mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-04-24 20:51:14 +08:00
Code Issues Packages Projects Releases Wiki Activity

Use RAND_bytes_ex in crypto/rsa

Browse Source 
At various points in crypto/rsa we need to get random numbers. We should
ensure that we use the correct libctx when doing so.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11355)
This commit is contained in:
Matt Caswell 2020-03-12 14:41:45 +00:00
parent cb57f42528
commit 0f2deef59d
8 changed files with 87 additions and 39 deletions
crypto/rsa
rsa_local.hrsa_oaep.crsa_ossl.crsa_pk1.crsa_pss.crsa_ssl.c
include/crypto
rsa.h
providers/implementations/asymciphers
rsa_enc.c

15
crypto/rsa/rsa_local.h

@ -169,4 +169,19 @@ int rsa_fips186_4_gen_prob_primes(RSA *rsa, BIGNUM *p1, BIGNUM *p2,
const BIGNUM *Xq2, int nbits,
const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb);
int rsa_padding_add_SSLv23_with_libctx(OPENSSL_CTX *libctx, unsigned char *to,
int tlen, const unsigned char *from,
int flen);
int rsa_padding_add_PKCS1_type_2_with_libctx(OPENSSL_CTX *libctx,
unsigned char *to, int tlen,
const unsigned char *from,
int flen);
int rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(OPENSSL_CTX *libctx,
unsigned char *to, int tlen,
const unsigned char *from,
int flen,
const unsigned char *param,
int plen, const EVP_MD *md,
const EVP_MD *mgf1md);
#endif /* OSSL_CRYPTO_RSA_LOCAL_H */

39
crypto/rsa/rsa_oaep.c

@ -40,8 +40,9 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
const unsigned char *from, int flen,
const unsigned char *param, int plen)
{
return RSA_padding_add_PKCS1_OAEP_mgf1(to, tlen, from, flen,
param, plen, NULL, NULL);
return rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(NULL, to, tlen, from,
flen, param, plen, NULL,
NULL);
}
/*
@ -51,10 +52,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
* Step numbers are included here but not in the constant time inverse below
* to avoid complicating an already difficult enough function.
*/
int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
const unsigned char *from, int flen,
const unsigned char *param, int plen,
const EVP_MD *md, const EVP_MD *mgf1md)
int rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(OPENSSL_CTX *libctx,
unsigned char *to, int tlen,
const unsigned char *from,
int flen,
const unsigned char *param,
int plen, const EVP_MD *md,
const EVP_MD *mgf1md)
{
int rv = 0;
int i, emlen = tlen - 1;
@ -67,8 +71,7 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
if (md == NULL)
md = EVP_sha1();
#else
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,
ERR_R_PASSED_NULL_PARAMETER);
RSAerr(0, ERR_R_PASSED_NULL_PARAMETER);
return 0;
#endif
if (mgf1md == NULL)
@ -78,14 +81,12 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
/* step 2b: check KLen > nLen - 2 HLen - 2 */
if (flen > emlen - 2 * mdlen - 1) {
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
RSAerr(0, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
return 0;
}
if (emlen < 2 * mdlen + 1) {
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,
RSA_R_KEY_SIZE_TOO_SMALL);
RSAerr(0, RSA_R_KEY_SIZE_TOO_SMALL);
return 0;
}
@ -103,13 +104,13 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
db[emlen - flen - mdlen - 1] = 0x01;
memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
/* step 3d: generate random byte string */
if (RAND_bytes(seed, mdlen) <= 0)
if (RAND_bytes_ex(libctx, seed, mdlen) <= 0)
goto err;
dbmask_len = emlen - mdlen;
dbmask = OPENSSL_malloc(dbmask_len);
if (dbmask == NULL) {
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
RSAerr(0, ERR_R_MALLOC_FAILURE);
goto err;
}
@ -134,6 +135,16 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
return rv;
}
int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
const unsigned char *from, int flen,
const unsigned char *param, int plen,
const EVP_MD *md, const EVP_MD *mgf1md)
{
return rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(NULL, to, tlen, from,
flen, param, plen, md,
mgf1md);
}
int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
const unsigned char *from, int flen, int num,
const unsigned char *param, int plen)

10
crypto/rsa/rsa_ossl.c

@ -111,14 +111,18 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
switch (padding) {
case RSA_PKCS1_PADDING:
i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
i = rsa_padding_add_PKCS1_type_2_with_libctx(rsa->libctx, buf, num,
from, flen);
break;
case RSA_PKCS1_OAEP_PADDING:
i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
i = rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(rsa->libctx, buf, num,
from, flen, NULL, 0,
NULL, NULL);
break;
#ifndef FIPS_MODE
case RSA_SSLV23_PADDING:
i = RSA_padding_add_SSLv23(buf, num, from, flen);
i = rsa_padding_add_SSLv23_with_libctx(rsa->libctx, buf, num, from,
flen);
break;
#endif
case RSA_NO_PADDING:

