[Pkg-openssl-changes] r159 - in
openssl/branches/openssl0.9.7/crypto: . rsa
Kurt Roeckx
kroeckx at costa.debian.org
Tue Sep 5 19:58:24 UTC 2006
Author: kroeckx
Date: 2006-09-05 19:58:24 +0000 (Tue, 05 Sep 2006)
New Revision: 159
Added:
openssl/branches/openssl0.9.7/crypto/rsa/
openssl/branches/openssl0.9.7/crypto/rsa/rsa.h
openssl/branches/openssl0.9.7/crypto/rsa/rsa_eay.c
openssl/branches/openssl0.9.7/crypto/rsa/rsa_err.c
openssl/branches/openssl0.9.7/crypto/rsa/rsa_sign.c
Log:
Add 0.9.7i upstream sources.
Added: openssl/branches/openssl0.9.7/crypto/rsa/rsa.h
===================================================================
--- openssl/branches/openssl0.9.7/crypto/rsa/rsa.h (rev 0)
+++ openssl/branches/openssl0.9.7/crypto/rsa/rsa.h 2006-09-05 19:58:24 UTC (rev 159)
@@ -0,0 +1,407 @@
+/* crypto/rsa/rsa.h */
+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay at cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay at cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_RSA_H
+#define HEADER_RSA_H
+
+#include <openssl/asn1.h>
+
+#ifndef OPENSSL_NO_BIO
+#include <openssl/bio.h>
+#endif
+#include <openssl/bn.h>
+#include <openssl/crypto.h>
+#include <openssl/ossl_typ.h>
+
+#ifdef OPENSSL_NO_RSA
+#error RSA is disabled.
+#endif
+
+#if defined(OPENSSL_FIPS)
+#define FIPS_RSA_SIZE_T int
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct rsa_st RSA;
+
+typedef struct rsa_meth_st
+ {
+ const char *name;
+ int (*rsa_pub_enc)(int flen,const unsigned char *from,
+ unsigned char *to,
+ RSA *rsa,int padding);
+ int (*rsa_pub_dec)(int flen,const unsigned char *from,
+ unsigned char *to,
+ RSA *rsa,int padding);
+ int (*rsa_priv_enc)(int flen,const unsigned char *from,
+ unsigned char *to,
+ RSA *rsa,int padding);
+ int (*rsa_priv_dec)(int flen,const unsigned char *from,
+ unsigned char *to,
+ RSA *rsa,int padding);
+ int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa); /* Can be null */
+ int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx,
+ BN_MONT_CTX *m_ctx); /* Can be null */
+ int (*init)(RSA *rsa); /* called at new */
+ int (*finish)(RSA *rsa); /* called at free */
+ int flags; /* RSA_METHOD_FLAG_* things */
+ char *app_data; /* may be needed! */
+/* New sign and verify functions: some libraries don't allow arbitrary data
+ * to be signed/verified: this allows them to be used. Note: for this to work
+ * the RSA_public_decrypt() and RSA_private_encrypt() should *NOT* be used
+ * RSA_sign(), RSA_verify() should be used instead. Note: for backwards
+ * compatibility this functionality is only enabled if the RSA_FLAG_SIGN_VER
+ * option is set in 'flags'.
+ */
+ int (*rsa_sign)(int type,
+ const unsigned char *m, unsigned int m_length,
+ unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
+ int (*rsa_verify)(int dtype,
+ const unsigned char *m, unsigned int m_length,
+ unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
+
+ } RSA_METHOD;
+
+struct rsa_st
+ {
+ /* The first parameter is used to pickup errors where
+ * this is passed instead of aEVP_PKEY, it is set to 0 */
+ int pad;
+ long version;
+ const RSA_METHOD *meth;
+ /* functional reference if 'meth' is ENGINE-provided */
+ ENGINE *engine;
+ BIGNUM *n;
+ BIGNUM *e;
+ BIGNUM *d;
+ BIGNUM *p;
+ BIGNUM *q;
+ BIGNUM *dmp1;
+ BIGNUM *dmq1;
+ BIGNUM *iqmp;
+ /* be careful using this if the RSA structure is shared */
+ CRYPTO_EX_DATA ex_data;
+ int references;
+ int flags;
+
+ /* Used to cache montgomery values */
+ BN_MONT_CTX *_method_mod_n;
+ BN_MONT_CTX *_method_mod_p;
+ BN_MONT_CTX *_method_mod_q;
+
+ /* all BIGNUM values are actually in the following data, if it is not
+ * NULL */
+ char *bignum_data;
+ BN_BLINDING *blinding;
+ };
+
+#define RSA_3 0x3L
+#define RSA_F4 0x10001L
+
+#define RSA_METHOD_FLAG_NO_CHECK 0x0001 /* don't check pub/private match */
+
+#define RSA_FLAG_CACHE_PUBLIC 0x0002
+#define RSA_FLAG_CACHE_PRIVATE 0x0004
+#define RSA_FLAG_BLINDING 0x0008
+#define RSA_FLAG_THREAD_SAFE 0x0010
+/* This flag means the private key operations will be handled by rsa_mod_exp
+ * and that they do not depend on the private key components being present:
+ * for example a key stored in external hardware. Without this flag bn_mod_exp
+ * gets called when private key components are absent.
