Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1676)

Unified Diff: nss/lib/freebl/rsapkcs.c

Issue 2078763002: Delete bundled copy of NSS and replace with README. (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/nss@master
Patch Set: Delete bundled copy of NSS and replace with README. Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « nss/lib/freebl/rsa.c ('k') | nss/lib/freebl/secmpi.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: nss/lib/freebl/rsapkcs.c
diff --git a/nss/lib/freebl/rsapkcs.c b/nss/lib/freebl/rsapkcs.c
deleted file mode 100644
index c1e3d54d352ba7dc86b7d2b303e9126263f58ba6..0000000000000000000000000000000000000000
--- a/nss/lib/freebl/rsapkcs.c
+++ /dev/null
@@ -1,1380 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-/*
- * RSA PKCS#1 v2.1 (RFC 3447) operations
- */
-
-#ifdef FREEBL_NO_DEPEND
-#include "stubs.h"
-#endif
-
-#include "secerr.h"
-
-#include "blapi.h"
-#include "secitem.h"
-#include "blapii.h"
-
-#define RSA_BLOCK_MIN_PAD_LEN 8
-#define RSA_BLOCK_FIRST_OCTET 0x00
-#define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff
-#define RSA_BLOCK_AFTER_PAD_OCTET 0x00
-
-/*
- * RSA block types
- *
- * The values of RSA_BlockPrivate and RSA_BlockPublic are fixed.
- * The value of RSA_BlockRaw isn't fixed by definition, but we are keeping
- * the value that NSS has been using in the past.
- */
-typedef enum {
- RSA_BlockPrivate = 1, /* pad for a private-key operation */
- RSA_BlockPublic = 2, /* pad for a public-key operation */
- RSA_BlockRaw = 4 /* simply justify the block appropriately */
-} RSA_BlockType;
-
-/* Needed for RSA-PSS functions */
-static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
-
-/* Constant time comparison of a single byte.
- * Returns 1 iff a == b, otherwise returns 0.
- * Note: For ranges of bytes, use constantTimeCompare.
- */
-static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
- unsigned char c = ~((a - b) | (b - a));
- c >>= 7;
- return c;
-}
-
-/* Constant time comparison of a range of bytes.
- * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
- * returns 0.
- */
-static unsigned char constantTimeCompare(const unsigned char *a,
- const unsigned char *b,
- unsigned int len) {
- unsigned char tmp = 0;
- unsigned int i;
- for (i = 0; i < len; ++i, ++a, ++b)
- tmp |= *a ^ *b;
- return constantTimeEQ8(0x00, tmp);
-}
-
-/* Constant time conditional.
- * Returns a if c is 1, or b if c is 0. The result is undefined if c is
- * not 0 or 1.
- */
-static unsigned int constantTimeCondition(unsigned int c,
- unsigned int a,
- unsigned int b)
-{
- return (~(c - 1) & a) | ((c - 1) & b);
-}
-
-static unsigned int
-rsa_modulusLen(SECItem * modulus)
-{
- unsigned char byteZero = modulus->data[0];
- unsigned int modLen = modulus->len - !byteZero;
- return modLen;
-}
-
-/*
- * Format one block of data for public/private key encryption using
- * the rules defined in PKCS #1.
- */
-static unsigned char *
-rsa_FormatOneBlock(unsigned modulusLen,
- RSA_BlockType blockType,
- SECItem * data)
-{
- unsigned char *block;
- unsigned char *bp;
- int padLen;
- int i, j;
- SECStatus rv;
-
- block = (unsigned char *) PORT_Alloc(modulusLen);
- if (block == NULL)
- return NULL;
-
- bp = block;
-
- /*
- * All RSA blocks start with two octets:
- * 0x00 || BlockType
- */
- *bp++ = RSA_BLOCK_FIRST_OCTET;
- *bp++ = (unsigned char) blockType;
-
- switch (blockType) {
-
- /*
- * Blocks intended for private-key operation.
- */
- case RSA_BlockPrivate: /* preferred method */
- /*
- * 0x00 || BT || Pad || 0x00 || ActualData
- * 1 1 padLen 1 data->len
- * Pad is either all 0x00 or all 0xff bytes, depending on blockType.
- */
- padLen = modulusLen - data->len - 3;
- PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
- if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
- PORT_Free(block);
- return NULL;
- }
- PORT_Memset(bp, RSA_BLOCK_PRIVATE_PAD_OCTET, padLen);
- bp += padLen;
- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
- PORT_Memcpy(bp, data->data, data->len);
- break;
-
- /*
- * Blocks intended for public-key operation.
- */
- case RSA_BlockPublic:
- /*
- * 0x00 || BT || Pad || 0x00 || ActualData
- * 1 1 padLen 1 data->len
- * Pad is all non-zero random bytes.
- *
- * Build the block left to right.
- * Fill the entire block from Pad to the end with random bytes.
- * Use the bytes after Pad as a supply of extra random bytes from
- * which to find replacements for the zero bytes in Pad.
