p,int pl); 292 const unsigned char *p,int pl);
@@ -282,6 +301,17 @@ int RSA_padding_add_none(unsigned char *to,int tlen,
282 const unsigned char *f,int fl); 301 const unsigned char *f,int fl);
283int RSA_padding_check_none(unsigned char *to,int tlen, 302int RSA_padding_check_none(unsigned char *to,int tlen,
284 const unsigned char *f,int fl,int rsa_len); 303 const unsigned char *f,int fl,int rsa_len);
304int RSA_padding_add_X931(unsigned char *to,int tlen,
305 const unsigned char *f,int fl);
306int RSA_padding_check_X931(unsigned char *to,int tlen,
307 const unsigned char *f,int fl,int rsa_len);
308int RSA_X931_hash_id(int nid);
309
310int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
311 const EVP_MD *Hash, const unsigned char *EM, int sLen);
312int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
313 const unsigned char *mHash,
314 const EVP_MD *Hash, int sLen);
285 315
286int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 316int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
287 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 317 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
@@ -311,20 +341,24 @@ void ERR_load_RSA_strings(void);
311#define RSA_F_RSA_NULL 124 341#define RSA_F_RSA_NULL 124
312#define RSA_F_RSA_PADDING_ADD_NONE 107 342#define RSA_F_RSA_PADDING_ADD_NONE 107
313#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121 343#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
344#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
314#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108 345#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
315#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109 346#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
316#define RSA_F_RSA_PADDING_ADD_SSLV23 110 347#define RSA_F_RSA_PADDING_ADD_SSLV23 110
348#define RSA_F_RSA_PADDING_ADD_X931 127
317#define RSA_F_RSA_PADDING_CHECK_NONE 111 349#define RSA_F_RSA_PADDING_CHECK_NONE 111
318#define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP 122 350#define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP 122
319#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1 112 351#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1 112
320#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2 113 352#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2 113
321#define RSA_F_RSA_PADDING_CHECK_SSLV23 114 353#define RSA_F_RSA_PADDING_CHECK_SSLV23 114
354#define RSA_F_RSA_PADDING_CHECK_X931 128
322#define RSA_F_RSA_PRINT 115 355#define RSA_F_RSA_PRINT 115
323#define RSA_F_RSA_PRINT_FP 116 356#define RSA_F_RSA_PRINT_FP 116
324#define RSA_F_RSA_SIGN 117 357#define RSA_F_RSA_SIGN 117
325#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 358#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
326#define RSA_F_RSA_VERIFY 119 359#define RSA_F_RSA_VERIFY 119
327#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120 360#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
361#define RSA_F_RSA_VERIFY_PKCS1_PSS 126
328 362
329/* Reason codes. */ 363/* Reason codes. */
330#define RSA_R_ALGORITHM_MISMATCH 100 364#define RSA_R_ALGORITHM_MISMATCH 100
@@ -344,9 +378,14 @@ void ERR_load_RSA_strings(void);
344#define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124 378#define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124
345#define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125 379#define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125
346#define RSA_R_D_E_NOT_CONGRUENT_TO_1 123 380#define RSA_R_D_E_NOT_CONGRUENT_TO_1 123
381#define RSA_R_FIRST_OCTET_INVALID 133
382#define RSA_R_INVALID_HEADER 137
347#define RSA_R_INVALID_MESSAGE_LENGTH 131 383#define RSA_R_INVALID_MESSAGE_LENGTH 131
384#define RSA_R_INVALID_PADDING 138
385#define RSA_R_INVALID_TRAILER 139
348#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126 386#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
349#define RSA_R_KEY_SIZE_TOO_SMALL 120 387#define RSA_R_KEY_SIZE_TOO_SMALL 120
388#define RSA_R_LAST_OCTET_INVALID 134
350#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 389#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
351#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 390#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
