openssl/fips/rsa/fips_rsa_sign.c - Issue 9254031: Upgrade chrome's OpenSSL to same version Android ships with.

Unified Diff: openssl/fips/rsa/fips_rsa_sign.c

Issue 9254031: Upgrade chrome's OpenSSL to same version Android ships with. (Closed) Base URL: http://src.chromium.org/svn/trunk/deps/third_party/openssl/

Patch Set: '' Created 8 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: openssl/fips/rsa/fips_rsa_sign.c

===================================================================

--- openssl/fips/rsa/fips_rsa_sign.c (revision 105093)

+++ openssl/fips/rsa/fips_rsa_sign.c (working copy)

@@ -1,554 +0,0 @@

-/* fips_rsa_sign.c */

-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

- * project 2007.

- */

-/* ====================================================================

- *

- * Redistribution and use in source and binary forms, with or without

- * modification, are permitted provided that the following conditions

- * are met:

- *

- * 1. Redistributions of source code must retain the above copyright

- * notice, this list of conditions and the following disclaimer.

- *

- * 2. Redistributions in binary form must reproduce the above copyright

- * notice, this list of conditions and the following disclaimer in

- * the documentation and/or other materials provided with the

- * distribution.

- *

- * 3. All advertising materials mentioning features or use of this

- * software must display the following acknowledgment:

- * "This product includes software developed by the OpenSSL Project

- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

- *

- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

- * endorse or promote products derived from this software without

- * prior written permission. For written permission, please contact

- * licensing@OpenSSL.org.

- *

- * 5. Products derived from this software may not be called "OpenSSL"

- * nor may "OpenSSL" appear in their names without prior written

- * permission of the OpenSSL Project.

- *

- * 6. Redistributions of any form whatsoever must retain the following

- * acknowledgment:

- * "This product includes software developed by the OpenSSL Project

- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

- *

- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR

- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

- * OF THE POSSIBILITY OF SUCH DAMAGE.

- * ====================================================================

- *

- * This product includes cryptographic software written by Eric Young

- * (eay@cryptsoft.com). This product includes software written by Tim

- * Hudson (tjh@cryptsoft.com).

- *

- */

-#include <string.h>

-#include <openssl/evp.h>

-#include <openssl/rsa.h>

-#include <openssl/err.h>

-#include <openssl/sha.h>

-#ifdef OPENSSL_FIPS

-/* FIPS versions of RSA_sign() and RSA_verify().

- * These will only have to deal with SHA* signatures and by including

- * pregenerated encodings all ASN1 dependencies can be avoided

- */

-/* Standard encodings including NULL parameter */

-static const unsigned char sha1_bin[] = {

- 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,

- 0x00, 0x04, 0x14

-};

-static const unsigned char sha224_bin[] = {

- 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,

- 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c

-};

-static const unsigned char sha256_bin[] = {

- 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,

- 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20

-};

-static const unsigned char sha384_bin[] = {

- 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,

- 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30

-};

-static const unsigned char sha512_bin[] = {

- 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,

- 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40

-};

-/* Alternate encodings with absent parameters. We don't generate signature

- * using this format but do tolerate received signatures of this form.

- */

-static unsigned char sha1_nn_bin[] = {

- 0x30, 0x1f, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04,

- 0x14

-};

-static unsigned char sha224_nn_bin[] = {

- 0x30, 0x2b, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,

- 0x04, 0x02, 0x04, 0x04, 0x1c

-};

-static unsigned char sha256_nn_bin[] = {

- 0x30, 0x2f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,

- 0x04, 0x02, 0x01, 0x04, 0x20

-};

-static unsigned char sha384_nn_bin[] = {

- 0x30, 0x3f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,

- 0x04, 0x02, 0x02, 0x04, 0x30

-};

-static unsigned char sha512_nn_bin[] = {

- 0x30, 0x4f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,

- 0x04, 0x02, 0x03, 0x04, 0x40

-};