- * If we need more than that, refill the bytes after Pad with
- * new random bytes as necessary.
- */
- padLen = modulusLen - (data->len + 3);
- PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
- if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
- PORT_Free(block);
- return NULL;
- }
- j = modulusLen - 2;
- rv = RNG_GenerateGlobalRandomBytes(bp, j);
- if (rv == SECSuccess) {
- for (i = 0; i < padLen; ) {
- unsigned char repl;
- /* Pad with non-zero random data. */
- if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
- ++i;
- continue;
- }
- if (j <= padLen) {
- rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
- modulusLen - (2 + padLen));
- if (rv != SECSuccess)
- break;
- j = modulusLen - 2;
- }
- do {
- repl = bp[--j];
- } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
- if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
- bp[i++] = repl;
- }
- }
- }
- if (rv != SECSuccess) {
- PORT_Free(block);
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return NULL;
- }
- bp += padLen;
- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
- PORT_Memcpy(bp, data->data, data->len);
- break;
-
- default:
- PORT_Assert(0);
- PORT_Free(block);
- return NULL;
- }
-
- return block;
-}
-
-static SECStatus
-rsa_FormatBlock(SECItem * result,
- unsigned modulusLen,
- RSA_BlockType blockType,
- SECItem * data)
-{
- switch (blockType) {
- case RSA_BlockPrivate:
- case RSA_BlockPublic:
- /*
- * 0x00 || BT || Pad || 0x00 || ActualData
- *
- * The "3" below is the first octet + the second octet + the 0x00
- * octet that always comes just before the ActualData.
- */
- PORT_Assert(data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)));
-
- result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
- if (result->data == NULL) {
- result->len = 0;
- return SECFailure;
- }
- result->len = modulusLen;
-
- break;
-
- case RSA_BlockRaw:
- /*
- * Pad || ActualData
- * Pad is zeros. The application is responsible for recovering
- * the actual data.
- */
- if (data->len > modulusLen ) {
- return SECFailure;
- }
- result->data = (unsigned char*)PORT_ZAlloc(modulusLen);
- result->len = modulusLen;
- PORT_Memcpy(result->data + (modulusLen - data->len),
- data->data, data->len);
- break;
-
- default:
- PORT_Assert(0);
- result->data = NULL;
- result->len = 0;
- return SECFailure;
- }
-
- return SECSuccess;
-}
-
-/*
- * Mask generation function MGF1 as defined in PKCS #1 v2.1 / RFC 3447.
- */
-static SECStatus
-MGF1(HASH_HashType hashAlg,
- unsigned char * mask,
- unsigned int maskLen,
- const unsigned char * mgfSeed,
- unsigned int mgfSeedLen)
-{
- unsigned int digestLen;
- PRUint32 counter;
- PRUint32 rounds;
- unsigned char * tempHash;
- unsigned char * temp;
- const SECHashObject * hash;
- void * hashContext;
- unsigned char C[4];
-
- hash = HASH_GetRawHashObject(hashAlg);
- if (hash == NULL)
- return SECFailure;
-
- hashContext = (*hash->create)();
- rounds = (maskLen + hash->length - 1) / hash->length;
- for (counter = 0; counter < rounds; counter++) {
- C[0] = (unsigned char)((counter >> 24) & 0xff);
- C[1] = (unsigned char)((counter >> 16) & 0xff);
- C[2] = (unsigned char)((counter >> 8) & 0xff);
- C[3] = (unsigned char)(counter & 0xff);
-
- /* This could be optimized when the clone functions in
- * rawhash.c are implemented. */
- (*hash->begin)(hashContext);
- (*hash->update)(hashContext, mgfSeed, mgfSeedLen);
- (*hash->update)(hashContext, C, sizeof C);
-
- tempHash = mask + counter * hash->length;
- if (counter != (rounds - 1)) {
- (*hash->end)(hashContext, tempHash, &digestLen, hash->length);
- } else { /* we're in the last round and need to cut the hash */
- temp = (unsigned char *)PORT_Alloc(hash->length);
- (*hash->end)(hashContext, temp, &digestLen, hash->length);
- PORT_Memcpy(tempHash, temp, maskLen - counter * hash->length);
- PORT_Free(temp);
- }
- }
- (*hash->destroy)(hashContext, PR_TRUE);
-
- return SECSuccess;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_SignRaw(RSAPrivateKey * key,
