diff options
| author | Richard Levitte <levitte@openssl.org> | 2018-09-11 11:00:30 +0200 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-09-11 10:27:46 +0100 |
| commit | 37f4928701aa54937ce8eef422a2165afeec5cec (patch) | |
| tree | ddd83735ad94c27f3af3c6ba2563d252a9ed8a02 /engines/e_capi.c | |
| parent | 512d811719fc955f574090af4c3586a9aba46fa7 (diff) | |
| download | openssl-new-37f4928701aa54937ce8eef422a2165afeec5cec.tar.gz | |
CAPI engine: add support for RSA_NO_PADDING
Since the SSL code started using RSA_NO_PADDING, the CAPI engine became
unusable. This change fixes that.
Fixes #7131
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7174)
Diffstat (limited to 'engines/e_capi.c')
| -rw-r--r-- | engines/e_capi.c | 28 |
1 files changed, 21 insertions, 7 deletions
diff --git a/engines/e_capi.c b/engines/e_capi.c index a7658922f3..37202b81f3 100644 --- a/engines/e_capi.c +++ b/engines/e_capi.c @@ -917,6 +917,7 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from, unsigned char *tmpbuf; CAPI_KEY *capi_key; CAPI_CTX *ctx; + DWORD flags = 0; DWORD dlen; if (flen <= 0) @@ -932,12 +933,23 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from, return -1; } - if (padding != RSA_PKCS1_PADDING) { - char errstr[10]; - BIO_snprintf(errstr, 10, "%d", padding); - CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING); - ERR_add_error_data(2, "padding=", errstr); - return -1; + switch (padding) { + case RSA_PKCS1_PADDING: + /* Nothing to do */ + break; +#ifdef CRYPT_DECRYPT_RSA_NO_PADDING_CHECK + case RSA_NO_PADDING: + flags = CRYPT_DECRYPT_RSA_NO_PADDING_CHECK; + break; +#endif + default: + { + char errstr[10]; + BIO_snprintf(errstr, 10, "%d", padding); + CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING); + ERR_add_error_data(2, "padding=", errstr); + return -1; + } } /* Create temp reverse order version of input */ @@ -950,14 +962,16 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from, /* Finally decrypt it */ dlen = flen; - if (!CryptDecrypt(capi_key->key, 0, TRUE, 0, tmpbuf, &dlen)) { + if (!CryptDecrypt(capi_key->key, 0, TRUE, flags, tmpbuf, &dlen)) { CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_DECRYPT_ERROR); capi_addlasterror(); + OPENSSL_cleanse(tmpbuf, dlen); OPENSSL_free(tmpbuf); return -1; } else { memcpy(to, tmpbuf, (flen = (int)dlen)); } + OPENSSL_cleanse(tmpbuf, flen); OPENSSL_free(tmpbuf); return flen; |