early-access version 2698

externals/libressl/crypto/rsa/rsa_ameth.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_ameth.c,v 1.24 2019/11/20 10:46:17 inoguchi Exp $ */
+/* $OpenBSD: rsa_ameth.c,v 1.25 2022/01/10 11:52:43 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -916,6 +916,12 @@ rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
 	return 2;
 }
 
+static int
+rsa_pkey_check(const EVP_PKEY *pkey)
+{
+	return RSA_check_key(pkey->pkey.rsa);
+}
+
 #ifndef OPENSSL_NO_CMS
 static RSA_OAEP_PARAMS *
 rsa_oaep_decode(const X509_ALGOR *alg)
@@ -1105,14 +1111,18 @@ const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
 		.old_priv_decode = old_rsa_priv_decode,
 		.old_priv_encode = old_rsa_priv_encode,
 		.item_verify = rsa_item_verify,
-		.item_sign = rsa_item_sign
+		.item_sign = rsa_item_sign,
+
+		.pkey_check = rsa_pkey_check,
 	},
 
 	{
 		.pkey_id = EVP_PKEY_RSA2,
 		.pkey_base_id = EVP_PKEY_RSA,
-		.pkey_flags = ASN1_PKEY_ALIAS
-	}
+		.pkey_flags = ASN1_PKEY_ALIAS,
+
+		.pkey_check = rsa_pkey_check,
+	},
 };
 
 const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {

externals/libressl/crypto/rsa/rsa_chk.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_chk.c,v 1.13 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: rsa_chk.c,v 1.16 2022/01/20 11:08:12 inoguchi Exp $ */
 /* ====================================================================
  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
  *
@@ -53,6 +53,7 @@
 #include <openssl/rsa.h>
 
 #include "bn_lcl.h"
+#include "rsa_locl.h"
 
 int
 RSA_check_key(const RSA *key)
@@ -80,6 +81,15 @@ RSA_check_key(const RSA *key)
 		goto err;
 	}
 
+	if (BN_is_one(key->e)) {
+		ret = 0;
+		RSAerror(RSA_R_BAD_E_VALUE);
+	}
+	if (!BN_is_odd(key->e)) {
+		ret = 0;
+		RSAerror(RSA_R_BAD_E_VALUE);
+	}
+
 	/* p prime? */
 	r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
 	if (r != 1) {
@@ -189,7 +199,7 @@ RSA_check_key(const RSA *key)
 		}
 
 		/* iqmp = q^-1 mod p? */
-		if (!BN_mod_inverse_ct(i, key->q, key->p, ctx)) {
+		if (BN_mod_inverse_ct(i, key->q, key->p, ctx) == NULL) {
 			ret = -1;
 			goto err;
 		}

externals/libressl/crypto/rsa/rsa_crpt.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_crpt.c,v 1.19 2018/02/18 12:52:13 tb Exp $ */
+/* $OpenBSD: rsa_crpt.c,v 1.20 2022/01/07 09:55:32 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -67,6 +67,7 @@
 #include <openssl/rsa.h>
 
 #include "bn_lcl.h"
+#include "rsa_locl.h"
 
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>

externals/libressl/crypto/rsa/rsa_depr.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_depr.c,v 1.8 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: rsa_depr.c,v 1.9 2021/12/04 16:08:32 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
@@ -64,6 +64,8 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 
+#include "bn_lcl.h"
+
 #ifndef OPENSSL_NO_DEPRECATED
 
 RSA *

externals/libressl/crypto/rsa/rsa_eay.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_eay.c,v 1.51 2019/11/02 13:52:31 jsing Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.54 2022/01/20 11:10:11 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -119,6 +119,7 @@
 #include <openssl/rsa.h>
 
 #include "bn_lcl.h"
+#include "rsa_locl.h"
 
 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
     unsigned char *to, RSA *rsa, int padding);
@@ -446,7 +447,8 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
 			goto err;
 
 	if (padding == RSA_X931_PADDING) {
-		BN_sub(f, rsa->n, ret);
+		if (!BN_sub(f, rsa->n, ret))
+			goto err;
 		if (BN_cmp(ret, f) > 0)
 			res = f;
 		else
@@ -753,6 +755,7 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 		goto err;
 