- unsigned char * output,
- unsigned int * outputLen,
- unsigned int maxOutputLen,
- const unsigned char * data,
- unsigned int dataLen)
-{
- SECStatus rv = SECSuccess;
- unsigned int modulusLen = rsa_modulusLen(&key->modulus);
- SECItem formatted;
- SECItem unformatted;
-
- if (maxOutputLen < modulusLen)
- return SECFailure;
-
- unformatted.len = dataLen;
- unformatted.data = (unsigned char*)data;
- formatted.data = NULL;
- rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockRaw, &unformatted);
- if (rv != SECSuccess)
- goto done;
-
- rv = RSA_PrivateKeyOpDoubleChecked(key, output, formatted.data);
- *outputLen = modulusLen;
-
-done:
- if (formatted.data != NULL)
- PORT_ZFree(formatted.data, modulusLen);
- return rv;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSignRaw(RSAPublicKey * key,
- const unsigned char * sig,
- unsigned int sigLen,
- const unsigned char * hash,
- unsigned int hashLen)
-{
- SECStatus rv;
- unsigned int modulusLen = rsa_modulusLen(&key->modulus);
- unsigned char * buffer;
-
- if (sigLen != modulusLen)
- goto failure;
- if (hashLen > modulusLen)
- goto failure;
-
- buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
- if (!buffer)
- goto failure;
-
- rv = RSA_PublicKeyOp(key, buffer, sig);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- * make sure we get the same results
- */
- /* XXX(rsleevi): Constant time */
- /* NOTE: should we verify the leading zeros? */
- if (PORT_Memcmp(buffer + (modulusLen - hashLen), hash, hashLen) != 0)
- goto loser;
-
- PORT_Free(buffer);
- return SECSuccess;
-
-loser:
- PORT_Free(buffer);
-failure:
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSignRecoverRaw(RSAPublicKey * key,
- unsigned char * data,
- unsigned int * dataLen,
- unsigned int maxDataLen,
- const unsigned char * sig,
- unsigned int sigLen)
-{
- SECStatus rv;
- unsigned int modulusLen = rsa_modulusLen(&key->modulus);
-
- if (sigLen != modulusLen)
- goto failure;
- if (maxDataLen < modulusLen)
- goto failure;
-
- rv = RSA_PublicKeyOp(key, data, sig);
- if (rv != SECSuccess)
- goto failure;
-
- *dataLen = modulusLen;
- return SECSuccess;
-
-failure:
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_EncryptRaw(RSAPublicKey * key,
- unsigned char * output,
- unsigned int * outputLen,
- unsigned int maxOutputLen,
- const unsigned char * input,
- unsigned int inputLen)
-{
- SECStatus rv;
- unsigned int modulusLen = rsa_modulusLen(&key->modulus);
- SECItem formatted;
- SECItem unformatted;
-
- formatted.data = NULL;
- if (maxOutputLen < modulusLen)
- goto failure;
-
- unformatted.len = inputLen;
- unformatted.data = (unsigned char*)input;
- formatted.data = NULL;
- rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockRaw, &unformatted);
- if (rv != SECSuccess)
- goto failure;
-
- rv = RSA_PublicKeyOp(key, output, formatted.data);
- if (rv != SECSuccess)
- goto failure;
-
- PORT_ZFree(formatted.data, modulusLen);
- *outputLen = modulusLen;
- return SECSuccess;
-
-failure:
- if (formatted.data != NULL)
- PORT_ZFree(formatted.data, modulusLen);
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_DecryptRaw(RSAPrivateKey * key,
- unsigned char * output,
- unsigned int * outputLen,
- unsigned int maxOutputLen,
- const unsigned char * input,
- unsigned int inputLen)
-{
- SECStatus rv;
- unsigned int modulusLen = rsa_modulusLen(&key->modulus);
-
- if (modulusLen > maxOutputLen)
- goto failure;
- if (inputLen != modulusLen)
- goto failure;
-
- rv = RSA_PrivateKeyOp(key, output, input);
- if (rv != SECSuccess)
- goto failure;
-
- *outputLen = modulusLen;
- return SECSuccess;
-
-failure:
- return SECFailure;
-}
-
-/*
- * Decodes an EME-OAEP encoded block, validating the encoding in constant
- * time.
- * Described in RFC 3447, section 7.1.2.
- * input contains the encoded block, after decryption.
- * label is the optional value L that was associated with the message.
- * On success, the original message and message length will be stored in
- * output and outputLen.
