kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
81f030b106
boringssl/crypto/fipsmodule/rsa/rsa.c

856 lines
23 KiB
C
Raw Normal View History

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.] */
#include <openssl/rsa.h>
size_t RSA_private_decrypt's input. Change-Id: If05761052e235b38d9798b2fe4d8ba44293af891 Reviewed-on: https://boringssl-review.googlesource.com/5944 Reviewed-by: Adam Langley <agl@google.com>
2015-09-19 18:35:39 +01:00
#include <limits.h>
Remove string.h from base.h. Including string.h in base.h causes any file that includes a BoringSSL header to include string.h. Generally this wouldn't be a problem, although string.h might slow down the compile if it wasn't otherwise needed. However, it also causes problems for ipsec-tools in Android because OpenSSL didn't have this behaviour. This change removes string.h from base.h and, instead, adds it to each .c file that requires it. Change-Id: I5968e50b0e230fd3adf9b72dd2836e6f52d6fb37 Reviewed-on: https://boringssl-review.googlesource.com/3200 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2015-01-31 01:08:37 +00:00
#include <string.h>
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
#include <openssl/bn.h>
Add crypto/rsa-level RSA-PSS functions. This allows us to implement RSA-PSS in the FIPS module without pulling in EVP_PKEY. It also allows people to use RSA-PSS on an RSA*. Empirically folks seem to use the low-level padding functions a lot, which is unfortunate. This allows us to remove a now redundant length check in p_rsa.c. Change-Id: I5270e01c6999d462d378865db2b858103c335485 Reviewed-on: https://boringssl-review.googlesource.com/15825 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 19:34:09 +01:00
#include <openssl/digest.h>
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
#include <openssl/engine.h>
#include <openssl/err.h>
#include <openssl/ex_data.h>
Consistently check length in RSA_add_pkcs1_prefix. We check the length for MD5+SHA1 but not the normal cases. Instead, EVP_PKEY_sign externally checks the length (largely because the silly RSA-PSS padding function forces it). We especially should be checking the length for these because otherwise the prefix built into the ASN.1 prefix is wrong. The primary motivation is to avoid putting EVP_PKEY inside the FIPS module. This means all logic for supported algorithms should live in crypto/rsa. This requires fixing up the verify_recover logic and some tests, including bcm.c's KAT bits. (evp_tests.txt is now this odd mixture of EVP-level and RSA-level error codes. A follow-up change will add new APIs for RSA-PSS which will allow p_rsa.c to be trimmed down and make things consistent.) Change-Id: I29158e9695b28e8632b06b449234a5dded35c3e7 Reviewed-on: https://boringssl-review.googlesource.com/15824 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 19:15:21 +01:00
#include <openssl/md5.h>
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
#include <openssl/mem.h>
Remove some easy obj.h dependencies. A lot of consumers of obj.h only want the NID values. Others didn't need it at all. This also removes some OBJ_nid2sn and OBJ_nid2ln calls in EVP error paths which isn't worth pulling a large table in for. BUG=chromium:499653 Change-Id: Id6dff578f993012e35b740a13b8e4f9c2edc0744 Reviewed-on: https://boringssl-review.googlesource.com/7563 Reviewed-by: David Benjamin <davidben@google.com>
2016-03-25 22:07:11 +00:00
#include <openssl/nid.h>
Consistently check length in RSA_add_pkcs1_prefix. We check the length for MD5+SHA1 but not the normal cases. Instead, EVP_PKEY_sign externally checks the length (largely because the silly RSA-PSS padding function forces it). We especially should be checking the length for these because otherwise the prefix built into the ASN.1 prefix is wrong. The primary motivation is to avoid putting EVP_PKEY inside the FIPS module. This means all logic for supported algorithms should live in crypto/rsa. This requires fixing up the verify_recover logic and some tests, including bcm.c's KAT bits. (evp_tests.txt is now this odd mixture of EVP-level and RSA-level error codes. A follow-up change will add new APIs for RSA-PSS which will allow p_rsa.c to be trimmed down and make things consistent.) Change-Id: I29158e9695b28e8632b06b449234a5dded35c3e7 Reviewed-on: https://boringssl-review.googlesource.com/15824 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 19:15:21 +01:00
#include <openssl/sha.h>
Eliminate unnecessary includes from low-level crypto modules. Beyond generally eliminating unnecessary includes, eliminate as many includes of headers that declare/define particularly error-prone functionality like strlen, malloc, and free. crypto/err/internal.h was added to remove the dependency on openssl/thread.h from the public openssl/err.h header. The include of <stdlib.h> in openssl/mem.h was retained since it defines OPENSSL_malloc and friends as macros around the stdlib.h functions. The public x509.h, x509v3.h, and ssl.h headers were not changed in order to minimize breakage of source compatibility with external code. Change-Id: I0d264b73ad0a720587774430b2ab8f8275960329 Reviewed-on: https://boringssl-review.googlesource.com/4220 Reviewed-by: Adam Langley <agl@google.com>
2015-03-28 07:12:01 +00:00
#include <openssl/thread.h>
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Move rsa/ to fipsmodule/rsa/ Change-Id: Id20d371ae7a88a91aaba7a9e23574eccb9caeb3c Reviewed-on: https://boringssl-review.googlesource.com/15849 Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-03 19:50:51 +01:00
#include "../bn/internal.h"
#include "../delocate.h"
#include "../../internal.h"
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
#include "internal.h"
Move rsa/ to fipsmodule/rsa/ Change-Id: Id20d371ae7a88a91aaba7a9e23574eccb9caeb3c Reviewed-on: https://boringssl-review.googlesource.com/15849 Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-03 19:50:51 +01:00
DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class);
Remove hash table lookups from ex_data. Instead, each module defines a static CRYPTO_EX_DATA_CLASS to hold the values. This makes CRYPTO_cleanup_all_ex_data a no-op as spreading the CRYPTO_EX_DATA_CLASSes across modules (and across crypto and ssl) makes cleanup slightly trickier. We can make it do something if needbe, but it's probably not worth the trouble. Change-Id: Ib6f6fd39a51d8ba88649f0fa29c66db540610c76 Reviewed-on: https://boringssl-review.googlesource.com/4375 Reviewed-by: Adam Langley <agl@google.com>
2015-04-15 22:29:53 +01:00
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
RSA *RSA_new(void) { return RSA_new_method(NULL); }
RSA *RSA_new_method(const ENGINE *engine) {
Don't cast |OPENSSL_malloc|/|OPENSSL_realloc| result. C has implicit conversion of |void *| to other pointer types so these casts are unnecessary. Clean them up to make the code easier to read and to make it easier to find dangerous casts. Change-Id: I26988a672e8ed4d69c75cfbb284413999b475464 Reviewed-on: https://boringssl-review.googlesource.com/7102 Reviewed-by: David Benjamin <davidben@google.com>
2016-02-07 19:36:04 +00:00
RSA *rsa = OPENSSL_malloc(sizeof(RSA));
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
if (rsa == NULL) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
return NULL;
}
Work around language and compiler bug in memcpy, etc. Most C standard library functions are undefined if passed NULL, even when the corresponding length is zero. This gives them (and, in turn, all functions which call them) surprising behavior on empty arrays. Some compilers will miscompile code due to this rule. See also https://www.imperialviolet.org/2016/06/26/nonnull.html Add OPENSSL_memcpy, etc., wrappers which avoid this problem. BUG=23 Change-Id: I95f42b23e92945af0e681264fffaf578e7f8465e Reviewed-on: https://boringssl-review.googlesource.com/12928 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
2016-12-13 06:07:13 +00:00
OPENSSL_memset(rsa, 0, sizeof(RSA));
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
if (engine) {
rsa->meth = ENGINE_get_RSA_method(engine);
}
if (rsa->meth == NULL) {
Move rsa/ to fipsmodule/rsa/ Change-Id: Id20d371ae7a88a91aaba7a9e23574eccb9caeb3c Reviewed-on: https://boringssl-review.googlesource.com/15849 Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-03 19:50:51 +01:00
rsa->meth = (RSA_METHOD *) RSA_default_method();
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
METHOD_ref(rsa->meth);
rsa->references = 1;
rsa->flags = rsa->meth->flags;
Convert BN_MONT_CTX to new-style locking. This introduces a per-RSA/DSA/DH lock. This is good for lock contention, although pthread locks are depressingly bloated. Change-Id: I07c4d1606fc35135fc141ebe6ba904a28c8f8a0c Reviewed-on: https://boringssl-review.googlesource.com/4324 Reviewed-by: Adam Langley <agl@google.com>
2015-04-13 19:04:14 +01:00
CRYPTO_MUTEX_init(&rsa->lock);
Remove the CRYPTO_EX_new callback. This callback is never used. The one caller I've ever seen is in Android code which isn't built with BoringSSL and it was a no-op. It also doesn't actually make much sense. A callback cannot reasonably assume that it sees every, say, SSL_CTX created because the index may be registered after the first SSL_CTX is created. Nor is there any point in an EX_DATA consumer in one file knowing about an SSL_CTX created in completely unrelated code. Replace all the pointers with a typedef to int*. This will ensure code which passes NULL or 0 continues to compile while breaking code which passes an actual function. This simplifies some object creation functions which now needn't worry about CRYPTO_new_ex_data failing. (Also avoids bouncing on the lock, but it's taking a read lock, so this doesn't really matter.) BUG=391192 Change-Id: I02893883c6fa8693682075b7b130aa538a0a1437 Reviewed-on: https://boringssl-review.googlesource.com/6625 Reviewed-by: Adam Langley <agl@google.com>
2015-12-05 04:14:35 +00:00
CRYPTO_new_ex_data(&rsa->ex_data);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
if (rsa->meth->init && !rsa->meth->init(rsa)) {
Move rsa/ to fipsmodule/rsa/ Change-Id: Id20d371ae7a88a91aaba7a9e23574eccb9caeb3c Reviewed-on: https://boringssl-review.googlesource.com/15849 Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-03 19:50:51 +01:00
CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
Fix various malloc failure codepaths. CRYPTO_MUTEX_init needs a CRYPTO_MUTEX_cleanup. Also a pile of problems with x509_lu.c I noticed trying to import some upstream change. Change-Id: I029a65cd2d30aa31f4832e8fbfe5b2ea0dbc66fe Reviewed-on: https://boringssl-review.googlesource.com/6346 Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-23 23:46:16 +01:00
