1 files changed, 36 insertions, 13 deletions
diff --git a/ssh-rsa.c b/ssh-rsa.c
index 1756315b9..9b14f9a9a 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -35,6 +35,8 @@
 #include "digest.h"
 #include "log.h"
+#include "openbsd-compat/openssl-compat.h"
 static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *);
 static const char *
@@ -104,38 +106,55 @@ rsa_hash_alg_nid(int type)
 }
 int
-ssh_rsa_generate_additional_parameters(struct sshkey *key)
+ssh_rsa_complete_crt_parameters(struct sshkey *key, const BIGNUM *iqmp)
 {
-        BIGNUM *aux = NULL;
+        const BIGNUM *rsa_p, *rsa_q, *rsa_d;
+        BIGNUM *aux = NULL, *d_consttime = NULL;
+        BIGNUM *rsa_dmq1 = NULL, *rsa_dmp1 = NULL, *rsa_iqmp = NULL;
        BN_CTX *ctx = NULL;
-        BIGNUM d;
        int r;
        if (key == NULL || key->rsa == NULL ||
            sshkey_type_plain(key->type) != KEY_RSA)
                return SSH_ERR_INVALID_ARGUMENT;
+        RSA_get0_key(key->rsa, NULL, NULL, &rsa_d);
+        RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
        if ((ctx = BN_CTX_new()) == NULL)
                return SSH_ERR_ALLOC_FAIL;
-        if ((aux = BN_new()) == NULL) {
+        if ((aux = BN_new()) == NULL ||
+            (rsa_dmq1 = BN_new()) == NULL ||
+            (rsa_dmp1 = BN_new()) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if ((d_consttime = BN_dup(rsa_d)) == NULL ||
+            (rsa_iqmp = BN_dup(iqmp)) == NULL) {
                r = SSH_ERR_ALLOC_FAIL;
                goto out;
        }
        BN_set_flags(aux, BN_FLG_CONSTTIME);
+        BN_set_flags(d_consttime, BN_FLG_CONSTTIME);
-        BN_init(&d);
+        if ((BN_sub(aux, rsa_q, BN_value_one()) == 0) ||
-        BN_with_flags(&d, key->rsa->d, BN_FLG_CONSTTIME);
+            (BN_mod(rsa_dmq1, d_consttime, aux, ctx) == 0) ||
+            (BN_sub(aux, rsa_p, BN_value_one()) == 0) ||
-        if ((BN_sub(aux, key->rsa->q, BN_value_one()) == 0) ||
+            (BN_mod(rsa_dmp1, d_consttime, aux, ctx) == 0)) {
-            (BN_mod(key->rsa->dmq1, &d, aux, ctx) == 0) ||
+                r = SSH_ERR_LIBCRYPTO_ERROR;
-            (BN_sub(aux, key->rsa->p, BN_value_one()) == 0) ||
+                goto out;
-            (BN_mod(key->rsa->dmp1, &d, aux, ctx) == 0)) {
+        }
+        if (!RSA_set0_crt_params(key->rsa, rsa_dmp1, rsa_dmq1, rsa_iqmp)) {
                r = SSH_ERR_LIBCRYPTO_ERROR;
                goto out;
        }
+        rsa_dmp1 = rsa_dmq1 = rsa_iqmp = NULL; /* transferred */
+        /* success */
        r = 0;
 out:
        BN_clear_free(aux);
+        BN_clear_free(d_consttime);
+        BN_clear_free(rsa_dmp1);
+        BN_clear_free(rsa_dmq1);
+        BN_clear_free(rsa_iqmp);
        BN_CTX_free(ctx);
        return r;
 }
@@ -145,6 +164,7 @@ int
 ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
    const u_char *data, size_t datalen, const char *alg_ident)
 {
+        const BIGNUM *rsa_n;
        u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;
        size_t slen = 0;
        u_int dlen, len;
@@ -163,7 +183,8 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
        if (key == NULL || key->rsa == NULL || hash_alg == -1 ||
            sshkey_type_plain(key->type) != KEY_RSA)
                return SSH_ERR_INVALID_ARGUMENT;
-        if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