+ */
+#define RSA_FLAG_EXT_PKEY 0x0020
+
+/* This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
+ */
+#define RSA_FLAG_SIGN_VER 0x0040
+
+#define RSA_FLAG_NO_BLINDING 0x0080 /* new with 0.9.6j and 0.9.7b; the built-in
+ * RSA implementation now uses blinding by
+ * default (ignoring RSA_FLAG_BLINDING),
+ * but other engines might not need it
+ */
+#define RSA_FLAG_NO_EXP_CONSTTIME 0x0100 /* new with 0.9.7h; the built-in RSA
+ * implementation now uses constant time
+ * modular exponentiation for secret exponents
+ * by default. This flag causes the
+ * faster variable sliding window method to
+ * be used for all exponents.
+ */
+
+#define RSA_PKCS1_PADDING 1
+#define RSA_SSLV23_PADDING 2
+#define RSA_NO_PADDING 3
+#define RSA_PKCS1_OAEP_PADDING 4
+#define RSA_X931_PADDING 5
+
+#define RSA_PKCS1_PADDING_SIZE 11
+
+#define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)
+#define RSA_get_app_data(s) RSA_get_ex_data(s,0)
+
+RSA * RSA_new(void);
+RSA * RSA_new_method(ENGINE *engine);
+int RSA_size(const RSA *);
+RSA * RSA_generate_key(int bits, unsigned long e,void
+ (*callback)(int,int,void *),void *cb_arg);
+int RSA_check_key(const RSA *);
+#ifdef OPENSSL_FIPS
+int RSA_X931_derive(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
+ void (*cb)(int, int, void *), void *cb_arg,
+ const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
+ const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
+ const BIGNUM *e);
+RSA *RSA_X931_generate_key(int bits, const BIGNUM *e,
+ void (*cb)(int,int,void *), void *cb_arg);
+#endif
+ /* next 4 return -1 on error */
+int RSA_public_encrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,int padding);
+int RSA_private_encrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,int padding);
+int RSA_public_decrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,int padding);
+int RSA_private_decrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,int padding);
+void RSA_free (RSA *r);
+/* "up" the RSA object's reference count */
+int RSA_up_ref(RSA *r);
+
+int RSA_flags(const RSA *r);
+
+void RSA_set_default_method(const RSA_METHOD *meth);
+const RSA_METHOD *RSA_get_default_method(void);
+const RSA_METHOD *RSA_get_method(const RSA *rsa);
+int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
+
+/* This function needs the memory locking malloc callbacks to be installed */
+int RSA_memory_lock(RSA *r);
+
+/* these are the actual SSLeay RSA functions */
+const RSA_METHOD *RSA_PKCS1_SSLeay(void);
+
+const RSA_METHOD *RSA_null_method(void);
+
+DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPublicKey)
+DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPrivateKey)
+
+#ifndef OPENSSL_NO_FP_API
+int RSA_print_fp(FILE *fp, const RSA *r,int offset);
+#endif
+
+#ifndef OPENSSL_NO_BIO
+int RSA_print(BIO *bp, const RSA *r,int offset);
+#endif
+
+int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey);
+RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length, int (*cb)(), int sgckey);
+
+int i2d_Netscape_RSA(const RSA *a, unsigned char **pp, int (*cb)());
+RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length, int (*cb)());
+
+/* The following 2 functions sign and verify a X509_SIG ASN1 object
+ * inside PKCS#1 padded RSA encryption */
+int RSA_sign(int type, const unsigned char *m, unsigned int m_length,
+ unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+int RSA_verify(int type, const unsigned char *m, unsigned int m_length,
+ unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
+/* The following 2 function sign and verify a ASN1_OCTET_STRING
+ * object inside PKCS#1 padded RSA encryption */
+int RSA_sign_ASN1_OCTET_STRING(int type,
+ const unsigned char *m, unsigned int m_length,
+ unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+int RSA_verify_ASN1_OCTET_STRING(int type,
+ const unsigned char *m, unsigned int m_length,
+ unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
+int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
+void RSA_blinding_off(RSA *rsa);
+
+int RSA_padding_add_PKCS1_type_1(unsigned char *to,int tlen,
+ const unsigned char *f,int fl);
+int RSA_padding_check_PKCS1_type_1(unsigned char *to,int tlen,
+ const unsigned char *f,int fl,int rsa_len);
+int RSA_padding_add_PKCS1_type_2(unsigned char *to,int tlen,
+ const unsigned char *f,int fl);
+int RSA_padding_check_PKCS1_type_2(unsigned char *to,int tlen,
+ const unsigned char *f,int fl,int rsa_len);
+int PKCS1_MGF1(unsigned char *mask, long len,
+ const unsigned char *seed, long seedlen, const EVP_MD *dgst);
+int RSA_padding_add_PKCS1_OAEP(unsigned char *to,int tlen,
+ const unsigned char *f,int fl,
+ const unsigned char *p,int pl);
+int RSA_padding_check_PKCS1_OAEP(unsigned char *to,int tlen,
+ const unsigned char *f,int fl,int rsa_len,
+ const unsigned char *p,int pl);
+int RSA_padding_add_SSLv23(unsigned char *to,int tlen,
+ const unsigned char *f,int fl);
+int RSA_padding_check_SSLv23(unsigned char *to,int tlen,
+ const unsigned char *f,int fl,int rsa_len);