CRYPTO_MUTEX_cleanup(&rsa->lock);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
METHOD_unref(rsa->meth);
OPENSSL_free(rsa);
return NULL;
}
return rsa;
}
void RSA_free(RSA *rsa) {
unsigned u;
if (rsa == NULL) {
return;
}
Convert reference counts in crypto/ This change converts the reference counts in crypto/ to use |CRYPTO_refcount_t|. The reference counts in |X509_PKEY| and |X509_INFO| were never actually used and so were dropped. Change-Id: I75d572cdac1f8c1083c482e29c9519282d7fd16c Reviewed-on: https://boringssl-review.googlesource.com/4772 Reviewed-by: Adam Langley <agl@google.com>
2015-05-15 20:49:30 +01:00
if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) {
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
return;
}
Free BN_MONT_CTX in generic code. Although those are only created by code owned by RSA_METHOD, custom RSA_METHODs shouldn't be allowed to squat our internal fields and then change how you free things. Remove 'method' from their names now that they're not method-specific. Change-Id: I9494ef9a7754ad59ac9fba7fd463b3336d826e0b Reviewed-on: https://boringssl-review.googlesource.com/6423 Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 23:24:07 +00:00
if (rsa->meth->finish) {
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
rsa->meth->finish(rsa);
}
METHOD_unref(rsa->meth);
Move rsa/ to fipsmodule/rsa/ Change-Id: Id20d371ae7a88a91aaba7a9e23574eccb9caeb3c Reviewed-on: https://boringssl-review.googlesource.com/15849 Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-03 19:50:51 +01:00
CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Remove unnecessary NULL checks, part 4. Finish up crypto, minus the legacy modules we haven't been touching much. Change-Id: I0e9e1999a627aed5fb14841f8a2a7d0b68398e85 Reviewed-on: https://boringssl-review.googlesource.com/4517 Reviewed-by: Adam Langley <agl@google.com>
2015-04-22 21:09:09 +01:00
BN_clear_free(rsa->n);
BN_clear_free(rsa->e);
BN_clear_free(rsa->d);
BN_clear_free(rsa->p);
BN_clear_free(rsa->q);
BN_clear_free(rsa->dmp1);
BN_clear_free(rsa->dmq1);
BN_clear_free(rsa->iqmp);
Free BN_MONT_CTX in generic code. Although those are only created by code owned by RSA_METHOD, custom RSA_METHODs shouldn't be allowed to squat our internal fields and then change how you free things. Remove 'method' from their names now that they're not method-specific. Change-Id: I9494ef9a7754ad59ac9fba7fd463b3336d826e0b Reviewed-on: https://boringssl-review.googlesource.com/6423 Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 23:24:07 +00:00
BN_MONT_CTX_free(rsa->mont_n);
BN_MONT_CTX_free(rsa->mont_p);
BN_MONT_CTX_free(rsa->mont_q);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
for (u = 0; u < rsa->num_blindings; u++) {
BN_BLINDING_free(rsa->blindings[u]);
}
Remove unnecessary NULL checks, part 4. Finish up crypto, minus the legacy modules we haven't been touching much. Change-Id: I0e9e1999a627aed5fb14841f8a2a7d0b68398e85 Reviewed-on: https://boringssl-review.googlesource.com/4517 Reviewed-by: Adam Langley <agl@google.com>
2015-04-22 21:09:09 +01:00
OPENSSL_free(rsa->blindings);
OPENSSL_free(rsa->blindings_inuse);
Convert BN_MONT_CTX to new-style locking. This introduces a per-RSA/DSA/DH lock. This is good for lock contention, although pthread locks are depressingly bloated. Change-Id: I07c4d1606fc35135fc141ebe6ba904a28c8f8a0c Reviewed-on: https://boringssl-review.googlesource.com/4324 Reviewed-by: Adam Langley <agl@google.com>
2015-04-13 19:04:14 +01:00
CRYPTO_MUTEX_cleanup(&rsa->lock);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
OPENSSL_free(rsa);
}
int RSA_up_ref(RSA *rsa) {
Convert reference counts in crypto/ This change converts the reference counts in crypto/ to use |CRYPTO_refcount_t|. The reference counts in |X509_PKEY| and |X509_INFO| were never actually used and so were dropped. Change-Id: I75d572cdac1f8c1083c482e29c9519282d7fd16c Reviewed-on: https://boringssl-review.googlesource.com/4772 Reviewed-by: Adam Langley <agl@google.com>
2015-05-15 20:49:30 +01:00
CRYPTO_refcount_inc(&rsa->references);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
return 1;
}
Add various 1.1.0 accessors. This gets cURL building against both BoringSSL as it is and BoringSSL with OPENSSL_VERSION_NUMBER set to 1.1.0. BUG=91 Change-Id: I5be73b84df701fe76f3055b1239ae4704a931082 Reviewed-on: https://boringssl-review.googlesource.com/10180 CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
2016-08-09 16:04:24 +01:00
void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e,
const BIGNUM **out_d) {
if (out_n != NULL) {
*out_n = rsa->n;
}
if (out_e != NULL) {
*out_e = rsa->e;
}
if (out_d != NULL) {
*out_d = rsa->d;
}
}
void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
const BIGNUM **out_q) {
if (out_p != NULL) {
*out_p = rsa->p;
}
if (out_q != NULL) {
*out_q = rsa->q;
}
}
void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) {
if (out_dmp1 != NULL) {
*out_dmp1 = rsa->dmp1;
}
if (out_dmq1 != NULL) {
*out_dmq1 = rsa->dmq1;
}
if (out_iqmp != NULL) {
*out_iqmp = rsa->iqmp;
}
}
Switch OPENSSL_VERSION_NUMBER to 1.1.0. Although we are derived from 1.0.2, we mimic 1.1.0 in some ways around our FOO_up_ref functions and opaque libssl types. This causes some difficulties when porting third-party code as any OPENSSL_VERSION_NUMBER checks for 1.1.0 APIs we have will be wrong. Moreover, adding accessors without changing OPENSSL_VERSION_NUMBER can break external projects. It is common to implement a compatibility version of an accessor under #ifdef as a static function. This then conflicts with our headers if we, unlike OpenSSL 1.0.2, have this function. This change switches OPENSSL_VERSION_NUMBER to 1.1.0 and atomically adds enough accessors for software with 1.1.0 support already. The hope is this will unblock hiding SSL_CTX and SSL_SESSION, which will be especially useful with C++-ficiation. The cost is we will hit some growing pains as more 1.1.0 consumers enter the ecosystem and we converge on the right set of APIs to import from upstream. It does not remove any 1.0.2 APIs, so we will not require that all projects support 1.1.0. The exception is APIs which changed in 1.1.0 but did not change the function signature. Those are breaking changes. Specifically: - SSL_CTX_sess_set_get_cb is now const-correct. - X509_get0_signature is now const-correct. For C++ consumers only, this change temporarily includes an overload hack for SSL_CTX_sess_set_get_cb that keeps the old callback working. This is a workaround for Node not yet supporting OpenSSL 1.1.0. The version number is set at (the as yet unreleased) 1.1.0g to denote that this change includes https://github.com/openssl/openssl/pull/4384. Bug: 91 Change-Id: I5eeb27448a6db4c25c244afac37f9604d9608a76 Reviewed-on: https://boringssl-review.googlesource.com/10340 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2016-08-12 19:48:19 +01:00
int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
if ((rsa->n == NULL && n == NULL) ||
(rsa->e == NULL && e == NULL)) {
return 0;
}
if (n != NULL) {
BN_free(rsa->n);
rsa->n = n;
}
if (e != NULL) {
BN_free(rsa->e);
rsa->e = e;
}
if (d != NULL) {
BN_free(rsa->d);
rsa->d = d;
}
return 1;
}
int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) {
if ((rsa->p == NULL && p == NULL) ||
(rsa->q == NULL && q == NULL)) {
return 0;
}
if (p != NULL) {
BN_free(rsa->p);
rsa->p = p;
}
if (q != NULL) {
BN_free(rsa->q);
rsa->q = q;
}
return 1;
}
int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
if ((rsa->dmp1 == NULL && dmp1 == NULL) ||
(rsa->dmq1 == NULL && dmq1 == NULL) ||
(rsa->iqmp == NULL && iqmp == NULL)) {
return 0;
}
if (dmp1 != NULL) {
BN_free(rsa->dmp1);
rsa->dmp1 = dmp1;
}
if (dmq1 != NULL) {
BN_free(rsa->dmq1);
rsa->dmq1 = dmq1;
}
if (iqmp != NULL) {
BN_free(rsa->iqmp);
rsa->iqmp = iqmp;
}
return 1;
}
size_t RSA functions. This extends 79c59a30 to |RSA_public_encrypt|, |RSA_private_encrypt|, and |RSA_public_decrypt|. It benefits Conscrypt, which expects these functions to have the same signature as |RSA_public_private_decrypt|. Change-Id: Id1ce3118e8f20a9f43fd4f7bfc478c72a0c64e4b Reviewed-on: https://boringssl-review.googlesource.com/6286 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2015-10-19 21:38:36 +01:00
int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
int padding) {
size_t out_len;
if (!RSA_encrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
return -1;
}
size_t RSA functions. This extends 79c59a30 to |RSA_public_encrypt|, |RSA_private_encrypt|, and |RSA_public_decrypt|. It benefits Conscrypt, which expects these functions to have the same signature as |RSA_public_private_decrypt|. Change-Id: Id1ce3118e8f20a9f43fd4f7bfc478c72a0c64e4b Reviewed-on: https://boringssl-review.googlesource.com/6286 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2015-10-19 21:38:36 +01:00
if (out_len > INT_MAX) {
OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
return -1;
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
return out_len;
}
int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
const uint8_t *in, size_t in_len, int padding) {
if (rsa->meth->sign_raw) {
return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
}
Make it possible for a static linker to discard unused RSA functions. Having a single RSA_METHOD means they all get pulled in. Notably, RSA key generation pulls in the primality-checking code. Change-Id: Iece480113754da090ddf87b64d8769f01e05d26c Reviewed-on: https://boringssl-review.googlesource.com/6389 Reviewed-by: Adam Langley <agl@google.com>
2015-10-29 17:19:12 +00:00
return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
size_t RSA functions. This extends 79c59a30 to |RSA_public_encrypt|, |RSA_private_encrypt|, and |RSA_public_decrypt|. It benefits Conscrypt, which expects these functions to have the same signature as |RSA_public_private_decrypt|. Change-Id: Id1ce3118e8f20a9f43fd4f7bfc478c72a0c64e4b Reviewed-on: https://boringssl-review.googlesource.com/6286 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2015-10-19 21:38:36 +01:00
int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
int padding) {
size_t out_len;
if (!RSA_sign_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
return -1;
}
size_t RSA functions. This extends 79c59a30 to |RSA_public_encrypt|, |RSA_private_encrypt|, and |RSA_public_decrypt|. It benefits Conscrypt, which expects these functions to have the same signature as |RSA_public_private_decrypt|. Change-Id: Id1ce3118e8f20a9f43fd4f7bfc478c72a0c64e4b Reviewed-on: https://boringssl-review.googlesource.com/6286 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2015-10-19 21:38:36 +01:00
