ring-native 0.0.0 → 0.1.0

Files changed (267) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +1 -0
  3. data/CHANGES.md +7 -0
  4. data/Makefile +5 -0
  5. data/README.md +12 -5
  6. data/Rakefile +4 -0
  7. data/ext/ring/extconf.rb +4 -5
  8. data/lib/ring/native.rb +3 -1
  9. data/lib/ring/native/version.rb +5 -1
  10. data/ring-native.gemspec +6 -6
  11. data/vendor/ring-ffi/Cargo.lock +26 -0
  12. data/vendor/ring-ffi/Cargo.toml +45 -0
  13. data/vendor/ring-ffi/LICENSE +16 -0
  14. data/vendor/ring-ffi/README.md +59 -0
  15. data/vendor/ring-ffi/src/lib.rs +79 -0
  16. metadata +10 -255
  17. data/vendor/ring/BUILDING.md +0 -40
  18. data/vendor/ring/Cargo.toml +0 -43
  19. data/vendor/ring/LICENSE +0 -185
  20. data/vendor/ring/Makefile +0 -35
  21. data/vendor/ring/PORTING.md +0 -163
  22. data/vendor/ring/README.md +0 -113
  23. data/vendor/ring/STYLE.md +0 -197
  24. data/vendor/ring/appveyor.yml +0 -27
  25. data/vendor/ring/build.rs +0 -108
  26. data/vendor/ring/crypto/aes/aes.c +0 -1142
  27. data/vendor/ring/crypto/aes/aes_test.Windows.vcxproj +0 -25
  28. data/vendor/ring/crypto/aes/aes_test.cc +0 -93
  29. data/vendor/ring/crypto/aes/asm/aes-586.pl +0 -2368
  30. data/vendor/ring/crypto/aes/asm/aes-armv4.pl +0 -1249
  31. data/vendor/ring/crypto/aes/asm/aes-x86_64.pl +0 -2246
  32. data/vendor/ring/crypto/aes/asm/aesni-x86.pl +0 -1318
  33. data/vendor/ring/crypto/aes/asm/aesni-x86_64.pl +0 -2084
  34. data/vendor/ring/crypto/aes/asm/aesv8-armx.pl +0 -675
  35. data/vendor/ring/crypto/aes/asm/bsaes-armv7.pl +0 -1364
  36. data/vendor/ring/crypto/aes/asm/bsaes-x86_64.pl +0 -1565
  37. data/vendor/ring/crypto/aes/asm/vpaes-x86.pl +0 -841
  38. data/vendor/ring/crypto/aes/asm/vpaes-x86_64.pl +0 -1116
  39. data/vendor/ring/crypto/aes/internal.h +0 -87
  40. data/vendor/ring/crypto/aes/mode_wrappers.c +0 -61
  41. data/vendor/ring/crypto/bn/add.c +0 -394
  42. data/vendor/ring/crypto/bn/asm/armv4-mont.pl +0 -694
  43. data/vendor/ring/crypto/bn/asm/armv8-mont.pl +0 -1503
  44. data/vendor/ring/crypto/bn/asm/bn-586.pl +0 -774
  45. data/vendor/ring/crypto/bn/asm/co-586.pl +0 -287
  46. data/vendor/ring/crypto/bn/asm/rsaz-avx2.pl +0 -1882
  47. data/vendor/ring/crypto/bn/asm/x86-mont.pl +0 -592
  48. data/vendor/ring/crypto/bn/asm/x86_64-gcc.c +0 -599
  49. data/vendor/ring/crypto/bn/asm/x86_64-mont.pl +0 -1393
  50. data/vendor/ring/crypto/bn/asm/x86_64-mont5.pl +0 -3507
  51. data/vendor/ring/crypto/bn/bn.c +0 -352
  52. data/vendor/ring/crypto/bn/bn_asn1.c +0 -74
  53. data/vendor/ring/crypto/bn/bn_test.Windows.vcxproj +0 -25
  54. data/vendor/ring/crypto/bn/bn_test.cc +0 -1696
  55. data/vendor/ring/crypto/bn/cmp.c +0 -200
  56. data/vendor/ring/crypto/bn/convert.c +0 -433
  57. data/vendor/ring/crypto/bn/ctx.c +0 -311
  58. data/vendor/ring/crypto/bn/div.c +0 -594
  59. data/vendor/ring/crypto/bn/exponentiation.c +0 -1335
  60. data/vendor/ring/crypto/bn/gcd.c +0 -711
  61. data/vendor/ring/crypto/bn/generic.c +0 -1019
  62. data/vendor/ring/crypto/bn/internal.h +0 -316
  63. data/vendor/ring/crypto/bn/montgomery.c +0 -516
  64. data/vendor/ring/crypto/bn/mul.c +0 -888
  65. data/vendor/ring/crypto/bn/prime.c +0 -829
  66. data/vendor/ring/crypto/bn/random.c +0 -334
  67. data/vendor/ring/crypto/bn/rsaz_exp.c +0 -262
  68. data/vendor/ring/crypto/bn/rsaz_exp.h +0 -53
  69. data/vendor/ring/crypto/bn/shift.c +0 -276
  70. data/vendor/ring/crypto/bytestring/bytestring_test.Windows.vcxproj +0 -25
  71. data/vendor/ring/crypto/bytestring/bytestring_test.cc +0 -421
  72. data/vendor/ring/crypto/bytestring/cbb.c +0 -399
  73. data/vendor/ring/crypto/bytestring/cbs.c +0 -227
  74. data/vendor/ring/crypto/bytestring/internal.h +0 -46
  75. data/vendor/ring/crypto/chacha/chacha_generic.c +0 -140
  76. data/vendor/ring/crypto/chacha/chacha_vec.c +0 -323
  77. data/vendor/ring/crypto/chacha/chacha_vec_arm.S +0 -1447
  78. data/vendor/ring/crypto/chacha/chacha_vec_arm_generate.go +0 -153
  79. data/vendor/ring/crypto/cipher/cipher_test.Windows.vcxproj +0 -25
  80. data/vendor/ring/crypto/cipher/e_aes.c +0 -390
  81. data/vendor/ring/crypto/cipher/e_chacha20poly1305.c +0 -208
  82. data/vendor/ring/crypto/cipher/internal.h +0 -173
  83. data/vendor/ring/crypto/cipher/test/aes_128_gcm_tests.txt +0 -543
  84. data/vendor/ring/crypto/cipher/test/aes_128_key_wrap_tests.txt +0 -9
  85. data/vendor/ring/crypto/cipher/test/aes_256_gcm_tests.txt +0 -475
  86. data/vendor/ring/crypto/cipher/test/aes_256_key_wrap_tests.txt +0 -23
  87. data/vendor/ring/crypto/cipher/test/chacha20_poly1305_old_tests.txt +0 -422
  88. data/vendor/ring/crypto/cipher/test/chacha20_poly1305_tests.txt +0 -484
  89. data/vendor/ring/crypto/cipher/test/cipher_test.txt +0 -100
  90. data/vendor/ring/crypto/constant_time_test.Windows.vcxproj +0 -25
  91. data/vendor/ring/crypto/constant_time_test.c +0 -304
  92. data/vendor/ring/crypto/cpu-arm-asm.S +0 -32
  93. data/vendor/ring/crypto/cpu-arm.c +0 -199
  94. data/vendor/ring/crypto/cpu-intel.c +0 -261
  95. data/vendor/ring/crypto/crypto.c +0 -151
  96. data/vendor/ring/crypto/curve25519/asm/x25519-arm.S +0 -2118
  97. data/vendor/ring/crypto/curve25519/curve25519.c +0 -4888
  98. data/vendor/ring/crypto/curve25519/x25519_test.cc +0 -128
  99. data/vendor/ring/crypto/digest/md32_common.h +0 -181
  100. data/vendor/ring/crypto/ec/asm/p256-x86_64-asm.pl +0 -2725
  101. data/vendor/ring/crypto/ec/ec.c +0 -193