- */
-static SECStatus
-eme_oaep_decode(unsigned char * output,
- unsigned int * outputLen,
- unsigned int maxOutputLen,
- const unsigned char * input,
- unsigned int inputLen,
- HASH_HashType hashAlg,
- HASH_HashType maskHashAlg,
- const unsigned char * label,
- unsigned int labelLen)
-{
- const SECHashObject * hash;
- void * hashContext;
- SECStatus rv = SECFailure;
- unsigned char labelHash[HASH_LENGTH_MAX];
- unsigned int i;
- unsigned int maskLen;
- unsigned int paddingOffset;
- unsigned char * mask = NULL;
- unsigned char * tmpOutput = NULL;
- unsigned char isGood;
- unsigned char foundPaddingEnd;
-
- hash = HASH_GetRawHashObject(hashAlg);
-
- /* 1.c */
- if (inputLen < (hash->length * 2) + 2) {
- PORT_SetError(SEC_ERROR_INPUT_LEN);
- return SECFailure;
- }
-
- /* Step 3.a - Generate lHash */
- hashContext = (*hash->create)();
- if (hashContext == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- (*hash->begin)(hashContext);
- if (labelLen > 0)
- (*hash->update)(hashContext, label, labelLen);
- (*hash->end)(hashContext, labelHash, &i, sizeof(labelHash));
- (*hash->destroy)(hashContext, PR_TRUE);
-
- tmpOutput = (unsigned char*)PORT_Alloc(inputLen);
- if (tmpOutput == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto done;
- }
-
- maskLen = inputLen - hash->length - 1;
- mask = (unsigned char*)PORT_Alloc(maskLen);
- if (mask == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto done;
- }
-
- PORT_Memcpy(tmpOutput, input, inputLen);
-
- /* 3.c - Generate seedMask */
- MGF1(maskHashAlg, mask, hash->length, &tmpOutput[1 + hash->length],
- inputLen - hash->length - 1);
- /* 3.d - Unmask seed */
- for (i = 0; i < hash->length; ++i)
- tmpOutput[1 + i] ^= mask[i];
-
- /* 3.e - Generate dbMask */
- MGF1(maskHashAlg, mask, maskLen, &tmpOutput[1], hash->length);
- /* 3.f - Unmask DB */
- for (i = 0; i < maskLen; ++i)
- tmpOutput[1 + hash->length + i] ^= mask[i];
-
- /* 3.g - Compare Y, lHash, and PS in constant time
- * Warning: This code is timing dependent and must not disclose which of
- * these were invalid.
- */
- paddingOffset = 0;
- isGood = 1;
- foundPaddingEnd = 0;
-
- /* Compare Y */
- isGood &= constantTimeEQ8(0x00, tmpOutput[0]);
-
- /* Compare lHash and lHash' */
- isGood &= constantTimeCompare(&labelHash[0],
- &tmpOutput[1 + hash->length],
- hash->length);
-
- /* Compare that the padding is zero or more zero octets, followed by a
- * 0x01 octet */
- for (i = 1 + (hash->length * 2); i < inputLen; ++i) {
- unsigned char isZero = constantTimeEQ8(0x00, tmpOutput[i]);
- unsigned char isOne = constantTimeEQ8(0x01, tmpOutput[i]);
- /* non-constant time equivalent:
- * if (tmpOutput[i] == 0x01 && !foundPaddingEnd)
- * paddingOffset = i;
- */
- paddingOffset = constantTimeCondition(isOne & ~foundPaddingEnd, i,
- paddingOffset);
- /* non-constant time equivalent:
- * if (tmpOutput[i] == 0x01)
- * foundPaddingEnd = true;
- *
- * Note: This may yield false positives, as it will be set whenever
- * a 0x01 byte is encountered. If there was bad padding (eg:
- * 0x03 0x02 0x01), foundPaddingEnd will still be set to true, and
- * paddingOffset will still be set to 2.
- */
- foundPaddingEnd = constantTimeCondition(isOne, 1, foundPaddingEnd);
- /* non-constant time equivalent:
- * if (tmpOutput[i] != 0x00 && tmpOutput[i] != 0x01 &&
- * !foundPaddingEnd) {
- * isGood = false;
- * }
- *
- * Note: This may yield false positives, as a message (and padding)
- * that is entirely zeros will result in isGood still being true. Thus
- * it's necessary to check foundPaddingEnd is positive below.
- */
- isGood = constantTimeCondition(~foundPaddingEnd & ~isZero, 0, isGood);
- }
-
- /* While both isGood and foundPaddingEnd may have false positives, they
- * cannot BOTH have false positives. If both are not true, then an invalid
- * message was received. Note, this comparison must still be done in constant
- * time so as not to leak either condition.
- */
- if (!(isGood & foundPaddingEnd)) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- goto done;
- }
-
- /* End timing dependent code */
-
- ++paddingOffset; /* Skip the 0x01 following the end of PS */
-
- *outputLen = inputLen - paddingOffset;
- if (*outputLen > maxOutputLen) {
- PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- goto done;
- }
-
- if (*outputLen)
- PORT_Memcpy(output, &tmpOutput[paddingOffset], *outputLen);
- rv = SECSuccess;
-
-done:
- if (mask)
- PORT_ZFree(mask, maskLen);
- if (tmpOutput)
- PORT_ZFree(tmpOutput, inputLen);
- return rv;
-}
-
-/*
- * Generate an EME-OAEP encoded block for encryption
- * Described in RFC 3447, section 7.1.1
- * We use input instead of M for the message to be encrypted
- * label is the optional value L to be associated with the message.
