4 files changed, 191 insertions, 130 deletions
diff --git a/crypto/openssl/crypto/rsa/rsa.h b/crypto/openssl/crypto/rsa/rsa.h
index fef4ef5..28912b3 100644
--- a/crypto/openssl/crypto/rsa/rsa.h
+++ b/crypto/openssl/crypto/rsa/rsa.h
@@ -202,8 +202,6 @@ RSA_METHOD *RSA_PKCS1_SSLeay(void);
 
 RSA_METHOD *RSA_null_method(void);
 
-void	ERR_load_RSA_strings(void );
-
 RSA *	d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length);
 int	i2d_RSAPublicKey(RSA *a, unsigned char **pp);
 RSA *	d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length);
@@ -275,6 +273,7 @@ void *RSA_get_ex_data(RSA *r, int idx);
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_RSA_strings(void);
 
 /* Error codes for the RSA functions. */
 
@@ -316,6 +315,7 @@ void *RSA_get_ex_data(RSA *r, int idx);
 #define RSA_R_DATA_GREATER_THAN_MOD_LEN			 108
 #define RSA_R_DATA_TOO_LARGE				 109
 #define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE		 110
+#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS		 132
 #define RSA_R_DATA_TOO_SMALL				 111
 #define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE		 122
 #define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY		 112
@@ -342,4 +342,3 @@ void *RSA_get_ex_data(RSA *r, int idx);
 }
 #endif
 #endif
-
diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c
index 3e38320..cafdc41 100644
--- a/crypto/openssl/crypto/rsa/rsa_eay.c
+++ b/crypto/openssl/crypto/rsa/rsa_eay.c
@@ -78,8 +78,8 @@ static int RSA_eay_finish(RSA *rsa);
 static RSA_METHOD rsa_pkcs1_eay_meth={
 	"Eric Young's PKCS#1 RSA",
 	RSA_eay_public_encrypt,
-	RSA_eay_public_decrypt,
-	RSA_eay_private_encrypt,
+	RSA_eay_public_decrypt, /* signature verification */
+	RSA_eay_private_encrypt, /* signing */
 	RSA_eay_private_decrypt,
 	RSA_eay_mod_exp,
 	BN_mod_exp_mont,
@@ -136,6 +136,13 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from,
 
 	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
 	
+	if (BN_ucmp(&f, rsa->n) >= 0)
+		{	
+		/* usually the padding functions would catch this */
+		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+		goto err;
+		}
+
 	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
 		{
 		BN_MONT_CTX* bn_mont_ctx;
@@ -183,6 +190,7 @@ err:
 	return(r);
 	}
 
+/* signing */
 static int RSA_eay_private_encrypt(int flen, unsigned char *from,
 	     unsigned char *to, RSA *rsa, int padding)
 	{
@@ -218,6 +226,13 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
 	if (i <= 0) goto err;
 
 	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
+	
+	if (BN_ucmp(&f, rsa->n) >= 0)
+		{	
+		/* usually the padding functions would catch this */
+		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+		goto err;
+		}
 
 	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
 		RSA_blinding_on(rsa,ctx);
@@ -292,6 +307,12 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
 	/* make data into a big number */
 	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
 
+	if (BN_ucmp(&f, rsa->n) >= 0)
+		{
+		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+		goto err;
+		}
+
 	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
 		RSA_blinding_on(rsa,ctx);
 	if (rsa->flags & RSA_FLAG_BLINDING)
@@ -352,6 +373,7 @@ err:
 	return(r);
 	}
 
+/* signature verification */
 static int RSA_eay_public_decrypt(int flen, unsigned char *from,
 	     unsigned char *to, RSA *rsa, int padding)
 	{
@@ -383,6 +405,13 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
 		}
 
 	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
+
+	if (BN_ucmp(&f, rsa->n) >= 0)
+		{
+		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+		goto err;
+		}
+
 	/* do the decrypt */
 	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
 		{
diff --git a/crypto/openssl/crypto/rsa/rsa_err.c b/crypto/openssl/crypto/rsa/rsa_err.c
index 1cde7c0..bff7cf5 100644
--- a/crypto/openssl/crypto/rsa/rsa_err.c
+++ b/crypto/openssl/crypto/rsa/rsa_err.c
@@ -106,6 +106,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
 {RSA_R_DATA_GREATER_THAN_MOD_LEN         ,"data greater than mod len"},
 {RSA_R_DATA_TOO_LARGE                    ,"data too large"},
 {RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE       ,"data too large for key size"},
+{RSA_R_DATA_TOO_LARGE_FOR_MODULUS        ,"data too large for modulus"},
 {RSA_R_DATA_TOO_SMALL                    ,"data too small"},
 {RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE       ,"data too small for key size"},
 {RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY        ,"digest too big for rsa key"},
diff --git a/crypto/openssl/crypto/rsa/rsa_oaep.c b/crypto/openssl/crypto/rsa/rsa_oaep.c
index 1849e55..4f0bbab 100644
--- a/crypto/openssl/crypto/rsa/rsa_oaep.c
+++ b/crypto/openssl/crypto/rsa/rsa_oaep.c
@@ -2,7 +2,22 @@
 /* Written by Ulf Moeller. This software is distributed on an "AS IS"
    basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
 