352#define RSA_R_OAEP_DECODING_ERROR 121 391#define RSA_R_OAEP_DECODING_ERROR 121
@@ -354,6 +393,8 @@ void ERR_load_RSA_strings(void);
354#define RSA_R_P_NOT_PRIME 128 393#define RSA_R_P_NOT_PRIME 128
355#define RSA_R_Q_NOT_PRIME 129 394#define RSA_R_Q_NOT_PRIME 129
356#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130 395#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130
396#define RSA_R_SLEN_CHECK_FAILED 136
397#define RSA_R_SLEN_RECOVERY_FAILED 135
357#define RSA_R_SSLV3_ROLLBACK_ATTACK 115 398#define RSA_R_SSLV3_ROLLBACK_ATTACK 115
358#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116 399#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
359#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117 400#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index d4caab3f95..be4ac96ce3 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -55,6 +55,59 @@
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ====================================================================
59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
58 111
59#include <stdio.h> 112#include <stdio.h>
60#include "cryptlib.h" 113#include "cryptlib.h"
@@ -145,30 +198,13 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
145 goto err; 198 goto err;
146 } 199 }
147 200
148 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) 201 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
149 { 202 {
150 BN_MONT_CTX* bn_mont_ctx; 203 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
151 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 204 CRYPTO_LOCK_RSA, rsa->n, ctx))
152 goto err;
153 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
154 {
155 BN_MONT_CTX_free(bn_mont_ctx);
156 goto err; 205 goto err;
157 }
158 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
159 {
160 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
161 if (rsa->_method_mod_n == NULL)
162 {
163 rsa->_method_mod_n = bn_mont_ctx;
164 bn_mont_ctx = NULL;
165 }
166 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
167 }
168 if (bn_mont_ctx)
169 BN_MONT_CTX_free(bn_mont_ctx);
170 } 206 }
171 207
172 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 208 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
173 rsa->_method_mod_n)) goto err; 209 rsa->_method_mod_n)) goto err;
174 210
@@ -249,7 +285,7 @@ err:
249static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 285static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
250 unsigned char *to, RSA *rsa, int padding) 286 unsigned char *to, RSA *rsa, int padding)
251 { 287 {
252 BIGNUM f,ret; 288 BIGNUM f,ret, *res;
253 int i,j,k,num=0,r= -1; 289 int i,j,k,num=0,r= -1;
254 unsigned char *buf=NULL; 290 unsigned char *buf=NULL;
255 BN_CTX *ctx=NULL; 291 BN_CTX *ctx=NULL;
@@ -331,19 +367,43 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
331 (rsa->dmp1 != NULL) && 367 (rsa->dmp1 != NULL) &&
332 (rsa->dmq1 != NULL) && 368 (rsa->dmq1 != NULL) &&
333 (rsa->iqmp != NULL)) ) 369 (rsa->iqmp != NULL)) )
334 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } 370 {
371 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
372 }
335 else 373 else
336 { 374 {
337 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; 375 BIGNUM local_d;
376 BIGNUM *d = NULL;
377
378 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
379 {
380 BN_init(&local_d);
381 d = &local_d;
382 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
383 }
384 else
385 d = rsa->d;
386 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err;
338 } 387 }
339 388
340 if (blinding) 389 if (blinding)
341 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 390 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
342 391
392 if (padding == RSA_X931_PADDING)
393 {
394 BN_sub(&f, rsa->n, &ret);
395 if (BN_cmp(&ret, &f))
396 res = &f;
397 else
398 res = &ret;
399 }
400 else
401 res = &ret;
402
343 /* put in leading 0 bytes if the number is less than the 403 /* put in leading 0 bytes if the number is less than the
344 * length of the modulus */ 404 * length of the modulus */
345 j=BN_num_bytes(&ret); 405 j=BN_num_bytes(res);
346 i=BN_bn2bin(&ret,&(to[num-j])); 406 i=BN_bn2bin(res,&(to[num-j]));
347 for (k=0; k<(num-i); k++) 407 for (k=0; k<(num-i); k++)
348 to[k]=0; 408 to[k]=0;
349 409