- */
-static SECStatus
-eme_oaep_encode(unsigned char * em,
- unsigned int emLen,
- const unsigned char * input,
- unsigned int inputLen,
- HASH_HashType hashAlg,
- HASH_HashType maskHashAlg,
- const unsigned char * label,
- unsigned int labelLen,
- const unsigned char * seed,
- unsigned int seedLen)
-{
- const SECHashObject * hash;
- void * hashContext;
- SECStatus rv;
- unsigned char * mask;
- unsigned int reservedLen;
- unsigned int dbMaskLen;
- unsigned int i;
-
- hash = HASH_GetRawHashObject(hashAlg);
- PORT_Assert(seed == NULL || seedLen == hash->length);
-
- /* Step 1.b */
- reservedLen = (2 * hash->length) + 2;
- if (emLen < reservedLen || inputLen > (emLen - reservedLen)) {
- PORT_SetError(SEC_ERROR_INPUT_LEN);
- return SECFailure;
- }
-
- /*
- * From RFC 3447, Section 7.1
- * +----------+---------+-------+
- * DB = | lHash | PS | M |
- * +----------+---------+-------+
- * |
- * +----------+ V
- * | seed |--> MGF ---> xor
- * +----------+ |
- * | |
- * +--+ V |
- * |00| xor <----- MGF <-----|
- * +--+ | |
- * | | |
- * V V V
- * +--+----------+----------------------------+
- * EM = |00|maskedSeed| maskedDB |
- * +--+----------+----------------------------+
- *
- * We use mask to hold the result of the MGF functions, and all other
- * values are generated in their final resting place.
- */
- *em = 0x00;
-
- /* Step 2.a - Generate lHash */
- hashContext = (*hash->create)();
- if (hashContext == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- (*hash->begin)(hashContext);
- if (labelLen > 0)
- (*hash->update)(hashContext, label, labelLen);
- (*hash->end)(hashContext, &em[1 + hash->length], &i, hash->length);
- (*hash->destroy)(hashContext, PR_TRUE);
-
- /* Step 2.b - Generate PS */
- if (emLen - reservedLen - inputLen > 0) {
- PORT_Memset(em + 1 + (hash->length * 2), 0x00,
- emLen - reservedLen - inputLen);
- }
-
- /* Step 2.c. - Generate DB
- * DB = lHash || PS || 0x01 || M
- * Note that PS and lHash have already been placed into em at their
- * appropriate offsets. This just copies M into place
- */
- em[emLen - inputLen - 1] = 0x01;
- if (inputLen)
- PORT_Memcpy(em + emLen - inputLen, input, inputLen);
-
- if (seed == NULL) {
- /* Step 2.d - Generate seed */
- rv = RNG_GenerateGlobalRandomBytes(em + 1, hash->length);
- if (rv != SECSuccess) {
- return rv;
- }
- } else {
- /* For Known Answer Tests, copy the supplied seed. */
- PORT_Memcpy(em + 1, seed, seedLen);
- }
-
- /* Step 2.e - Generate dbMask*/
- dbMaskLen = emLen - hash->length - 1;
- mask = (unsigned char*)PORT_Alloc(dbMaskLen);
- if (mask == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- MGF1(maskHashAlg, mask, dbMaskLen, em + 1, hash->length);
- /* Step 2.f - Compute maskedDB*/
- for (i = 0; i < dbMaskLen; ++i)
- em[1 + hash->length + i] ^= mask[i];
-
- /* Step 2.g - Generate seedMask */
- MGF1(maskHashAlg, mask, hash->length, &em[1 + hash->length], dbMaskLen);
- /* Step 2.h - Compute maskedSeed */
- for (i = 0; i < hash->length; ++i)
- em[1 + i] ^= mask[i];
-
- PORT_ZFree(mask, dbMaskLen);
- return SECSuccess;
-}
-
-SECStatus
-RSA_EncryptOAEP(RSAPublicKey * key,
- HASH_HashType hashAlg,
- HASH_HashType maskHashAlg,
- const unsigned char * label,
- unsigned int labelLen,
- const unsigned char * seed,
- unsigned int seedLen,
- unsigned char * output,
- unsigned int * outputLen,
- unsigned int maxOutputLen,
- const unsigned char * input,
- unsigned int inputLen)
-{
- SECStatus rv = SECFailure;
- unsigned int modulusLen = rsa_modulusLen(&key->modulus);
- unsigned char * oaepEncoded = NULL;
-
- if (maxOutputLen < modulusLen) {
- PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- return SECFailure;
- }
-
- if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- if ((labelLen == 0 && label != NULL) ||
- (labelLen > 0 && label == NULL)) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- oaepEncoded = (unsigned char *)PORT_Alloc(modulusLen);