  102. data/vendor/ring/crypto/ec/ec_curves.c +0 -61
  103. data/vendor/ring/crypto/ec/ec_key.c +0 -228
  104. data/vendor/ring/crypto/ec/ec_montgomery.c +0 -114
  105. data/vendor/ring/crypto/ec/example_mul.Windows.vcxproj +0 -25
  106. data/vendor/ring/crypto/ec/internal.h +0 -243
  107. data/vendor/ring/crypto/ec/oct.c +0 -253
  108. data/vendor/ring/crypto/ec/p256-64.c +0 -1794
  109. data/vendor/ring/crypto/ec/p256-x86_64-table.h +0 -9548
  110. data/vendor/ring/crypto/ec/p256-x86_64.c +0 -509
  111. data/vendor/ring/crypto/ec/simple.c +0 -1007
  112. data/vendor/ring/crypto/ec/util-64.c +0 -183
  113. data/vendor/ring/crypto/ec/wnaf.c +0 -508
  114. data/vendor/ring/crypto/ecdh/ecdh.c +0 -155
  115. data/vendor/ring/crypto/ecdsa/ecdsa.c +0 -304
  116. data/vendor/ring/crypto/ecdsa/ecdsa_asn1.c +0 -193
  117. data/vendor/ring/crypto/ecdsa/ecdsa_test.Windows.vcxproj +0 -25
  118. data/vendor/ring/crypto/ecdsa/ecdsa_test.cc +0 -327
  119. data/vendor/ring/crypto/header_removed.h +0 -17
  120. data/vendor/ring/crypto/internal.h +0 -495
  121. data/vendor/ring/crypto/libring.Windows.vcxproj +0 -101
  122. data/vendor/ring/crypto/mem.c +0 -98
  123. data/vendor/ring/crypto/modes/asm/aesni-gcm-x86_64.pl +0 -1045
  124. data/vendor/ring/crypto/modes/asm/ghash-armv4.pl +0 -517
  125. data/vendor/ring/crypto/modes/asm/ghash-x86.pl +0 -1393
  126. data/vendor/ring/crypto/modes/asm/ghash-x86_64.pl +0 -1741
  127. data/vendor/ring/crypto/modes/asm/ghashv8-armx.pl +0 -422
  128. data/vendor/ring/crypto/modes/ctr.c +0 -226
  129. data/vendor/ring/crypto/modes/gcm.c +0 -1206
  130. data/vendor/ring/crypto/modes/gcm_test.Windows.vcxproj +0 -25
  131. data/vendor/ring/crypto/modes/gcm_test.c +0 -348
  132. data/vendor/ring/crypto/modes/internal.h +0 -299
  133. data/vendor/ring/crypto/perlasm/arm-xlate.pl +0 -170
  134. data/vendor/ring/crypto/perlasm/readme +0 -100
  135. data/vendor/ring/crypto/perlasm/x86_64-xlate.pl +0 -1164
  136. data/vendor/ring/crypto/perlasm/x86asm.pl +0 -292
  137. data/vendor/ring/crypto/perlasm/x86gas.pl +0 -263
  138. data/vendor/ring/crypto/perlasm/x86masm.pl +0 -200
  139. data/vendor/ring/crypto/perlasm/x86nasm.pl +0 -187
  140. data/vendor/ring/crypto/poly1305/poly1305.c +0 -331
  141. data/vendor/ring/crypto/poly1305/poly1305_arm.c +0 -301
  142. data/vendor/ring/crypto/poly1305/poly1305_arm_asm.S +0 -2015
  143. data/vendor/ring/crypto/poly1305/poly1305_test.Windows.vcxproj +0 -25
  144. data/vendor/ring/crypto/poly1305/poly1305_test.cc +0 -80
  145. data/vendor/ring/crypto/poly1305/poly1305_test.txt +0 -52
  146. data/vendor/ring/crypto/poly1305/poly1305_vec.c +0 -892
  147. data/vendor/ring/crypto/rand/asm/rdrand-x86_64.pl +0 -75
  148. data/vendor/ring/crypto/rand/internal.h +0 -32
  149. data/vendor/ring/crypto/rand/rand.c +0 -189
  150. data/vendor/ring/crypto/rand/urandom.c +0 -219
  151. data/vendor/ring/crypto/rand/windows.c +0 -56
  152. data/vendor/ring/crypto/refcount_c11.c +0 -66
  153. data/vendor/ring/crypto/refcount_lock.c +0 -53
  154. data/vendor/ring/crypto/refcount_test.Windows.vcxproj +0 -25
  155. data/vendor/ring/crypto/refcount_test.c +0 -58
  156. data/vendor/ring/crypto/rsa/blinding.c +0 -462
  157. data/vendor/ring/crypto/rsa/internal.h +0 -108
  158. data/vendor/ring/crypto/rsa/padding.c +0 -300
  159. data/vendor/ring/crypto/rsa/rsa.c +0 -450
  160. data/vendor/ring/crypto/rsa/rsa_asn1.c +0 -261
  161. data/vendor/ring/crypto/rsa/rsa_impl.c +0 -944
  162. data/vendor/ring/crypto/rsa/rsa_test.Windows.vcxproj +0 -25
  163. data/vendor/ring/crypto/rsa/rsa_test.cc +0 -437
  164. data/vendor/ring/crypto/sha/asm/sha-armv8.pl +0 -436
  165. data/vendor/ring/crypto/sha/asm/sha-x86_64.pl +0 -2390
  166. data/vendor/ring/crypto/sha/asm/sha256-586.pl +0 -1275
  167. data/vendor/ring/crypto/sha/asm/sha256-armv4.pl +0 -735
  168. data/vendor/ring/crypto/sha/asm/sha256-armv8.pl +0 -14
  169. data/vendor/ring/crypto/sha/asm/sha256-x86_64.pl +0 -14
  170. data/vendor/ring/crypto/sha/asm/sha512-586.pl +0 -911
  171. data/vendor/ring/crypto/sha/asm/sha512-armv4.pl +0 -666
  172. data/vendor/ring/crypto/sha/asm/sha512-armv8.pl +0 -14
  173. data/vendor/ring/crypto/sha/asm/sha512-x86_64.pl +0 -14
  174. data/vendor/ring/crypto/sha/sha1.c +0 -271
  175. data/vendor/ring/crypto/sha/sha256.c +0 -204
  176. data/vendor/ring/crypto/sha/sha512.c +0 -355
  177. data/vendor/ring/crypto/test/file_test.cc +0 -326
  178. data/vendor/ring/crypto/test/file_test.h +0 -181
  179. data/vendor/ring/crypto/test/malloc.cc +0 -150
  180. data/vendor/ring/crypto/test/scoped_types.h +0 -95
  181. data/vendor/ring/crypto/test/test.Windows.vcxproj +0 -35
  182. data/vendor/ring/crypto/test/test_util.cc +0 -46
  183. data/vendor/ring/crypto/test/test_util.h +0 -41
  184. data/vendor/ring/crypto/thread_none.c +0 -55
  185. data/vendor/ring/crypto/thread_pthread.c +0 -165
  186. data/vendor/ring/crypto/thread_test.Windows.vcxproj +0 -25
  187. data/vendor/ring/crypto/thread_test.c +0 -200
  188. data/vendor/ring/crypto/thread_win.c +0 -282
  189. data/vendor/ring/examples/checkdigest.rs +0 -103
  190. data/vendor/ring/include/openssl/aes.h +0 -121
  191. data/vendor/ring/include/openssl/arm_arch.h +0 -129
  192. data/vendor/ring/include/openssl/base.h +0 -156
  193. data/vendor/ring/include/openssl/bn.h +0 -794
  194. data/vendor/ring/include/openssl/buffer.h +0 -18
  195. data/vendor/ring/include/openssl/bytestring.h +0 -235
  196. data/vendor/ring/include/openssl/chacha.h +0 -37