@@ -444,10 +504,22 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
444 (rsa->dmp1 != NULL) && 504 (rsa->dmp1 != NULL) &&
445 (rsa->dmq1 != NULL) && 505 (rsa->dmq1 != NULL) &&
446 (rsa->iqmp != NULL)) ) 506 (rsa->iqmp != NULL)) )
447 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } 507 {
508 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
509 }
448 else 510 else
449 { 511 {
450 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) 512 BIGNUM local_d;
513 BIGNUM *d = NULL;
514
515 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
516 {
517 d = &local_d;
518 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
519 }
520 else
521 d = rsa->d;
522 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL))
451 goto err; 523 goto err;
452 } 524 }
453 525
@@ -534,33 +606,20 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
534 } 606 }
535 607
536 /* do the decrypt */ 608 /* do the decrypt */
537 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) 609
610 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
538 { 611 {
539 BN_MONT_CTX* bn_mont_ctx; 612 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
540 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 613 CRYPTO_LOCK_RSA, rsa->n, ctx))
541 goto err;
542 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
543 {
544 BN_MONT_CTX_free(bn_mont_ctx);
545 goto err; 614 goto err;
546 }
547 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
548 {
549 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
550 if (rsa->_method_mod_n == NULL)
551 {
552 rsa->_method_mod_n = bn_mont_ctx;
553 bn_mont_ctx = NULL;
554 }
555 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
556 }
557 if (bn_mont_ctx)
558 BN_MONT_CTX_free(bn_mont_ctx);
559 } 615 }
560 616
561 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 617 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
562 rsa->_method_mod_n)) goto err; 618 rsa->_method_mod_n)) goto err;
563 619
620 if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12))
621 BN_sub(&ret, rsa->n, &ret);
622
564 p=buf; 623 p=buf;
565 i=BN_bn2bin(&ret,p); 624 i=BN_bn2bin(&ret,p);
566 625
@@ -594,6 +653,8 @@ err:
594static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) 653static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
595 { 654 {
596 BIGNUM r1,m1,vrfy; 655 BIGNUM r1,m1,vrfy;
656 BIGNUM local_dmp1, local_dmq1;
657 BIGNUM *dmp1, *dmq1;
597 int ret=0; 658 int ret=0;
598 BN_CTX *ctx; 659 BN_CTX *ctx;
599 660
@@ -604,61 +665,34 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
604 665
605 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 666 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
606 { 667 {
607 if (rsa->_method_mod_p == NULL) 668 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
608 { 669 CRYPTO_LOCK_RSA, rsa->p, ctx))
609 BN_MONT_CTX* bn_mont_ctx; 670 goto err;
610 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 671 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
611 goto err; 672 CRYPTO_LOCK_RSA, rsa->q, ctx))
612 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx)) 673 goto err;
613 {
614 BN_MONT_CTX_free(bn_mont_ctx);
615 goto err;
616 }
617 if (rsa->_method_mod_p == NULL) /* other thread may have finished first */
618 {
619 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
620 if (rsa->_method_mod_p == NULL)
621 {
622 rsa->_method_mod_p = bn_mont_ctx;
623 bn_mont_ctx = NULL;
624 }
625 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
626 }
627 if (bn_mont_ctx)
628 BN_MONT_CTX_free(bn_mont_ctx);
629 }
630
631 if (rsa->_method_mod_q == NULL)
632 {
633 BN_MONT_CTX* bn_mont_ctx;
634 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
635 goto err;
636 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
637 {
638 BN_MONT_CTX_free(bn_mont_ctx);
639 goto err;
640 }
641 if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
642 {
643 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
644 if (rsa->_method_mod_q == NULL)
645 {
646 rsa->_method_mod_q = bn_mont_ctx;
647 bn_mont_ctx = NULL;
648 }
649 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
650 }
651 if (bn_mont_ctx)
652 BN_MONT_CTX_free(bn_mont_ctx);
653 }
654 } 674 }
655 675
656 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; 676 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
