diff --git a/CHANGES b/CHANGES index 2e03173c5..c8279bf13 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,15 @@ Changes between 0.9.3a and 0.9.4 [xx Jul/Aug/...? 1999] + *) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp + method only got called if p,q,dmp1,dmq1,iqmp components were present, + otherwise bn_mod_exp was called. In the case of hardware keys for example + no private key components need be present and it might store extra data + in the RSA structure, which cannot be accessed from bn_mod_exp. By setting + RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for private key + operations. + [Steve Henson] + *) Added support for SPARC Linux. [Andy Polyakov] diff --git a/STATUS b/STATUS index 4028f3a4b..93a9990fd 100644 --- a/STATUS +++ b/STATUS @@ -1,6 +1,6 @@ OpenSSL STATUS Last modified at - ______________ $Date: 1999/07/25 12:19:02 $ + ______________ $Date: 1999/07/27 21:58:06 $ DEVELOPMENT STATE @@ -27,8 +27,6 @@ o Steve is currently working on (in no particular order): Proper (or at least usable) certificate chain verification. - Documentation on X509 V3 extension code. - PKCS #8 and PKCS#5 v2.0 support. Private key, certificate and CRL API and implementation. Checking and bugfixing PKCS#7 (S/MIME code). diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h index 0d0158dc0..9230b2fcc 100644 --- a/crypto/rsa/rsa.h +++ b/crypto/rsa/rsa.h @@ -108,7 +108,7 @@ struct rsa_st BIGNUM *dmp1; BIGNUM *dmq1; BIGNUM *iqmp; - /* be carefull using this if the RSA structure is shared */ + /* be careful using this if the RSA structure is shared */ CRYPTO_EX_DATA ex_data; int references; int flags; 
@@ -133,6 +133,12 @@ struct rsa_st #define RSA_FLAG_CACHE_PRIVATE 0x04 #define RSA_FLAG_BLINDING 0x08 #define RSA_FLAG_THREAD_SAFE 0x10 +/* This flag means the private key operations will be handled by rsa_mod_exp + * and that they do not depend on the private key components being present: + * for example a key stored in external hardware. Without this flag bn_mod_exp + * gets called when private key components are absent. + */ +#define RSA_FLAG_EXT_PKEY 0x20 #define RSA_PKCS1_PADDING 1 #define RSA_SSLV23_PADDING 2 diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 4525e6676..7f51c42e9 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -205,11 +205,12 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from, if (rsa->flags & RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; - if ( (rsa->p != NULL) && + if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || + ((rsa->p != NULL) && (rsa->q != NULL) && (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && - (rsa->iqmp != NULL)) + (rsa->iqmp != NULL)) ) { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } else { @@ -278,11 +279,12 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from, if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; /* do the decrypt */ - if ( (rsa->p != NULL) && + if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || + ((rsa->p != NULL) && (rsa->q != NULL) && (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && - (rsa->iqmp != NULL)) + (rsa->iqmp != NULL)) ) { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } else {
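Review bot: The new comment above `RSA_FLAG_EXT_PKEY` says when rsa_mod_exp is chosen but not what the flag demands of the method behind it. With the flag set, the private-key paths in rsa_eay.c call `rsa->meth->rsa_mod_exp` without looking at p, q, dmp1, dmq1 or iqmp, so an implementation that reads those fields would be handed NULL pointers. I would add a sentence to the comment, for example `Only set this flag when the RSA_METHOD's rsa_mod_exp does not need p, q, dmp1, dmq1 or iqmp.` The bit lives in the per-key `flags` int of struct rsa_st, so nothing visible in this hunk ties it to a particular method.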
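Review bot: The choice between rsa_mod_exp and the else branch is now a six-term condition written out twice, here in RSA_eay_private_encrypt and again in the RSA_eay_private_decrypt hunk, and the closing `(rsa->iqmp != NULL)) )` makes the grouping easy to misread. Because this test decides which code path handles the private-key operation, the two copies should not be able to drift apart. I would move it into one static helper that both functions call, and document the RSA_FLAG_EXT_PKEY case there. Both function bodies start and end outside their hunks, so the sketch below shows only the helper (the name is a suggestion) and the rewritten `if` line.

```c
/* Nonzero when a private-key operation must go through meth->rsa_mod_exp:
 * either the key is external (RSA_FLAG_EXT_PKEY), in which case the method
 * must cope without p, q, dmp1, dmq1 and iqmp, or all five are present. */
static int rsa_use_mod_exp(RSA *rsa)
	{
	if (rsa->flags & RSA_FLAG_EXT_PKEY) return 1;
	return (rsa->p != NULL) && (rsa->q != NULL) &&
		(rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL);
	}

/* … unchanged: blinding conversion … */
	if (rsa_use_mod_exp(rsa))
		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
```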