+        RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
+        if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
                return SSH_ERR_KEY_LENGTH;
        slen = RSA_size(key->rsa);
        if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
@@ -225,6 +246,7 @@ ssh_rsa_verify(const struct sshkey *key,
    const u_char *sig, size_t siglen, const u_char *data, size_t datalen,
    const char *alg)
 {
+        const BIGNUM *rsa_n;
        char *sigtype = NULL;
        int hash_alg, want_alg, ret = SSH_ERR_INTERNAL_ERROR;
        size_t len = 0, diff, modlen, dlen;
@@ -235,7 +257,8 @@ ssh_rsa_verify(const struct sshkey *key,
            sshkey_type_plain(key->type) != KEY_RSA ||
            sig == NULL || siglen == 0)
                return SSH_ERR_INVALID_ARGUMENT;
-        if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
+        RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
+        if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
                return SSH_ERR_KEY_LENGTH;
        if ((b = sshbuf_from(sig, siglen)) == NULL)

diff --git a/ssh-rsa.c b/ssh-rsa.c index 1756315b9..9b14f9a9a 100644 --- a/ssh-rsa.c +++ b/ssh-rsa.c
@@ -35,6 +35,8 @@
35	#include "digest.h"	35	#include "digest.h"
36	#include "log.h"	36	#include "log.h"
37		37
		38	#include "openbsd-compat/openssl-compat.h"
		39
38	static int openssh_RSA_verify(int, u_char , size_t, u_char , size_t, RSA *);	40	static int openssh_RSA_verify(int, u_char , size_t, u_char , size_t, RSA *);
39		41
40	static const char *	42	static const char *
@@ -104,38 +106,55 @@ rsa_hash_alg_nid(int type)
104	}	106	}
105		107
106	int	108	int
107	ssh_rsa_generate_additional_parameters(struct sshkey *key)	109	ssh_rsa_complete_crt_parameters(struct sshkey key, const BIGNUM iqmp)
108	{	110	{
109	BIGNUM *aux = NULL;	111	const BIGNUM rsa_p, rsa_q, *rsa_d;
		112	BIGNUM aux = NULL, d_consttime = NULL;
		113	BIGNUM rsa_dmq1 = NULL, rsa_dmp1 = NULL, *rsa_iqmp = NULL;
110	BN_CTX *ctx = NULL;	114	BN_CTX *ctx = NULL;
111	BIGNUM d;
112	int r;	115	int r;
113		116
114	if (key == NULL \|\| key->rsa == NULL \|\|	117	if (key == NULL \|\| key->rsa == NULL \|\|
115	sshkey_type_plain(key->type) != KEY_RSA)	118	sshkey_type_plain(key->type) != KEY_RSA)
116	return SSH_ERR_INVALID_ARGUMENT;	119	return SSH_ERR_INVALID_ARGUMENT;
117		120
		121	RSA_get0_key(key->rsa, NULL, NULL, &rsa_d);
		122	RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
		123
118	if ((ctx = BN_CTX_new()) == NULL)	124	if ((ctx = BN_CTX_new()) == NULL)
119	return SSH_ERR_ALLOC_FAIL;	125	return SSH_ERR_ALLOC_FAIL;
120	if ((aux = BN_new()) == NULL) {	126	if ((aux = BN_new()) == NULL \|\|
		127	(rsa_dmq1 = BN_new()) == NULL \|\|
		128	(rsa_dmp1 = BN_new()) == NULL)
		129	return SSH_ERR_ALLOC_FAIL;
		130	if ((d_consttime = BN_dup(rsa_d)) == NULL \|\|
		131	(rsa_iqmp = BN_dup(iqmp)) == NULL) {
121	r = SSH_ERR_ALLOC_FAIL;	132	r = SSH_ERR_ALLOC_FAIL;
122	goto out;	133	goto out;
123	}	134	}
124	BN_set_flags(aux, BN_FLG_CONSTTIME);	135	BN_set_flags(aux, BN_FLG_CONSTTIME);
		136	BN_set_flags(d_consttime, BN_FLG_CONSTTIME);
125		137
126	BN_init(&d);	138	if ((BN_sub(aux, rsa_q, BN_value_one()) == 0) \|\|
127	BN_with_flags(&d, key->rsa->d, BN_FLG_CONSTTIME);	139	(BN_mod(rsa_dmq1, d_consttime, aux, ctx) == 0) \|\|
128		140	(BN_sub(aux, rsa_p, BN_value_one()) == 0) \|\|