657 if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, 677 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
678 {
679 dmq1 = &local_dmq1;
680 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME);
681 }
682 else
683 dmq1 = rsa->dmq1;
684 if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx,
658 rsa->_method_mod_q)) goto err; 685 rsa->_method_mod_q)) goto err;
659 686
660 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; 687 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
661 if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx, 688 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
689 {
690 dmp1 = &local_dmp1;
691 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME);
692 }
693 else
694 dmp1 = rsa->dmp1;
695 if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx,
662 rsa->_method_mod_p)) goto err; 696 rsa->_method_mod_p)) goto err;
663 697
664 if (!BN_sub(r0,r0,&m1)) goto err; 698 if (!BN_sub(r0,r0,&m1)) goto err;
@@ -693,10 +727,23 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
693 if (vrfy.neg) 727 if (vrfy.neg)
694 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; 728 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
695 if (!BN_is_zero(&vrfy)) 729 if (!BN_is_zero(&vrfy))
730 {
696 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 731 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
697 * miscalculated CRT output, just do a raw (slower) 732 * miscalculated CRT output, just do a raw (slower)
698 * mod_exp and return that instead. */ 733 * mod_exp and return that instead. */
699 if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err; 734
735 BIGNUM local_d;
736 BIGNUM *d = NULL;
737
738 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
739 {
740 d = &local_d;
741 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
742 }
743 else
744 d = rsa->d;
745 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err;
746 }
700 } 747 }
701 ret=1; 748 ret=1;
702err: 749err:
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
index a7766c3b76..2ec4b30ff7 100644
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -1,6 +1,6 @@
1/* crypto/rsa/rsa_err.c */ 1/* crypto/rsa/rsa_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -64,70 +64,85 @@
64 64
65/* BEGIN ERROR CODES */ 65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR 66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RSA,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RSA,0,reason)
70
67static ERR_STRING_DATA RSA_str_functs[]= 71static ERR_STRING_DATA RSA_str_functs[]=
68 { 72 {
69{ERR_PACK(0,RSA_F_MEMORY_LOCK,0), "MEMORY_LOCK"}, 73{ERR_FUNC(RSA_F_MEMORY_LOCK), "MEMORY_LOCK"},
70{ERR_PACK(0,RSA_F_RSA_CHECK_KEY,0), "RSA_check_key"}, 74{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
71{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_DECRYPT,0), "RSA_EAY_PRIVATE_DECRYPT"}, 75{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"},
72{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_ENCRYPT,0), "RSA_EAY_PRIVATE_ENCRYPT"}, 76{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"},
73{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_DECRYPT,0), "RSA_EAY_PUBLIC_DECRYPT"}, 77{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"},
74{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_ENCRYPT,0), "RSA_EAY_PUBLIC_ENCRYPT"}, 78{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"},
75{ERR_PACK(0,RSA_F_RSA_GENERATE_KEY,0), "RSA_generate_key"}, 79{ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"},
76{ERR_PACK(0,RSA_F_RSA_NEW_METHOD,0), "RSA_new_method"}, 80{ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"},
77{ERR_PACK(0,RSA_F_RSA_NULL,0), "RSA_NULL"}, 81{ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"},
78{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_NONE,0), "RSA_padding_add_none"}, 82{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"},
79{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,0), "RSA_padding_add_PKCS1_OAEP"}, 83{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"},
80{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,0), "RSA_padding_add_PKCS1_type_1"}, 84{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"},