31
crypto/rsa/rsa_pk1.c

@ -23,6 +23,7 @@
#include <openssl/ssl.h>
#include "internal/cryptlib.h"
#include "crypto/rsa.h"
#include "rsa_local.h"
int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
const unsigned char *from, int flen)
@ -123,15 +124,16 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
return j;
}
int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
const unsigned char *from, int flen)
int rsa_padding_add_PKCS1_type_2_with_libctx(OPENSSL_CTX *libctx,
unsigned char *to, int tlen,
const unsigned char *from,
int flen)
{
int i, j;
unsigned char *p;
if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) {
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
RSAerr(0, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
return 0;
}
@ -143,12 +145,12 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
/* pad out with non-zero random data */
j = tlen - 3 - flen;
if (RAND_bytes(p, j) <= 0)
if (RAND_bytes_ex(libctx, p, j) <= 0)
return 0;
for (i = 0; i < j; i++) {
if (*p == '\0')
do {
if (RAND_bytes(p, 1) <= 0)
if (RAND_bytes_ex(libctx, p, 1) <= 0)
return 0;
} while (*p == '\0');
p++;
@ -160,6 +162,12 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
return 1;
}
int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
const unsigned char *from, int flen)
{
return rsa_padding_add_PKCS1_type_2_with_libctx(NULL, to, tlen, from, flen);
}
int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
const unsigned char *from, int flen,
int num)
@ -291,9 +299,10 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
* decrypted data will be randomly generated (as per
* https://tools.ietf.org/html/rfc5246#section-7.4.7.1).
*/
int rsa_padding_check_PKCS1_type_2_TLS(unsigned char *to, size_t tlen,
const unsigned char *from, size_t flen,
int client_version, int alt_version)
int rsa_padding_check_PKCS1_type_2_TLS(OPENSSL_CTX *libctx, unsigned char *to,
size_t tlen, const unsigned char *from,
size_t flen, int client_version,
int alt_version)
{
unsigned int i, good, version_good;
unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
@ -312,8 +321,8 @@ int rsa_padding_check_PKCS1_type_2_TLS(unsigned char *to, size_t tlen,
* Generate a random premaster secret to use in the event that we fail
* to decrypt.
*/
if (RAND_priv_bytes(rand_premaster_secret,
sizeof(rand_premaster_secret)) <= 0) {
if (RAND_priv_bytes_ex(libctx, rand_premaster_secret,
sizeof(rand_premaster_secret)) <= 0) {
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
return -1;
}

2
crypto/rsa/rsa_pss.c

@ -206,7 +206,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
ERR_R_MALLOC_FAILURE);
goto err;
}
if (RAND_bytes(salt, sLen) <= 0)
if (RAND_bytes_ex(rsa->libctx, salt, sLen) <= 0)
goto err;
}
maskedDBLen = emLen - hLen - 1;

19
crypto/rsa/rsa_ssl.c

@ -19,16 +19,17 @@
#include <openssl/rsa.h>
#include <openssl/rand.h>
#include "internal/constant_time.h"
#include "rsa_local.h"
int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
const unsigned char *from, int flen)
int rsa_padding_add_SSLv23_with_libctx(OPENSSL_CTX *libctx, unsigned char *to,
int tlen, const unsigned char *from,
int flen)
{
int i, j;
unsigned char *p;
if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) {
RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
RSAerr(0, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
return 0;
}
@ -40,12 +41,12 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
/* pad out with non-zero random data */
j = tlen - 3 - 8 - flen;
if (RAND_bytes(p, j) <= 0)
if (RAND_bytes_ex(libctx, p, j) <= 0)
return 0;
for (i = 0; i < j; i++) {
if (*p == '\0')
do {
if (RAND_bytes(p, 1) <= 0)
if (RAND_bytes_ex(libctx, p, 1) <= 0)
return 0;
} while (*p == '\0');
p++;
@ -59,6 +60,12 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
return 1;
}
int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
const unsigned char *from, int flen)
{
return rsa_padding_add_SSLv23_with_libctx(NULL, to, tlen, from, flen);
}
/*
* Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
* if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also

7
include/crypto/rsa.h

@ -21,9 +21,10 @@ int rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes,
STACK_OF(BIGNUM_const) *exps,
STACK_OF(BIGNUM_const) *coeffs);
int rsa_padding_check_PKCS1_type_2_TLS(unsigned char *to, size_t tlen,
const unsigned char *from, size_t flen,
int client_version, int alt_version);
int rsa_padding_check_PKCS1_type_2_TLS(OPENSSL_CTX *ctx, unsigned char *to,
size_t tlen, const unsigned char *from,
size_t flen, int client_version,
int alt_version);
int rsa_validate_public(const RSA *key);
int rsa_validate_private(const RSA *key);

3
providers/implementations/asymciphers/rsa_enc.c

@ -225,7 +225,8 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_TLS_CLIENT_VERSION);
return 0;
}
ret = rsa_padding_check_PKCS1_type_2_TLS(out, outsize,
ret = rsa_padding_check_PKCS1_type_2_TLS(prsactx->libctx, out,
outsize,
tbuf, len,
prsactx->client_version,
prsactx->alt_version);