+int RSA_padding_add_none(unsigned char *to,int tlen,
+ const unsigned char *f,int fl);
+int RSA_padding_check_none(unsigned char *to,int tlen,
+ const unsigned char *f,int fl,int rsa_len);
+int RSA_padding_add_X931(unsigned char *to,int tlen,
+ const unsigned char *f,int fl);
+int RSA_padding_check_X931(unsigned char *to,int tlen,
+ const unsigned char *f,int fl,int rsa_len);
+int RSA_X931_hash_id(int nid);
+
+int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
+ const EVP_MD *Hash, const unsigned char *EM, int sLen);
+int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
+ const unsigned char *mHash,
+ const EVP_MD *Hash, int sLen);
+
+int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int RSA_set_ex_data(RSA *r,int idx,void *arg);
+void *RSA_get_ex_data(const RSA *r, int idx);
+
+RSA *RSAPublicKey_dup(RSA *rsa);
+RSA *RSAPrivateKey_dup(RSA *rsa);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_RSA_strings(void);
+
+/* Error codes for the RSA functions. */
+
+/* Function codes. */
+#define RSA_F_MEMORY_LOCK 100
+#define RSA_F_RSA_CHECK_KEY 123
+#define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101
+#define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102
+#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
+#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104
+#define RSA_F_RSA_GENERATE_KEY 105
+#define RSA_F_RSA_NEW_METHOD 106
+#define RSA_F_RSA_NULL 124
+#define RSA_F_RSA_PADDING_ADD_NONE 107
+#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
+#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
+#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
+#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
+#define RSA_F_RSA_PADDING_ADD_SSLV23 110
+#define RSA_F_RSA_PADDING_ADD_X931 127
+#define RSA_F_RSA_PADDING_CHECK_NONE 111
+#define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP 122
+#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1 112
+#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2 113
+#define RSA_F_RSA_PADDING_CHECK_SSLV23 114
+#define RSA_F_RSA_PADDING_CHECK_X931 128
+#define RSA_F_RSA_PRINT 115
+#define RSA_F_RSA_PRINT_FP 116
+#define RSA_F_RSA_SIGN 117
+#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
+#define RSA_F_RSA_VERIFY 119
+#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
+#define RSA_F_RSA_VERIFY_PKCS1_PSS 126
+
+/* Reason codes. */
+#define RSA_R_ALGORITHM_MISMATCH 100
+#define RSA_R_BAD_E_VALUE 101
+#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102
+#define RSA_R_BAD_PAD_BYTE_COUNT 103
+#define RSA_R_BAD_SIGNATURE 104
+#define RSA_R_BLOCK_TYPE_IS_NOT_01 106
+#define RSA_R_BLOCK_TYPE_IS_NOT_02 107
+#define RSA_R_DATA_GREATER_THAN_MOD_LEN 108
+#define RSA_R_DATA_TOO_LARGE 109
+#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 110
+#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132
+#define RSA_R_DATA_TOO_SMALL 111
+#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122
+#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112
+#define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124
+#define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125
+#define RSA_R_D_E_NOT_CONGRUENT_TO_1 123
+#define RSA_R_FIRST_OCTET_INVALID 133
+#define RSA_R_INVALID_HEADER 137
+#define RSA_R_INVALID_MESSAGE_LENGTH 131
+#define RSA_R_INVALID_PADDING 138
+#define RSA_R_INVALID_TRAILER 139
+#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
+#define RSA_R_KEY_SIZE_TOO_SMALL 120
+#define RSA_R_LAST_OCTET_INVALID 134
+#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
+#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
+#define RSA_R_OAEP_DECODING_ERROR 121
+#define RSA_R_SLEN_RECOVERY_FAILED 135
+#define RSA_R_PADDING_CHECK_FAILED 114
+#define RSA_R_P_NOT_PRIME 128
+#define RSA_R_Q_NOT_PRIME 129
+#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130
+#define RSA_R_SSLV3_ROLLBACK_ATTACK 115
+#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
+#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117
+#define RSA_R_UNKNOWN_PADDING_TYPE 118
+#define RSA_R_WRONG_SIGNATURE_LENGTH 119
+#define RSA_R_SLEN_CHECK_FAILED 136
+
+#ifdef __cplusplus
+}
+#endif
+#endif
Added: openssl/branches/openssl0.9.7/crypto/rsa/rsa_eay.c
===================================================================
--- openssl/branches/openssl0.9.7/crypto/rsa/rsa_eay.c (rev 0)
+++ openssl/branches/openssl0.9.7/crypto/rsa/rsa_eay.c 2006-09-05 19:58:24 UTC (rev 159)
@@ -0,0 +1,774 @@
+/* crypto/rsa/rsa_eay.c */
+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay at cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay at cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core at openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay at cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh at cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/rand.h>
+
+#if !defined(RSA_NULL) && !defined(OPENSSL_FIPS)
+
+static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,int padding);
+static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,int padding);
