MercurialSymaptic / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | raw | help
os/ossrv/ssl/libcrypto/src/crypto/rsa/rsa_pss.c
author sl@SLION-WIN7.fritz.box
Fri, 15 Jun 2012 03:10:57 +0200
changeset 0 bde4ae8d615e
permissions -rw-r--r--
First public contribution. 
     1 /* rsa_pss.c */

     2 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL

     3  * project 2005.

     4  */

     5 /* ====================================================================

     6  * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.

     7  *

     8  * Redistribution and use in source and binary forms, with or without

     9  * modification, are permitted provided that the following conditions

    10  * are met:

    11  *

    12  * 1. Redistributions of source code must retain the above copyright

    13  *    notice, this list of conditions and the following disclaimer. 

    14  *

    15  * 2. Redistributions in binary form must reproduce the above copyright

    16  *    notice, this list of conditions and the following disclaimer in

    17  *    the documentation and/or other materials provided with the

    18  *    distribution.

    19  *

    20  * 3. All advertising materials mentioning features or use of this

    21  *    software must display the following acknowledgment:

    22  *    "This product includes software developed by the OpenSSL Project

    23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

    24  *

    25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

    26  *    endorse or promote products derived from this software without

    27  *    prior written permission. For written permission, please contact

    28  *    licensing@OpenSSL.org.

    29  *

    30  * 5. Products derived from this software may not be called "OpenSSL"

    31  *    nor may "OpenSSL" appear in their names without prior written

    32  *    permission of the OpenSSL Project.

    33  *

    34  * 6. Redistributions of any form whatsoever must retain the following

    35  *    acknowledgment:

    36  *    "This product includes software developed by the OpenSSL Project

    37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

    38  *

    39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

    40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

    41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

    42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

    43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

    44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

    45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

    46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

    47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

    48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

    49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

    50  * OF THE POSSIBILITY OF SUCH DAMAGE.

    51  * ====================================================================

    52  *

    53  * This product includes cryptographic software written by Eric Young

    54  * (eay@cryptsoft.com).  This product includes software written by Tim

    55  * Hudson (tjh@cryptsoft.com).

    56  *

    57  */

    58 

    59 #include <stdio.h>

    60 #include "cryptlib.h"

    61 #include <openssl/bn.h>

    62 #include <openssl/rsa.h>

    63 #include <openssl/evp.h>

    64 #include <openssl/rand.h>

    65 #include <openssl/sha.h>

    66 

    67 static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};

    68 

    69 #if defined(_MSC_VER) && defined(_ARM_)

    70 #pragma optimize("g", off)

    71 #endif

    72 

    73 EXPORT_C int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,

    74 			const EVP_MD *Hash, const unsigned char *EM, int sLen)

    75 	{

    76 	int i;

    77 	int ret = 0;

    78 	int hLen, maskedDBLen, MSBits, emLen;

    79 	const unsigned char *H;

    80 	unsigned char *DB = NULL;

    81 	EVP_MD_CTX ctx;

    82 	unsigned char H_[EVP_MAX_MD_SIZE];

    83 

    84 	hLen = EVP_MD_size(Hash);

    85 	/*

    86 	 * Negative sLen has special meanings:

    87 	 *	-1	sLen == hLen

    88 	 *	-2	salt length is autorecovered from signature

    89 	 *	-N	reserved

    90 	 */

    91 	if      (sLen == -1)	sLen = hLen;

    92 	else if (sLen == -2)	sLen = -2;

    93 	else if (sLen < -2)

    94 		{

    95 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);

    96 		goto err;

    97 		}

    98 

    99 	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;

   100 	emLen = RSA_size(rsa);

   101 	if (EM[0] & (0xFF << MSBits))

   102 		{

   103 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID);

   104 		goto err;

   105 		}

   106 	if (MSBits == 0)

   107 		{

   108 		EM++;

   109 		emLen--;

   110 		}

   111 	if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */

   112 		{

   113 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE);

   114 		goto err;

   115 		}

   116 	if (EM[emLen - 1] != 0xbc)

   117 		{

   118 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID);

   119 		goto err;

   120 		}

   121 	maskedDBLen = emLen - hLen - 1;

   122 	H = EM + maskedDBLen;

   123 	DB = OPENSSL_malloc(maskedDBLen);

   124 	if (!DB)

   125 		{

   126 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE);

   127 		goto err;

   128 		}

   129 	PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash);

   130 	for (i = 0; i < maskedDBLen; i++)

   131 		DB[i] ^= EM[i];

   132 	if (MSBits)

