Add X9.31 signature support, mainly for FIPS140. Add new option to rsautl and

include options to use X9.31 in tests.

crypto/rsa/rsa_eay.c

@@ -285,7 +285,7 @@ err:
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 	     unsigned char *to, RSA *rsa, int padding)
 	{
-	BIGNUM f,ret;
+	BIGNUM f,ret, *res;
 	int i,j,k,num=0,r= -1;
 	unsigned char *buf=NULL;
 	BN_CTX *ctx=NULL;
@@ -389,10 +389,21 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 	if (blinding)
 		if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
 
+	if (padding == RSA_X931_PADDING)
+		{
+		BN_sub(&f, rsa->n, &ret);
+		if (BN_cmp(&ret, &f))
+			res = &f;
+		else
+			res = &ret;
+		}
+	else
+		res = &ret;
+
 	/* put in leading 0 bytes if the number is less than the
 	 * length of the modulus */
-	j=BN_num_bytes(&ret);
-	i=BN_bn2bin(&ret,&(to[num-j]));
+	j=BN_num_bytes(res);
+	i=BN_bn2bin(res,&(to[num-j]));
 	for (k=0; k<(num-i); k++)
 		to[k]=0;
 
@@ -606,6 +617,9 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
 	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
 		rsa->_method_mod_n)) goto err;
 
+	if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12))
+		BN_sub(&ret, rsa->n, &ret);
+
 	p=buf;
 	i=BN_bn2bin(&ret,p);