Symaptic: os/ossrv/ssl/libcrypto/src/crypto/rsa/rsa

sl@0	1	/* rsa_pss.c */
sl@0	2	/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
sl@0	3	* project 2005.
sl@0	4	*/
sl@0	5	/* ====================================================================
sl@0	6	* Copyright (c) 2005 The OpenSSL Project. All rights reserved.
sl@0	7	*
sl@0	8	* Redistribution and use in source and binary forms, with or without
sl@0	9	* modification, are permitted provided that the following conditions
sl@0	10	* are met:
sl@0	11	*
sl@0	12	* 1. Redistributions of source code must retain the above copyright
sl@0	13	* notice, this list of conditions and the following disclaimer.
sl@0	14	*
sl@0	15	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	16	* notice, this list of conditions and the following disclaimer in
sl@0	17	* the documentation and/or other materials provided with the
sl@0	18	* distribution.
sl@0	19	*
sl@0	20	* 3. All advertising materials mentioning features or use of this
sl@0	21	* software must display the following acknowledgment:
sl@0	22	* "This product includes software developed by the OpenSSL Project
sl@0	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
sl@0	24	*
sl@0	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
sl@0	26	* endorse or promote products derived from this software without
sl@0	27	* prior written permission. For written permission, please contact
sl@0	28	* licensing@OpenSSL.org.
sl@0	29	*
sl@0	30	* 5. Products derived from this software may not be called "OpenSSL"
sl@0	31	* nor may "OpenSSL" appear in their names without prior written
sl@0	32	* permission of the OpenSSL Project.
sl@0	33	*
sl@0	34	* 6. Redistributions of any form whatsoever must retain the following
sl@0	35	* acknowledgment:
sl@0	36	* "This product includes software developed by the OpenSSL Project
sl@0	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
sl@0	38	*
sl@0	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
sl@0	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
sl@0	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
sl@0	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
sl@0	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
sl@0	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
sl@0	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
sl@0	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
sl@0	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
sl@0	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
sl@0	51	* ====================================================================
sl@0	52	*
sl@0	53	* This product includes cryptographic software written by Eric Young
sl@0	54	* (eay@cryptsoft.com). This product includes software written by Tim
sl@0	55	* Hudson (tjh@cryptsoft.com).
sl@0	56	*
sl@0	57	*/
sl@0	58
sl@0	59	#include <stdio.h>
sl@0	60	#include "cryptlib.h"
sl@0	61	#include <openssl/bn.h>
sl@0	62	#include <openssl/rsa.h>
sl@0	63	#include <openssl/evp.h>
sl@0	64	#include <openssl/rand.h>
sl@0	65	#include <openssl/sha.h>
sl@0	66
sl@0	67	static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
sl@0	68
sl@0	69	#if defined(_MSC_VER) && defined(_ARM_)
sl@0	70	#pragma optimize("g", off)
sl@0	71	#endif
sl@0	72
sl@0	73	EXPORT_C int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,
sl@0	74	const EVP_MD Hash, const unsigned char EM, int sLen)
sl@0	75	{
sl@0	76	int i;
sl@0	77	int ret = 0;
sl@0	78	int hLen, maskedDBLen, MSBits, emLen;
sl@0	79	const unsigned char *H;
sl@0	80	unsigned char *DB = NULL;
sl@0	81	EVP_MD_CTX ctx;
sl@0	82	unsigned char H_[EVP_MAX_MD_SIZE];
sl@0	83
sl@0	84	hLen = EVP_MD_size(Hash);
sl@0	85	/*
sl@0	86	* Negative sLen has special meanings:
sl@0	87	* -1 sLen == hLen
sl@0	88	* -2 salt length is autorecovered from signature
sl@0	89	* -N reserved
sl@0	90	*/
sl@0	91	if (sLen == -1) sLen = hLen;
sl@0	92	else if (sLen == -2) sLen = -2;
sl@0	93	else if (sLen < -2)
sl@0	94	{
sl@0	95	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
sl@0	96	goto err;
sl@0	97	}
sl@0	98
sl@0	99	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
sl@0	100	emLen = RSA_size(rsa);
sl@0	101	if (EM[0] & (0xFF << MSBits))
sl@0	102	{
sl@0	103	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID);
sl@0	104	goto err;
sl@0	105	}
sl@0	106	if (MSBits == 0)
sl@0	107	{
sl@0	108	EM++;
sl@0	109	emLen--;
sl@0	110	}
sl@0	111	if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
sl@0	112	{
sl@0	113	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE);
sl@0	114	goto err;
sl@0	115	}
sl@0	116	if (EM[emLen - 1] != 0xbc)