 	/* compute I mod p */
+	BN_init(&c);
 	BN_with_flags(&c, I, BN_FLG_CONSTTIME);
 
 	if (!BN_mod_ct(r1, &c, rsa->p, ctx))

externals/libressl/crypto/rsa/rsa_gen.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_gen.c,v 1.22 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: rsa_gen.c,v 1.25 2022/01/20 11:11:17 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -70,6 +70,7 @@
 #include <openssl/rsa.h>
 
 #include "bn_lcl.h"
+#include "rsa_locl.h"
 
 static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
 
@@ -194,12 +195,14 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 	if (!BN_mul(r0, r1, r2, ctx))			/* (p-1)(q-1) */
 		goto err;
 
+	BN_init(&pr0);
 	BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
 
-	if (!BN_mod_inverse_ct(rsa->d, rsa->e, &pr0, ctx)) /* d */
+	if (BN_mod_inverse_ct(rsa->d, rsa->e, &pr0, ctx) == NULL) /* d */
 		goto err;
 
 	/* set up d for correct BN_FLG_CONSTTIME flag */
+	BN_init(&d);
 	BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
 
 	/* calculate d mod (p-1) */
@@ -211,8 +214,9 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 		goto err;
 
 	/* calculate inverse of q mod p */
+	BN_init(&p);
 	BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
-	if (!BN_mod_inverse_ct(rsa->iqmp, rsa->q, &p, ctx))
+	if (BN_mod_inverse_ct(rsa->iqmp, rsa->q, &p, ctx) == NULL)
 		goto err;
 
 	ok = 1;

externals/libressl/crypto/rsa/rsa_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_lib.c,v 1.40 2020/01/17 10:40:03 inoguchi Exp $ */
+/* $OpenBSD: rsa_lib.c,v 1.42 2022/01/07 09:55:32 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -68,6 +68,7 @@
 #include <openssl/rsa.h>
 
 #include "evp_locl.h"
+#include "rsa_locl.h"
 
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
@@ -336,6 +337,60 @@ RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
 	return 1;
 }
 
+const BIGNUM *
+RSA_get0_n(const RSA *r)
+{
+	return r->n;
+}
+
+const BIGNUM *
+RSA_get0_e(const RSA *r)
+{
+	return r->e;
+}
+
+const BIGNUM *
+RSA_get0_d(const RSA *r)
+{
+	return r->d;
+}
+
+const BIGNUM *
+RSA_get0_p(const RSA *r)
+{
+	return r->p;
+}
+
+const BIGNUM *
+RSA_get0_q(const RSA *r)
+{
+	return r->q;
+}
+
+const BIGNUM *
+RSA_get0_dmp1(const RSA *r)
+{
+	return r->dmp1;
+}
+
+const BIGNUM *
+RSA_get0_dmq1(const RSA *r)
+{
+	return r->dmq1;
+}
+
+const BIGNUM *
+RSA_get0_iqmp(const RSA *r)
+{
+	return r->iqmp;
+}
+
+const RSA_PSS_PARAMS *
+RSA_get0_pss_params(const RSA *r)
+{
+	return r->pss;
+}
+
 void
 RSA_clear_flags(RSA *r, int flags)
 {

externals/libressl/crypto/rsa/rsa_locl.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_locl.h,v 1.11 2019/11/02 13:47:41 jsing Exp $ */
+/* $OpenBSD: rsa_locl.h,v 1.12 2022/01/14 08:34:39 tb Exp $ */
 
 __BEGIN_HIDDEN_DECLS
 
@@ -8,6 +8,80 @@ __BEGIN_HIDDEN_DECLS
 #define pkey_is_pss(pkey) (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
 #define pkey_ctx_is_pss(ctx) (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS)
 