   133 		DB[0] &= 0xFF >> (8 - MSBits);

   134 	for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;

   135 	if (DB[i++] != 0x1)

   136 		{

   137 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED);

   138 		goto err;

   139 		}

   140 	if (sLen >= 0 && (maskedDBLen - i) != sLen)

   141 		{

   142 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);

   143 		goto err;

   144 		}

   145 	EVP_MD_CTX_init(&ctx);

   146 	EVP_DigestInit_ex(&ctx, Hash, NULL);

   147 	EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);

   148 	EVP_DigestUpdate(&ctx, mHash, hLen);

   149 	if (maskedDBLen - i)

   150 		EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i);

   151 	EVP_DigestFinal(&ctx, H_, NULL);

   152 	EVP_MD_CTX_cleanup(&ctx);

   153 	if (memcmp(H_, H, hLen))

   154 		{

   155 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE);

   156 		ret = 0;

   157 		}

   158 	else 

   159 		ret = 1;

   160 

   161 	err:

   162 	if (DB)

   163 		OPENSSL_free(DB);

   164 

   165 	return ret;

   166 

   167 	}

   168 

   169 EXPORT_C int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,

   170 			const unsigned char *mHash,

   171 			const EVP_MD *Hash, int sLen)

   172 	{

   173 	int i;

   174 	int ret = 0;

   175 	int hLen, maskedDBLen, MSBits, emLen;

   176 	unsigned char *H, *salt = NULL, *p;

   177 	EVP_MD_CTX ctx;

   178 

   179 	hLen = EVP_MD_size(Hash);

   180 	/*

   181 	 * Negative sLen has special meanings:

   182 	 *	-1	sLen == hLen

   183 	 *	-2	salt length is maximized

   184 	 *	-N	reserved

   185 	 */

   186 	if      (sLen == -1)	sLen = hLen;

   187 	else if (sLen == -2)	sLen = -2;

   188 	else if (sLen < -2)

   189 		{

   190 		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);

   191 		goto err;

   192 		}

   193 

   194 	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;

   195 	emLen = RSA_size(rsa);

   196 	if (MSBits == 0)

   197 		{

   198 		*EM++ = 0;

   199 		emLen--;

   200 		}

   201 	if (sLen == -2)

   202 		{

   203 		sLen = emLen - hLen - 2;

   204 		}

   205 	else if (emLen < (hLen + sLen + 2))

   206 		{

   207 		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,

   208 		   RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

   209 		goto err;

   210 		}

   211 	if (sLen > 0)

   212 		{

   213 		salt = OPENSSL_malloc(sLen);

   214 		if (!salt)

   215 			{

   216 			RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,

   217 		   		ERR_R_MALLOC_FAILURE);

   218 			goto err;

   219 			}

   220 		if (!RAND_bytes(salt, sLen))

   221 			goto err;

   222 		}

   223 	maskedDBLen = emLen - hLen - 1;

   224 	H = EM + maskedDBLen;

   225 	EVP_MD_CTX_init(&ctx);

   226 	EVP_DigestInit_ex(&ctx, Hash, NULL);

   227 	EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);

   228 	EVP_DigestUpdate(&ctx, mHash, hLen);

   229 	if (sLen)

   230 		EVP_DigestUpdate(&ctx, salt, sLen);

   231 	EVP_DigestFinal(&ctx, H, NULL);

   232 	EVP_MD_CTX_cleanup(&ctx);

   233 

   234 	/* Generate dbMask in place then perform XOR on it */

   235 	PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash);

   236 

   237 	p = EM;

   238 

   239 	/* Initial PS XORs with all zeroes which is a NOP so just update

   240 	 * pointer. Note from a test above this value is guaranteed to

   241 	 * be non-negative.

   242 	 */

   243 	p += emLen - sLen - hLen - 2;

   244 	*p++ ^= 0x1;

   245 	if (sLen > 0)

   246 		{

   247 		for (i = 0; i < sLen; i++)

   248 			*p++ ^= salt[i];

   249 		}

   250 	if (MSBits)

   251 		EM[0] &= 0xFF >> (8 - MSBits);

   252 

   253 	/* H is already in place so just set final 0xbc */

   254 

   255 	EM[emLen - 1] = 0xbc;

   256 

   257 	ret = 1;

   258 

   259 	err:

   260 	if (salt)

   261 		OPENSSL_free(salt);

   262 

   263 	return ret;

   264 

   265 	}

   266 

   267 #if defined(_MSC_VER)

   268 #pragma optimize("",on)

   269 #endif
Symaptic