- if (oaepEncoded == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- rv = eme_oaep_encode(oaepEncoded, modulusLen, input, inputLen,
- hashAlg, maskHashAlg, label, labelLen, seed, seedLen);
- if (rv != SECSuccess)
- goto done;
-
- rv = RSA_PublicKeyOp(key, output, oaepEncoded);
- if (rv != SECSuccess)
- goto done;
- *outputLen = modulusLen;
-
-done:
- PORT_Free(oaepEncoded);
- return rv;
-}
-
-SECStatus
-RSA_DecryptOAEP(RSAPrivateKey * key,
- HASH_HashType hashAlg,
- HASH_HashType maskHashAlg,
- const unsigned char * label,
- unsigned int labelLen,
- unsigned char * output,
- unsigned int * outputLen,
- unsigned int maxOutputLen,
- const unsigned char * input,
- unsigned int inputLen)
-{
- SECStatus rv = SECFailure;
- unsigned int modulusLen = rsa_modulusLen(&key->modulus);
- unsigned char * oaepEncoded = NULL;
-
- if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- if (inputLen != modulusLen) {
- PORT_SetError(SEC_ERROR_INPUT_LEN);
- return SECFailure;
- }
-
- if ((labelLen == 0 && label != NULL) ||
- (labelLen > 0 && label == NULL)) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- oaepEncoded = (unsigned char *)PORT_Alloc(modulusLen);
- if (oaepEncoded == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- rv = RSA_PrivateKeyOpDoubleChecked(key, oaepEncoded, input);
- if (rv != SECSuccess) {
- goto done;
- }
- rv = eme_oaep_decode(output, outputLen, maxOutputLen, oaepEncoded,
- modulusLen, hashAlg, maskHashAlg, label,
- labelLen);
-
-done:
- if (oaepEncoded)
- PORT_ZFree(oaepEncoded, modulusLen);
- return rv;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_EncryptBlock(RSAPublicKey * key,
- unsigned char * output,
- unsigned int * outputLen,
- unsigned int maxOutputLen,
- const unsigned char * input,
- unsigned int inputLen)
-{
- SECStatus rv;
- unsigned int modulusLen = rsa_modulusLen(&key->modulus);
- SECItem formatted;
- SECItem unformatted;
-
- formatted.data = NULL;
- if (maxOutputLen < modulusLen)
- goto failure;
-
- unformatted.len = inputLen;
- unformatted.data = (unsigned char*)input;
- formatted.data = NULL;
- rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPublic,
- &unformatted);
- if (rv != SECSuccess)
- goto failure;
-
- rv = RSA_PublicKeyOp(key, output, formatted.data);
- if (rv != SECSuccess)
- goto failure;
-
- PORT_ZFree(formatted.data, modulusLen);
- *outputLen = modulusLen;
- return SECSuccess;
-
-failure:
- if (formatted.data != NULL)
- PORT_ZFree(formatted.data, modulusLen);
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_DecryptBlock(RSAPrivateKey * key,
- unsigned char * output,
- unsigned int * outputLen,
- unsigned int maxOutputLen,
- const unsigned char * input,
- unsigned int inputLen)
-{
- SECStatus rv;
- unsigned int modulusLen = rsa_modulusLen(&key->modulus);
- unsigned int i;
- unsigned char * buffer;
-
- if (inputLen != modulusLen)
- goto failure;
-
- buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
- if (!buffer)
- goto failure;
-
- rv = RSA_PrivateKeyOp(key, buffer, input);
- if (rv != SECSuccess)
- goto loser;
-
- /* XXX(rsleevi): Constant time */
- if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
- buffer[1] != (unsigned char)RSA_BlockPublic) {
- goto loser;
- }
- *outputLen = 0;
- for (i = 2; i < modulusLen; i++) {
- if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
- *outputLen = modulusLen - i - 1;
- break;
- }
- }
- if (*outputLen == 0)
- goto loser;
- if (*outputLen > maxOutputLen)
- goto loser;
-
- PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen);
-
- PORT_Free(buffer);
- return SECSuccess;
-
-loser:
- PORT_Free(buffer);
-failure:
- return SECFailure;
-}
-
-/*
- * Encode a RSA-PSS signature.
- * Described in RFC 3447, section 9.1.1.
- * We use mHash instead of M as input.
- * emBits from the RFC is just modBits - 1, see section 8.1.1.
- * We only support MGF1 as the MGF.
- *
- * NOTE: this code assumes modBits is a multiple of 8.