  197. data/vendor/ring/include/openssl/cmac.h +0 -76
  198. data/vendor/ring/include/openssl/cpu.h +0 -184
  199. data/vendor/ring/include/openssl/crypto.h +0 -43
  200. data/vendor/ring/include/openssl/curve25519.h +0 -88
  201. data/vendor/ring/include/openssl/ec.h +0 -225
  202. data/vendor/ring/include/openssl/ec_key.h +0 -129
  203. data/vendor/ring/include/openssl/ecdh.h +0 -110
  204. data/vendor/ring/include/openssl/ecdsa.h +0 -156
  205. data/vendor/ring/include/openssl/err.h +0 -201
  206. data/vendor/ring/include/openssl/mem.h +0 -101
  207. data/vendor/ring/include/openssl/obj_mac.h +0 -71
  208. data/vendor/ring/include/openssl/opensslfeatures.h +0 -68
  209. data/vendor/ring/include/openssl/opensslv.h +0 -18
  210. data/vendor/ring/include/openssl/ossl_typ.h +0 -18
  211. data/vendor/ring/include/openssl/poly1305.h +0 -51
  212. data/vendor/ring/include/openssl/rand.h +0 -70
  213. data/vendor/ring/include/openssl/rsa.h +0 -399
  214. data/vendor/ring/include/openssl/thread.h +0 -133
  215. data/vendor/ring/include/openssl/type_check.h +0 -71
  216. data/vendor/ring/mk/Common.props +0 -63
  217. data/vendor/ring/mk/Windows.props +0 -42
  218. data/vendor/ring/mk/WindowsTest.props +0 -18
  219. data/vendor/ring/mk/appveyor.bat +0 -62
  220. data/vendor/ring/mk/bottom_of_makefile.mk +0 -54
  221. data/vendor/ring/mk/ring.mk +0 -266
  222. data/vendor/ring/mk/top_of_makefile.mk +0 -214
  223. data/vendor/ring/mk/travis.sh +0 -40
  224. data/vendor/ring/mk/update-travis-yml.py +0 -229
  225. data/vendor/ring/ring.sln +0 -153
  226. data/vendor/ring/src/aead.rs +0 -682
  227. data/vendor/ring/src/agreement.rs +0 -248
  228. data/vendor/ring/src/c.rs +0 -129
  229. data/vendor/ring/src/constant_time.rs +0 -37
  230. data/vendor/ring/src/der.rs +0 -96
  231. data/vendor/ring/src/digest.rs +0 -690
  232. data/vendor/ring/src/digest_tests.txt +0 -57
  233. data/vendor/ring/src/ecc.rs +0 -28
  234. data/vendor/ring/src/ecc_build.rs +0 -279
  235. data/vendor/ring/src/ecc_curves.rs +0 -117
  236. data/vendor/ring/src/ed25519_tests.txt +0 -2579
  237. data/vendor/ring/src/exe_tests.rs +0 -46
  238. data/vendor/ring/src/ffi.rs +0 -29
  239. data/vendor/ring/src/file_test.rs +0 -187
  240. data/vendor/ring/src/hkdf.rs +0 -153
  241. data/vendor/ring/src/hkdf_tests.txt +0 -59
  242. data/vendor/ring/src/hmac.rs +0 -414
  243. data/vendor/ring/src/hmac_tests.txt +0 -97
  244. data/vendor/ring/src/input.rs +0 -312
  245. data/vendor/ring/src/lib.rs +0 -41
  246. data/vendor/ring/src/pbkdf2.rs +0 -265
  247. data/vendor/ring/src/pbkdf2_tests.txt +0 -113
  248. data/vendor/ring/src/polyfill.rs +0 -57
  249. data/vendor/ring/src/rand.rs +0 -28
  250. data/vendor/ring/src/signature.rs +0 -314
  251. data/vendor/ring/third-party/NIST/README.md +0 -9
  252. data/vendor/ring/third-party/NIST/SHAVS/SHA1LongMsg.rsp +0 -263
  253. data/vendor/ring/third-party/NIST/SHAVS/SHA1Monte.rsp +0 -309
  254. data/vendor/ring/third-party/NIST/SHAVS/SHA1ShortMsg.rsp +0 -267
  255. data/vendor/ring/third-party/NIST/SHAVS/SHA224LongMsg.rsp +0 -263
  256. data/vendor/ring/third-party/NIST/SHAVS/SHA224Monte.rsp +0 -309
  257. data/vendor/ring/third-party/NIST/SHAVS/SHA224ShortMsg.rsp +0 -267
  258. data/vendor/ring/third-party/NIST/SHAVS/SHA256LongMsg.rsp +0 -263
  259. data/vendor/ring/third-party/NIST/SHAVS/SHA256Monte.rsp +0 -309
  260. data/vendor/ring/third-party/NIST/SHAVS/SHA256ShortMsg.rsp +0 -267
  261. data/vendor/ring/third-party/NIST/SHAVS/SHA384LongMsg.rsp +0 -519
  262. data/vendor/ring/third-party/NIST/SHAVS/SHA384Monte.rsp +0 -309
  263. data/vendor/ring/third-party/NIST/SHAVS/SHA384ShortMsg.rsp +0 -523
  264. data/vendor/ring/third-party/NIST/SHAVS/SHA512LongMsg.rsp +0 -519
  265. data/vendor/ring/third-party/NIST/SHAVS/SHA512Monte.rsp +0 -309
  266. data/vendor/ring/third-party/NIST/SHAVS/SHA512ShortMsg.rsp +0 -523
  267. data/vendor/ring/third-party/NIST/sha256sums.txt +0 -1
@@ -1,261 +0,0 @@
1
- /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2
- * project 2000.
3
- */
4
- /* ====================================================================
5
- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
6
- *
7
- * Redistribution and use in source and binary forms, with or without
8
- * modification, are permitted provided that the following conditions
9
- * are met:
10
- *
11
- * 1. Redistributions of source code must retain the above copyright
12
- * notice, this list of conditions and the following disclaimer.
13
- *
14
- * 2. Redistributions in binary form must reproduce the above copyright
15
- * notice, this list of conditions and the following disclaimer in
16
- * the documentation and/or other materials provided with the
17
- * distribution.
18
- *
19
- * 3. All advertising materials mentioning features or use of this
20
- * software must display the following acknowledgment:
21
- * "This product includes software developed by the OpenSSL Project
22
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23
- *
24
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25
- * endorse or promote products derived from this software without
26
- * prior written permission. For written permission, please contact
27
- * licensing@OpenSSL.org.
28
- *
29
- * 5. Products derived from this software may not be called "OpenSSL"
30
- * nor may "OpenSSL" appear in their names without prior written
31
- * permission of the OpenSSL Project.