129	if ((BN_sub(aux, key->rsa->q, BN_value_one()) == 0) \|\|	141	(BN_mod(rsa_dmp1, d_consttime, aux, ctx) == 0)) {
130	(BN_mod(key->rsa->dmq1, &d, aux, ctx) == 0) \|\|	142	r = SSH_ERR_LIBCRYPTO_ERROR;
131	(BN_sub(aux, key->rsa->p, BN_value_one()) == 0) \|\|	143	goto out;
132	(BN_mod(key->rsa->dmp1, &d, aux, ctx) == 0)) {	144	}
		145	if (!RSA_set0_crt_params(key->rsa, rsa_dmp1, rsa_dmq1, rsa_iqmp)) {
133	r = SSH_ERR_LIBCRYPTO_ERROR;	146	r = SSH_ERR_LIBCRYPTO_ERROR;
134	goto out;	147	goto out;
135	}	148	}
		149	rsa_dmp1 = rsa_dmq1 = rsa_iqmp = NULL; /* transferred */
		150	/* success */
136	r = 0;	151	r = 0;
137	out:	152	out:
138	BN_clear_free(aux);	153	BN_clear_free(aux);
		154	BN_clear_free(d_consttime);
		155	BN_clear_free(rsa_dmp1);
		156	BN_clear_free(rsa_dmq1);
		157	BN_clear_free(rsa_iqmp);
139	BN_CTX_free(ctx);	158	BN_CTX_free(ctx);
140	return r;	159	return r;
141	}	160	}
@@ -145,6 +164,7 @@ int
145	ssh_rsa_sign(const struct sshkey key, u_char sigp, size_t lenp,	164	ssh_rsa_sign(const struct sshkey key, u_char sigp, size_t lenp,
146	const u_char data, size_t datalen, const char alg_ident)	165	const u_char data, size_t datalen, const char alg_ident)
147	{	166	{
		167	const BIGNUM *rsa_n;
148	u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;	168	u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;
149	size_t slen = 0;	169	size_t slen = 0;
150	u_int dlen, len;	170	u_int dlen, len;
@@ -163,7 +183,8 @@ ssh_rsa_sign(const struct sshkey key, u_char sigp, size_t lenp,
163	if (key == NULL \|\| key->rsa == NULL \|\| hash_alg == -1 \|\|	183	if (key == NULL \|\| key->rsa == NULL \|\| hash_alg == -1 \|\|
164	sshkey_type_plain(key->type) != KEY_RSA)	184	sshkey_type_plain(key->type) != KEY_RSA)
165	return SSH_ERR_INVALID_ARGUMENT;	185	return SSH_ERR_INVALID_ARGUMENT;
166	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE)	186	RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
		187	if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
167	return SSH_ERR_KEY_LENGTH;	188	return SSH_ERR_KEY_LENGTH;
168	slen = RSA_size(key->rsa);	189	slen = RSA_size(key->rsa);
169	if (slen <= 0 \|\| slen > SSHBUF_MAX_BIGNUM)	190	if (slen <= 0 \|\| slen > SSHBUF_MAX_BIGNUM)
@@ -225,6 +246,7 @@ ssh_rsa_verify(const struct sshkey *key,
225	const u_char sig, size_t siglen, const u_char data, size_t datalen,	246	const u_char sig, size_t siglen, const u_char data, size_t datalen,
226	const char *alg)	247	const char *alg)
227	{	248	{
		249	const BIGNUM *rsa_n;
228	char *sigtype = NULL;	250	char *sigtype = NULL;
229	int hash_alg, want_alg, ret = SSH_ERR_INTERNAL_ERROR;	251	int hash_alg, want_alg, ret = SSH_ERR_INTERNAL_ERROR;
230	size_t len = 0, diff, modlen, dlen;	252	size_t len = 0, diff, modlen, dlen;
@@ -235,7 +257,8 @@ ssh_rsa_verify(const struct sshkey *key,
235	sshkey_type_plain(key->type) != KEY_RSA \|\|	257	sshkey_type_plain(key->type) != KEY_RSA \|\|
236	sig == NULL \|\| siglen == 0)	258	sig == NULL \|\| siglen == 0)
237	return SSH_ERR_INVALID_ARGUMENT;	259	return SSH_ERR_INVALID_ARGUMENT;
238	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE)	260	RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
		261	if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
239	return SSH_ERR_KEY_LENGTH;	262	return SSH_ERR_KEY_LENGTH;
240		263
241	if ((b = sshbuf_from(sig, siglen)) == NULL)	264	if ((b = sshbuf_from(sig, siglen)) == NULL)