summaryrefslogtreecommitdiff
path: root/engines/e_capi.c
diff options
context:
space:
mode:
authorRichard Levitte <levitte@openssl.org>2018-09-11 11:00:30 +0200
committerMatt Caswell <matt@openssl.org>2018-09-11 10:27:46 +0100
commit37f4928701aa54937ce8eef422a2165afeec5cec (patch)
treeddd83735ad94c27f3af3c6ba2563d252a9ed8a02 /engines/e_capi.c
parent512d811719fc955f574090af4c3586a9aba46fa7 (diff)
downloadopenssl-new-37f4928701aa54937ce8eef422a2165afeec5cec.tar.gz
CAPI engine: add support for RSA_NO_PADDING
Since the SSL code started using RSA_NO_PADDING, the CAPI engine became unusable. This change fixes that. Fixes #7131 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7174)
Diffstat (limited to 'engines/e_capi.c')
-rw-r--r--engines/e_capi.c28
1 files changed, 21 insertions, 7 deletions
diff --git a/engines/e_capi.c b/engines/e_capi.c
index a7658922f3..37202b81f3 100644
--- a/engines/e_capi.c
+++ b/engines/e_capi.c
@@ -917,6 +917,7 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
unsigned char *tmpbuf;
CAPI_KEY *capi_key;
CAPI_CTX *ctx;
+ DWORD flags = 0;
DWORD dlen;
if (flen <= 0)
@@ -932,12 +933,23 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
return -1;
}
- if (padding != RSA_PKCS1_PADDING) {
- char errstr[10];
- BIO_snprintf(errstr, 10, "%d", padding);
- CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING);
- ERR_add_error_data(2, "padding=", errstr);
- return -1;
+ switch (padding) {
+ case RSA_PKCS1_PADDING:
+ /* Nothing to do */
+ break;
+#ifdef CRYPT_DECRYPT_RSA_NO_PADDING_CHECK
+ case RSA_NO_PADDING:
+ flags = CRYPT_DECRYPT_RSA_NO_PADDING_CHECK;
+ break;
+#endif
+ default:
+ {
+ char errstr[10];
+ BIO_snprintf(errstr, 10, "%d", padding);
+ CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING);
+ ERR_add_error_data(2, "padding=", errstr);
+ return -1;
+ }
}
/* Create temp reverse order version of input */
@@ -950,14 +962,16 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
/* Finally decrypt it */
dlen = flen;
- if (!CryptDecrypt(capi_key->key, 0, TRUE, 0, tmpbuf, &dlen)) {
+ if (!CryptDecrypt(capi_key->key, 0, TRUE, flags, tmpbuf, &dlen)) {
CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_DECRYPT_ERROR);
capi_addlasterror();
+ OPENSSL_cleanse(tmpbuf, dlen);
OPENSSL_free(tmpbuf);
return -1;
} else {
memcpy(to, tmpbuf, (flen = (int)dlen));
}
+ OPENSSL_cleanse(tmpbuf, flen);
OPENSSL_free(tmpbuf);
return flen;