32
- *
33
- * 6. Redistributions of any form whatsoever must retain the following
34
- * acknowledgment:
35
- * "This product includes software developed by the OpenSSL Project
36
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37
- *
38
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49
- * OF THE POSSIBILITY OF SUCH DAMAGE.
50
- * ====================================================================
51
- *
52
- * This product includes cryptographic software written by Eric Young
53
- * (eay@cryptsoft.com). This product includes software written by Tim
54
- * Hudson (tjh@cryptsoft.com). */
55
-
56
- #include <openssl/rsa.h>
57
-
58
- #include <assert.h>
59
- #include <limits.h>
60
- #include <string.h>
61
-
62
- #include <openssl/bn.h>
63
- #include <openssl/bytestring.h>
64
- #include <openssl/err.h>
65
- #include <openssl/mem.h>
66
-
67
- #include "internal.h"
68
-
69
-
70
- static int parse_integer(CBS *cbs, BIGNUM **out) {
71
- assert(*out == NULL);
72
- *out = BN_new();
73
- if (*out == NULL) {
74
- return 0;
75
- }
76
- return BN_cbs2unsigned(cbs, *out);
77
- }
78
-
79
- static int marshal_integer(CBB *cbb, BIGNUM *bn) {
80
- if (bn == NULL) {
81
- /* An RSA object may be missing some components. */
82
- OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
83
- return 0;
84
- }
85
- return BN_bn2cbb(cbb, bn);
86
- }
87
-
88
- RSA *RSA_parse_public_key(CBS *cbs) {
89
- RSA *ret = RSA_new();
90
- if (ret == NULL) {
91
- return NULL;
92
- }
93
- CBS child;
94
- if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
95
- !parse_integer(&child, &ret->n) ||
96
- !parse_integer(&child, &ret->e) ||
97
- CBS_len(&child) != 0) {
98
- OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
99
- RSA_free(ret);
100
- return NULL;
101
- }
102
- return ret;
103
- }
104
-
105
- RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len) {
106
- CBS cbs;
107
- CBS_init(&cbs, in, in_len);
108
- RSA *ret = RSA_parse_public_key(&cbs);
109
- if (ret == NULL || CBS_len(&cbs) != 0) {
110
- OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
111
- RSA_free(ret);
112
- return NULL;
113
- }
114
- return ret;
115
- }
116
-
117
- int RSA_marshal_public_key(CBB *cbb, const RSA *rsa) {
118
- CBB child;
119
- if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
120
- !marshal_integer(&child, rsa->n) ||
121
- !marshal_integer(&child, rsa->e) ||
122
- !CBB_flush(cbb)) {
123
- OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
124
- return 0;
125
- }
126
- return 1;
127
- }
128
-
129
- int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
130
- const RSA *rsa) {
131
- CBB cbb;
132
- CBB_zero(&cbb);
133
- if (!CBB_init(&cbb, 0) ||
134
- !RSA_marshal_public_key(&cbb, rsa) ||
135
- !CBB_finish(&cbb, out_bytes, out_len)) {
136
- OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
137
- CBB_cleanup(&cbb);
138
- return 0;
139
- }
140
- return 1;
141
- }
142
-
143
- /* kVersionTwoPrime is the supported value of the version
144
- * field of an RSAPrivateKey structure (RFC 3447). */
145
- static const uint64_t kVersionTwoPrime = 0;
146
-
147
- RSA *RSA_parse_private_key(CBS *cbs) {
148
- BN_CTX *ctx = NULL;
149
- RSA *ret = RSA_new();
150
- if (ret == NULL) {
151
- return NULL;
152
- }
153
-
154
- CBS child;
155
- uint64_t version;
156
- if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
157
- !CBS_get_asn1_uint64(&child, &version)) {
158
- OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
159
- goto err;
160
- }
161
-
162
- if (version != kVersionTwoPrime) {
163
- OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_VERSION);
164
- goto err;
165
- }
166
-
167
- if (!parse_integer(&child, &ret->n) ||
168
- !parse_integer(&child, &ret->e) ||
169
- !parse_integer(&child, &ret->d) ||
170
- !parse_integer(&child, &ret->p) ||
171
- !parse_integer(&child, &ret->q) ||
172
- !parse_integer(&child, &ret->dmp1) ||
173
- !parse_integer(&child, &ret->dmq1) ||
174
- !parse_integer(&child, &ret->iqmp)) {
175
- goto err;
176
- }
177
-
178
- if (CBS_len(&child) != 0) {
179
- OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
180
- goto err;
181
- }
182
-
183
- BN_CTX_free(ctx);
184
- return ret;
185
-
186
- err:
187
- BN_CTX_free(ctx);
188
- RSA_free(ret);
189
- return NULL;
190
- }
191
-
192
- RSA *RSA_private_key_from_bytes(const uint8_t *in, size_t in_len) {
193
- CBS cbs;
194
- CBS_init(&cbs, in, in_len);
195
- RSA *ret = RSA_parse_private_key(&cbs);
196
- if (ret == NULL || CBS_len(&cbs) != 0) {
197
- OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
198
- RSA_free(ret);
199
- return NULL;
200
- }
201
- return ret;
202
- }
203
-
204
- int RSA_marshal_private_key(CBB *cbb, const RSA *rsa) {
205
- CBB child;
206
- if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
207
- !CBB_add_asn1_uint64(&child, kVersionTwoPrime) ||
208
- !marshal_integer(&child, rsa->n) ||
209
- !marshal_integer(&child, rsa->e) ||
210
- !marshal_integer(&child, rsa->d) ||
211
- !marshal_integer(&child, rsa->p) ||
212
- !marshal_integer(&child, rsa->q) ||
213
- !marshal_integer(&child, rsa->dmp1) ||
214
- !marshal_integer(&child, rsa->dmq1) ||
215
- !marshal_integer(&child, rsa->iqmp)) {
216
- OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
217
- return 0;
218
- }
219
-
220
- if (!CBB_flush(cbb)) {
221
- OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
222
- return 0;
223
- }
224
- return 1;
225
- }
226
-
227
- int RSA_private_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
228
- const RSA *rsa) {
229
- CBB cbb;
230
- CBB_zero(&cbb);
231
- if (!CBB_init(&cbb, 0) ||
232
- !RSA_marshal_private_key(&cbb, rsa) ||
233
- !CBB_finish(&cbb, out_bytes, out_len)) {
234
- OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
235
- CBB_cleanup(&cbb);
236
- return 0;
237
- }
238
- return 1;
239
- }
240
-
241
- RSA *RSAPublicKey_dup(const RSA *rsa) {
242
- uint8_t *der;
243
- size_t der_len;
244
- if (!RSA_public_key_to_bytes(&der, &der_len, rsa)) {
245
- return NULL;
246
- }
247
- RSA *ret = RSA_public_key_from_bytes(der, der_len);
248
- OPENSSL_free(der);
249
- return ret;
250
- }
251
-
252
- RSA *RSAPrivateKey_dup(const RSA *rsa) {
253
- uint8_t *der;
254
- size_t der_len;
255
- if (!RSA_private_key_to_bytes(&der, &der_len, rsa)) {
256
- return NULL;
257
- }
258
- RSA *ret = RSA_private_key_from_bytes(der, der_len);
259
- OPENSSL_free(der);
260
- return ret;
261
- }
@@ -1,944 +0,0 @@
1
- /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2
- * All rights reserved.
3
- *
4
- * This package is an SSL implementation written
5
- * by Eric Young (eay@cryptsoft.com).