if (out_len > INT_MAX) {
OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
return -1;
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
return out_len;
}
int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
const uint8_t *in, size_t in_len, int padding) {
if (rsa->meth->decrypt) {
return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding);
}
Make it possible for a static linker to discard unused RSA functions. Having a single RSA_METHOD means they all get pulled in. Notably, RSA key generation pulls in the primality-checking code. Change-Id: Iece480113754da090ddf87b64d8769f01e05d26c Reviewed-on: https://boringssl-review.googlesource.com/6389 Reviewed-by: Adam Langley <agl@google.com>
2015-10-29 17:19:12 +00:00
return rsa_default_decrypt(rsa, out_len, out, max_out, in, in_len, padding);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
size_t RSA_private_decrypt's input. Change-Id: If05761052e235b38d9798b2fe4d8ba44293af891 Reviewed-on: https://boringssl-review.googlesource.com/5944 Reviewed-by: Adam Langley <agl@google.com>
2015-09-19 18:35:39 +01:00
int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
int padding) {
size_t out_len;
if (!RSA_decrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
return -1;
}
size_t RSA_private_decrypt's input. Change-Id: If05761052e235b38d9798b2fe4d8ba44293af891 Reviewed-on: https://boringssl-review.googlesource.com/5944 Reviewed-by: Adam Langley <agl@google.com>
2015-09-19 18:35:39 +01:00
if (out_len > INT_MAX) {
OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
return -1;
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
return out_len;
}
size_t RSA functions. This extends 79c59a30 to |RSA_public_encrypt|, |RSA_private_encrypt|, and |RSA_public_decrypt|. It benefits Conscrypt, which expects these functions to have the same signature as |RSA_public_private_decrypt|. Change-Id: Id1ce3118e8f20a9f43fd4f7bfc478c72a0c64e4b Reviewed-on: https://boringssl-review.googlesource.com/6286 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2015-10-19 21:38:36 +01:00
int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
int padding) {
size_t out_len;
if (!RSA_verify_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
return -1;
}
size_t RSA functions. This extends 79c59a30 to |RSA_public_encrypt|, |RSA_private_encrypt|, and |RSA_public_decrypt|. It benefits Conscrypt, which expects these functions to have the same signature as |RSA_public_private_decrypt|. Change-Id: Id1ce3118e8f20a9f43fd4f7bfc478c72a0c64e4b Reviewed-on: https://boringssl-review.googlesource.com/6286 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2015-10-19 21:38:36 +01:00
if (out_len > INT_MAX) {
OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
return -1;
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
return out_len;
}
unsigned RSA_size(const RSA *rsa) {
Add a size hook to RSA_METHOD. This is to avoid having to copy over the RSA modulus in all of Chromium's platform-specific keys. Change-Id: I20bf22446a5cfb633b900c3b392b7a1da81a5431 Reviewed-on: https://boringssl-review.googlesource.com/1151 Reviewed-by: Adam Langley <agl@google.com>
2014-07-11 19:14:08 +01:00
if (rsa->meth->size) {
return rsa->meth->size(rsa);
}
Make it possible for a static linker to discard unused RSA functions. Having a single RSA_METHOD means they all get pulled in. Notably, RSA key generation pulls in the primality-checking code. Change-Id: Iece480113754da090ddf87b64d8769f01e05d26c Reviewed-on: https://boringssl-review.googlesource.com/6389 Reviewed-by: Adam Langley <agl@google.com>
2015-10-29 17:19:12 +00:00
return rsa_default_size(rsa);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Introduce EVP_PKEY_is_opaque to replace RSA_METHOD_FLAG_NO_CHECK. Custom RSA and ECDSA keys may not expose the key material. Plumb and "opaque" bit out of the *_METHOD up to EVP_PKEY. Query that in ssl_rsa.c to skip the sanity checks for certificate and key matching. Change-Id: I362a2d5116bfd1803560dfca1d69a91153e895fc Reviewed-on: https://boringssl-review.googlesource.com/1255 Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 23:39:42 +01:00
int RSA_is_opaque(const RSA *rsa) {
return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE);
}
Remove the CRYPTO_EX_new callback. This callback is never used. The one caller I've ever seen is in Android code which isn't built with BoringSSL and it was a no-op. It also doesn't actually make much sense. A callback cannot reasonably assume that it sees every, say, SSL_CTX created because the index may be registered after the first SSL_CTX is created. Nor is there any point in an EX_DATA consumer in one file knowing about an SSL_CTX created in completely unrelated code. Replace all the pointers with a typedef to int*. This will ensure code which passes NULL or 0 continues to compile while breaking code which passes an actual function. This simplifies some object creation functions which now needn't worry about CRYPTO_new_ex_data failing. (Also avoids bouncing on the lock, but it's taking a read lock, so this doesn't really matter.) BUG=391192 Change-Id: I02893883c6fa8693682075b7b130aa538a0a1437 Reviewed-on: https://boringssl-review.googlesource.com/6625 Reviewed-by: Adam Langley <agl@google.com>
2015-12-05 04:14:35 +00:00
int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
Remove ex_data's dup hook. The only place it is used is EC_KEY_{dup,copy} and no one calls that function on an EC_KEY with ex_data. This aligns with functions like RSAPublicKey_dup which do not copy ex_data. The logic is also somewhat subtle in the face of malloc errors (upstream's PR 3323). In fact, we'd even changed the function pointer signature from upstream, so BoringSSL-only code is needed to pass this pointer in anyway. (I haven't switched it to CRYPTO_EX_unused because there are some callers which pass in an implementation anyway.) Note, in upstream, the dup hook is also used for SSL_SESSIONs when those are duplicated (for TLS 1.2 ticket renewal or TLS 1.3 resumption). Our interpretation is that callers should treat those SSL_SESSIONs equivalently to newly-established ones. This avoids every consumer providing a dup hook and simplifies the interface. (I've gone ahead and removed the TODO(fork). I don't think we'll be able to change this API. Maybe introduce a new one, but it may not be worth it? Then again, this API is atrocious... I've never seen anyone use argl and argp even.) BUG=21 Change-Id: I6c9e9d5a02347cb229d4c084c1e85125bd741d2b Reviewed-on: https://boringssl-review.googlesource.com/16344 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-14 22:10:18 +01:00
CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
Remove hash table lookups from ex_data. Instead, each module defines a static CRYPTO_EX_DATA_CLASS to hold the values. This makes CRYPTO_cleanup_all_ex_data a no-op as spreading the CRYPTO_EX_DATA_CLASSes across modules (and across crypto and ssl) makes cleanup slightly trickier. We can make it do something if needbe, but it's probably not worth the trouble. Change-Id: Ib6f6fd39a51d8ba88649f0fa29c66db540610c76 Reviewed-on: https://boringssl-review.googlesource.com/4375 Reviewed-by: Adam Langley <agl@google.com>
2015-04-15 22:29:53 +01:00
int index;
Move rsa/ to fipsmodule/rsa/ Change-Id: Id20d371ae7a88a91aaba7a9e23574eccb9caeb3c Reviewed-on: https://boringssl-review.googlesource.com/15849 Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-03 19:50:51 +01:00
if (!CRYPTO_get_ex_new_index(g_rsa_ex_data_class_bss_get(), &index, argl,
Remove ex_data's dup hook. The only place it is used is EC_KEY_{dup,copy} and no one calls that function on an EC_KEY with ex_data. This aligns with functions like RSAPublicKey_dup which do not copy ex_data. The logic is also somewhat subtle in the face of malloc errors (upstream's PR 3323). In fact, we'd even changed the function pointer signature from upstream, so BoringSSL-only code is needed to pass this pointer in anyway. (I haven't switched it to CRYPTO_EX_unused because there are some callers which pass in an implementation anyway.) Note, in upstream, the dup hook is also used for SSL_SESSIONs when those are duplicated (for TLS 1.2 ticket renewal or TLS 1.3 resumption). Our interpretation is that callers should treat those SSL_SESSIONs equivalently to newly-established ones. This avoids every consumer providing a dup hook and simplifies the interface. (I've gone ahead and removed the TODO(fork). I don't think we'll be able to change this API. Maybe introduce a new one, but it may not be worth it? Then again, this API is atrocious... I've never seen anyone use argl and argp even.) BUG=21 Change-Id: I6c9e9d5a02347cb229d4c084c1e85125bd741d2b Reviewed-on: https://boringssl-review.googlesource.com/16344 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-14 22:10:18 +01:00
argp, free_func)) {
Remove hash table lookups from ex_data. Instead, each module defines a static CRYPTO_EX_DATA_CLASS to hold the values. This makes CRYPTO_cleanup_all_ex_data a no-op as spreading the CRYPTO_EX_DATA_CLASSes across modules (and across crypto and ssl) makes cleanup slightly trickier. We can make it do something if needbe, but it's probably not worth the trouble. Change-Id: Ib6f6fd39a51d8ba88649f0fa29c66db540610c76 Reviewed-on: https://boringssl-review.googlesource.com/4375 Reviewed-by: Adam Langley <agl@google.com>
2015-04-15 22:29:53 +01:00
return -1;
}
return index;
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Fix miscellaneous clang-tidy warnings. There are still a ton of them, almost exclusively complaints that function declaration and definitions have different parameter names. I just fixed a few randomly. Change-Id: I1072f3dba8f63372cda92425aa94f4aa9e3911fa Reviewed-on: https://boringssl-review.googlesource.com/18706 Reviewed-by: Steven Valdez <svaldez@google.com>
2017-08-01 00:09:42 +01:00
int RSA_set_ex_data(RSA *rsa, int idx, void *arg) {
return CRYPTO_set_ex_data(&rsa->ex_data, idx, arg);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Fix miscellaneous clang-tidy warnings. There are still a ton of them, almost exclusively complaints that function declaration and definitions have different parameter names. I just fixed a few randomly. Change-Id: I1072f3dba8f63372cda92425aa94f4aa9e3911fa Reviewed-on: https://boringssl-review.googlesource.com/18706 Reviewed-by: Steven Valdez <svaldez@google.com>
2017-08-01 00:09:42 +01:00
void *RSA_get_ex_data(const RSA *rsa, int idx) {
return CRYPTO_get_ex_data(&rsa->ex_data, idx);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's
// the length of an MD5 and SHA1 hash.