+struct rsa_meth_st {
+	const char *name;
+	int (*rsa_pub_enc)(int flen, const unsigned char *from,
+	    unsigned char *to, RSA *rsa, int padding);
+	int (*rsa_pub_dec)(int flen, const unsigned char *from,
+	    unsigned char *to, RSA *rsa, int padding);
+	int (*rsa_priv_enc)(int flen, const unsigned char *from,
+	    unsigned char *to, RSA *rsa, int padding);
+	int (*rsa_priv_dec)(int flen, const unsigned char *from,
+	    unsigned char *to, RSA *rsa, int padding);
+	int (*rsa_mod_exp)(BIGNUM *r0, const BIGNUM *I, RSA *rsa,
+	    BN_CTX *ctx); /* Can be null */
+	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+	    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); /* Can be null */
+	int (*init)(RSA *rsa);		/* called at new */
+	int (*finish)(RSA *rsa);	/* called at free */
+	int flags;			/* RSA_METHOD_FLAG_* things */
+	char *app_data;			/* may be needed! */
+/* New sign and verify functions: some libraries don't allow arbitrary data
+ * to be signed/verified: this allows them to be used. Note: for this to work
+ * the RSA_public_decrypt() and RSA_private_encrypt() should *NOT* be used
+ * RSA_sign(), RSA_verify() should be used instead. Note: for backwards
+ * compatibility this functionality is only enabled if the RSA_FLAG_SIGN_VER
+ * option is set in 'flags'.
+ */
+	int (*rsa_sign)(int type, const unsigned char *m, unsigned int m_length,
+	    unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
+	int (*rsa_verify)(int dtype, const unsigned char *m,
+	    unsigned int m_length, const unsigned char *sigbuf,
+	    unsigned int siglen, const RSA *rsa);
+/* If this callback is NULL, the builtin software RSA key-gen will be used. This
+ * is for behavioural compatibility whilst the code gets rewired, but one day
+ * it would be nice to assume there are no such things as "builtin software"
+ * implementations. */
+	int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
+};
+
+struct rsa_st {
+	/* The first parameter is used to pickup errors where
+	 * this is passed instead of aEVP_PKEY, it is set to 0 */
+	int pad;
+	long version;
+	const RSA_METHOD *meth;
+
+	/* functional reference if 'meth' is ENGINE-provided */
+	ENGINE *engine;
+	BIGNUM *n;
+	BIGNUM *e;
+	BIGNUM *d;
+	BIGNUM *p;
+	BIGNUM *q;
+	BIGNUM *dmp1;
+	BIGNUM *dmq1;
+	BIGNUM *iqmp;
+
+	/* Parameter restrictions for PSS only keys. */
+	RSA_PSS_PARAMS *pss;
+
+	/* be careful using this if the RSA structure is shared */
+	CRYPTO_EX_DATA ex_data;
+	int references;
+	int flags;
+
+	/* Used to cache montgomery values */
+	BN_MONT_CTX *_method_mod_n;
+	BN_MONT_CTX *_method_mod_p;
+	BN_MONT_CTX *_method_mod_q;
+
+	/* all BIGNUM values are actually in the following data, if it is not
+	 * NULL */
+	BN_BLINDING *blinding;
+	BN_BLINDING *mt_blinding;
+};
+
 RSA_PSS_PARAMS *rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md,
     int saltlen);
 int rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,

externals/libressl/crypto/rsa/rsa_meth.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: rsa_meth.c,v 1.3 2019/06/05 15:41:33 gilles Exp $	*/
+/*	$OpenBSD: rsa_meth.c,v 1.4 2022/01/07 09:55:32 tb Exp $	*/
 /*
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
  *
@@ -21,6 +21,8 @@
 #include <openssl/err.h>
 #include <openssl/rsa.h>
 
+#include "rsa_locl.h"
+
 RSA_METHOD *
 RSA_meth_new(const char *name, int flags)
 {

externals/libressl/crypto/rsa/rsa_oaep.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_oaep.c,v 1.33 2019/10/17 14:31:56 jsing Exp $ */
+/* $OpenBSD: rsa_oaep.c,v 1.35 2022/02/20 19:16:34 tb Exp $ */
 /*
  * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
@@ -80,6 +80,7 @@
 #include <openssl/sha.h>
 
