summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatt Caswell <matt@openssl.org>2020-03-12 15:41:45 +0100
committerMatt Caswell <matt@openssl.org>2020-03-19 19:49:12 +0100
commit0f2deef59d13e852a4bde0e853e9b49bab51a108 (patch)
treea5c9ddb9320ccbe0c2d950f1732722d4f9261fd6
parentMake sure we use the libctx when fetching a MAC (diff)
downloadopenssl-0f2deef59d13e852a4bde0e853e9b49bab51a108.tar.xz
openssl-0f2deef59d13e852a4bde0e853e9b49bab51a108.zip
Use RAND_bytes_ex in crypto/rsa
At various points in crypto/rsa we need to get random numbers. We should ensure that we use the correct libctx when doing so. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11355)
-rw-r--r--crypto/rsa/rsa_local.h15
-rw-r--r--crypto/rsa/rsa_oaep.c39
-rw-r--r--crypto/rsa/rsa_ossl.c10
-rw-r--r--crypto/rsa/rsa_pk1.c31
-rw-r--r--crypto/rsa/rsa_pss.c2
-rw-r--r--crypto/rsa/rsa_ssl.c19
-rw-r--r--include/crypto/rsa.h7
-rw-r--r--providers/implementations/asymciphers/rsa_enc.c3
8 files changed, 87 insertions, 39 deletions
diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
index 06a7daddbd..423492b909 100644
--- a/crypto/rsa/rsa_local.h
+++ b/crypto/rsa/rsa_local.h
@@ -169,4 +169,19 @@ int rsa_fips186_4_gen_prob_primes(RSA *rsa, BIGNUM *p1, BIGNUM *p2,
const BIGNUM *Xq2, int nbits,
const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb);
+int rsa_padding_add_SSLv23_with_libctx(OPENSSL_CTX *libctx, unsigned char *to,
+ int tlen, const unsigned char *from,
+ int flen);
+int rsa_padding_add_PKCS1_type_2_with_libctx(OPENSSL_CTX *libctx,
+ unsigned char *to, int tlen,
+ const unsigned char *from,
+ int flen);
+int rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(OPENSSL_CTX *libctx,
+ unsigned char *to, int tlen,
+ const unsigned char *from,
+ int flen,
+ const unsigned char *param,
+ int plen, const EVP_MD *md,
+ const EVP_MD *mgf1md);
+
#endif /* OSSL_CRYPTO_RSA_LOCAL_H */
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index 23fb8f9f2b..ed486acbe6 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -40,8 +40,9 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
const unsigned char *from, int flen,
const unsigned char *param, int plen)
{
- return RSA_padding_add_PKCS1_OAEP_mgf1(to, tlen, from, flen,
- param, plen, NULL, NULL);
+ return rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(NULL, to, tlen, from,
+ flen, param, plen, NULL,
+ NULL);
}
/*
@@ -51,10 +52,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
* Step numbers are included here but not in the constant time inverse below
* to avoid complicating an already difficult enough function.
*/
-int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
- const unsigned char *from, int flen,
- const unsigned char *param, int plen,
- const EVP_MD *md, const EVP_MD *mgf1md)
+int rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(OPENSSL_CTX *libctx,
+ unsigned char *to, int tlen,
+ const unsigned char *from,
+ int flen,
+ const unsigned char *param,
+ int plen, const EVP_MD *md,
+ const EVP_MD *mgf1md)
{
int rv = 0;
int i, emlen = tlen - 1;
@@ -67,8 +71,7 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
if (md == NULL)
md = EVP_sha1();
#else
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,
- ERR_R_PASSED_NULL_PARAMETER);
+ RSAerr(0, ERR_R_PASSED_NULL_PARAMETER);
return 0;
#endif
if (mgf1md == NULL)
@@ -78,14 +81,12 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
/* step 2b: check KLen > nLen - 2 HLen - 2 */
if (flen > emlen - 2 * mdlen - 1) {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,
- RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+ RSAerr(0, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
return 0;
}
if (emlen < 2 * mdlen + 1) {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,
- RSA_R_KEY_SIZE_TOO_SMALL);
+ RSAerr(0, RSA_R_KEY_SIZE_TOO_SMALL);
return 0;
}
@@ -103,13 +104,13 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
db[emlen - flen - mdlen - 1] = 0x01;
memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
/* step 3d: generate random byte string */
- if (RAND_bytes(seed, mdlen) <= 0)
+ if (RAND_bytes_ex(libctx, seed, mdlen) <= 0)
goto err;
dbmask_len = emlen - mdlen;
dbmask = OPENSSL_malloc(dbmask_len);
if (dbmask == NULL) {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
+ RSAerr(0, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -134,6 +135,16 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
return rv;
}
+int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+ const unsigned char *from, int flen,
+ const unsigned char *param, int plen,
+ const EVP_MD *md, const EVP_MD *mgf1md)
+{
+ return rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(NULL, to, tlen, from,
+ flen, param, plen, md,
+ mgf1md);
+}
+
int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
const unsigned char *from, int flen, int num,
const unsigned char *param, int plen)
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index 4b54aa86fe..504ad82f17 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -111,14 +111,18 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
switch (padding) {
case RSA_PKCS1_PADDING:
- i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
+ i = rsa_padding_add_PKCS1_type_2_with_libctx(rsa->libctx, buf, num,
+ from, flen);
break;
case RSA_PKCS1_OAEP_PADDING:
- i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
+ i = rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(rsa->libctx, buf, num,
+ from, flen, NULL, 0,
+ NULL, NULL);
break;
#ifndef FIPS_MODE
case RSA_SSLV23_PADDING:
- i = RSA_padding_add_SSLv23(buf, num, from, flen);
+ i = rsa_padding_add_SSLv23_with_libctx(rsa->libctx, buf, num, from,
+ flen);