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
static const unsigned SSL_SIG_LENGTH = 36;
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
// to be signed with PKCS#1.
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
struct pkcs1_sig_prefix {
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// nid identifies the hash function.
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
int nid;
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// hash_len is the expected length of the hash function.
Consistently check length in RSA_add_pkcs1_prefix. We check the length for MD5+SHA1 but not the normal cases. Instead, EVP_PKEY_sign externally checks the length (largely because the silly RSA-PSS padding function forces it). We especially should be checking the length for these because otherwise the prefix built into the ASN.1 prefix is wrong. The primary motivation is to avoid putting EVP_PKEY inside the FIPS module. This means all logic for supported algorithms should live in crypto/rsa. This requires fixing up the verify_recover logic and some tests, including bcm.c's KAT bits. (evp_tests.txt is now this odd mixture of EVP-level and RSA-level error codes. A follow-up change will add new APIs for RSA-PSS which will allow p_rsa.c to be trimmed down and make things consistent.) Change-Id: I29158e9695b28e8632b06b449234a5dded35c3e7 Reviewed-on: https://boringssl-review.googlesource.com/15824 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 19:15:21 +01:00
uint8_t hash_len;
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// len is the number of bytes of |bytes| which are valid.
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
uint8_t len;
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// bytes contains the DER bytes.
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
uint8_t bytes[19];
};
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
// different hash functions.
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
{
NID_md5,
Consistently check length in RSA_add_pkcs1_prefix. We check the length for MD5+SHA1 but not the normal cases. Instead, EVP_PKEY_sign externally checks the length (largely because the silly RSA-PSS padding function forces it). We especially should be checking the length for these because otherwise the prefix built into the ASN.1 prefix is wrong. The primary motivation is to avoid putting EVP_PKEY inside the FIPS module. This means all logic for supported algorithms should live in crypto/rsa. This requires fixing up the verify_recover logic and some tests, including bcm.c's KAT bits. (evp_tests.txt is now this odd mixture of EVP-level and RSA-level error codes. A follow-up change will add new APIs for RSA-PSS which will allow p_rsa.c to be trimmed down and make things consistent.) Change-Id: I29158e9695b28e8632b06b449234a5dded35c3e7 Reviewed-on: https://boringssl-review.googlesource.com/15824 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 19:15:21 +01:00
MD5_DIGEST_LENGTH,
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
18,
{0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
},
{
NID_sha1,
Consistently check length in RSA_add_pkcs1_prefix. We check the length for MD5+SHA1 but not the normal cases. Instead, EVP_PKEY_sign externally checks the length (largely because the silly RSA-PSS padding function forces it). We especially should be checking the length for these because otherwise the prefix built into the ASN.1 prefix is wrong. The primary motivation is to avoid putting EVP_PKEY inside the FIPS module. This means all logic for supported algorithms should live in crypto/rsa. This requires fixing up the verify_recover logic and some tests, including bcm.c's KAT bits. (evp_tests.txt is now this odd mixture of EVP-level and RSA-level error codes. A follow-up change will add new APIs for RSA-PSS which will allow p_rsa.c to be trimmed down and make things consistent.) Change-Id: I29158e9695b28e8632b06b449234a5dded35c3e7 Reviewed-on: https://boringssl-review.googlesource.com/15824 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 19:15:21 +01:00
SHA_DIGEST_LENGTH,
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
15,
{0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
0x00, 0x04, 0x14},
},
{
NID_sha224,
Consistently check length in RSA_add_pkcs1_prefix. We check the length for MD5+SHA1 but not the normal cases. Instead, EVP_PKEY_sign externally checks the length (largely because the silly RSA-PSS padding function forces it). We especially should be checking the length for these because otherwise the prefix built into the ASN.1 prefix is wrong. The primary motivation is to avoid putting EVP_PKEY inside the FIPS module. This means all logic for supported algorithms should live in crypto/rsa. This requires fixing up the verify_recover logic and some tests, including bcm.c's KAT bits. (evp_tests.txt is now this odd mixture of EVP-level and RSA-level error codes. A follow-up change will add new APIs for RSA-PSS which will allow p_rsa.c to be trimmed down and make things consistent.) Change-Id: I29158e9695b28e8632b06b449234a5dded35c3e7 Reviewed-on: https://boringssl-review.googlesource.com/15824 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 19:15:21 +01:00
SHA224_DIGEST_LENGTH,
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
19,
{0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
},
{
NID_sha256,
Consistently check length in RSA_add_pkcs1_prefix. We check the length for MD5+SHA1 but not the normal cases. Instead, EVP_PKEY_sign externally checks the length (largely because the silly RSA-PSS padding function forces it). We especially should be checking the length for these because otherwise the prefix built into the ASN.1 prefix is wrong. The primary motivation is to avoid putting EVP_PKEY inside the FIPS module. This means all logic for supported algorithms should live in crypto/rsa. This requires fixing up the verify_recover logic and some tests, including bcm.c's KAT bits. (evp_tests.txt is now this odd mixture of EVP-level and RSA-level error codes. A follow-up change will add new APIs for RSA-PSS which will allow p_rsa.c to be trimmed down and make things consistent.) Change-Id: I29158e9695b28e8632b06b449234a5dded35c3e7 Reviewed-on: https://boringssl-review.googlesource.com/15824 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 19:15:21 +01:00
SHA256_DIGEST_LENGTH,
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
19,
{0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
},
{
NID_sha384,
Consistently check length in RSA_add_pkcs1_prefix. We check the length for MD5+SHA1 but not the normal cases. Instead, EVP_PKEY_sign externally checks the length (largely because the silly RSA-PSS padding function forces it). We especially should be checking the length for these because otherwise the prefix built into the ASN.1 prefix is wrong. The primary motivation is to avoid putting EVP_PKEY inside the FIPS module. This means all logic for supported algorithms should live in crypto/rsa. This requires fixing up the verify_recover logic and some tests, including bcm.c's KAT bits. (evp_tests.txt is now this odd mixture of EVP-level and RSA-level error codes. A follow-up change will add new APIs for RSA-PSS which will allow p_rsa.c to be trimmed down and make things consistent.) Change-Id: I29158e9695b28e8632b06b449234a5dded35c3e7 Reviewed-on: https://boringssl-review.googlesource.com/15824 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 19:15:21 +01:00
SHA384_DIGEST_LENGTH,
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
19,
{0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
},
{
NID_sha512,
Consistently check length in RSA_add_pkcs1_prefix. We check the length for MD5+SHA1 but not the normal cases. Instead, EVP_PKEY_sign externally checks the length (largely because the silly RSA-PSS padding function forces it). We especially should be checking the length for these because otherwise the prefix built into the ASN.1 prefix is wrong. The primary motivation is to avoid putting EVP_PKEY inside the FIPS module. This means all logic for supported algorithms should live in crypto/rsa. This requires fixing up the verify_recover logic and some tests, including bcm.c's KAT bits. (evp_tests.txt is now this odd mixture of EVP-level and RSA-level error codes. A follow-up change will add new APIs for RSA-PSS which will allow p_rsa.c to be trimmed down and make things consistent.) Change-Id: I29158e9695b28e8632b06b449234a5dded35c3e7 Reviewed-on: https://boringssl-review.googlesource.com/15824 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 19:15:21 +01:00
SHA512_DIGEST_LENGTH,
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
19,
{0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
},
{
Consistently check length in RSA_add_pkcs1_prefix. We check the length for MD5+SHA1 but not the normal cases. Instead, EVP_PKEY_sign externally checks the length (largely because the silly RSA-PSS padding function forces it). We especially should be checking the length for these because otherwise the prefix built into the ASN.1 prefix is wrong. The primary motivation is to avoid putting EVP_PKEY inside the FIPS module. This means all logic for supported algorithms should live in crypto/rsa. This requires fixing up the verify_recover logic and some tests, including bcm.c's KAT bits. (evp_tests.txt is now this odd mixture of EVP-level and RSA-level error codes. A follow-up change will add new APIs for RSA-PSS which will allow p_rsa.c to be trimmed down and make things consistent.) Change-Id: I29158e9695b28e8632b06b449234a5dded35c3e7 Reviewed-on: https://boringssl-review.googlesource.com/15824 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 19:15:21 +01:00
NID_undef, 0, 0, {0},
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
},
};
Export pkcs1_prefixed_msg as RSA_add_pkcs1_prefix. Platform crypto APIs for PKCS#1 RSA signatures vary between expecting the caller to prepend the DigestInfo prefix (RSA_sign_raw) and prepending it internally (RSA_sign). Currently, Chromium implements sign or sign_raw as appropriate. To avoid needing both variants, the new asynchronous methods will only expose the higher-level one, sign. To satisfy ports which previously implemented sign_raw, expose the DigestInfo prefix as a utility function. BUG=347404 Change-Id: I04c397b5e9502b2942f6698ecf81662a3c9282e6 Reviewed-on: https://boringssl-review.googlesource.com/4940 Reviewed-by: Adam Langley <agl@google.com>
2015-05-28 21:53:31 +01:00
int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
int *is_alloced, int hash_nid, const uint8_t *msg,
size_t msg_len) {
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
unsigned i;
if (hash_nid == NID_md5_sha1) {
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// Special case: SSL signature, just check the length.