-/* EME_OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
+/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
+
+/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
+ * <URL: http://www.shoup.net/papers/oaep.ps.Z>
+ * for problems with the security proof for the
+ * original OAEP scheme, which EME-OAEP is based on.
+ * 
+ * A new proof can be found in E. Fujisaki, T. Okamoto,
+ * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
+ * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
+ * The new proof has stronger requirements for the
+ * underlying permutation: "partial-one-wayness" instead
+ * of one-wayness.  For the RSA function, this is
+ * an equivalent notion.
+ */
+
 
 #if !defined(NO_SHA) && !defined(NO_SHA1)
 #include <stdio.h>
@@ -12,157 +27,174 @@
 #include <openssl/sha.h>
 #include <openssl/rand.h>
 
-int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen);
+int MGF1(unsigned char *mask, long len,
+	unsigned char *seed, long seedlen);
 
 int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
-	     unsigned char *from, int flen, unsigned char *param, int plen)
-    {
-    int i, emlen = tlen - 1;
-    unsigned char *db, *seed;
-    unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
-
-    if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
+	unsigned char *from, int flen,
+	unsigned char *param, int plen)
 	{
-	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
-	       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-	return (0);
-	}
+	int i, emlen = tlen - 1;
+	unsigned char *db, *seed;
+	unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
 
-    if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
-	{
-	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
-	return (0);
-	}
-    
-    dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
-    if (dbmask == NULL)
-	{
-	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
-	return (0);
-	}
+	if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
+		{
+		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
+		   RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+		return 0;
+		}
+
+	if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
+		{
+		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
+		return 0;
+		}
 
-    to[0] = 0;
-    seed = to + 1;
-    db = to + SHA_DIGEST_LENGTH + 1;
-
-    SHA1(param, plen, db);
-    memset(db + SHA_DIGEST_LENGTH, 0,
-	   emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
-    db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
-    memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
-    if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
-    	return (0);
+	dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
+	if (dbmask == NULL)
+		{
+		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+
+	to[0] = 0;
+	seed = to + 1;
+	db = to + SHA_DIGEST_LENGTH + 1;
+
+	SHA1(param, plen, db);
+	memset(db + SHA_DIGEST_LENGTH, 0,
+		emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
+	db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
+	memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
+	if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
+		return 0;
 #ifdef PKCS_TESTVECT
-    memcpy(seed,
+	memcpy(seed,
 	   "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
 	   20);
 #endif
 
-    MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
-    for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
-	db[i] ^= dbmask[i];
+	MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
+	for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
+		db[i] ^= dbmask[i];
 
-    MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
-    for (i = 0; i < SHA_DIGEST_LENGTH; i++)
-	seed[i] ^= seedmask[i];
+	MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
+	for (i = 0; i < SHA_DIGEST_LENGTH; i++)
+		seed[i] ^= seedmask[i];
 
-    OPENSSL_free(dbmask);
-    return (1);
-    }
+	OPENSSL_free(dbmask);
+	return 1;
+	}
 
 int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
 	     unsigned char *from, int flen, int num, unsigned char *param,
 	     int plen)
-    {
-    int i, dblen, mlen = -1;
-    unsigned char *maskeddb;
-    int lzero;
-    unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
-
-    if (--num < 2 * SHA_DIGEST_LENGTH + 1)
-	goto decoding_err;
-
-    lzero = num - flen;
-    if (lzero < 0)
-	goto decoding_err;
-    maskeddb = from - lzero + SHA_DIGEST_LENGTH;
-    
-    dblen = num - SHA_DIGEST_LENGTH;
-    db = OPENSSL_malloc(dblen);
-    if (db == NULL)
 	{
-	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
-	return (-1);
-	}
+	int i, dblen, mlen = -1;
+	unsigned char *maskeddb;
+	int lzero;
+	unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
+	int bad = 0;
+
+	if (--num < 2 * SHA_DIGEST_LENGTH + 1)
+		/* 'num' is the length of the modulus, i.e. does not depend on the
+		 * particular ciphertext. */
+		goto decoding_err;
+
+	lzero = num - flen;
+	if (lzero < 0)
+		{
+		/* lzero == -1 */
+
+		/* signalling this error immediately after detection might allow
+		 * for side-channel attacks (e.g. timing if 'plen' is huge
+		 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
+		 * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
+		 * so we use a 'bad' flag */
+		bad = 1;
+		lzero = 0;
+		}
+	maskeddb = from - lzero + SHA_DIGEST_LENGTH;
+
+	dblen = num - SHA_DIGEST_LENGTH;
+	db = OPENSSL_malloc(dblen);
+	if (db == NULL)
+		{
+		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+		return -1;
+		}
 