6
- * The implementation was written so as to conform with Netscapes SSL.
7
- *
8
- * This library is free for commercial and non-commercial use as long as
9
- * the following conditions are aheared to. The following conditions
10
- * apply to all code found in this distribution, be it the RC4, RSA,
11
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12
- * included with this distribution is covered by the same copyright terms
13
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14
- *
15
- * Copyright remains Eric Young's, and as such any Copyright notices in
16
- * the code are not to be removed.
17
- * If this package is used in a product, Eric Young should be given attribution
18
- * as the author of the parts of the library used.
19
- * This can be in the form of a textual message at program startup or
20
- * in documentation (online or textual) provided with the package.
21
- *
22
- * Redistribution and use in source and binary forms, with or without
23
- * modification, are permitted provided that the following conditions
24
- * are met:
25
- * 1. Redistributions of source code must retain the copyright
26
- * notice, this list of conditions and the following disclaimer.
27
- * 2. Redistributions in binary form must reproduce the above copyright
28
- * notice, this list of conditions and the following disclaimer in the
29
- * documentation and/or other materials provided with the distribution.
30
- * 3. All advertising materials mentioning features or use of this software
31
- * must display the following acknowledgement:
32
- * "This product includes cryptographic software written by
33
- * Eric Young (eay@cryptsoft.com)"
34
- * The word 'cryptographic' can be left out if the rouines from the library
35
- * being used are not cryptographic related :-).
36
- * 4. If you include any Windows specific code (or a derivative thereof) from
37
- * the apps directory (application code) you must include an acknowledgement:
38
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39
- *
40
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50
- * SUCH DAMAGE.
51
- *
52
- * The licence and distribution terms for any publically available version or
53
- * derivative of this code cannot be changed. i.e. this code cannot simply be
54
- * copied and put under another distribution licence
55
- * [including the GNU Public Licence.] */
56
-
57
- #include <openssl/rsa.h>
58
-
59
- #include <string.h>
60
-
61
- #include <openssl/bn.h>
62
- #include <openssl/err.h>
63
- #include <openssl/mem.h>
64
- #include <openssl/thread.h>
65
-
66
- #include "internal.h"
67
- #include "../internal.h"
68
-
69
-
70
- #define OPENSSL_RSA_MAX_MODULUS_BITS 16384
71
- #define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
72
- #define OPENSSL_RSA_MAX_PUBEXP_BITS \
73
- 64 /* exponent limit enforced for "large" modulus only */
74
-
75
- static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
76
- static int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
77
- size_t len);
78
-
79
- unsigned RSA_size(const RSA *rsa) {
80
- return BN_num_bytes(rsa->n);
81
- }
82
-
83
- int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
84
- const uint8_t *in, size_t in_len, int padding) {
85
- const unsigned rsa_size = RSA_size(rsa);
86
- BIGNUM *f, *result;
87
- uint8_t *buf = NULL;
88
- BN_CTX *ctx = NULL;
89
- int i, ret = 0;
90
-
91
- if (rsa_size > OPENSSL_RSA_MAX_MODULUS_BITS) {
92
- OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
93
- return 0;
94
- }
95
-
96
- if (max_out < rsa_size) {
97
- OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
98
- return 0;
99
- }
100
-
101
- if (BN_ucmp(rsa->n, rsa->e) <= 0) {
102
- OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
103
- return 0;
104
- }
105
-
106
- /* for large moduli, enforce exponent limit */
107
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS &&
108
- BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
109
- OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
110
- return 0;
111
- }
112
-
113
- ctx = BN_CTX_new();
114
- if (ctx == NULL) {
115
- goto err;
116
- }
117
-
118
- BN_CTX_start(ctx);
119
- f = BN_CTX_get(ctx);
120
- result = BN_CTX_get(ctx);
121
- buf = OPENSSL_malloc(rsa_size);
122
- if (!f || !result || !buf) {
123
- OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
124
- goto err;
125
- }
126
-
127
- switch (padding) {
128
- case RSA_PKCS1_PADDING:
129
- i = RSA_padding_add_PKCS1_type_2(buf, rsa_size, in, in_len);
130
- break;
131
- case RSA_NO_PADDING:
132
- i = RSA_padding_add_none(buf, rsa_size, in, in_len);
133
- break;
134
- case RSA_PKCS1_OAEP_PADDING:
135
- /* ring: BoringSSL supports |RSA_PKCS1_OAEP_PADDING| here, defaulting
136
- * to SHA-1 for both digest algorithms, and no label. *ring* doesn't
137
- * support this (yet) because it doesn't want have a hard-coded
138
- * dependency on SHA-1. Also, *ring* it doesn't want to depend on the
139
- * |EVP_MD| API, so the calculation of OAEP padding needs to be redone
140
- * using |ring::digest|. */
141
- /* fall through */
142
- default:
143
- OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
144
- goto err;
145
- }
146
-
147
- if (i <= 0) {
148
- goto err;
149
- }
150
-
151
- if (BN_bin2bn(buf, rsa_size, f) == NULL) {
152
- goto err;
153
- }
154
-
155
- if (BN_ucmp(f, rsa->n) >= 0) {
156
- /* usually the padding functions would catch this */
157
- OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
158
- goto err;
159
- }
160
-
161
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
162
- if (BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) == NULL) {
163
- goto err;
164
- }
165
- }
166
-
167
- if (!BN_mod_exp_mont(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) {
168
- goto err;
169
- }
170
-
171
- /* put in leading 0 bytes if the number is less than the length of the
172
- * modulus */
173
- if (!BN_bn2bin_padded(out, rsa_size, result)) {
174
- OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
175
- goto err;
176
- }
177
-
178
- *out_len = rsa_size;
179
- ret = 1;
180
-
181
- err:
182
- if (ctx != NULL) {
183
- BN_CTX_end(ctx);
184
- BN_CTX_free(ctx);
185
- }
186
- if (buf != NULL) {
187
- OPENSSL_cleanse(buf, rsa_size);
188
- OPENSSL_free(buf);
189
- }
190
-
191
- return ret;
192
- }
193
-
194
- /* MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per
195
- * RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and
196
- * destroyed as needed. */
197
- #define MAX_BLINDINGS_PER_RSA 1024
198
-
199
- /* rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by
200
- * allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If
201
- * none are free, the cache will be extended by a extra element and the new
202
- * BN_BLINDING is returned.