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
if (msg_len != SSL_SIG_LENGTH) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
return 0;
}
*out_msg = (uint8_t*) msg;
*out_msg_len = SSL_SIG_LENGTH;
*is_alloced = 0;
return 1;
}
for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
Enable MSVC warning C4701, use of potentially uninitialized variable. C4701 is "potentially uninitialized local variable 'buf' used". It sometimes results in false positives, which can now be suppressed using the macro OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS. Change-Id: I15068b5a48e1c704702e7752982b9ead855e7633 Reviewed-on: https://boringssl-review.googlesource.com/3160 Reviewed-by: Adam Langley <agl@google.com>
2015-01-29 23:03:18 +00:00
if (sig_prefix->nid != hash_nid) {
continue;
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Consistently check length in RSA_add_pkcs1_prefix. We check the length for MD5+SHA1 but not the normal cases. Instead, EVP_PKEY_sign externally checks the length (largely because the silly RSA-PSS padding function forces it). We especially should be checking the length for these because otherwise the prefix built into the ASN.1 prefix is wrong. The primary motivation is to avoid putting EVP_PKEY inside the FIPS module. This means all logic for supported algorithms should live in crypto/rsa. This requires fixing up the verify_recover logic and some tests, including bcm.c's KAT bits. (evp_tests.txt is now this odd mixture of EVP-level and RSA-level error codes. A follow-up change will add new APIs for RSA-PSS which will allow p_rsa.c to be trimmed down and make things consistent.) Change-Id: I29158e9695b28e8632b06b449234a5dded35c3e7 Reviewed-on: https://boringssl-review.googlesource.com/15824 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 19:15:21 +01:00
if (msg_len != sig_prefix->hash_len) {
OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
return 0;
}
Enable MSVC warning C4701, use of potentially uninitialized variable. C4701 is "potentially uninitialized local variable 'buf' used". It sometimes results in false positives, which can now be suppressed using the macro OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS. Change-Id: I15068b5a48e1c704702e7752982b9ead855e7633 Reviewed-on: https://boringssl-review.googlesource.com/3160 Reviewed-by: Adam Langley <agl@google.com>
2015-01-29 23:03:18 +00:00
const uint8_t* prefix = sig_prefix->bytes;
unsigned prefix_len = sig_prefix->len;
unsigned signed_msg_len;
uint8_t *signed_msg;
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Enable MSVC warning C4701, use of potentially uninitialized variable. C4701 is "potentially uninitialized local variable 'buf' used". It sometimes results in false positives, which can now be suppressed using the macro OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS. Change-Id: I15068b5a48e1c704702e7752982b9ead855e7633 Reviewed-on: https://boringssl-review.googlesource.com/3160 Reviewed-by: Adam Langley <agl@google.com>
2015-01-29 23:03:18 +00:00
signed_msg_len = prefix_len + msg_len;
if (signed_msg_len < prefix_len) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG);
Enable MSVC warning C4701, use of potentially uninitialized variable. C4701 is "potentially uninitialized local variable 'buf' used". It sometimes results in false positives, which can now be suppressed using the macro OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS. Change-Id: I15068b5a48e1c704702e7752982b9ead855e7633 Reviewed-on: https://boringssl-review.googlesource.com/3160 Reviewed-by: Adam Langley <agl@google.com>
2015-01-29 23:03:18 +00:00
return 0;
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Enable MSVC warning C4701, use of potentially uninitialized variable. C4701 is "potentially uninitialized local variable 'buf' used". It sometimes results in false positives, which can now be suppressed using the macro OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS. Change-Id: I15068b5a48e1c704702e7752982b9ead855e7633 Reviewed-on: https://boringssl-review.googlesource.com/3160 Reviewed-by: Adam Langley <agl@google.com>
2015-01-29 23:03:18 +00:00
signed_msg = OPENSSL_malloc(signed_msg_len);
if (!signed_msg) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
Enable MSVC warning C4701, use of potentially uninitialized variable. C4701 is "potentially uninitialized local variable 'buf' used". It sometimes results in false positives, which can now be suppressed using the macro OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS. Change-Id: I15068b5a48e1c704702e7752982b9ead855e7633 Reviewed-on: https://boringssl-review.googlesource.com/3160 Reviewed-by: Adam Langley <agl@google.com>
2015-01-29 23:03:18 +00:00
return 0;
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Work around language and compiler bug in memcpy, etc. Most C standard library functions are undefined if passed NULL, even when the corresponding length is zero. This gives them (and, in turn, all functions which call them) surprising behavior on empty arrays. Some compilers will miscompile code due to this rule. See also https://www.imperialviolet.org/2016/06/26/nonnull.html Add OPENSSL_memcpy, etc., wrappers which avoid this problem. BUG=23 Change-Id: I95f42b23e92945af0e681264fffaf578e7f8465e Reviewed-on: https://boringssl-review.googlesource.com/12928 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
2016-12-13 06:07:13 +00:00
OPENSSL_memcpy(signed_msg, prefix, prefix_len);
OPENSSL_memcpy(signed_msg + prefix_len, msg, msg_len);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Enable MSVC warning C4701, use of potentially uninitialized variable. C4701 is "potentially uninitialized local variable 'buf' used". It sometimes results in false positives, which can now be suppressed using the macro OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS. Change-Id: I15068b5a48e1c704702e7752982b9ead855e7633 Reviewed-on: https://boringssl-review.googlesource.com/3160 Reviewed-by: Adam Langley <agl@google.com>
2015-01-29 23:03:18 +00:00
*out_msg = signed_msg;
*out_msg_len = signed_msg_len;
*is_alloced = 1;
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Enable MSVC warning C4701, use of potentially uninitialized variable. C4701 is "potentially uninitialized local variable 'buf' used". It sometimes results in false positives, which can now be suppressed using the macro OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS. Change-Id: I15068b5a48e1c704702e7752982b9ead855e7633 Reviewed-on: https://boringssl-review.googlesource.com/3160 Reviewed-by: Adam Langley <agl@google.com>
2015-01-29 23:03:18 +00:00
return 1;
}
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
Enable MSVC warning C4701, use of potentially uninitialized variable. C4701 is "potentially uninitialized local variable 'buf' used". It sometimes results in false positives, which can now be suppressed using the macro OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS. Change-Id: I15068b5a48e1c704702e7752982b9ead855e7633 Reviewed-on: https://boringssl-review.googlesource.com/3160 Reviewed-by: Adam Langley <agl@google.com>
2015-01-29 23:03:18 +00:00
return 0;
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
unsigned *out_len, RSA *rsa) {
const unsigned rsa_size = RSA_size(rsa);
int ret = 0;
Shush some uninitialized variable warnings. We seem to have tweaked some inlining one way or another and confused the compiler's uninitialized value warning. https://build.chromium.org/p/client.boringssl/builders/android_aarch64_rel/builds/1010/steps/ninja/logs/stdio Change-Id: I0115da889eb7fffedaa4bd7ecc896f5b68215d68 Reviewed-on: https://boringssl-review.googlesource.com/15832 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-02 22:21:15 +01:00
uint8_t *signed_msg = NULL;
size_t signed_msg_len = 0;
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
int signed_msg_is_alloced = 0;
size_t size_t_out_len;
if (rsa->meth->sign) {
return rsa->meth->sign(hash_nid, in, in_len, out, out_len, rsa);
}
Export pkcs1_prefixed_msg as RSA_add_pkcs1_prefix. Platform crypto APIs for PKCS#1 RSA signatures vary between expecting the caller to prepend the DigestInfo prefix (RSA_sign_raw) and prepending it internally (RSA_sign). Currently, Chromium implements sign or sign_raw as appropriate. To avoid needing both variants, the new asynchronous methods will only expose the higher-level one, sign. To satisfy ports which previously implemented sign_raw, expose the DigestInfo prefix as a utility function. BUG=347404 Change-Id: I04c397b5e9502b2942f6698ecf81662a3c9282e6 Reviewed-on: https://boringssl-review.googlesource.com/4940 Reviewed-by: Adam Langley <agl@google.com>
2015-05-28 21:53:31 +01:00
if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
Remove redundant check in RSA_sign. This is just some idle cleanup. The padding functions already must handle size checks. Swap out the error code in the low-level portions to keep that unchanged. Also remove an old TODO(fork) about constant-time-ness. Signature verification padding checks don't need to be constant time, and decryption ones should be resolved now. Change-Id: I20e7affdb7f2dce167a304afe707bfd537dd412a Reviewed-on: https://boringssl-review.googlesource.com/14946 Reviewed-by: Adam Langley <agl@google.com>