81{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,0), "RSA_padding_add_PKCS1_type_2"}, 85{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1), "RSA_padding_add_PKCS1_type_1"},
82{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_SSLV23,0), "RSA_padding_add_SSLv23"}, 86{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2), "RSA_padding_add_PKCS1_type_2"},
83{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_NONE,0), "RSA_padding_check_none"}, 87{ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23), "RSA_padding_add_SSLv23"},
84{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,0), "RSA_padding_check_PKCS1_OAEP"}, 88{ERR_FUNC(RSA_F_RSA_PADDING_ADD_X931), "RSA_padding_add_X931"},
85{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,0), "RSA_padding_check_PKCS1_type_1"}, 89{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_NONE), "RSA_padding_check_none"},
86{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,0), "RSA_padding_check_PKCS1_type_2"}, 90{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP), "RSA_padding_check_PKCS1_OAEP"},
87{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_SSLV23,0), "RSA_padding_check_SSLv23"}, 91{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1), "RSA_padding_check_PKCS1_type_1"},
88{ERR_PACK(0,RSA_F_RSA_PRINT,0), "RSA_print"}, 92{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2), "RSA_padding_check_PKCS1_type_2"},
89{ERR_PACK(0,RSA_F_RSA_PRINT_FP,0), "RSA_print_fp"}, 93{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23), "RSA_padding_check_SSLv23"},
90{ERR_PACK(0,RSA_F_RSA_SIGN,0), "RSA_sign"}, 94{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"},
91{ERR_PACK(0,RSA_F_RSA_SIGN_ASN1_OCTET_STRING,0), "RSA_sign_ASN1_OCTET_STRING"}, 95{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"},
92{ERR_PACK(0,RSA_F_RSA_VERIFY,0), "RSA_verify"}, 96{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
93{ERR_PACK(0,RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,0), "RSA_verify_ASN1_OCTET_STRING"}, 97{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
98{ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"},
99{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
100{ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING), "RSA_verify_ASN1_OCTET_STRING"},
101{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"},
94{0,NULL} 102{0,NULL}
95 }; 103 };
96 104
97static ERR_STRING_DATA RSA_str_reasons[]= 105static ERR_STRING_DATA RSA_str_reasons[]=
98 { 106 {
99{RSA_R_ALGORITHM_MISMATCH ,"algorithm mismatch"}, 107{ERR_REASON(RSA_R_ALGORITHM_MISMATCH) ,"algorithm mismatch"},
100{RSA_R_BAD_E_VALUE ,"bad e value"}, 108{ERR_REASON(RSA_R_BAD_E_VALUE) ,"bad e value"},
101{RSA_R_BAD_FIXED_HEADER_DECRYPT ,"bad fixed header decrypt"}, 109{ERR_REASON(RSA_R_BAD_FIXED_HEADER_DECRYPT),"bad fixed header decrypt"},
102{RSA_R_BAD_PAD_BYTE_COUNT ,"bad pad byte count"}, 110{ERR_REASON(RSA_R_BAD_PAD_BYTE_COUNT) ,"bad pad byte count"},
103{RSA_R_BAD_SIGNATURE ,"bad signature"}, 111{ERR_REASON(RSA_R_BAD_SIGNATURE) ,"bad signature"},
104{RSA_R_BLOCK_TYPE_IS_NOT_01 ,"block type is not 01"}, 112{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_01) ,"block type is not 01"},
105{RSA_R_BLOCK_TYPE_IS_NOT_02 ,"block type is not 02"}, 113{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_02) ,"block type is not 02"},
106{RSA_R_DATA_GREATER_THAN_MOD_LEN ,"data greater than mod len"}, 114{ERR_REASON(RSA_R_DATA_GREATER_THAN_MOD_LEN),"data greater than mod len"},
107{RSA_R_DATA_TOO_LARGE ,"data too large"}, 115{ERR_REASON(RSA_R_DATA_TOO_LARGE) ,"data too large"},
108{RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE ,"data too large for key size"}, 116{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
109{RSA_R_DATA_TOO_LARGE_FOR_MODULUS ,"data too large for modulus"}, 117{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS),"data too large for modulus"},
110{RSA_R_DATA_TOO_SMALL ,"data too small"}, 118{ERR_REASON(RSA_R_DATA_TOO_SMALL) ,"data too small"},
111{RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE ,"data too small for key size"}, 119{ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE),"data too small for key size"},
112{RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY ,"digest too big for rsa key"}, 120{ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY),"digest too big for rsa key"},