break;
#endif
case RSA_NO_PADDING:
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index 33391c4fcb..b8aa49d701 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -23,6 +23,7 @@
#include <openssl/ssl.h>
#include "internal/cryptlib.h"
#include "crypto/rsa.h"
+#include "rsa_local.h"
int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
const unsigned char *from, int flen)
@@ -123,15 +124,16 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
return j;
}
-int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
+int rsa_padding_add_PKCS1_type_2_with_libctx(OPENSSL_CTX *libctx,
+ unsigned char *to, int tlen,
+ const unsigned char *from,
+ int flen)
{
int i, j;
unsigned char *p;
if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,
- RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+ RSAerr(0, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
return 0;
}
@@ -143,12 +145,12 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
/* pad out with non-zero random data */
j = tlen - 3 - flen;
- if (RAND_bytes(p, j) <= 0)
+ if (RAND_bytes_ex(libctx, p, j) <= 0)
return 0;
for (i = 0; i < j; i++) {
if (*p == '\0')
do {
- if (RAND_bytes(p, 1) <= 0)
+ if (RAND_bytes_ex(libctx, p, 1) <= 0)
return 0;
} while (*p == '\0');
p++;
@@ -160,6 +162,12 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
return 1;
}
+int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
+ const unsigned char *from, int flen)
+{
+ return rsa_padding_add_PKCS1_type_2_with_libctx(NULL, to, tlen, from, flen);
+}
+
int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
const unsigned char *from, int flen,
int num)
@@ -291,9 +299,10 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
* decrypted data will be randomly generated (as per
* https://tools.ietf.org/html/rfc5246#section-7.4.7.1).
*/
-int rsa_padding_check_PKCS1_type_2_TLS(unsigned char *to, size_t tlen,
- const unsigned char *from, size_t flen,
- int client_version, int alt_version)
+int rsa_padding_check_PKCS1_type_2_TLS(OPENSSL_CTX *libctx, unsigned char *to,
+ size_t tlen, const unsigned char *from,
+ size_t flen, int client_version,
+ int alt_version)
{
unsigned int i, good, version_good;
unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
@@ -312,8 +321,8 @@ int rsa_padding_check_PKCS1_type_2_TLS(unsigned char *to, size_t tlen,
* Generate a random premaster secret to use in the event that we fail
* to decrypt.
*/
- if (RAND_priv_bytes(rand_premaster_secret,
- sizeof(rand_premaster_secret)) <= 0) {
+ if (RAND_priv_bytes_ex(libctx, rand_premaster_secret,
+ sizeof(rand_premaster_secret)) <= 0) {
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
return -1;
}
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index 054fca9fd1..999fc3122f 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -206,7 +206,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
ERR_R_MALLOC_FAILURE);
goto err;
}
- if (RAND_bytes(salt, sLen) <= 0)
+ if (RAND_bytes_ex(rsa->libctx, salt, sLen) <= 0)
goto err;
}
maskedDBLen = emLen - hLen - 1;
diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c
index 48731dfb90..0309665338 100644
--- a/crypto/rsa/rsa_ssl.c
+++ b/crypto/rsa/rsa_ssl.c
@@ -19,16 +19,17 @@
#include <openssl/rsa.h>
#include <openssl/rand.h>
#include "internal/constant_time.h"
+#include "rsa_local.h"
-int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
+int rsa_padding_add_SSLv23_with_libctx(OPENSSL_CTX *libctx, unsigned char *to,
+ int tlen, const unsigned char *from,
+ int flen)
{
int i, j;
unsigned char *p;
if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) {
- RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,
- RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+ RSAerr(0, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
return 0;
}
@@ -40,12 +41,12 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
/* pad out with non-zero random data */
j = tlen - 3 - 8 - flen;
- if (RAND_bytes(p, j) <= 0)
+ if (RAND_bytes_ex(libctx, p, j) <= 0)
return 0;
for (i = 0; i < j; i++) {
if (*p == '\0')
do {
- if (RAND_bytes(p, 1) <= 0)
+ if (RAND_bytes_ex(libctx, p, 1) <= 0)
return 0;
} while (*p == '\0');
p++;
@@ -59,6 +60,12 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
return 1;
}
+int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
+ const unsigned char *from, int flen)
+{
+ return rsa_padding_add_SSLv23_with_libctx(NULL, to, tlen, from, flen);
+}
+
/*
* Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
* if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also
diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h
index 51ac0148af..09335fafe4 100644
--- a/include/crypto/rsa.h
+++ b/include/crypto/rsa.h
@@ -21,9 +21,10 @@ int rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes,
STACK_OF(BIGNUM_const) *exps,
STACK_OF(BIGNUM_const) *coeffs);
-int rsa_padding_check_PKCS1_type_2_TLS(unsigned char *to, size_t tlen,
- const unsigned char *from, size_t flen,
- int client_version, int alt_version);
+int rsa_padding_check_PKCS1_type_2_TLS(OPENSSL_CTX *ctx, unsigned char *to,
+ size_t tlen, const unsigned char *from,
+ size_t flen, int client_version,
+ int alt_version);
int rsa_validate_public(const RSA *key);
int rsa_validate_private(const RSA *key);
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index 5f071a56ca..5f05d1810b 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -225,7 +225,8 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_TLS_CLIENT_VERSION);
return 0;
}
- ret = rsa_padding_check_PKCS1_type_2_TLS(out, outsize,
+ ret = rsa_padding_check_PKCS1_type_2_TLS(prsactx->libctx, out,
+ outsize,
tbuf, len,
prsactx->client_version,
prsactx->alt_version);