-static const unsigned char *fips_digestinfo_encoding(int nid, unsigned int *len)

- {

- switch (nid)

- {

- case NID_sha1:

- *len = sizeof(sha1_bin);

- return sha1_bin;

- case NID_sha224:

- *len = sizeof(sha224_bin);

- return sha224_bin;

- case NID_sha256:

- *len = sizeof(sha256_bin);

- return sha256_bin;

- case NID_sha384:

- *len = sizeof(sha384_bin);

- return sha384_bin;

- case NID_sha512:

- *len = sizeof(sha512_bin);

- return sha512_bin;

- default:

- return NULL;

- }

-static const unsigned char *fips_digestinfo_nn_encoding(int nid, unsigned int *len)

- {

- switch (nid)

- {

- case NID_sha1:

- *len = sizeof(sha1_nn_bin);

- return sha1_nn_bin;

- case NID_sha224:

- *len = sizeof(sha224_nn_bin);

- return sha224_nn_bin;

- case NID_sha256:

- *len = sizeof(sha256_nn_bin);

- return sha256_nn_bin;

- case NID_sha384:

- *len = sizeof(sha384_nn_bin);

- return sha384_nn_bin;

- case NID_sha512:

- *len = sizeof(sha512_nn_bin);

- return sha512_nn_bin;

- default:

- return NULL;

- }

-static int fips_rsa_sign(int type, const unsigned char *x, unsigned int y,

- unsigned char *sigret, unsigned int *siglen, EVP_MD_SVCTX *sv)

- {

- int i=0,j,ret=0;

- unsigned int dlen;

- const unsigned char *der;

- unsigned int m_len;

- int pad_mode = sv->mctx->flags & EVP_MD_CTX_FLAG_PAD_MASK;

- int rsa_pad_mode = 0;

- RSA *rsa = sv->key;

- /* Largest DigestInfo: 19 (max encoding) + max MD */

- unsigned char tmpdinfo[19 + EVP_MAX_MD_SIZE];

- unsigned char md[EVP_MAX_MD_SIZE + 1];

- EVP_DigestFinal_ex(sv->mctx, md, &m_len);

- if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)

- {

- ret = rsa->meth->rsa_sign(type, md, m_len,

- sigret, siglen, rsa);

- goto done;

- }

- if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931)

- {

- int hash_id;

- memcpy(tmpdinfo, md, m_len);

- hash_id = RSA_X931_hash_id(M_EVP_MD_CTX_type(sv->mctx));

- if (hash_id == -1)

- {

- RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);

- return 0;

- }

- tmpdinfo[m_len] = (unsigned char)hash_id;

- i = m_len + 1;

- rsa_pad_mode = RSA_X931_PADDING;

- }

- else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1)

- {

- der = fips_digestinfo_encoding(type, &dlen);

- if (!der)

- {

- RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);

- return 0;

- }

- memcpy(tmpdinfo, der, dlen);

- memcpy(tmpdinfo + dlen, md, m_len);

- i = dlen + m_len;

- rsa_pad_mode = RSA_PKCS1_PADDING;

- }

- else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS)

- {

- unsigned char *sbuf;

- int saltlen;

- i = RSA_size(rsa);

- sbuf = OPENSSL_malloc(RSA_size(rsa));

- saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(sv->mctx);

- if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)

- saltlen = -1;

- else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)

- saltlen = -2;

- if (!sbuf)

- {

- RSAerr(RSA_F_FIPS_RSA_SIGN,ERR_R_MALLOC_FAILURE);

- goto psserr;

- }

- if (!RSA_padding_add_PKCS1_PSS(rsa, sbuf, md,

- M_EVP_MD_CTX_md(sv->mctx), saltlen))

- goto psserr;

- j=rsa->meth->rsa_priv_enc(i,sbuf,sigret,rsa,RSA_NO_PADDING);

- if (j > 0)

- {

- ret=1;

- *siglen=j;