113{RSA_R_DMP1_NOT_CONGRUENT_TO_D ,"dmp1 not congruent to d"}, 121{ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D),"dmp1 not congruent to d"},
114{RSA_R_DMQ1_NOT_CONGRUENT_TO_D ,"dmq1 not congruent to d"}, 122{ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D),"dmq1 not congruent to d"},
115{RSA_R_D_E_NOT_CONGRUENT_TO_1 ,"d e not congruent to 1"}, 123{ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1),"d e not congruent to 1"},
116{RSA_R_INVALID_MESSAGE_LENGTH ,"invalid message length"}, 124{ERR_REASON(RSA_R_FIRST_OCTET_INVALID) ,"first octet invalid"},
117{RSA_R_IQMP_NOT_INVERSE_OF_Q ,"iqmp not inverse of q"}, 125{ERR_REASON(RSA_R_INVALID_HEADER) ,"invalid header"},
118{RSA_R_KEY_SIZE_TOO_SMALL ,"key size too small"}, 126{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"},
119{RSA_R_NULL_BEFORE_BLOCK_MISSING ,"null before block missing"}, 127{ERR_REASON(RSA_R_INVALID_PADDING) ,"invalid padding"},
120{RSA_R_N_DOES_NOT_EQUAL_P_Q ,"n does not equal p q"}, 128{ERR_REASON(RSA_R_INVALID_TRAILER) ,"invalid trailer"},
121{RSA_R_OAEP_DECODING_ERROR ,"oaep decoding error"}, 129{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
122{RSA_R_PADDING_CHECK_FAILED ,"padding check failed"}, 130{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
123{RSA_R_P_NOT_PRIME ,"p not prime"}, 131{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"},
124{RSA_R_Q_NOT_PRIME ,"q not prime"}, 132{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
125{RSA_R_RSA_OPERATIONS_NOT_SUPPORTED ,"rsa operations not supported"}, 133{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
126{RSA_R_SSLV3_ROLLBACK_ATTACK ,"sslv3 rollback attack"}, 134{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
127{RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"}, 135{ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) ,"salt length recovery failed"},
128{RSA_R_UNKNOWN_ALGORITHM_TYPE ,"unknown algorithm type"}, 136{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
129{RSA_R_UNKNOWN_PADDING_TYPE ,"unknown padding type"}, 137{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
130{RSA_R_WRONG_SIGNATURE_LENGTH ,"wrong signature length"}, 138{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"},
139{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
140{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"},
141{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
142{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"},
143{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) ,"unknown padding type"},
144{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
145{ERR_REASON(RSA_R_SLEN_CHECK_FAILED) ,"salt length check failed"},
131{0,NULL} 146{0,NULL}
132 }; 147 };
133 148
@@ -141,8 +156,8 @@ void ERR_load_RSA_strings(void)
141 { 156 {
142 init=0; 157 init=0;
143#ifndef OPENSSL_NO_ERR 158#ifndef OPENSSL_NO_ERR
144 ERR_load_strings(ERR_LIB_RSA,RSA_str_functs); 159 ERR_load_strings(0,RSA_str_functs);
145 ERR_load_strings(ERR_LIB_RSA,RSA_str_reasons); 160 ERR_load_strings(0,RSA_str_reasons);
146#endif 161#endif
147 162
148 } 163 }
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index adb5e34da5..dd1422cc98 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -184,7 +184,8 @@ err:
184 RSAerr(RSA_F_RSA_GENERATE_KEY,ERR_LIB_BN); 184 RSAerr(RSA_F_RSA_GENERATE_KEY,ERR_LIB_BN);
185 ok=0; 185 ok=0;
186 } 186 }
187 BN_CTX_end(ctx); 187 if (ctx != NULL)
188 BN_CTX_end(ctx);
188 BN_CTX_free(ctx); 189 BN_CTX_free(ctx);
189 BN_CTX_free(ctx2); 190 BN_CTX_free(ctx2);
190 191
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index e3f7c608ec..d43ecaca63 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -28,9 +28,6 @@
28#include <openssl/rand.h> 28#include <openssl/rand.h>
29#include <openssl/sha.h> 29#include <openssl/sha.h>
30 30
31int MGF1(unsigned char *mask, long len,
32 const unsigned char *seed, long seedlen);
33
34int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, 31int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
35 const unsigned char *from, int flen, 32 const unsigned char *from, int flen,
36 const unsigned char *param, int plen) 33 const unsigned char *param, int plen)
@@ -76,11 +73,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