 #include "constant_time_locl.h"
+#include "evp_locl.h"
 #include "rsa_locl.h"
 
 int
@@ -223,17 +224,16 @@ RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
 		from -= 1 & mask;
 		*--em = *from & mask;
 	}
-	from = em;
 
 	/*
 	 * The first byte must be zero, however we must not leak if this is
 	 * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
 	 * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
 	 */
-	good = constant_time_is_zero(from[0]);
+	good = constant_time_is_zero(em[0]);
 
-	maskedseed = from + 1;
-	maskeddb = from + 1 + mdlen;
+	maskedseed = em + 1;
+	maskeddb = em + 1 + mdlen;
 
 	if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
 		goto cleanup;
@@ -289,15 +289,16 @@ RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
 	 * should be noted that failure is indistinguishable from normal
 	 * operation if |tlen| is fixed by protocol.
 	 */
-	tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen);
+	tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
+	    dblen - mdlen - 1, tlen);
 	msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
 	mlen = dblen - msg_index;
-	for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) {
-		unsigned int equals = constant_time_eq(i, mlen);
+	for (mask = good, i = 0; i < tlen; i++) {
+		unsigned int equals = constant_time_eq(msg_index, dblen);
 
-		from -= dblen & equals; /* if (i == mlen) rewind   */
-		mask &= mask ^ equals;  /* if (i == mlen) mask = 0 */
-		to[i] = constant_time_select_8(mask, from[i], to[i]);
+		msg_index -= tlen & equals;	/* rewind at EOF */
+		mask &= ~equals;		/* mask = 0 at EOF */
+		to[i] = constant_time_select_8(mask, db[msg_index++], to[i]);
 	}
 
 	/*

externals/libressl/crypto/rsa/rsa_pmeth.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pmeth.c,v 1.32 2019/10/31 14:05:30 jsing Exp $ */
+/* $OpenBSD: rsa_pmeth.c,v 1.33 2021/12/04 16:08:32 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -70,6 +70,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "bn_lcl.h"
 #include "evp_locl.h"
 #include "rsa_locl.h"
 

externals/libressl/crypto/rsa/rsa_pss.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pss.c,v 1.13 2018/09/05 00:55:33 djm Exp $ */
+/* $OpenBSD: rsa_pss.c,v 1.15 2022/01/07 09:55:32 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -66,6 +66,9 @@
 #include <openssl/rsa.h>
 #include <openssl/sha.h>
 
+#include "evp_locl.h"
+#include "rsa_locl.h"
+
 static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
 
 int

externals/libressl/crypto/rsa/rsa_sign.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_sign.c,v 1.31 2018/09/05 00:55:33 djm Exp $ */
+/* $OpenBSD: rsa_sign.c,v 1.34 2022/01/07 11:13:55 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -65,7 +65,9 @@
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
 
+#include "asn1_locl.h"
 #include "rsa_locl.h"
+#include "x509_lcl.h"
 
 /* Size of an SSL signature: MD5+SHA1 */
 #define SSL_SIG_LENGTH	36
@@ -108,7 +110,7 @@ encode_pkcs1(unsigned char **out, int *out_len, int type,
 	sig.algor->parameter = &parameter;
 
 	sig.digest = &digest;
-	sig.digest->data = (unsigned char*)m; /* TMP UGLY CAST */
+	sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */
 	sig.digest->length = m_len;
 
 	if ((len = i2d_X509_SIG(&sig, &der)) < 0)
@@ -194,7 +196,7 @@ int_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
 	if ((decrypt_len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf,
 	    rsa, RSA_PKCS1_PADDING)) <= 0)
 		goto err;
-	   
+
 	if (type == NID_md5_sha1) {
 		/*
 		 * NID_md5_sha1 corresponds to the MD5/SHA1 combination in
@@ -229,7 +231,7 @@ int_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
 		if (rm != NULL) {
 			const EVP_MD *md;
 
-		       	if ((md = EVP_get_digestbynid(type)) == NULL) {
+			if ((md = EVP_get_digestbynid(type)) == NULL) {
 				RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE);
 				goto err;
 			}