203
- *
204
- * On success, the index of the assigned BN_BLINDING is written to
205
- * |*index_used| and must be passed to |rsa_blinding_release| when finished. */
206
- static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,
207
- BN_CTX *ctx) {
208
- BN_BLINDING *ret = NULL;
209
- BN_BLINDING **new_blindings;
210
- uint8_t *new_blindings_inuse;
211
- char overflow = 0;
212
-
213
- CRYPTO_MUTEX_lock_write(&rsa->lock);
214
-
215
- unsigned i;
216
- for (i = 0; i < rsa->num_blindings; i++) {
217
- if (rsa->blindings_inuse[i] == 0) {
218
- rsa->blindings_inuse[i] = 1;
219
- ret = rsa->blindings[i];
220
- *index_used = i;
221
- break;
222
- }
223
- }
224
-
225
- if (ret != NULL) {
226
- CRYPTO_MUTEX_unlock(&rsa->lock);
227
- return ret;
228
- }
229
-
230
- overflow = rsa->num_blindings >= MAX_BLINDINGS_PER_RSA;
231
-
232
- /* We didn't find a free BN_BLINDING to use so increase the length of
233
- * the arrays by one and use the newly created element. */
234
-
235
- CRYPTO_MUTEX_unlock(&rsa->lock);
236
- ret = rsa_setup_blinding(rsa, ctx);
237
- if (ret == NULL) {
238
- return NULL;
239
- }
240
-
241
- if (overflow) {
242
- /* We cannot add any more cached BN_BLINDINGs so we use |ret|
243
- * and mark it for destruction in |rsa_blinding_release|. */
244
- *index_used = MAX_BLINDINGS_PER_RSA;
245
- return ret;
246
- }
247
-
248
- CRYPTO_MUTEX_lock_write(&rsa->lock);
249
-
250
- new_blindings =
251
- OPENSSL_malloc(sizeof(BN_BLINDING *) * (rsa->num_blindings + 1));
252
- if (new_blindings == NULL) {
253
- goto err1;
254
- }
255
- memcpy(new_blindings, rsa->blindings,
256
- sizeof(BN_BLINDING *) * rsa->num_blindings);
257
- new_blindings[rsa->num_blindings] = ret;
258
-
259
- new_blindings_inuse = OPENSSL_malloc(rsa->num_blindings + 1);
260
- if (new_blindings_inuse == NULL) {
261
- goto err2;
262
- }
263
- memcpy(new_blindings_inuse, rsa->blindings_inuse, rsa->num_blindings);
264
- new_blindings_inuse[rsa->num_blindings] = 1;
265
- *index_used = rsa->num_blindings;
266
-
267
- OPENSSL_free(rsa->blindings);
268
- rsa->blindings = new_blindings;
269
- OPENSSL_free(rsa->blindings_inuse);
270
- rsa->blindings_inuse = new_blindings_inuse;
271
- rsa->num_blindings++;
272
-
273
- CRYPTO_MUTEX_unlock(&rsa->lock);
274
- return ret;
275
-
276
- err2:
277
- OPENSSL_free(new_blindings);
278
-
279
- err1:
280
- CRYPTO_MUTEX_unlock(&rsa->lock);
281
- BN_BLINDING_free(ret);
282
- return NULL;
283
- }
284
-
285
- /* rsa_blinding_release marks the cached BN_BLINDING at the given index as free
286
- * for other threads to use. */
287
- static void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding,
288
- unsigned blinding_index) {
289
- if (blinding_index == MAX_BLINDINGS_PER_RSA) {
290
- /* This blinding wasn't cached. */
291
- BN_BLINDING_free(blinding);
292
- return;
293
- }
294
-
295
- CRYPTO_MUTEX_lock_write(&rsa->lock);
296
- rsa->blindings_inuse[blinding_index] = 0;
297
- CRYPTO_MUTEX_unlock(&rsa->lock);
298
- }
299
-
300
- /* signing */
301
- int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
302
- const uint8_t *in, size_t in_len, int padding) {
303
- const unsigned rsa_size = RSA_size(rsa);
304
- uint8_t *buf = NULL;
305
- int i, ret = 0;
306
-
307
- if (max_out < rsa_size) {
308
- OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
309
- return 0;
310
- }
311
-
312
- buf = OPENSSL_malloc(rsa_size);
313
- if (buf == NULL) {
314
- OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
315
- goto err;
316
- }
317
-
318
- switch (padding) {
319
- case RSA_PKCS1_PADDING:
320
- i = RSA_padding_add_PKCS1_type_1(buf, rsa_size, in, in_len);
321
- break;
322
- case RSA_NO_PADDING:
323
- i = RSA_padding_add_none(buf, rsa_size, in, in_len);
324
- break;
325
- default:
326
- OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
327
- goto err;
328
- }
329
-
330
- if (i <= 0) {
331
- goto err;
332
- }
333
-
334
- if (!rsa_private_transform(rsa, out, buf, rsa_size)) {
335
- goto err;
336
- }
337
-
338
- *out_len = rsa_size;
339
- ret = 1;
340
-
341
- err:
342
- if (buf != NULL) {
343
- OPENSSL_cleanse(buf, rsa_size);
344
- OPENSSL_free(buf);
345
- }
346
-
347
- return ret;
348
- }
349
-
350
- int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
351
- const uint8_t *in, size_t in_len, int padding) {
352
- const unsigned rsa_size = RSA_size(rsa);
353
- int r = -1;
354
- uint8_t *buf = NULL;
355
- int ret = 0;
356
-
357
- if (max_out < rsa_size) {
358
- OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
359
- return 0;
360
- }
361
-
362
- if (padding == RSA_NO_PADDING) {
363
- buf = out;
364
- } else {
365
- /* Allocate a temporary buffer to hold the padded plaintext. */
366
- buf = OPENSSL_malloc(rsa_size);
367
- if (buf == NULL) {
368
- OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
369
- goto err;
370
- }
371
- }
372
-
373
- if (in_len != rsa_size) {
374
- OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);
375
- goto err;
376
- }
377
-
378
- if (!rsa_private_transform(rsa, buf, in, rsa_size)) {
379
- goto err;
380
- }
381
-
382
- switch (padding) {
383
- case RSA_PKCS1_PADDING:
384
- r = RSA_padding_check_PKCS1_type_2(out, rsa_size, buf, rsa_size);
385
- break;
386
- case RSA_NO_PADDING:
387
- r = rsa_size;
388
- break;
389
- case RSA_PKCS1_OAEP_PADDING:
390
- /* ring: BoringSSL supports |RSA_PKCS1_OAEP_PADDING| here, defaulting
391
- * to SHA-1 for both digest algorithms, and no label. *ring* doesn't
392
- * support this (yet) because it doesn't want have a hard-coded
393
- * dependency on SHA-1. Also, *ring* it doesn't want to depend on the
394
- * |EVP_MD| API, so the calculation of OAEP padding needs to be redone
395
- * using |ring::digest|. */
396
- /* fall through */
397
- default:
398
- OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
399
- goto err;
400
- }
401
-
402
- if (r < 0) {
403
- OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);
404
- } else {
405
- *out_len = r;
406
- ret = 1;
407
- }
408
-
409
- err:
410
- if (padding != RSA_NO_PADDING && buf != NULL) {
411
- OPENSSL_cleanse(buf, rsa_size);
412
- OPENSSL_free(buf);
413
- }
414
-
415
- return ret;
416
- }
417
-
418
- int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
419
- const uint8_t *in, size_t in_len, int padding) {
420
- const unsigned rsa_size = RSA_size(rsa);
421
- BIGNUM *f, *result;
422
- int ret = 0;
423
- int r = -1;
424
- uint8_t *buf = NULL;
425
- BN_CTX *ctx = NULL;
426
-
427
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
428
- OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
429
- return 0;
430
- }
431
-
432
- if (BN_ucmp(rsa->n, rsa->e) <= 0) {
433
- OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
434
- return 0;
435
- }
436
-
437
- if (max_out < rsa_size) {
438
- OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
439
- return 0;
440
- }
441
-
442
- /* for large moduli, enforce exponent limit */
443
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS &&
444
- BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
445
- OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
446
- return 0;
447
- }
448
-
449
- ctx = BN_CTX_new();
450
- if (ctx == NULL) {
451
- goto err;
452
- }
453
-
454
- BN_CTX_start(ctx);
455
- f = BN_CTX_get(ctx);
456
- result = BN_CTX_get(ctx);
457
- if (padding == RSA_NO_PADDING) {
458
- buf = out;
459
- } else {
460
- /* Allocate a temporary buffer to hold the padded plaintext. */
461
- buf = OPENSSL_malloc(rsa_size);
462
- if (buf == NULL) {
463
- OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
464
- goto err;
465
- }
466
- }
467
- if (!f || !result) {
468
- OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
469
- goto err;
470
- }
471
-
472
- if (in_len != rsa_size) {
473
- OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);
474
- goto err;
475
- }
476
-
477
- if (BN_bin2bn(in, in_len, f) == NULL) {
478
- goto err;
479
- }
480
-
481
- if (BN_ucmp(f, rsa->n) >= 0) {
482
- OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
483
- goto err;
484
- }
485
-
486
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
487
- if (BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) == NULL) {
488
- goto err;
489
- }
490
- }
491
-
492
- if (!BN_mod_exp_mont(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) {
493
- goto err;
494
- }
495
-
496
- if (!BN_bn2bin_padded(buf, rsa_size, result)) {
497
- OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
498
- goto err;
499
- }
500
-
501
- switch (padding) {
502
- case RSA_PKCS1_PADDING:
503
- r = RSA_padding_check_PKCS1_type_1(out, rsa_size, buf, rsa_size);
504
- break;
505
- case RSA_NO_PADDING:
506
- r = rsa_size;
507
- break;
508
- default:
509
- OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
510
- goto err;
511
- }
512
-
513
- if (r < 0) {
514
- OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);
515
- } else {
516
- *out_len = r;
517
- ret = 1;
518
- }
519
-
520
- err:
521
- if (ctx != NULL) {
522
- BN_CTX_end(ctx);
523
- BN_CTX_free(ctx);
524
- }
525
- if (padding != RSA_NO_PADDING && buf != NULL) {
526
- OPENSSL_cleanse(buf, rsa_size);
527
- OPENSSL_free(buf);
528
- }
529
- return ret;
530
- }
531
-
532
- /* rsa_private_transform takes a big-endian integer from |in|, calculates the
533
- * d'th power of it, modulo the RSA modulus and writes the result as a
534
- * big-endian integer to |out|. Both |in| and |out| are |len| bytes long and
535
- * |len| is always equal to |RSA_size(rsa)|. If the result of the transform can
536
- * be represented in fewer than |len| bytes, then |out| must be zero padded on
537
- * the left.