2017-04-11 17:54:06 +01:00
&signed_msg_is_alloced, hash_nid, in, in_len) ||
!RSA_sign_raw(rsa, &size_t_out_len, out, rsa_size, signed_msg,
signed_msg_len, RSA_PKCS1_PADDING)) {
goto err;
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Remove redundant check in RSA_sign. This is just some idle cleanup. The padding functions already must handle size checks. Swap out the error code in the low-level portions to keep that unchanged. Also remove an old TODO(fork) about constant-time-ness. Signature verification padding checks don't need to be constant time, and decryption ones should be resolved now. Change-Id: I20e7affdb7f2dce167a304afe707bfd537dd412a Reviewed-on: https://boringssl-review.googlesource.com/14946 Reviewed-by: Adam Langley <agl@google.com>
2017-04-11 17:54:06 +01:00
*out_len = size_t_out_len;
ret = 1;
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Remove redundant check in RSA_sign. This is just some idle cleanup. The padding functions already must handle size checks. Swap out the error code in the low-level portions to keep that unchanged. Also remove an old TODO(fork) about constant-time-ness. Signature verification padding checks don't need to be constant time, and decryption ones should be resolved now. Change-Id: I20e7affdb7f2dce167a304afe707bfd537dd412a Reviewed-on: https://boringssl-review.googlesource.com/14946 Reviewed-by: Adam Langley <agl@google.com>
2017-04-11 17:54:06 +01:00
err:
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
if (signed_msg_is_alloced) {
OPENSSL_free(signed_msg);
}
return ret;
}
Add crypto/rsa-level RSA-PSS functions. This allows us to implement RSA-PSS in the FIPS module without pulling in EVP_PKEY. It also allows people to use RSA-PSS on an RSA*. Empirically folks seem to use the low-level padding functions a lot, which is unfortunate. This allows us to remove a now redundant length check in p_rsa.c. Change-Id: I5270e01c6999d462d378865db2b858103c335485 Reviewed-on: https://boringssl-review.googlesource.com/15825 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 19:34:09 +01:00
int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
const uint8_t *in, size_t in_len, const EVP_MD *md,
const EVP_MD *mgf1_md, int salt_len) {
if (in_len != EVP_MD_size(md)) {
OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
return 0;
}
size_t padded_len = RSA_size(rsa);
uint8_t *padded = OPENSSL_malloc(padded_len);
if (padded == NULL) {
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
return 0;
}
int ret =
RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, in, md, mgf1_md, salt_len) &&
RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len,
RSA_NO_PADDING);
OPENSSL_free(padded);
return ret;
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
const uint8_t *sig, size_t sig_len, RSA *rsa) {
Drop support for engines-provided signature verification. We do not need to support engine-provided verification methods. Change-Id: Iaad8369d403082b728c831167cc386fdcabfb067 Reviewed-on: https://boringssl-review.googlesource.com/7311 Reviewed-by: David Benjamin <davidben@google.com>
2016-03-04 18:54:07 +00:00
if (rsa->n == NULL || rsa->e == NULL) {
OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
return 0;
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
const size_t rsa_size = RSA_size(rsa);
uint8_t *buf = NULL;
int ret = 0;
uint8_t *signed_msg = NULL;
Shush some uninitialized variable warnings. We seem to have tweaked some inlining one way or another and confused the compiler's uninitialized value warning. https://build.chromium.org/p/client.boringssl/builders/android_aarch64_rel/builds/1010/steps/ninja/logs/stdio Change-Id: I0115da889eb7fffedaa4bd7ecc896f5b68215d68 Reviewed-on: https://boringssl-review.googlesource.com/15832 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-02 22:21:15 +01:00
size_t signed_msg_len = 0, len;
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
int signed_msg_is_alloced = 0;
if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
return 0;
}
buf = OPENSSL_malloc(rsa_size);
if (!buf) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
return 0;
}
if (!RSA_verify_raw(rsa, &len, buf, rsa_size, sig, sig_len,
RSA_PKCS1_PADDING)) {
goto out;
}
Export pkcs1_prefixed_msg as RSA_add_pkcs1_prefix. Platform crypto APIs for PKCS#1 RSA signatures vary between expecting the caller to prepend the DigestInfo prefix (RSA_sign_raw) and prepending it internally (RSA_sign). Currently, Chromium implements sign or sign_raw as appropriate. To avoid needing both variants, the new asynchronous methods will only expose the higher-level one, sign. To satisfy ports which previously implemented sign_raw, expose the DigestInfo prefix as a utility function. BUG=347404 Change-Id: I04c397b5e9502b2942f6698ecf81662a3c9282e6 Reviewed-on: https://boringssl-review.googlesource.com/4940 Reviewed-by: Adam Langley <agl@google.com>
2015-05-28 21:53:31 +01:00
if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
&signed_msg_is_alloced, hash_nid, msg, msg_len)) {
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
goto out;
}
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// Check that no other information follows the hash value (FIPS 186-4 Section
// 5.5) and it matches the expected hash.
Work around language and compiler bug in memcpy, etc. Most C standard library functions are undefined if passed NULL, even when the corresponding length is zero. This gives them (and, in turn, all functions which call them) surprising behavior on empty arrays. Some compilers will miscompile code due to this rule. See also https://www.imperialviolet.org/2016/06/26/nonnull.html Add OPENSSL_memcpy, etc., wrappers which avoid this problem. BUG=23 Change-Id: I95f42b23e92945af0e681264fffaf578e7f8465e Reviewed-on: https://boringssl-review.googlesource.com/12928 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
2016-12-13 06:07:13 +00:00
if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
goto out;
}
ret = 1;
out:
Remove unnecessary NULL checks, part 4. Finish up crypto, minus the legacy modules we haven't been touching much. Change-Id: I0e9e1999a627aed5fb14841f8a2a7d0b68398e85 Reviewed-on: https://boringssl-review.googlesource.com/4517 Reviewed-by: Adam Langley <agl@google.com>
2015-04-22 21:09:09 +01:00
OPENSSL_free(buf);
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
if (signed_msg_is_alloced) {
OPENSSL_free(signed_msg);
}
return ret;
}
Add function to recover RSA CRT params. Some RSA private keys are specified with only n, e and d. Although we can use these keys directly, it's nice to have a uniform representation that includes the precomputed CRT values. This change adds a function that can recover the primes from a minimal private key of that form.
2014-06-20 20:00:00 +01:00
Add crypto/rsa-level RSA-PSS functions. This allows us to implement RSA-PSS in the FIPS module without pulling in EVP_PKEY. It also allows people to use RSA-PSS on an RSA*. Empirically folks seem to use the low-level padding functions a lot, which is unfortunate. This allows us to remove a now redundant length check in p_rsa.c. Change-Id: I5270e01c6999d462d378865db2b858103c335485 Reviewed-on: https://boringssl-review.googlesource.com/15825 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 19:34:09 +01:00
int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, size_t msg_len,
const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len,
const uint8_t *sig, size_t sig_len) {
if (msg_len != EVP_MD_size(md)) {
OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
return 0;
}
size_t em_len = RSA_size(rsa);
uint8_t *em = OPENSSL_malloc(em_len);
if (em == NULL) {
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
return 0;
}
int ret = 0;
if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) {
goto err;
}
if (em_len != RSA_size(rsa)) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
goto err;
}
ret = RSA_verify_PKCS1_PSS_mgf1(rsa, msg, md, mgf1_md, em, salt_len);
err:
OPENSSL_free(em);
return ret;
}
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
int RSA_check_key(const RSA *key) {
Avoid one |BN_mod_inverse| in |RSA_check_key|. |BN_mod_inverse| is expensive and leaky. In this case, we can avoid it completely by taking advantage of the fact that we already have the two values that are supposed to be inverses of each other. Change-Id: I2230b4166fb9d89c7445f9f7c045a4c9e4c377b3 Reviewed-on: https://boringssl-review.googlesource.com/8925 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-26 03:01:10 +01:00
BIGNUM n, pm1, qm1, lcm, gcd, de, dmp1, dmq1, iqmp_times_q;
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
BN_CTX *ctx;
int ok = 0, has_crt_values;
if (RSA_is_opaque(key)) {
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// Opaque keys can't be checked.
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
return 1;
}
if ((key->p != NULL) != (key->q != NULL)) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
return 0;
}
if (!key->n || !key->e) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
return 0;
}
if (!key->d || !key->p) {
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// For a public key, or without p and q, there's nothing that can be
// checked.