76 20); 73 20);
77#endif 74#endif
78 75
79 MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH); 76 PKCS1_MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH,
77 EVP_sha1());
80 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++) 78 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
81 db[i] ^= dbmask[i]; 79 db[i] ^= dbmask[i];
82 80
83 MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH); 81 PKCS1_MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH,
82 EVP_sha1());
84 for (i = 0; i < SHA_DIGEST_LENGTH; i++) 83 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
85 seed[i] ^= seedmask[i]; 84 seed[i] ^= seedmask[i];
86 85
@@ -126,11 +125,11 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
126 return -1; 125 return -1;
127 } 126 }
128 127
129 MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen); 128 PKCS1_MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen, EVP_sha1());
130 for (i = lzero; i < SHA_DIGEST_LENGTH; i++) 129 for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
131 seed[i] ^= from[i - lzero]; 130 seed[i] ^= from[i - lzero];
132 131
133 MGF1(db, dblen, seed, SHA_DIGEST_LENGTH); 132 PKCS1_MGF1(db, dblen, seed, SHA_DIGEST_LENGTH, EVP_sha1());
134 for (i = 0; i < dblen; i++) 133 for (i = 0; i < dblen; i++)
135 db[i] ^= maskeddb[i]; 134 db[i] ^= maskeddb[i];
136 135
@@ -170,28 +169,30 @@ decoding_err:
170 return -1; 169 return -1;
171 } 170 }
172 171
173int MGF1(unsigned char *mask, long len, 172int PKCS1_MGF1(unsigned char *mask, long len,
174 const unsigned char *seed, long seedlen) 173 const unsigned char *seed, long seedlen, const EVP_MD *dgst)
175 { 174 {
176 long i, outlen = 0; 175 long i, outlen = 0;
177 unsigned char cnt[4]; 176 unsigned char cnt[4];
178 EVP_MD_CTX c; 177 EVP_MD_CTX c;
179 unsigned char md[SHA_DIGEST_LENGTH]; 178 unsigned char md[EVP_MAX_MD_SIZE];
179 int mdlen;
180 180
181 EVP_MD_CTX_init(&c); 181 EVP_MD_CTX_init(&c);
182 mdlen = EVP_MD_size(dgst);
182 for (i = 0; outlen < len; i++) 183 for (i = 0; outlen < len; i++)
183 { 184 {
184 cnt[0] = (unsigned char)((i >> 24) & 255); 185 cnt[0] = (unsigned char)((i >> 24) & 255);
185 cnt[1] = (unsigned char)((i >> 16) & 255); 186 cnt[1] = (unsigned char)((i >> 16) & 255);
186 cnt[2] = (unsigned char)((i >> 8)) & 255; 187 cnt[2] = (unsigned char)((i >> 8)) & 255;
187 cnt[3] = (unsigned char)(i & 255); 188 cnt[3] = (unsigned char)(i & 255);
188 EVP_DigestInit_ex(&c,EVP_sha1(), NULL); 189 EVP_DigestInit_ex(&c,dgst, NULL);
189 EVP_DigestUpdate(&c, seed, seedlen); 190 EVP_DigestUpdate(&c, seed, seedlen);
190 EVP_DigestUpdate(&c, cnt, 4); 191 EVP_DigestUpdate(&c, cnt, 4);
191 if (outlen + SHA_DIGEST_LENGTH <= len) 192 if (outlen + mdlen <= len)
192 { 193 {
193 EVP_DigestFinal_ex(&c, mask + outlen, NULL); 194 EVP_DigestFinal_ex(&c, mask + outlen, NULL);
194 outlen += SHA_DIGEST_LENGTH; 195 outlen += mdlen;
195 } 196 }
196 else 197 else
197 { 198 {
@@ -203,4 +204,9 @@ int MGF1(unsigned char *mask, long len,
203 EVP_MD_CTX_cleanup(&c); 204 EVP_MD_CTX_cleanup(&c);
204 return 0; 205 return 0;
205 } 206 }
207
208int MGF1(unsigned char *mask, long len, const unsigned char *seed, long seedlen)
209 {
210 return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
211 }
206#endif 212#endif
diff --git a/src/lib/libcrypto/rsa/rsa_test.c b/src/lib/libcrypto/rsa/rsa_test.c
index 924e9ad1f6..218bb2a39b 100644
--- a/src/lib/libcrypto/rsa/rsa_test.c
+++ b/src/lib/libcrypto/rsa/rsa_test.c
@@ -227,10 +227,10 @@ int main(int argc, char *argv[])
227 227
228 plen = sizeof(ptext_ex) - 1; 228 plen = sizeof(ptext_ex) - 1;
229 229
230 for (v = 0; v < 3; v++) 230 for (v = 0; v < 6; v++)
231 { 231 {
232 key = RSA_new(); 232 key = RSA_new();
233 switch (v) { 233 switch (v%3) {
234 case 0: 234 case 0:
235 clen = key1(key, ctext_ex); 235 clen = key1(key, ctext_ex);
236 break; 236 break;
@@ -241,6 +241,7 @@ int main(int argc, char *argv[])
241 clen = key3(key, ctext_ex); 241 clen = key3(key, ctext_ex);
242 break; 242 break;
243 } 243 }
244 if (v/3 > 1) key->flags |= RSA_FLAG_NO_EXP_CONSTTIME;
244 245
245 num = RSA_public_encrypt(plen, ptext_ex, ctext, key, 246 num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
246 RSA_PKCS1_PADDING); 247 RSA_PKCS1_PADDING);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 12:17:38 +0000