- */
-static SECStatus
-emsa_pss_encode(unsigned char * em,
- unsigned int emLen,
- const unsigned char * mHash,
- HASH_HashType hashAlg,
- HASH_HashType maskHashAlg,
- const unsigned char * salt,
- unsigned int saltLen)
-{
- const SECHashObject * hash;
- void * hash_context;
- unsigned char * dbMask;
- unsigned int dbMaskLen;
- unsigned int i;
- SECStatus rv;
-
- hash = HASH_GetRawHashObject(hashAlg);
- dbMaskLen = emLen - hash->length - 1;
-
- /* Step 3 */
- if (emLen < hash->length + saltLen + 2) {
- PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- return SECFailure;
- }
-
- /* Step 4 */
- if (salt == NULL) {
- rv = RNG_GenerateGlobalRandomBytes(&em[dbMaskLen - saltLen], saltLen);
- if (rv != SECSuccess) {
- return rv;
- }
- } else {
- PORT_Memcpy(&em[dbMaskLen - saltLen], salt, saltLen);
- }
-
- /* Step 5 + 6 */
- /* Compute H and store it at its final location &em[dbMaskLen]. */
- hash_context = (*hash->create)();
- if (hash_context == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- (*hash->begin)(hash_context);
- (*hash->update)(hash_context, eightZeros, 8);
- (*hash->update)(hash_context, mHash, hash->length);
- (*hash->update)(hash_context, &em[dbMaskLen - saltLen], saltLen);
- (*hash->end)(hash_context, &em[dbMaskLen], &i, hash->length);
- (*hash->destroy)(hash_context, PR_TRUE);
-
- /* Step 7 + 8 */
- PORT_Memset(em, 0, dbMaskLen - saltLen - 1);
- em[dbMaskLen - saltLen - 1] = 0x01;
-
- /* Step 9 */
- dbMask = (unsigned char *)PORT_Alloc(dbMaskLen);
- if (dbMask == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- MGF1(maskHashAlg, dbMask, dbMaskLen, &em[dbMaskLen], hash->length);
-
- /* Step 10 */
- for (i = 0; i < dbMaskLen; i++)
- em[i] ^= dbMask[i];
- PORT_Free(dbMask);
-
- /* Step 11 */
- em[0] &= 0x7f;
-
- /* Step 12 */
- em[emLen - 1] = 0xbc;
-
- return SECSuccess;
-}
-
-/*
- * Verify a RSA-PSS signature.
- * Described in RFC 3447, section 9.1.2.
- * We use mHash instead of M as input.
- * emBits from the RFC is just modBits - 1, see section 8.1.2.
- * We only support MGF1 as the MGF.
- *
- * NOTE: this code assumes modBits is a multiple of 8.
- */
-static SECStatus
-emsa_pss_verify(const unsigned char * mHash,
- const unsigned char * em,
- unsigned int emLen,
- HASH_HashType hashAlg,
- HASH_HashType maskHashAlg,
- unsigned int saltLen)
-{
- const SECHashObject * hash;
- void * hash_context;
- unsigned char * db;
- unsigned char * H_; /* H' from the RFC */
- unsigned int i;
- unsigned int dbMaskLen;
- SECStatus rv;
-
- hash = HASH_GetRawHashObject(hashAlg);
- dbMaskLen = emLen - hash->length - 1;
-
- /* Step 3 + 4 + 6 */
- if ((emLen < (hash->length + saltLen + 2)) ||
- (em[emLen - 1] != 0xbc) ||
- ((em[0] & 0x80) != 0)) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
-
- /* Step 7 */
- db = (unsigned char *)PORT_Alloc(dbMaskLen);
- if (db == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- /* &em[dbMaskLen] points to H, used as mgfSeed */
- MGF1(maskHashAlg, db, dbMaskLen, &em[dbMaskLen], hash->length);
-
- /* Step 8 */
- for (i = 0; i < dbMaskLen; i++) {
- db[i] ^= em[i];
- }
-
- /* Step 9 */
- db[0] &= 0x7f;
-
- /* Step 10 */
- for (i = 0; i < (dbMaskLen - saltLen - 1); i++) {
- if (db[i] != 0) {
- PORT_Free(db);
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
- }
- if (db[dbMaskLen - saltLen - 1] != 0x01) {
- PORT_Free(db);
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
-
- /* Step 12 + 13 */
- H_ = (unsigned char *)PORT_Alloc(hash->length);
- if (H_ == NULL) {
- PORT_Free(db);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- hash_context = (*hash->create)();
- if (hash_context == NULL) {
- PORT_Free(db);
- PORT_Free(H_);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- (*hash->begin)(hash_context);
- (*hash->update)(hash_context, eightZeros, 8);
- (*hash->update)(hash_context, mHash, hash->length);
- (*hash->update)(hash_context, &db[dbMaskLen - saltLen], saltLen);
- (*hash->end)(hash_context, H_, &i, hash->length);
- (*hash->destroy)(hash_context, PR_TRUE);
-
- PORT_Free(db);
-
- /* Step 14 */
- if (PORT_Memcmp(H_, &em[dbMaskLen], hash->length) != 0) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- rv = SECFailure;
- } else {
- rv = SECSuccess;
- }
-
- PORT_Free(H_);
- return rv;
-}
-
-SECStatus
-RSA_SignPSS(RSAPrivateKey * key,
- HASH_HashType hashAlg,
- HASH_HashType maskHashAlg,
- const unsigned char * salt,
- unsigned int saltLength,
- unsigned char * output,
- unsigned int * outputLen,
- unsigned int maxOutputLen,
- const unsigned char * input,
- unsigned int inputLen)
-{
- SECStatus rv = SECSuccess;
- unsigned int modulusLen = rsa_modulusLen(&key->modulus);
- unsigned char *pssEncoded = NULL;
-
- if (maxOutputLen < modulusLen) {
- PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- return SECFailure;
- }
-
- if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- pssEncoded = (unsigned char *)PORT_Alloc(modulusLen);