+static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,int padding);
+static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,int padding);
+static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa);
+static int RSA_eay_init(RSA *rsa);
+static int RSA_eay_finish(RSA *rsa);
+static RSA_METHOD rsa_pkcs1_eay_meth={
+ "Eric Young's PKCS#1 RSA",
+ RSA_eay_public_encrypt,
+ RSA_eay_public_decrypt, /* signature verification */
+ RSA_eay_private_encrypt, /* signing */
+ RSA_eay_private_decrypt,
+ RSA_eay_mod_exp,
+ BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
+ RSA_eay_init,
+ RSA_eay_finish,
+ 0, /* flags */
+ NULL,
+ 0, /* rsa_sign */
+ 0 /* rsa_verify */
+ };
+
+const RSA_METHOD *RSA_PKCS1_SSLeay(void)
+ {
+ return(&rsa_pkcs1_eay_meth);
+ }
+
+static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa, int padding)
+ {
+ BIGNUM f,ret;
+ int i,j,k,num=0,r= -1;
+ unsigned char *buf=NULL;
+ BN_CTX *ctx=NULL;
+
+ BN_init(&f);
+ BN_init(&ret);
+ if ((ctx=BN_CTX_new()) == NULL) goto err;
+ num=BN_num_bytes(rsa->n);
+ if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
+ {
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ switch (padding)
+ {
+ case RSA_PKCS1_PADDING:
+ i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
+ break;
+#ifndef OPENSSL_NO_SHA
+ case RSA_PKCS1_OAEP_PADDING:
+ i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
+ break;
+#endif
+ case RSA_SSLV23_PADDING:
+ i=RSA_padding_add_SSLv23(buf,num,from,flen);
+ break;
+ case RSA_NO_PADDING:
+ i=RSA_padding_add_none(buf,num,from,flen);
+ break;
+ default:
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
+ goto err;
+ }
+ if (i <= 0) goto err;
+
+ if (BN_bin2bn(buf,num,&f) == NULL) goto err;
+
+ if (BN_ucmp(&f, rsa->n) >= 0)
+ {
+ /* usually the padding functions would catch this */
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+ goto err;
+ }
+
+ if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+ {
+ if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
+ CRYPTO_LOCK_RSA, rsa->n, ctx))
+ goto err;
+ }
+
+ if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
+ rsa->_method_mod_n)) goto err;
+
+ /* put in leading 0 bytes if the number is less than the
+ * length of the modulus */
+ j=BN_num_bytes(&ret);
+ i=BN_bn2bin(&ret,&(to[num-j]));
+ for (k=0; k<(num-i); k++)
+ to[k]=0;
+
+ r=num;
+err:
+ if (ctx != NULL) BN_CTX_free(ctx);
+ BN_clear_free(&f);
+ BN_clear_free(&ret);
+ if (buf != NULL)
+ {
+ OPENSSL_cleanse(buf,num);
+ OPENSSL_free(buf);
+ }
+ return(r);
+ }
+
+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
+ {
+ int ret = 1;
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ /* Check again inside the lock - the macro's check is racey */
+ if(rsa->blinding == NULL)
+ ret = RSA_blinding_on(rsa, ctx);
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ return ret;
+ }
+
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
+ do { \
+ if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
+ ((rsa)->blinding == NULL) && \
+ !rsa_eay_blinding(rsa, ctx)) \
+ err_instr \
+ } while(0)
+
+static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx)
+ {
+ BIGNUM *A, *Ai;
+ BN_BLINDING *ret = NULL;
+
+ /* added in OpenSSL 0.9.6j and 0.9.7b */
+
+ /* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
+ * this should be placed in a new function of its own, but for reasons
+ * of binary compatibility can't */
+
+ BN_CTX_start(ctx);
+ A = BN_CTX_get(ctx);
+ if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+ {
+ /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
+ RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
+ if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+ }
+ else
+ {
+ if (!BN_rand_range(A,rsa->n)) goto err;
+ }
+ if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
+
+ if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
+ goto err;
+ ret = BN_BLINDING_new(A,Ai,rsa->n);
+ BN_free(Ai);
+err:
+ BN_CTX_end(ctx);
+ return ret;
+ }
+
+/* signing */
+static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa, int padding)
+ {
+ BIGNUM f,ret, *res;
+ int i,j,k,num=0,r= -1;
+ unsigned char *buf=NULL;
+ BN_CTX *ctx=NULL;
+ int local_blinding = 0;
+ BN_BLINDING *blinding = NULL;
+
+ BN_init(&f);
+ BN_init(&ret);
+
+ if ((ctx=BN_CTX_new()) == NULL) goto err;
+ num=BN_num_bytes(rsa->n);
+ if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ switch (padding)
+ {
+ case RSA_PKCS1_PADDING:
+ i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
+ break;
+ case RSA_NO_PADDING:
+ i=RSA_padding_add_none(buf,num,from,flen);
+ break;
+ case RSA_SSLV23_PADDING:
+ default:
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
+ goto err;
+ }
+ if (i <= 0) goto err;
+
+ if (BN_bin2bn(buf,num,&f) == NULL) goto err;
+
+ if (BN_ucmp(&f, rsa->n) >= 0)
+ {
+ /* usually the padding functions would catch this */
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+ goto err;
+ }
+
+ BLINDING_HELPER(rsa, ctx, goto err;);
+ blinding = rsa->blinding;
+
+ /* Now unless blinding is disabled, 'blinding' is non-NULL.