-    MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
-    for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
-	seed[i] ^= from[i - lzero];
-  
-    MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
-    for (i = 0; i < dblen; i++)
-	db[i] ^= maskeddb[i];
+	MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
+	for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
+		seed[i] ^= from[i - lzero];
 
-    SHA1(param, plen, phash);
+	MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
+	for (i = 0; i < dblen; i++)
+		db[i] ^= maskeddb[i];
 
-    if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0)
-	goto decoding_err;
-    else
-	{
-	for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
-	    if (db[i] != 0x00)
-		break;
-	if (db[i] != 0x01 || i++ >= dblen)
-	  goto decoding_err;
+	SHA1(param, plen, phash);
+
+	if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
+		goto decoding_err;
 	else
-	    {
-	    mlen = dblen - i;
-	    if (tlen < mlen)
 		{
-		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
-		mlen = -1;
+		for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
+			if (db[i] != 0x00)
+				break;
+		if (db[i] != 0x01 || i++ >= dblen)
+			goto decoding_err;
+		else
+			{
+			/* everything looks OK */
+
+			mlen = dblen - i;
+			if (tlen < mlen)
+				{
+				RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
+				mlen = -1;
+				}
+			else
+				memcpy(to, db + i, mlen);
+			}
 		}
-	    else
-		memcpy(to, db + i, mlen);
-	    }
-	}
-    OPENSSL_free(db);
-    return (mlen);
+	OPENSSL_free(db);
+	return mlen;
 
 decoding_err:
-    /* to avoid chosen ciphertext attacks, the error message should not reveal
-     * which kind of decoding error happened */
-    RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
-    if (db != NULL) OPENSSL_free(db);
-    return -1;
-    }
+	/* to avoid chosen ciphertext attacks, the error message should not reveal
+	 * which kind of decoding error happened */
+	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+	if (db != NULL) OPENSSL_free(db);
+	return -1;
+	}
 
 int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen)
-    {
-    long i, outlen = 0;
-    unsigned char cnt[4];
-    SHA_CTX c;
-    unsigned char md[SHA_DIGEST_LENGTH];
-
-    for (i = 0; outlen < len; i++)
 	{
-	cnt[0] = (i >> 24) & 255, cnt[1] = (i >> 16) & 255,
-	  cnt[2] = (i >> 8) & 255, cnt[3] = i & 255;
-	SHA1_Init(&c);
-	SHA1_Update(&c, seed, seedlen);
-	SHA1_Update(&c, cnt, 4);
-	if (outlen + SHA_DIGEST_LENGTH <= len)
-	    {
-	    SHA1_Final(mask + outlen, &c);
-	    outlen += SHA_DIGEST_LENGTH;
-	    }
-	else
-	    {
-	    SHA1_Final(md, &c);
-	    memcpy(mask + outlen, md, len - outlen);
-	    outlen = len;
-	    }
+	long i, outlen = 0;
+	unsigned char cnt[4];
+	SHA_CTX c;
+	unsigned char md[SHA_DIGEST_LENGTH];
+
+	for (i = 0; outlen < len; i++)
+		{
+		cnt[0] = (i >> 24) & 255, cnt[1] = (i >> 16) & 255,
+			cnt[2] = (i >> 8) & 255, cnt[3] = i & 255;
+		SHA1_Init(&c);
+		SHA1_Update(&c, seed, seedlen);
+		SHA1_Update(&c, cnt, 4);
+		if (outlen + SHA_DIGEST_LENGTH <= len)
+			{
+			SHA1_Final(mask + outlen, &c);
+			outlen += SHA_DIGEST_LENGTH;
+			}
+		else
+			{
+			SHA1_Final(md, &c);
+			memcpy(mask + outlen, md, len - outlen);
+			outlen = len;
+			}
+		}
+	return 0;
 	}
-    return (0);
-    }
 #endif