sl@0	117	{
sl@0	118	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID);
sl@0	119	goto err;
sl@0	120	}
sl@0	121	maskedDBLen = emLen - hLen - 1;
sl@0	122	H = EM + maskedDBLen;
sl@0	123	DB = OPENSSL_malloc(maskedDBLen);
sl@0	124	if (!DB)
sl@0	125	{
sl@0	126	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE);
sl@0	127	goto err;
sl@0	128	}
sl@0	129	PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash);
sl@0	130	for (i = 0; i < maskedDBLen; i++)
sl@0	131	DB[i] ^= EM[i];
sl@0	132	if (MSBits)
sl@0	133	DB[0] &= 0xFF >> (8 - MSBits);
sl@0	134	for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
sl@0	135	if (DB[i++] != 0x1)
sl@0	136	{
sl@0	137	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED);
sl@0	138	goto err;
sl@0	139	}
sl@0	140	if (sLen >= 0 && (maskedDBLen - i) != sLen)
sl@0	141	{
sl@0	142	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
sl@0	143	goto err;
sl@0	144	}
sl@0	145	EVP_MD_CTX_init(&ctx);
sl@0	146	EVP_DigestInit_ex(&ctx, Hash, NULL);
sl@0	147	EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
sl@0	148	EVP_DigestUpdate(&ctx, mHash, hLen);
sl@0	149	if (maskedDBLen - i)
sl@0	150	EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i);
sl@0	151	EVP_DigestFinal(&ctx, H_, NULL);
sl@0	152	EVP_MD_CTX_cleanup(&ctx);
sl@0	153	if (memcmp(H_, H, hLen))
sl@0	154	{
sl@0	155	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE);
sl@0	156	ret = 0;
sl@0	157	}
sl@0	158	else
sl@0	159	ret = 1;
sl@0	160
sl@0	161	err:
sl@0	162	if (DB)
sl@0	163	OPENSSL_free(DB);
sl@0	164
sl@0	165	return ret;
sl@0	166
sl@0	167	}
sl@0	168
sl@0	169	EXPORT_C int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
sl@0	170	const unsigned char *mHash,
sl@0	171	const EVP_MD *Hash, int sLen)
sl@0	172	{
sl@0	173	int i;
sl@0	174	int ret = 0;
sl@0	175	int hLen, maskedDBLen, MSBits, emLen;
sl@0	176	unsigned char H, salt = NULL, *p;
sl@0	177	EVP_MD_CTX ctx;
sl@0	178
sl@0	179	hLen = EVP_MD_size(Hash);
sl@0	180	/*
sl@0	181	* Negative sLen has special meanings:
sl@0	182	* -1 sLen == hLen
sl@0	183	* -2 salt length is maximized
sl@0	184	* -N reserved
sl@0	185	*/
sl@0	186	if (sLen == -1) sLen = hLen;
sl@0	187	else if (sLen == -2) sLen = -2;
sl@0	188	else if (sLen < -2)
sl@0	189	{
sl@0	190	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
sl@0	191	goto err;
sl@0	192	}
sl@0	193
sl@0	194	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
sl@0	195	emLen = RSA_size(rsa);
sl@0	196	if (MSBits == 0)
sl@0	197	{
sl@0	198	*EM++ = 0;
sl@0	199	emLen--;
sl@0	200	}
sl@0	201	if (sLen == -2)
sl@0	202	{
sl@0	203	sLen = emLen - hLen - 2;
sl@0	204	}
sl@0	205	else if (emLen < (hLen + sLen + 2))
sl@0	206	{
sl@0	207	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
sl@0	208	RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
sl@0	209	goto err;
sl@0	210	}
sl@0	211	if (sLen > 0)
sl@0	212	{
sl@0	213	salt = OPENSSL_malloc(sLen);
sl@0	214	if (!salt)
sl@0	215	{
sl@0	216	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
sl@0	217	ERR_R_MALLOC_FAILURE);
sl@0	218	goto err;
sl@0	219	}
sl@0	220	if (!RAND_bytes(salt, sLen))
sl@0	221	goto err;
sl@0	222	}
sl@0	223	maskedDBLen = emLen - hLen - 1;
sl@0	224	H = EM + maskedDBLen;
sl@0	225	EVP_MD_CTX_init(&ctx);
sl@0	226	EVP_DigestInit_ex(&ctx, Hash, NULL);
sl@0	227	EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
sl@0	228	EVP_DigestUpdate(&ctx, mHash, hLen);
sl@0	229	if (sLen)
sl@0	230	EVP_DigestUpdate(&ctx, salt, sLen);
sl@0	231	EVP_DigestFinal(&ctx, H, NULL);
sl@0	232	EVP_MD_CTX_cleanup(&ctx);
sl@0	233
sl@0	234	/* Generate dbMask in place then perform XOR on it */
sl@0	235	PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash);
sl@0	236
sl@0	237	p = EM;
sl@0	238
sl@0	239	/* Initial PS XORs with all zeroes which is a NOP so just update
sl@0	240	* pointer. Note from a test above this value is guaranteed to
sl@0	241	* be non-negative.
sl@0	242	*/
sl@0	243	p += emLen - sLen - hLen - 2;
sl@0	244	*p++ ^= 0x1;
sl@0	245	if (sLen > 0)
sl@0	246	{
sl@0	247	for (i = 0; i < sLen; i++)
sl@0	248	*p++ ^= salt[i];
sl@0	249	}
sl@0	250	if (MSBits)
sl@0	251	EM[0] &= 0xFF >> (8 - MSBits);
sl@0	252
sl@0	253	/* H is already in place so just set final 0xbc */
sl@0	254
sl@0	255	EM[emLen - 1] = 0xbc;
sl@0	256
sl@0	257	ret = 1;
sl@0	258
sl@0	259	err:
sl@0	260	if (salt)
sl@0	261	OPENSSL_free(salt);
sl@0	262
sl@0	263	return ret;
sl@0	264
sl@0	265	}
sl@0	266
sl@0	267	#if defined(_MSC_VER)
sl@0	268	#pragma optimize("",on)
sl@0	269	#endif

author	sl@SLION-WIN7.fritz.box
	Fri, 15 Jun 2012 03:10:57 +0200
changeset 0	bde4ae8d615e
permissions	-rw-r--r--