- if (pssEncoded == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- rv = emsa_pss_encode(pssEncoded, modulusLen, input, hashAlg,
- maskHashAlg, salt, saltLength);
- if (rv != SECSuccess)
- goto done;
-
- rv = RSA_PrivateKeyOpDoubleChecked(key, output, pssEncoded);
- *outputLen = modulusLen;
-
-done:
- PORT_Free(pssEncoded);
- return rv;
-}
-
-SECStatus
-RSA_CheckSignPSS(RSAPublicKey * key,
- HASH_HashType hashAlg,
- HASH_HashType maskHashAlg,
- unsigned int saltLength,
- const unsigned char * sig,
- unsigned int sigLen,
- const unsigned char * hash,
- unsigned int hashLen)
-{
- SECStatus rv;
- unsigned int modulusLen = rsa_modulusLen(&key->modulus);
- unsigned char * buffer;
-
- if (sigLen != modulusLen) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
-
- if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- buffer = (unsigned char *)PORT_Alloc(modulusLen);
- if (!buffer) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- rv = RSA_PublicKeyOp(key, buffer, sig);
- if (rv != SECSuccess) {
- PORT_Free(buffer);
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
-
- rv = emsa_pss_verify(hash, buffer, modulusLen, hashAlg,
- maskHashAlg, saltLength);
- PORT_Free(buffer);
-
- return rv;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_Sign(RSAPrivateKey * key,
- unsigned char * output,
- unsigned int * outputLen,
- unsigned int maxOutputLen,
- const unsigned char * input,
- unsigned int inputLen)
-{
- SECStatus rv = SECSuccess;
- unsigned int modulusLen = rsa_modulusLen(&key->modulus);
- SECItem formatted;
- SECItem unformatted;
-
- if (maxOutputLen < modulusLen)
- return SECFailure;
-
- unformatted.len = inputLen;
- unformatted.data = (unsigned char*)input;
- formatted.data = NULL;
- rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPrivate,
- &unformatted);
- if (rv != SECSuccess)
- goto done;
-
- rv = RSA_PrivateKeyOpDoubleChecked(key, output, formatted.data);
- *outputLen = modulusLen;
-
- goto done;
-
-done:
- if (formatted.data != NULL)
- PORT_ZFree(formatted.data, modulusLen);
- return rv;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSign(RSAPublicKey * key,
- const unsigned char * sig,
- unsigned int sigLen,
- const unsigned char * data,
- unsigned int dataLen)
-{
- SECStatus rv;
- unsigned int modulusLen = rsa_modulusLen(&key->modulus);
- unsigned int i;
- unsigned char * buffer;
-
- if (sigLen != modulusLen)
- goto failure;
- /*
- * 0x00 || BT || Pad || 0x00 || ActualData
- *
- * The "3" below is the first octet + the second octet + the 0x00
- * octet that always comes just before the ActualData.
- */
- if (dataLen > modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN))
- goto failure;
-
- buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
- if (!buffer)
- goto failure;
-
- rv = RSA_PublicKeyOp(key, buffer, sig);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- * check the padding that was used
- */
- if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
- buffer[1] != (unsigned char)RSA_BlockPrivate) {
- goto loser;
- }
- for (i = 2; i < modulusLen - dataLen - 1; i++) {
- if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET)
- goto loser;
- }
- if (buffer[i] != RSA_BLOCK_AFTER_PAD_OCTET)
- goto loser;
-
- /*
- * make sure we get the same results
- */
- if (PORT_Memcmp(buffer + modulusLen - dataLen, data, dataLen) != 0)
- goto loser;
-
- PORT_Free(buffer);
- return SECSuccess;
-
-loser:
- PORT_Free(buffer);
-failure:
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSignRecover(RSAPublicKey * key,
- unsigned char * output,
- unsigned int * outputLen,
- unsigned int maxOutputLen,
- const unsigned char * sig,
- unsigned int sigLen)
-{
- SECStatus rv;
- unsigned int modulusLen = rsa_modulusLen(&key->modulus);
- unsigned int i;
- unsigned char * buffer;
-
- if (sigLen != modulusLen)
- goto failure;
-
- buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
- if (!buffer)
- goto failure;
-
- rv = RSA_PublicKeyOp(key, buffer, sig);
- if (rv != SECSuccess)
- goto loser;
- *outputLen = 0;
-
- /*
- * check the padding that was used
- */
- if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
- buffer[1] != (unsigned char)RSA_BlockPrivate) {
- goto loser;
- }
- for (i = 2; i < modulusLen; i++) {
- if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
- *outputLen = modulusLen - i - 1;
- break;
- }
- if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET)
- goto loser;
- }
- if (*outputLen == 0)
- goto loser;
- if (*outputLen > maxOutputLen)
- goto loser;
-
- PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen);
-
- PORT_Free(buffer);
- return SECSuccess;
-
-loser:
- PORT_Free(buffer);
-failure:
- return SECFailure;
-}
« no previous file with comments | « nss/lib/freebl/rsa.c ('k') | nss/lib/freebl/secmpi.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698