538
- *
539
- * It returns one on success and zero otherwise.
540
- */
541
- static int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
542
- size_t len) {
543
- BIGNUM *f, *result;
544
- BN_CTX *ctx = NULL;
545
- unsigned blinding_index = 0;
546
- BN_BLINDING *blinding = NULL;
547
- int ret = 0;
548
-
549
- ctx = BN_CTX_new();
550
- if (ctx == NULL) {
551
- goto err;
552
- }
553
- BN_CTX_start(ctx);
554
- f = BN_CTX_get(ctx);
555
- result = BN_CTX_get(ctx);
556
-
557
- if (f == NULL || result == NULL) {
558
- OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
559
- goto err;
560
- }
561
-
562
- if (BN_bin2bn(in, len, f) == NULL) {
563
- goto err;
564
- }
565
-
566
- if (BN_ucmp(f, rsa->n) >= 0) {
567
- /* Usually the padding functions would catch this. */
568
- OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
569
- goto err;
570
- }
571
-
572
- if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
573
- blinding = rsa_blinding_get(rsa, &blinding_index, ctx);
574
- if (blinding == NULL) {
575
- OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
576
- goto err;
577
- }
578
- if (!BN_BLINDING_convert_ex(f, NULL, blinding, ctx)) {
579
- goto err;
580
- }
581
- }
582
-
583
- if ((rsa->p != NULL) && (rsa->q != NULL) && (rsa->dmp1 != NULL) &&
584
- (rsa->dmq1 != NULL) && (rsa->iqmp != NULL)) {
585
- if (!mod_exp(result, f, rsa, ctx)) {
586
- goto err;
587
- }
588
- } else {
589
- BIGNUM local_d;
590
- BIGNUM *d = NULL;
591
-
592
- BN_init(&local_d);
593
- d = &local_d;
594
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
595
-
596
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
597
- if (BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) == NULL) {
598
- goto err;
599
- }
600
- }
601
-
602
- if (!BN_mod_exp_mont(result, f, d, rsa->n, ctx, rsa->mont_n)) {
603
- goto err;
604
- }
605
- }
606
-
607
- if (blinding) {
608
- if (!BN_BLINDING_invert_ex(result, NULL, blinding, ctx)) {
609
- goto err;
610
- }
611
- }
612
-
613
- if (!BN_bn2bin_padded(out, len, result)) {
614
- OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
615
- goto err;
616
- }
617
-
618
- ret = 1;
619
-
620
- err:
621
- if (ctx != NULL) {
622
- BN_CTX_end(ctx);
623
- BN_CTX_free(ctx);
624
- }
625
- if (blinding != NULL) {
626
- rsa_blinding_release(rsa, blinding, blinding_index);
627
- }
628
-
629
- return ret;
630
- }
631
-
632
- static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {
633
- BIGNUM *r1, *m1, *vrfy;
634
- BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
635
- BIGNUM *dmp1, *dmq1, *c, *pr1;
636
- int ret = 0;
637
-
638
- BN_CTX_start(ctx);
639
- r1 = BN_CTX_get(ctx);
640
- m1 = BN_CTX_get(ctx);
641
- vrfy = BN_CTX_get(ctx);
642
-
643
- {
644
- BIGNUM local_p, local_q;
645
- BIGNUM *p = NULL, *q = NULL;
646
-
647
- /* Make sure BN_mod_inverse in Montgomery intialization uses the
648
- * BN_FLG_CONSTTIME flag. */
649
- BN_init(&local_p);
650
- p = &local_p;
651
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
652
-
653
- BN_init(&local_q);
654
- q = &local_q;
655
- BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
656
-
657
- if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
658
- if (BN_MONT_CTX_set_locked(&rsa->mont_p, &rsa->lock, p, ctx) == NULL) {
659
- goto err;
660
- }
661
- if (BN_MONT_CTX_set_locked(&rsa->mont_q, &rsa->lock, q, ctx) == NULL) {
662
- goto err;
663
- }
664
- }
665
- }
666
-
667
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
668
- if (BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) == NULL) {
669
- goto err;
670
- }
671
- }
672
-
673
- /* compute I mod q */
674
- c = &local_c;
675
- BN_with_flags(c, I, BN_FLG_CONSTTIME);
676
- if (!BN_mod(r1, c, rsa->q, ctx)) {
677
- goto err;
678
- }
679
-
680
- /* compute r1^dmq1 mod q */
681
- dmq1 = &local_dmq1;
682
- BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
683
- if (!BN_mod_exp_mont(m1, r1, dmq1, rsa->q, ctx, rsa->mont_q)) {
684
- goto err;
685
- }
686
-
687
- /* compute I mod p */
688
- c = &local_c;
689
- BN_with_flags(c, I, BN_FLG_CONSTTIME);
690
- if (!BN_mod(r1, c, rsa->p, ctx)) {
691
- goto err;
692
- }
693
-
694
- /* compute r1^dmp1 mod p */
695
- dmp1 = &local_dmp1;
696
- BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
697
- if (!BN_mod_exp_mont(r0, r1, dmp1, rsa->p, ctx, rsa->mont_p)) {
698
- goto err;
699
- }
700
-
701
- if (!BN_sub(r0, r0, m1)) {
702
- goto err;
703
- }
704
- /* This will help stop the size of r0 increasing, which does
705
- * affect the multiply if it optimised for a power of 2 size */
706
- if (BN_is_negative(r0)) {
707
- if (!BN_add(r0, r0, rsa->p)) {
708
- goto err;
709
- }
710
- }
711
-
712
- if (!BN_mul(r1, r0, rsa->iqmp, ctx)) {
713
- goto err;
714
- }
715
-
716
- /* Turn BN_FLG_CONSTTIME flag on before division operation */
717
- pr1 = &local_r1;
718
- BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
719
-
720
- if (!BN_mod(r0, pr1, rsa->p, ctx)) {
721
- goto err;
722
- }
723
-
724
- /* If p < q it is occasionally possible for the correction of
725
- * adding 'p' if r0 is negative above to leave the result still
726
- * negative. This can break the private key operations: the following
727
- * second correction should *always* correct this rare occurrence.