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
return 1;
}
ctx = BN_CTX_new();
if (ctx == NULL) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
return 0;
}
BN_init(&n);
BN_init(&pm1);
BN_init(&qm1);
BN_init(&lcm);
BN_init(&gcd);
BN_init(&de);
BN_init(&dmp1);
BN_init(&dmq1);
Avoid one |BN_mod_inverse| in |RSA_check_key|. |BN_mod_inverse| is expensive and leaky. In this case, we can avoid it completely by taking advantage of the fact that we already have the two values that are supposed to be inverses of each other. Change-Id: I2230b4166fb9d89c7445f9f7c045a4c9e4c377b3 Reviewed-on: https://boringssl-review.googlesource.com/8925 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-26 03:01:10 +01:00
BN_init(&iqmp_times_q);
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
Multi-prime RSA support. RSA with more than two primes is specified in https://tools.ietf.org/html/rfc3447, although the idea goes back far earier than that. This change ports some of the changes in http://rt.openssl.org/Ticket/Display.html?id=3477&user=guest&pass=guest to BoringSSL—specifically those bits that are under an OpenSSL license. Change-Id: I51e8e345e2148702b8ce12e00518f6ef4683d3e1 Reviewed-on: https://boringssl-review.googlesource.com/4870 Reviewed-by: Adam Langley <agl@google.com>
2015-05-26 19:36:46 +01:00
if (!BN_mul(&n, key->p, key->q, ctx) ||
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// lcm = lcm(p, q)
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
!BN_sub(&pm1, key->p, BN_value_one()) ||
!BN_sub(&qm1, key->q, BN_value_one()) ||
!BN_mul(&lcm, &pm1, &qm1, ctx) ||
Multi-prime RSA support. RSA with more than two primes is specified in https://tools.ietf.org/html/rfc3447, although the idea goes back far earier than that. This change ports some of the changes in http://rt.openssl.org/Ticket/Display.html?id=3477&user=guest&pass=guest to BoringSSL—specifically those bits that are under an OpenSSL license. Change-Id: I51e8e345e2148702b8ce12e00518f6ef4683d3e1 Reviewed-on: https://boringssl-review.googlesource.com/4870 Reviewed-by: Adam Langley <agl@google.com>
2015-05-26 19:36:46 +01:00
!BN_gcd(&gcd, &pm1, &qm1, ctx)) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
Multi-prime RSA support. RSA with more than two primes is specified in https://tools.ietf.org/html/rfc3447, although the idea goes back far earier than that. This change ports some of the changes in http://rt.openssl.org/Ticket/Display.html?id=3477&user=guest&pass=guest to BoringSSL—specifically those bits that are under an OpenSSL license. Change-Id: I51e8e345e2148702b8ce12e00518f6ef4683d3e1 Reviewed-on: https://boringssl-review.googlesource.com/4870 Reviewed-by: Adam Langley <agl@google.com>
2015-05-26 19:36:46 +01:00
goto out;
}
if (!BN_div(&lcm, NULL, &lcm, &gcd, ctx) ||
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
!BN_gcd(&gcd, &pm1, &qm1, ctx) ||
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// de = d*e mod lcm(p, q).
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
!BN_mod_mul(&de, key->d, key->e, &lcm, ctx)) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
goto out;
}
if (BN_cmp(&n, key->n) != 0) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
goto out;
}
if (!BN_is_one(&de)) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
goto out;
}
has_crt_values = key->dmp1 != NULL;
if (has_crt_values != (key->dmq1 != NULL) ||
has_crt_values != (key->iqmp != NULL)) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
goto out;
}
Unwind multiprime RSA support. FIPS is not compatible with multiprime RSA. Any multiprime RSA private keys will fail to parse after this change. Change-Id: I8d969d668bf0be4f66c66a30e56f0e7f6795f3e9 Reviewed-on: https://boringssl-review.googlesource.com/14984 Reviewed-by: Adam Langley <agl@google.com>
2017-04-12 23:28:48 +01:00
if (has_crt_values) {
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
if (// dmp1 = d mod (p-1)
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
!BN_mod(&dmp1, key->d, &pm1, ctx) ||
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// dmq1 = d mod (q-1)
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
!BN_mod(&dmq1, key->d, &qm1, ctx) ||
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// iqmp = q^-1 mod p
Avoid one |BN_mod_inverse| in |RSA_check_key|. |BN_mod_inverse| is expensive and leaky. In this case, we can avoid it completely by taking advantage of the fact that we already have the two values that are supposed to be inverses of each other. Change-Id: I2230b4166fb9d89c7445f9f7c045a4c9e4c377b3 Reviewed-on: https://boringssl-review.googlesource.com/8925 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-26 03:01:10 +01:00
!BN_mod_mul(&iqmp_times_q, key->iqmp, key->q, key->p, ctx)) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
goto out;
}
if (BN_cmp(&dmp1, key->dmp1) != 0 ||
BN_cmp(&dmq1, key->dmq1) != 0 ||
Avoid one |BN_mod_inverse| in |RSA_check_key|. |BN_mod_inverse| is expensive and leaky. In this case, we can avoid it completely by taking advantage of the fact that we already have the two values that are supposed to be inverses of each other. Change-Id: I2230b4166fb9d89c7445f9f7c045a4c9e4c377b3 Reviewed-on: https://boringssl-review.googlesource.com/8925 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-26 03:01:10 +01:00
BN_cmp(key->iqmp, key->p) >= 0 ||
!BN_is_one(&iqmp_times_q)) {
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
2015-06-29 05:28:17 +01:00
OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
goto out;
}
}
ok = 1;
out:
BN_free(&n);
BN_free(&pm1);
BN_free(&qm1);
BN_free(&lcm);
BN_free(&gcd);
BN_free(&de);
BN_free(&dmp1);
BN_free(&dmq1);
Avoid one |BN_mod_inverse| in |RSA_check_key|. |BN_mod_inverse| is expensive and leaky. In this case, we can avoid it completely by taking advantage of the fact that we already have the two values that are supposed to be inverses of each other. Change-Id: I2230b4166fb9d89c7445f9f7c045a4c9e4c377b3 Reviewed-on: https://boringssl-review.googlesource.com/8925 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-26 03:01:10 +01:00
BN_free(&iqmp_times_q);
Add RSA_check_key function. This is function that is available in OpenSSL too. Here it only returns zero or one and doesn't do expensive primality checks on p and q. https://code.google.com/p/chromium/issues/detail?id=396250 Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576 Reviewed-on: https://boringssl-review.googlesource.com/1334 Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:03:51 +01:00
BN_CTX_free(ctx);
return ok;
}
Add RSA_check_fips to support public key validation checks. Change-Id: I0e00f099a17d88f56b49970e612b0911afd9661e Reviewed-on: https://boringssl-review.googlesource.com/14866 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-11 17:46:03 +01:00
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// This is the product of the 132 smallest odd primes, from 3 to 751.
Add RSA_check_fips to support public key validation checks. Change-Id: I0e00f099a17d88f56b49970e612b0911afd9661e Reviewed-on: https://boringssl-review.googlesource.com/14866 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-11 17:46:03 +01:00
static const BN_ULONG kSmallFactorsLimbs[] = {
TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f),
TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b),
TOBN(0x6b55514b, 0xbf26c483), TOBN(0x0a84d817, 0x5a144871),
TOBN(0x77d12fee, 0x9b82210a), TOBN(0xdb5b93c2, 0x97f050b3),
TOBN(0x4acad6b9, 0x4d6c026b), TOBN(0xeb7751f3, 0x54aec893),
TOBN(0xdba53368, 0x36bc85c4), TOBN(0xd85a1b28, 0x7f5ec78e),
TOBN(0x2eb072d8, 0x6b322244), TOBN(0xbba51112, 0x5e2b3aea),
TOBN(0x36ed1a6c, 0x0e2486bf), TOBN(0x5f270460, 0xec0c5727),
0x000017b1
};
Move rsa/ to fipsmodule/rsa/ Change-Id: Id20d371ae7a88a91aaba7a9e23574eccb9caeb3c Reviewed-on: https://boringssl-review.googlesource.com/15849 Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-03 19:50:51 +01:00
DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) {
out->d = (BN_ULONG *) kSmallFactorsLimbs;
out->top = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs);
out->dmax = out->top;
out->neg = 0;
out->flags = BN_FLG_STATIC_DATA;
}
Add RSA_check_fips to support public key validation checks. Change-Id: I0e00f099a17d88f56b49970e612b0911afd9661e Reviewed-on: https://boringssl-review.googlesource.com/14866 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-11 17:46:03 +01:00
Add PWCT for RSA and ECDSA for FIPS 140-2. Since only the consumers knows whether an EC key will be used for ECDSA or ECDHE, it is part of the FIPS policy for the consumer to check the validity of the generated key before signing with it. Change-Id: Ie250f655c8fcb6a59cc7210def1e87eb958e9349 Reviewed-on: https://boringssl-review.googlesource.com/14745 Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-06 19:55:18 +01:00
int RSA_check_fips(RSA *key) {
Add RSA_check_fips to support public key validation checks. Change-Id: I0e00f099a17d88f56b49970e612b0911afd9661e Reviewed-on: https://boringssl-review.googlesource.com/14866 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-11 17:46:03 +01:00
if (RSA_is_opaque(key)) {
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// Opaque keys can't be checked.
Add RSA_check_fips to support public key validation checks. Change-Id: I0e00f099a17d88f56b49970e612b0911afd9661e Reviewed-on: https://boringssl-review.googlesource.com/14866 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-11 17:46:03 +01:00
OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
return 0;
}
if (!RSA_check_key(key)) {
return 0;
}
BN_CTX *ctx = BN_CTX_new();
if (ctx == NULL) {
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
return 0;
}
BIGNUM small_gcd;
BN_init(&small_gcd);
int ret = 1;
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// Perform partial public key validation of RSA keys (SP 800-89 5.3.3).