+ * But the BN_BLINDING object may be owned by some other thread
+ * (we don't want to keep it constant and we don't want to use
+ * lots of locking to avoid race conditions, so only a single
+ * thread can use it; other threads have to use local blinding
+ * factors) */
+ if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
+ {
+ if (blinding == NULL)
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ }
+
+ if (blinding != NULL)
+ {
+ if (blinding->thread_id != CRYPTO_thread_id())
+ {
+ /* we need a local one-time blinding factor */
+
+ blinding = setup_blinding(rsa, ctx);
+ if (blinding == NULL)
+ goto err;
+ local_blinding = 1;
+ }
+ }
+
+ if (blinding)
+ if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
+
+ if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
+ ((rsa->p != NULL) &&
+ (rsa->q != NULL) &&
+ (rsa->dmp1 != NULL) &&
+ (rsa->dmq1 != NULL) &&
+ (rsa->iqmp != NULL)) )
+ {
+ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
+ }
+ else
+ {
+ BIGNUM local_d;
+ BIGNUM *d = NULL;
+
+ if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+ {
+ BN_init(&local_d);
+ d = &local_d;
+ BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+ }
+ else
+ d = rsa->d;
+ if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err;
+ }
+
+ if (blinding)
+ if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
+
+ if (padding == RSA_X931_PADDING)
+ {
+ BN_sub(&f, rsa->n, &ret);
+ if (BN_cmp(&ret, &f))
+ res = &f;
+ else
+ res = &ret;
+ }
+ else
+ res = &ret;
+
+ /* put in leading 0 bytes if the number is less than the
+ * length of the modulus */
+ j=BN_num_bytes(res);
+ i=BN_bn2bin(res,&(to[num-j]));
+ for (k=0; k<(num-i); k++)
+ to[k]=0;
+
+ r=num;
+err:
+ if (ctx != NULL) BN_CTX_free(ctx);
+ BN_clear_free(&ret);
+ BN_clear_free(&f);
+ if (local_blinding)
+ BN_BLINDING_free(blinding);
+ if (buf != NULL)
+ {
+ OPENSSL_cleanse(buf,num);
+ OPENSSL_free(buf);
+ }
+ return(r);
+ }
+
+static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa, int padding)
+ {
+ BIGNUM f,ret;
+ int j,num=0,r= -1;
+ unsigned char *p;
+ unsigned char *buf=NULL;
+ BN_CTX *ctx=NULL;
+ int local_blinding = 0;
+ BN_BLINDING *blinding = NULL;
+
+ BN_init(&f);
+ BN_init(&ret);
+ ctx=BN_CTX_new();
+ if (ctx == NULL) goto err;
+
+ num=BN_num_bytes(rsa->n);
+
+ if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ /* This check was for equality but PGP does evil things
+ * and chops off the top '0' bytes */
+ if (flen > num)
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
+ goto err;
+ }
+
+ /* make data into a big number */
+ if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
+
+ if (BN_ucmp(&f, rsa->n) >= 0)
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+ goto err;
+ }
+
+ BLINDING_HELPER(rsa, ctx, goto err;);
+ blinding = rsa->blinding;
+
+ /* Now unless blinding is disabled, 'blinding' is non-NULL.
+ * But the BN_BLINDING object may be owned by some other thread
+ * (we don't want to keep it constant and we don't want to use
+ * lots of locking to avoid race conditions, so only a single
+ * thread can use it; other threads have to use local blinding
+ * factors) */
+ if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
+ {
+ if (blinding == NULL)
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ }
+
+ if (blinding != NULL)
+ {
+ if (blinding->thread_id != CRYPTO_thread_id())
+ {
+ /* we need a local one-time blinding factor */
+
+ blinding = setup_blinding(rsa, ctx);
+ if (blinding == NULL)
+ goto err;
+ local_blinding = 1;
+ }
+ }
+
+ if (blinding)
+ if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
+
+ /* do the decrypt */
+ if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
+ ((rsa->p != NULL) &&
+ (rsa->q != NULL) &&
+ (rsa->dmp1 != NULL) &&
+ (rsa->dmq1 != NULL) &&
+ (rsa->iqmp != NULL)) )
+ {
+ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
+ }
+ else
+ {
+ BIGNUM local_d;
+ BIGNUM *d = NULL;
+
+ if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+ {
+ d = &local_d;
+ BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+ }
+ else
+ d = rsa->d;
+ if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL))
+ goto err;
+ }
+
+ if (blinding)
+ if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
+
+ p=buf;
+ j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
+
+ switch (padding)
+ {