728
- * This will *never* happen with OpenSSL generated keys because
729
- * they ensure p > q [steve] */
730
- if (BN_is_negative(r0)) {
731
- if (!BN_add(r0, r0, rsa->p)) {
732
- goto err;
733
- }
734
- }
735
- if (!BN_mul(r1, r0, rsa->q, ctx)) {
736
- goto err;
737
- }
738
- if (!BN_add(r0, r1, m1)) {
739
- goto err;
740
- }
741
-
742
- if (rsa->e && rsa->n) {
743
- if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx, rsa->mont_n)) {
744
- goto err;
745
- }
746
- /* If 'I' was greater than (or equal to) rsa->n, the operation
747
- * will be equivalent to using 'I mod n'. However, the result of
748
- * the verify will *always* be less than 'n' so we don't check
749
- * for absolute equality, just congruency. */
750
- if (!BN_sub(vrfy, vrfy, I)) {
751
- goto err;
752
- }
753
- if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) {
754
- goto err;
755
- }
756
- if (BN_is_negative(vrfy)) {
757
- if (!BN_add(vrfy, vrfy, rsa->n)) {
758
- goto err;
759
- }
760
- }
761
- if (!BN_is_zero(vrfy)) {
762
- /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
763
- * miscalculated CRT output, just do a raw (slower)
764
- * mod_exp and return that instead. */
765
-
766
- BIGNUM local_d;
767
- BIGNUM *d = NULL;
768
-
769
- d = &local_d;
770
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
771
- if (!BN_mod_exp_mont(r0, I, d, rsa->n, ctx, rsa->mont_n)) {
772
- goto err;
773
- }
774
- }
775
- }
776
- ret = 1;
777
-
778
- err:
779
- BN_CTX_end(ctx);
780
- return ret;
781
- }
782
-
783
- int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
784
- BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
785
- BIGNUM local_r0, local_d, local_p;
786
- BIGNUM *pr0, *d, *p;
787
- int bitsp, bitsq, ok = -1, n = 0;
788
- BN_CTX *ctx = NULL;
789
-
790
- ctx = BN_CTX_new();
791
- if (ctx == NULL) {
792
- goto err;
793
- }
794
- BN_CTX_start(ctx);
795
- r0 = BN_CTX_get(ctx);
796
- r1 = BN_CTX_get(ctx);
797
- r2 = BN_CTX_get(ctx);
798
- r3 = BN_CTX_get(ctx);
799
- if (r0 == NULL || r1 == NULL || r2 == NULL || r3 == NULL) {
800
- goto err;
801
- }
802
-
803
- bitsp = (bits + 1) / 2;
804
- bitsq = bits - bitsp;
805
-
806
- /* We need the RSA components non-NULL */
807
- if (!rsa->n && ((rsa->n = BN_new()) == NULL)) {
808
- goto err;
809
- }
810
- if (!rsa->d && ((rsa->d = BN_new()) == NULL)) {
811
- goto err;
812
- }
813
- if (!rsa->e && ((rsa->e = BN_new()) == NULL)) {
814
- goto err;
815
- }
816
- if (!rsa->p && ((rsa->p = BN_new()) == NULL)) {
817
- goto err;
818
- }
819
- if (!rsa->q && ((rsa->q = BN_new()) == NULL)) {
820
- goto err;
821
- }
822
- if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL)) {
823
- goto err;
824
- }
825
- if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL)) {
826
- goto err;
827
- }
828
- if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL)) {
829
- goto err;
830
- }
831
-
832
- if (!BN_copy(rsa->e, e_value)) {
833
- goto err;
834
- }
835
-
836
- /* generate p and q */
837
- for (;;) {
838
- if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb) ||
839
- !BN_sub(r2, rsa->p, BN_value_one()) ||
840
- !BN_gcd(r1, r2, rsa->e, ctx)) {
841
- goto err;
842
- }
843
- if (BN_is_one(r1)) {
844
- break;
845
- }
846
- if (!BN_GENCB_call(cb, 2, n++)) {
847
- goto err;
848
- }
849
- }
850
- if (!BN_GENCB_call(cb, 3, 0)) {
851
- goto err;
852
- }
853
- for (;;) {
854
- /* When generating ridiculously small keys, we can get stuck
855
- * continually regenerating the same prime values. Check for
856
- * this and bail if it happens 3 times. */
857
- unsigned int degenerate = 0;
858
- do {
859
- if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) {
860
- goto err;
861
- }
862
- } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
863
- if (degenerate == 3) {
864
- ok = 0; /* we set our own err */
865
- OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
866
- goto err;
867
- }
868
- if (!BN_sub(r2, rsa->q, BN_value_one()) ||
869
- !BN_gcd(r1, r2, rsa->e, ctx)) {
870
- goto err;
871
- }
872
- if (BN_is_one(r1)) {
873
- break;
874
- }
875
- if (!BN_GENCB_call(cb, 2, n++)) {
876
- goto err;
877
- }
878
- }
879
- if (!BN_GENCB_call(cb, 3, 1)) {
880
- goto err;
881
- }
882
- if (BN_cmp(rsa->p, rsa->q) < 0) {
883
- tmp = rsa->p;
884
- rsa->p = rsa->q;
885
- rsa->q = tmp;
886
- }
887
-
888
- /* calculate n */
889
- if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) {
890
- goto err;
891
- }
892
-
893
- /* calculate d */
894
- if (!BN_sub(r1, rsa->p, BN_value_one())) {
895
- goto err; /* p-1 */
896
- }
897
- if (!BN_sub(r2, rsa->q, BN_value_one())) {
898
- goto err; /* q-1 */
899
- }
900
- if (!BN_mul(r0, r1, r2, ctx)) {
901
- goto err; /* (p-1)(q-1) */
902
- }
903
- pr0 = &local_r0;
904
- BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
905
- if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
906
- goto err; /* d */
907
- }
908
-
909
- /* set up d for correct BN_FLG_CONSTTIME flag */
910
- d = &local_d;
911
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
912
-
913
- /* calculate d mod (p-1) */
914
- if (!BN_mod(rsa->dmp1, d, r1, ctx)) {
915
- goto err;
916
- }
917
-
918
- /* calculate d mod (q-1) */
919
- if (!BN_mod(rsa->dmq1, d, r2, ctx)) {
920
- goto err;
921
- }
922
-
923
- /* calculate inverse of q mod p */
924
- p = &local_p;
925
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
926
-
927
- if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
928
- goto err;
929
- }
930
-
931
- ok = 1;
932
-
933
- err:
934
- if (ok == -1) {
935
- OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
936
- ok = 0;
937
- }
938
- if (ctx != NULL) {
939
- BN_CTX_end(ctx);
940
- BN_CTX_free(ctx);
941
- }
942
-
943
- return ok;
944
- }