From 0f2deef59d13e852a4bde0e853e9b49bab51a108 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 12 Mar 2020 14:41:45 +0000 Subject: [PATCH] Use RAND_bytes_ex in crypto/rsa At various points in crypto/rsa we need to get random numbers. We should ensure that we use the correct libctx when doing so. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/11355) --- crypto/rsa/rsa_local.h | 15 +++++++ crypto/rsa/rsa_oaep.c | 39 ++++++++++++------- crypto/rsa/rsa_ossl.c | 10 +++-- crypto/rsa/rsa_pk1.c | 31 +++++++++------ crypto/rsa/rsa_pss.c | 2 +- crypto/rsa/rsa_ssl.c | 19 ++++++--- include/crypto/rsa.h | 7 ++-- .../implementations/asymciphers/rsa_enc.c | 3 +- 8 files changed, 87 insertions(+), 39 deletions(-) diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h index 06a7daddbd..423492b909 100644 --- a/crypto/rsa/rsa_local.h +++ b/crypto/rsa/rsa_local.h @@ -169,4 +169,19 @@ int rsa_fips186_4_gen_prob_primes(RSA *rsa, BIGNUM *p1, BIGNUM *p2, const BIGNUM *Xq2, int nbits, const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb); +int rsa_padding_add_SSLv23_with_libctx(OPENSSL_CTX *libctx, unsigned char *to, + int tlen, const unsigned char *from, + int flen); +int rsa_padding_add_PKCS1_type_2_with_libctx(OPENSSL_CTX *libctx, + unsigned char *to, int tlen, + const unsigned char *from, + int flen); +int rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(OPENSSL_CTX *libctx, + unsigned char *to, int tlen, + const unsigned char *from, + int flen, + const unsigned char *param, + int plen, const EVP_MD *md, + const EVP_MD *mgf1md); + #endif /* OSSL_CRYPTO_RSA_LOCAL_H */ diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index 23fb8f9f2b..ed486acbe6 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -40,8 +40,9 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, const unsigned char *from, int flen, const unsigned char *param, int plen) { - return RSA_padding_add_PKCS1_OAEP_mgf1(to, tlen, from, flen, - param, plen, NULL, NULL); + return rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(NULL, to, tlen, from, + flen, param, plen, NULL, + NULL); } /* @@ -51,10 +52,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, * Step numbers are included here but not in the constant time inverse below * to avoid complicating an already difficult enough function. */ -int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, - const unsigned char *from, int flen, - const unsigned char *param, int plen, - const EVP_MD *md, const EVP_MD *mgf1md) +int rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(OPENSSL_CTX *libctx, + unsigned char *to, int tlen, + const unsigned char *from, + int flen, + const unsigned char *param, + int plen, const EVP_MD *md, + const EVP_MD *mgf1md) { int rv = 0; int i, emlen = tlen - 1; @@ -67,8 +71,7 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, if (md == NULL) md = EVP_sha1(); #else - RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, - ERR_R_PASSED_NULL_PARAMETER); + RSAerr(0, ERR_R_PASSED_NULL_PARAMETER); return 0; #endif if (mgf1md == NULL) @@ -78,14 +81,12 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, /* step 2b: check KLen > nLen - 2 HLen - 2 */ if (flen > emlen - 2 * mdlen - 1) { - RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, - RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); + RSAerr(0, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); return 0; } if (emlen < 2 * mdlen + 1) { - RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, - RSA_R_KEY_SIZE_TOO_SMALL); + RSAerr(0, RSA_R_KEY_SIZE_TOO_SMALL); return 0; } @@ -103,13 +104,13 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, db[emlen - flen - mdlen - 1] = 0x01; memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen); /* step 3d: generate random byte string */ - if (RAND_bytes(seed, mdlen) <= 0) + if (RAND_bytes_ex(libctx, seed, mdlen) <= 0) goto err; dbmask_len = emlen - mdlen; dbmask = OPENSSL_malloc(dbmask_len); if (dbmask == NULL) { - RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE); + RSAerr(0, ERR_R_MALLOC_FAILURE); goto err; } @@ -134,6 +135,16 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, return rv; } +int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, + const unsigned char *from, int flen, + const unsigned char *param, int plen, + const EVP_MD *md, const EVP_MD *mgf1md) +{ + return rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(NULL, to, tlen, from, + flen, param, plen, md, + mgf1md); +} + int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, const unsigned char *from, int flen, int num, const unsigned char *param, int plen) diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c index 4b54aa86fe..504ad82f17 100644 --- a/crypto/rsa/rsa_ossl.c +++ b/crypto/rsa/rsa_ossl.c @@ -111,14 +111,18 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, switch (padding) { case RSA_PKCS1_PADDING: - i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); + i = rsa_padding_add_PKCS1_type_2_with_libctx(rsa->libctx, buf, num, + from, flen); break; case RSA_PKCS1_OAEP_PADDING: - i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); + i = rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(rsa->libctx, buf, num, + from, flen, NULL, 0, + NULL, NULL); break; #ifndef FIPS_MODE case RSA_SSLV23_PADDING: - i = RSA_padding_add_SSLv23(buf, num, from, flen); + i = rsa_padding_add_SSLv23_with_libctx(rsa->libctx, buf, num, from, + flen); break; #endif case RSA_NO_PADDING: diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c index 33391c4fcb..b8aa49d701 100644 --- a/crypto/rsa/rsa_pk1.c +++ b/crypto/rsa/rsa_pk1.c @@ -23,6 +23,7 @@ #include #include "internal/cryptlib.h" #include "crypto/rsa.h" +#include "rsa_local.h" int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, const unsigned char *from, int flen) @@ -123,15 +124,16 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen, return j; } -int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, - const unsigned char *from, int flen) +int rsa_padding_add_PKCS1_type_2_with_libctx(OPENSSL_CTX *libctx, + unsigned char *to, int tlen, + const unsigned char *from, + int flen) { int i, j; unsigned char *p; if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) { - RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2, - RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); + RSAerr(0, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); return 0; } @@ -143,12 +145,12 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, /* pad out with non-zero random data */ j = tlen - 3 - flen; - if (RAND_bytes(p, j) <= 0) + if (RAND_bytes_ex(libctx, p, j) <= 0) return 0; for (i = 0; i < j; i++) { if (*p == '\0') do { - if (RAND_bytes(p, 1) <= 0) + if (RAND_bytes_ex(libctx, p, 1) <= 0) return 0; } while (*p == '\0'); p++; @@ -160,6 +162,12 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, return 1; } +int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, + const unsigned char *from, int flen) +{ + return rsa_padding_add_PKCS1_type_2_with_libctx(NULL, to, tlen, from, flen); +} + int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, const unsigned char *from, int flen, int num) @@ -291,9 +299,10 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, * decrypted data will be randomly generated (as per * https://tools.ietf.org/html/rfc5246#section-7.4.7.1). */ -int rsa_padding_check_PKCS1_type_2_TLS(unsigned char *to, size_t tlen, - const unsigned char *from, size_t flen, - int client_version, int alt_version) +int rsa_padding_check_PKCS1_type_2_TLS(OPENSSL_CTX *libctx, unsigned char *to, + size_t tlen, const unsigned char *from, + size_t flen, int client_version, + int alt_version) { unsigned int i, good, version_good; unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; @@ -312,8 +321,8 @@ int rsa_padding_check_PKCS1_type_2_TLS(unsigned char *to, size_t tlen, * Generate a random premaster secret to use in the event that we fail * to decrypt. */ - if (RAND_priv_bytes(rand_premaster_secret, - sizeof(rand_premaster_secret)) <= 0) { + if (RAND_priv_bytes_ex(libctx, rand_premaster_secret, + sizeof(rand_premaster_secret)) <= 0) { ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); return -1; } diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c index 054fca9fd1..999fc3122f 100644 --- a/crypto/rsa/rsa_pss.c +++ b/crypto/rsa/rsa_pss.c @@ -206,7 +206,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, ERR_R_MALLOC_FAILURE); goto err; } - if (RAND_bytes(salt, sLen) <= 0) + if (RAND_bytes_ex(rsa->libctx, salt, sLen) <= 0) goto err; } maskedDBLen = emLen - hLen - 1; diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c index 48731dfb90..0309665338 100644 --- a/crypto/rsa/rsa_ssl.c +++ b/crypto/rsa/rsa_ssl.c @@ -19,16 +19,17 @@ #include #include #include "internal/constant_time.h" +#include "rsa_local.h" -int RSA_padding_add_SSLv23(unsigned char *to, int tlen, - const unsigned char *from, int flen) +int rsa_padding_add_SSLv23_with_libctx(OPENSSL_CTX *libctx, unsigned char *to, + int tlen, const unsigned char *from, + int flen) { int i, j; unsigned char *p; if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) { - RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23, - RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); + RSAerr(0, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); return 0; } @@ -40,12 +41,12 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen, /* pad out with non-zero random data */ j = tlen - 3 - 8 - flen; - if (RAND_bytes(p, j) <= 0) + if (RAND_bytes_ex(libctx, p, j) <= 0) return 0; for (i = 0; i < j; i++) { if (*p == '\0') do { - if (RAND_bytes(p, 1) <= 0) + if (RAND_bytes_ex(libctx, p, 1) <= 0) return 0; } while (*p == '\0'); p++; @@ -59,6 +60,12 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen, return 1; } +int RSA_padding_add_SSLv23(unsigned char *to, int tlen, + const unsigned char *from, int flen) +{ + return rsa_padding_add_SSLv23_with_libctx(NULL, to, tlen, from, flen); +} + /* * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h index 51ac0148af..09335fafe4 100644 --- a/include/crypto/rsa.h +++ b/include/crypto/rsa.h @@ -21,9 +21,10 @@ int rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes, STACK_OF(BIGNUM_const) *exps, STACK_OF(BIGNUM_const) *coeffs); -int rsa_padding_check_PKCS1_type_2_TLS(unsigned char *to, size_t tlen, - const unsigned char *from, size_t flen, - int client_version, int alt_version); +int rsa_padding_check_PKCS1_type_2_TLS(OPENSSL_CTX *ctx, unsigned char *to, + size_t tlen, const unsigned char *from, + size_t flen, int client_version, + int alt_version); int rsa_validate_public(const RSA *key); int rsa_validate_private(const RSA *key); diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c index 5f071a56ca..5f05d1810b 100644 --- a/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c @@ -225,7 +225,8 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, ERR_raise(ERR_LIB_PROV, PROV_R_BAD_TLS_CLIENT_VERSION); return 0; } - ret = rsa_padding_check_PKCS1_type_2_TLS(out, outsize, + ret = rsa_padding_check_PKCS1_type_2_TLS(prsactx->libctx, out, + outsize, tbuf, len, prsactx->client_version, prsactx->alt_version); -- 2.39.2