+ case RSA_PKCS1_PADDING:
+ r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
+ break;
+#ifndef OPENSSL_NO_SHA
+ case RSA_PKCS1_OAEP_PADDING:
+ r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
+ break;
+#endif
+ case RSA_SSLV23_PADDING:
+ r=RSA_padding_check_SSLv23(to,num,buf,j,num);
+ break;
+ case RSA_NO_PADDING:
+ r=RSA_padding_check_none(to,num,buf,j,num);
+ break;
+ default:
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
+ goto err;
+ }
+ if (r < 0)
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
+
+err:
+ if (ctx != NULL) BN_CTX_free(ctx);
+ BN_clear_free(&f);
+ BN_clear_free(&ret);
+ if (local_blinding)
+ BN_BLINDING_free(blinding);
+ if (buf != NULL)
+ {
+ OPENSSL_cleanse(buf,num);
+ OPENSSL_free(buf);
+ }
+ return(r);
+ }
+
+/* signature verification */
+static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa, int padding)
+ {
+ BIGNUM f,ret;
+ int i,num=0,r= -1;
+ unsigned char *p;
+ unsigned char *buf=NULL;
+ BN_CTX *ctx=NULL;
+
+ BN_init(&f);
+ BN_init(&ret);
+ ctx=BN_CTX_new();
+ if (ctx == NULL) goto err;
+
+ num=BN_num_bytes(rsa->n);
+ buf=(unsigned char *)OPENSSL_malloc(num);
+ if (buf == NULL)
+ {
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ /* This check was for equality but PGP does evil things
+ * and chops off the top '0' bytes */
+ if (flen > num)
+ {
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
+ goto err;
+ }
+
+ if (BN_bin2bn(from,flen,&f) == NULL) goto err;
+
+ if (BN_ucmp(&f, rsa->n) >= 0)
+ {
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+ goto err;
+ }
+
+ /* do the decrypt */
+
+ if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+ {
+ if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
+ CRYPTO_LOCK_RSA, rsa->n, ctx))
+ goto err;
+ }
+
+ if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
+ rsa->_method_mod_n)) goto err;
+
+ if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12))
+ BN_sub(&ret, rsa->n, &ret);
+
+ p=buf;
+ i=BN_bn2bin(&ret,p);
+
+ switch (padding)
+ {
+ case RSA_PKCS1_PADDING:
+ r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+ break;
+ case RSA_NO_PADDING:
+ r=RSA_padding_check_none(to,num,buf,i,num);
+ break;
+ default:
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
+ goto err;
+ }
+ if (r < 0)
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
+
+err:
+ if (ctx != NULL) BN_CTX_free(ctx);
+ BN_clear_free(&f);
+ BN_clear_free(&ret);
+ if (buf != NULL)
+ {
+ OPENSSL_cleanse(buf,num);
+ OPENSSL_free(buf);
+ }
+ return(r);
+ }
+
+static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+ {
+ BIGNUM r1,m1,vrfy;
+ BIGNUM local_dmp1, local_dmq1;
+ BIGNUM *dmp1, *dmq1;
+ int ret=0;
+ BN_CTX *ctx;
+
+ BN_init(&m1);
+ BN_init(&r1);
+ BN_init(&vrfy);
+ if ((ctx=BN_CTX_new()) == NULL) goto err;
+
+ if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
+ {
+ if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
+ CRYPTO_LOCK_RSA, rsa->p, ctx))
+ goto err;
+ if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
+ CRYPTO_LOCK_RSA, rsa->q, ctx))
+ goto err;
+ }
+
+ if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
+ if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+ {
+ dmq1 = &local_dmq1;
+ BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME);
+ }
+ else
+ dmq1 = rsa->dmq1;
+ if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx,
+ rsa->_method_mod_q)) goto err;
+
+ if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
+ if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+ {
+ dmp1 = &local_dmp1;
+ BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME);
+ }
+ else
+ dmp1 = rsa->dmp1;
+ if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx,
+ rsa->_method_mod_p)) goto err;
+
+ if (!BN_sub(r0,r0,&m1)) goto err;
+ /* This will help stop the size of r0 increasing, which does
+ * affect the multiply if it optimised for a power of 2 size */
+ if (r0->neg)
+ if (!BN_add(r0,r0,rsa->p)) goto err;
+
+ if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
+ if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
+ /* If p < q it is occasionally possible for the correction of
+ * adding 'p' if r0 is negative above to leave the result still
+ * negative. This can break the private key operations: the following
+ * second correction should *always* correct this rare occurrence.
