[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Matt Caswell
matt at openssl.org
Tue Sep 11 09:38:50 UTC 2018
The branch OpenSSL_1_1_0-stable has been updated
via f6c6c7c95caedb6046e751a3e24d1923a6554fa7 (commit)
from 1fa7e2ee06f24cdc7fe04599456a07f29db69d95 (commit)
- Log -----------------------------------------------------------------
commit f6c6c7c95caedb6046e751a3e24d1923a6554fa7
Author: Richard Levitte <levitte at openssl.org>
Date: Tue Sep 11 11:00:30 2018 +0200
CAPI engine: add support for RSA_NO_PADDING
Since the SSL code started using RSA_NO_PADDING, the CAPI engine became
unusable. This change fixes that.
Fixes #7131
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7174)
(cherry picked from commit 37f4928701aa54937ce8eef422a2165afeec5cec)
-----------------------------------------------------------------------
Summary of changes:
engines/e_capi.c | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/engines/e_capi.c b/engines/e_capi.c
index 4660f1a..9d5e850 100644
--- a/engines/e_capi.c
+++ b/engines/e_capi.c
@@ -917,6 +917,7 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
unsigned char *tmpbuf;
CAPI_KEY *capi_key;
CAPI_CTX *ctx;
+ DWORD flags = 0;
DWORD dlen;
if (flen <= 0)
@@ -932,12 +933,23 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
return -1;
}
- if (padding != RSA_PKCS1_PADDING) {
- char errstr[10];
- BIO_snprintf(errstr, 10, "%d", padding);
- CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING);
- ERR_add_error_data(2, "padding=", errstr);
- return -1;
+ switch (padding) {
+ case RSA_PKCS1_PADDING:
+ /* Nothing to do */
+ break;
+#ifdef CRYPT_DECRYPT_RSA_NO_PADDING_CHECK
+ case RSA_NO_PADDING:
+ flags = CRYPT_DECRYPT_RSA_NO_PADDING_CHECK;
+ break;
+#endif
+ default:
+ {
+ char errstr[10];
+ BIO_snprintf(errstr, 10, "%d", padding);
+ CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING);
+ ERR_add_error_data(2, "padding=", errstr);
+ return -1;
+ }
}
/* Create temp reverse order version of input */
@@ -950,14 +962,16 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
/* Finally decrypt it */
dlen = flen;
- if (!CryptDecrypt(capi_key->key, 0, TRUE, 0, tmpbuf, &dlen)) {
+ if (!CryptDecrypt(capi_key->key, 0, TRUE, flags, tmpbuf, &dlen)) {
CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_DECRYPT_ERROR);
capi_addlasterror();
+ OPENSSL_cleanse(tmpbuf, dlen);
OPENSSL_free(tmpbuf);
return -1;
} else {
memcpy(to, tmpbuf, (flen = (int)dlen));
}
+ OPENSSL_cleanse(tmpbuf, flen);
OPENSSL_free(tmpbuf);
return flen;
More information about the openssl-commits
mailing list