- }

- psserr:

- OPENSSL_cleanse(md,m_len);

- OPENSSL_cleanse(sbuf, i);

- OPENSSL_free(sbuf);

- return ret;

- }

- j=RSA_size(rsa);

- if (i > (j-RSA_PKCS1_PADDING_SIZE))

- {

- RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);

- goto done;

- }

- /* NB: call underlying method directly to avoid FIPS blocking */

- j=rsa->meth->rsa_priv_enc(i,tmpdinfo,sigret,rsa,rsa_pad_mode);

- if (j > 0)

- {

- ret=1;

- *siglen=j;

- }

- done:

- OPENSSL_cleanse(tmpdinfo,i);

- OPENSSL_cleanse(md,m_len);

- return ret;

- }

-static int fips_rsa_verify(int dtype,

- const unsigned char *x, unsigned int y,

- unsigned char *sigbuf, unsigned int siglen, EVP_MD_SVCTX *sv)

- {

- int i,ret=0;

- unsigned int dlen, diglen;

- int pad_mode = sv->mctx->flags & EVP_MD_CTX_FLAG_PAD_MASK;

- int rsa_pad_mode = 0;

- unsigned char *s;

- const unsigned char *der;

- unsigned char dig[EVP_MAX_MD_SIZE];

- RSA *rsa = sv->key;

- if (siglen != (unsigned int)RSA_size(sv->key))

- {

- RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);

- return(0);

- }

- EVP_DigestFinal_ex(sv->mctx, dig, &diglen);

- if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)

- {

- return rsa->meth->rsa_verify(dtype, dig, diglen,

- sigbuf, siglen, rsa);

- }

- s= OPENSSL_malloc((unsigned int)siglen);

- if (s == NULL)

- {

- RSAerr(RSA_F_FIPS_RSA_VERIFY,ERR_R_MALLOC_FAILURE);

- goto err;

- }

- if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931)

- rsa_pad_mode = RSA_X931_PADDING;

- else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1)

- rsa_pad_mode = RSA_PKCS1_PADDING;

- else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS)

- rsa_pad_mode = RSA_NO_PADDING;

- /* NB: call underlying method directly to avoid FIPS blocking */

- i=rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s, rsa, rsa_pad_mode);

- if (i <= 0) goto err;

- if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931)

- {

- int hash_id;

- if (i != (int)(diglen + 1))

- {

- RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);

- goto err;

- }

- hash_id = RSA_X931_hash_id(M_EVP_MD_CTX_type(sv->mctx));

- if (hash_id == -1)

- {

- RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_UNKNOWN_ALGORITHM_TYPE);

- goto err;

- }

- if (s[diglen] != (unsigned char)hash_id)

- {

- RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);

- goto err;

- }

- if (memcmp(s, dig, diglen))

- {

- RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);

- goto err;

- }

- ret = 1;

- }

- else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1)

- {

- der = fips_digestinfo_encoding(dtype, &dlen);

- if (!der)

- {

- RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_UNKNOWN_ALGORITHM_TYPE);

- return(0);

- }

- /* Compare, DigestInfo length, DigestInfo header and finally

- * digest value itself

- */

- /* If length mismatch try alternate encoding */

- if (i != (int)(dlen + diglen))

- der = fips_digestinfo_nn_encoding(dtype, &dlen);

- if ((i != (int)(dlen + diglen)) || memcmp(der, s, dlen)

- || memcmp(s + dlen, dig, diglen))

- {

- RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);

- goto err;

- }

- ret = 1;

- }

- else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS)

- {

- int saltlen;

- saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(sv->mctx);

- if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)

- saltlen = -1;

- else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)

- saltlen = -2;

- ret = RSA_verify_PKCS1_PSS(rsa, dig, M_EVP_MD_CTX_md(sv->mctx),

- s, saltlen);

- if (ret < 0)

- ret = 0;

- }

-err:

- if (s != NULL)