+ * This will *never* happen with OpenSSL generated keys because
+ * they ensure p > q [steve]
+ */
+ if (r0->neg)
+ if (!BN_add(r0,r0,rsa->p)) goto err;
+ if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
+ if (!BN_add(r0,&r1,&m1)) goto err;
+
+ if (rsa->e && rsa->n)
+ {
+ if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err;
+ /* If 'I' was greater than (or equal to) rsa->n, the operation
+ * will be equivalent to using 'I mod n'. However, the result of
+ * the verify will *always* be less than 'n' so we don't check
+ * for absolute equality, just congruency. */
+ if (!BN_sub(&vrfy, &vrfy, I)) goto err;
+ if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err;
+ if (vrfy.neg)
+ if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
+ if (!BN_is_zero(&vrfy))
+ {
+ /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
+ * miscalculated CRT output, just do a raw (slower)
+ * mod_exp and return that instead. */
+
+ BIGNUM local_d;
+ BIGNUM *d = NULL;
+
+ if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+ {
+ d = &local_d;
+ BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+ }
+ else
+ d = rsa->d;
+ if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err;
+ }
+ }
+ ret=1;
+err:
+ BN_clear_free(&m1);
+ BN_clear_free(&r1);
+ BN_clear_free(&vrfy);
+ BN_CTX_free(ctx);
+ return(ret);
+ }
+
+static int RSA_eay_init(RSA *rsa)
+ {
+ rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
+ return(1);
+ }
+
+static int RSA_eay_finish(RSA *rsa)
+ {
+ if (rsa->_method_mod_n != NULL)
+ BN_MONT_CTX_free(rsa->_method_mod_n);
+ if (rsa->_method_mod_p != NULL)
+ BN_MONT_CTX_free(rsa->_method_mod_p);
+ if (rsa->_method_mod_q != NULL)
+ BN_MONT_CTX_free(rsa->_method_mod_q);
+ return(1);
+ }
+
+#endif
Added: openssl/branches/openssl0.9.7/crypto/rsa/rsa_err.c
===================================================================
--- openssl/branches/openssl0.9.7/crypto/rsa/rsa_err.c (rev 0)
+++ openssl/branches/openssl0.9.7/crypto/rsa/rsa_err.c 2006-09-05 19:58:24 UTC (rev 159)
@@ -0,0 +1,164 @@
+/* crypto/rsa/rsa_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core at OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay at cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh at cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/rsa.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RSA,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RSA,0,reason)
+
+static ERR_STRING_DATA RSA_str_functs[]=
+ {
+{ERR_FUNC(RSA_F_MEMORY_LOCK), "MEMORY_LOCK"},
+{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
+{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"},
+{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"},
+{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"},
+{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"},
+{ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"},
+{ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"},
+{ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1), "RSA_padding_add_PKCS1_type_1"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2), "RSA_padding_add_PKCS1_type_2"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23), "RSA_padding_add_SSLv23"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_X931), "RSA_padding_add_X931"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_NONE), "RSA_padding_check_none"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP), "RSA_padding_check_PKCS1_OAEP"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1), "RSA_padding_check_PKCS1_type_1"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2), "RSA_padding_check_PKCS1_type_2"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23), "RSA_padding_check_SSLv23"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"},
+{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"},
+{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
+{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
+{ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"},
+{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
+{ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING), "RSA_verify_ASN1_OCTET_STRING"},
+{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"},
+{0,NULL}
+ };
+
+static ERR_STRING_DATA RSA_str_reasons[]=
+ {
+{ERR_REASON(RSA_R_ALGORITHM_MISMATCH) ,"algorithm mismatch"},
+{ERR_REASON(RSA_R_BAD_E_VALUE) ,"bad e value"},
+{ERR_REASON(RSA_R_BAD_FIXED_HEADER_DECRYPT),"bad fixed header decrypt"},
+{ERR_REASON(RSA_R_BAD_PAD_BYTE_COUNT) ,"bad pad byte count"},
+{ERR_REASON(RSA_R_BAD_SIGNATURE) ,"bad signature"},
+{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_01) ,"block type is not 01"},
+{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_02) ,"block type is not 02"},
+{ERR_REASON(RSA_R_DATA_GREATER_THAN_MOD_LEN),"data greater than mod len"},
+{ERR_REASON(RSA_R_DATA_TOO_LARGE) ,"data too large"},
+{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
+{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS),"data too large for modulus"},
+{ERR_REASON(RSA_R_DATA_TOO_SMALL) ,"data too small"},
+{ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE),"data too small for key size"},
+{ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY),"digest too big for rsa key"},
+{ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D),"dmp1 not congruent to d"},
+{ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D),"dmq1 not congruent to d"},
+{ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1),"d e not congruent to 1"},
+{ERR_REASON(RSA_R_FIRST_OCTET_INVALID) ,"first octet invalid"},
+{ERR_REASON(RSA_R_INVALID_HEADER) ,"invalid header"},
+{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"},
+{ERR_REASON(RSA_R_INVALID_PADDING) ,"invalid padding"},
+{ERR_REASON(RSA_R_INVALID_TRAILER) ,"invalid trailer"},