Add primality checking for RSA_check_fips. This also fixes the comments regarding BN_prime_checks to match the security level guarantees provided by BN_prime_checks. Change-Id: I8032e88680bf51e8876e134b4253ed26c2072617 Reviewed-on: https://boringssl-review.googlesource.com/15304 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
2017-04-20 15:45:25 +01:00
enum bn_primality_result_t primality_result;
Fix lower bound in e in FIPS RSA checking. SP 800-89 5.3.3 references FIPS 186 for the bounds on e. I /think/ that's section B.3.1 which says: (b) The exponent e shall be an odd positive integer such that 2¹⁶ < e < 2²⁵⁶. But that means that e has to be at least 17 bits. The check for BN_is_odd ensures that 2¹⁶ itself is rejected. Change-Id: Ib39f9d43032cbfe33317651c7b6eceb41b123291 Reviewed-on: https://boringssl-review.googlesource.com/15324 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-20 20:36:18 +01:00
if (BN_num_bits(key->e) <= 16 ||
Add RSA_check_fips to support public key validation checks. Change-Id: I0e00f099a17d88f56b49970e612b0911afd9661e Reviewed-on: https://boringssl-review.googlesource.com/14866 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-11 17:46:03 +01:00
BN_num_bits(key->e) > 256 ||
!BN_is_odd(key->n) ||
!BN_is_odd(key->e) ||
Move rsa/ to fipsmodule/rsa/ Change-Id: Id20d371ae7a88a91aaba7a9e23574eccb9caeb3c Reviewed-on: https://boringssl-review.googlesource.com/15849 Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-03 19:50:51 +01:00
!BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) ||
Add primality checking for RSA_check_fips. This also fixes the comments regarding BN_prime_checks to match the security level guarantees provided by BN_prime_checks. Change-Id: I8032e88680bf51e8876e134b4253ed26c2072617 Reviewed-on: https://boringssl-review.googlesource.com/15304 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
2017-04-20 15:45:25 +01:00
!BN_is_one(&small_gcd) ||
!BN_enhanced_miller_rabin_primality_test(&primality_result, key->n,
BN_prime_checks, ctx, NULL) ||
primality_result != bn_non_prime_power_composite) {
Add RSA_check_fips to support public key validation checks. Change-Id: I0e00f099a17d88f56b49970e612b0911afd9661e Reviewed-on: https://boringssl-review.googlesource.com/14866 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-11 17:46:03 +01:00
OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
ret = 0;
}
BN_free(&small_gcd);
BN_CTX_free(ctx);
Fix check_fips for public keys and synchronize the EC and RSA versions. Change-Id: Ibebf787445578608845df8861d67cd1e65ed0b35 Reviewed-on: https://boringssl-review.googlesource.com/15004 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-13 18:14:12 +01:00
if (!ret || key->d == NULL || key->p == NULL) {
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// On a failure or on only a public key, there's nothing else can be
// checked.
Add PWCT for RSA and ECDSA for FIPS 140-2. Since only the consumers knows whether an EC key will be used for ECDSA or ECDHE, it is part of the FIPS policy for the consumer to check the validity of the generated key before signing with it. Change-Id: Ie250f655c8fcb6a59cc7210def1e87eb958e9349 Reviewed-on: https://boringssl-review.googlesource.com/14745 Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-06 19:55:18 +01:00
return ret;
}
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 19:06:02 +01:00
// FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG,
// section 9.9, it is not known whether |rsa| will be used for signing or
// encryption, so either pair-wise consistency self-test is acceptable. We
// perform a signing test.
Add PWCT for RSA and ECDSA for FIPS 140-2. Since only the consumers knows whether an EC key will be used for ECDSA or ECDHE, it is part of the FIPS policy for the consumer to check the validity of the generated key before signing with it. Change-Id: Ie250f655c8fcb6a59cc7210def1e87eb958e9349 Reviewed-on: https://boringssl-review.googlesource.com/14745 Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-06 19:55:18 +01:00
uint8_t data[32] = {0};
unsigned sig_len = RSA_size(key);
uint8_t *sig = OPENSSL_malloc(sig_len);
if (sig == NULL) {
Fix check_fips for public keys and synchronize the EC and RSA versions. Change-Id: Ibebf787445578608845df8861d67cd1e65ed0b35 Reviewed-on: https://boringssl-review.googlesource.com/15004 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-13 18:14:12 +01:00
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
Add PWCT for RSA and ECDSA for FIPS 140-2. Since only the consumers knows whether an EC key will be used for ECDSA or ECDHE, it is part of the FIPS policy for the consumer to check the validity of the generated key before signing with it. Change-Id: Ie250f655c8fcb6a59cc7210def1e87eb958e9349 Reviewed-on: https://boringssl-review.googlesource.com/14745 Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-06 19:55:18 +01:00
return 0;
}
fipstools: Add a sample binary that exercises methods from the FIPS module. Also allow breaking ECDSA/RSA pair-wise consistency tests and ECDSA self-test. Change-Id: I1c7723f6082568ebf93158cfaa184cbdeb7480a0 Reviewed-on: https://boringssl-review.googlesource.com/16305 Reviewed-by: Adam Langley <agl@google.com>
2017-05-12 23:34:45 +01:00
if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
ret = 0;
goto cleanup;
}
#if defined(BORINGSSL_FIPS_BREAK_RSA_PWCT)
data[0] = ~data[0];
#endif
if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) {
Fix check_fips for public keys and synchronize the EC and RSA versions. Change-Id: Ibebf787445578608845df8861d67cd1e65ed0b35 Reviewed-on: https://boringssl-review.googlesource.com/15004 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-13 18:14:12 +01:00
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
Add PWCT for RSA and ECDSA for FIPS 140-2. Since only the consumers knows whether an EC key will be used for ECDSA or ECDHE, it is part of the FIPS policy for the consumer to check the validity of the generated key before signing with it. Change-Id: Ie250f655c8fcb6a59cc7210def1e87eb958e9349 Reviewed-on: https://boringssl-review.googlesource.com/14745 Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-06 19:55:18 +01:00
ret = 0;
}
fipstools: Add a sample binary that exercises methods from the FIPS module. Also allow breaking ECDSA/RSA pair-wise consistency tests and ECDSA self-test. Change-Id: I1c7723f6082568ebf93158cfaa184cbdeb7480a0 Reviewed-on: https://boringssl-review.googlesource.com/16305 Reviewed-by: Adam Langley <agl@google.com>
2017-05-12 23:34:45 +01:00
cleanup:
Add PWCT for RSA and ECDSA for FIPS 140-2. Since only the consumers knows whether an EC key will be used for ECDSA or ECDHE, it is part of the FIPS policy for the consumer to check the validity of the generated key before signing with it. Change-Id: Ie250f655c8fcb6a59cc7210def1e87eb958e9349 Reviewed-on: https://boringssl-review.googlesource.com/14745 Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-06 19:55:18 +01:00
OPENSSL_free(sig);
Add RSA_check_fips to support public key validation checks. Change-Id: I0e00f099a17d88f56b49970e612b0911afd9661e Reviewed-on: https://boringssl-review.googlesource.com/14866 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-11 17:46:03 +01:00
return ret;
}
Split off private_transform function in RSA. This change extracts two, common parts of RSA_decrypt and RSA_sign into a function called |private_transform|. It also allows this to be overridden in a method, which is convenient for opaque keys that only expose the raw RSA transform as it means that the padding code from BoringSSL can be easily reimplemented. One significant change here is that short RSA ciphertexts will no longer be accepted. I think this is correct and OpenSSL has a comment about PGP mistakenly stripping leading zeros. However, these is the possibility that it could break something. Change-Id: I258c5cbbf21314cc9b6e8d2a2b898fd9a440cd40 Reviewed-on: https://boringssl-review.googlesource.com/1554 Reviewed-by: Adam Langley <agl@google.com>
2014-08-18 21:29:45 +01:00
int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
size_t len) {
if (rsa->meth->private_transform) {
return rsa->meth->private_transform(rsa, out, in, len);
}
Make it possible for a static linker to discard unused RSA functions. Having a single RSA_METHOD means they all get pulled in. Notably, RSA key generation pulls in the primality-checking code. Change-Id: Iece480113754da090ddf87b64d8769f01e05d26c Reviewed-on: https://boringssl-review.googlesource.com/6389 Reviewed-by: Adam Langley <agl@google.com>
2015-10-29 17:19:12 +00:00
return rsa_default_private_transform(rsa, out, in, len);
Split off private_transform function in RSA. This change extracts two, common parts of RSA_decrypt and RSA_sign into a function called |private_transform|. It also allows this to be overridden in a method, which is convenient for opaque keys that only expose the raw RSA transform as it means that the padding code from BoringSSL can be easily reimplemented. One significant change here is that short RSA ciphertexts will no longer be accepted. I think this is correct and OpenSSL has a comment about PGP mistakenly stripping leading zeros. However, these is the possibility that it could break something. Change-Id: I258c5cbbf21314cc9b6e8d2a2b898fd9a440cd40 Reviewed-on: https://boringssl-review.googlesource.com/1554 Reviewed-by: Adam Langley <agl@google.com>
2014-08-18 21:29:45 +01:00
}
Compatibility changes for wpa_supplicant and OpenSSH. OpenSSH, especially, does some terrible things that mean that it needs the EVP_CIPHER structure to be exposed ☹. Damian is open to a better API to replace this, but only if OpenSSL agree too. Either way, it won't be happening soon. Change-Id: I393b7a6af6694d4d2fe9ebcccd40286eff4029bd Reviewed-on: https://boringssl-review.googlesource.com/4330 Reviewed-by: Adam Langley <agl@google.com>
2015-04-13 22:34:17 +01:00
int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) {
return 1;
}
Reference in New Issue Copy Permalink