+{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
+{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
+{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"},
+{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
+{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
+{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
+{ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) ,"salt length recovery failed"},
+{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
+{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
+{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"},
+{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
+{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"},
+{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
+{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"},
+{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) ,"unknown padding type"},
+{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
+{ERR_REASON(RSA_R_SLEN_CHECK_FAILED) ,"salt length check failed"},
+{0,NULL}
+ };
+
+#endif
+
+void ERR_load_RSA_strings(void)
+ {
+ static int init=1;
+
+ if (init)
+ {
+ init=0;
+#ifndef OPENSSL_NO_ERR
+ ERR_load_strings(0,RSA_str_functs);
+ ERR_load_strings(0,RSA_str_reasons);
+#endif
+
+ }
+ }
Added: openssl/branches/openssl0.9.7/crypto/rsa/rsa_sign.c
===================================================================
--- openssl/branches/openssl0.9.7/crypto/rsa/rsa_sign.c (rev 0)
+++ openssl/branches/openssl0.9.7/crypto/rsa/rsa_sign.c 2006-09-05 19:58:24 UTC (rev 159)
@@ -0,0 +1,232 @@
+/* crypto/rsa/rsa_sign.c */
+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay at cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay at cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+/* Size of an SSL signature: MD5+SHA1 */
+#define SSL_SIG_LENGTH 36
+
+int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
+ unsigned char *sigret, unsigned int *siglen, RSA *rsa)
+ {
+ X509_SIG sig;
+ ASN1_TYPE parameter;
+ int i,j,ret=1;
+ unsigned char *p, *tmps = NULL;
+ const unsigned char *s = NULL;
+ X509_ALGOR algor;
+ ASN1_OCTET_STRING digest;
+ if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
+ {
+ return rsa->meth->rsa_sign(type, m, m_len,
+ sigret, siglen, rsa);
+ }
+ /* Special case: SSL signature, just check the length */
+ if(type == NID_md5_sha1) {
+ if(m_len != SSL_SIG_LENGTH) {
+ RSAerr(RSA_F_RSA_SIGN,RSA_R_INVALID_MESSAGE_LENGTH);
+ return(0);
+ }
+ i = SSL_SIG_LENGTH;
+ s = m;
+ } else {
+ sig.algor= &algor;
+ sig.algor->algorithm=OBJ_nid2obj(type);
+ if (sig.algor->algorithm == NULL)
+ {
+ RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
+ return(0);
+ }
+ if (sig.algor->algorithm->length == 0)
+ {
+ RSAerr(RSA_F_RSA_SIGN,RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
+ return(0);
+ }
+ parameter.type=V_ASN1_NULL;
+ parameter.value.ptr=NULL;
+ sig.algor->parameter= ¶meter;
+
+ sig.digest= &digest;
+ sig.digest->data=(unsigned char *)m; /* TMP UGLY CAST */
+ sig.digest->length=m_len;
+
+ i=i2d_X509_SIG(&sig,NULL);
+ }
+ j=RSA_size(rsa);
+ if (i > (j-RSA_PKCS1_PADDING_SIZE))
+ {
+ RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
+ return(0);
+ }
+ if(type != NID_md5_sha1) {
+ tmps=(unsigned char *)OPENSSL_malloc((unsigned int)j+1);
+ if (tmps == NULL)
+ {
+ RSAerr(RSA_F_RSA_SIGN,ERR_R_MALLOC_FAILURE);
+ return(0);
+ }
+ p=tmps;
+ i2d_X509_SIG(&sig,&p);
+ s=tmps;
+ }
+ i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
+ if (i <= 0)
+ ret=0;
+ else
+ *siglen=i;
+
+ if(type != NID_md5_sha1) {
+ OPENSSL_cleanse(tmps,(unsigned int)j+1);
+ OPENSSL_free(tmps);
+ }
+ return(ret);
+ }
+
+int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
+ unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
+ {
+ int i,ret=0,sigtype;
+ unsigned char *p,*s;
+ X509_SIG *sig=NULL;
+
+ if (siglen != (unsigned int)RSA_size(rsa))
+ {
+ RSAerr(RSA_F_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
+ return(0);
+ }
+
+ if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
+ {
+ return rsa->meth->rsa_verify(dtype, m, m_len,
+ sigbuf, siglen, rsa);
+ }
+
+ s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);
+ if (s == NULL)
+ {
+ RSAerr(RSA_F_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
+ RSAerr(RSA_F_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
+ goto err;
+ }
+ i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
+
+ if (i <= 0) goto err;
+
+ /* Special case: SSL signature */
+ if(dtype == NID_md5_sha1) {
+ if((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH))
+ RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+ else ret = 1;
+ } else {
+ p=s;
+ sig=d2i_X509_SIG(NULL,&p,(long)i);
+
+ if (sig == NULL) goto err;
+ sigtype=OBJ_obj2nid(sig->algor->algorithm);
+
+
+ #ifdef RSA_DEBUG
+ /* put a backward compatibility flag in EAY */
+ fprintf(stderr,"in(%s) expect(%s)\n",OBJ_nid2ln(sigtype),
+ OBJ_nid2ln(dtype));
+ #endif
+ if (sigtype != dtype)
+ {
+ if (((dtype == NID_md5) &&
+ (sigtype == NID_md5WithRSAEncryption)) ||
+ ((dtype == NID_md2) &&
+ (sigtype == NID_md2WithRSAEncryption)))
+ {
+ /* ok, we will let it through */
+#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
+ fprintf(stderr,"signature has problems, re-make with post SSLeay045\n");
+#endif
+ }
+ else
+ {
+ RSAerr(RSA_F_RSA_VERIFY,
+ RSA_R_ALGORITHM_MISMATCH);
+ goto err;
+ }
+ }
+ if ( ((unsigned int)sig->digest->length != m_len) ||
+ (memcmp(m,sig->digest->data,m_len) != 0))
+ {
+ RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+ }
+ else
+ ret=1;
+ }
+err:
+ if (sig != NULL) X509_SIG_free(sig);
+ if (s != NULL)
+ {
+ OPENSSL_cleanse(s,(unsigned int)siglen);
+ OPENSSL_free(s);
+ }
+ return(ret);
+ }
+
More information about the Pkg-openssl-changes
mailing list