- {

- OPENSSL_cleanse(s, siglen);

- OPENSSL_free(s);

- }

- return(ret);

- }

-#define EVP_PKEY_RSA_fips_method \

- (evp_sign_method *)fips_rsa_sign, \

- (evp_verify_method *)fips_rsa_verify, \

- {EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0}

-static int init(EVP_MD_CTX *ctx)

- { return SHA1_Init(ctx->md_data); }

-static int update(EVP_MD_CTX *ctx,const void *data,size_t count)

- { return SHA1_Update(ctx->md_data,data,count); }

-static int final(EVP_MD_CTX *ctx,unsigned char *md)

- { return SHA1_Final(md,ctx->md_data); }

-static const EVP_MD sha1_md=

- {

- NID_sha1,

- NID_sha1WithRSAEncryption,

- SHA_DIGEST_LENGTH,

- EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,

- init,

- update,

- final,

- NULL,

- EVP_PKEY_RSA_fips_method,

- SHA_CBLOCK,

- sizeof(EVP_MD *)+sizeof(SHA_CTX),

- };

-const EVP_MD *EVP_sha1(void)

- {

- return(&sha1_md);

- }

-static int init224(EVP_MD_CTX *ctx)

- { return SHA224_Init(ctx->md_data); }

-static int init256(EVP_MD_CTX *ctx)

- { return SHA256_Init(ctx->md_data); }

-/*

- * Even though there're separate SHA224_[Update|Final], we call

- * SHA256 functions even in SHA224 context. This is what happens

- * there anyway, so we can spare few CPU cycles:-)

- */

-static int update256(EVP_MD_CTX *ctx,const void *data,size_t count)

- { return SHA256_Update(ctx->md_data,data,count); }

-static int final256(EVP_MD_CTX *ctx,unsigned char *md)

- { return SHA256_Final(md,ctx->md_data); }

-static const EVP_MD sha224_md=

- {

- NID_sha224,

- NID_sha224WithRSAEncryption,

- SHA224_DIGEST_LENGTH,

- EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,

- init224,

- update256,

- final256,

- NULL,

- EVP_PKEY_RSA_fips_method,

- SHA256_CBLOCK,

- sizeof(EVP_MD *)+sizeof(SHA256_CTX),

- };

-const EVP_MD *EVP_sha224(void)

- { return(&sha224_md); }

-static const EVP_MD sha256_md=

- {

- NID_sha256,

- NID_sha256WithRSAEncryption,

- SHA256_DIGEST_LENGTH,

- EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,

- init256,

- update256,

- final256,

- NULL,

- EVP_PKEY_RSA_fips_method,

- SHA256_CBLOCK,

- sizeof(EVP_MD *)+sizeof(SHA256_CTX),

- };

-const EVP_MD *EVP_sha256(void)

- { return(&sha256_md); }

-static int init384(EVP_MD_CTX *ctx)

- { return SHA384_Init(ctx->md_data); }

-static int init512(EVP_MD_CTX *ctx)

- { return SHA512_Init(ctx->md_data); }

-/* See comment in SHA224/256 section */

-static int update512(EVP_MD_CTX *ctx,const void *data,size_t count)

- { return SHA512_Update(ctx->md_data,data,count); }

-static int final512(EVP_MD_CTX *ctx,unsigned char *md)

- { return SHA512_Final(md,ctx->md_data); }

-static const EVP_MD sha384_md=

- {

- NID_sha384,

- NID_sha384WithRSAEncryption,

- SHA384_DIGEST_LENGTH,

- EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,

- init384,

- update512,

- final512,

- NULL,

- EVP_PKEY_RSA_fips_method,

- SHA512_CBLOCK,

- sizeof(EVP_MD *)+sizeof(SHA512_CTX),

- };

-const EVP_MD *EVP_sha384(void)

- { return(&sha384_md); }

-static const EVP_MD sha512_md=

- {

- NID_sha512,

- NID_sha512WithRSAEncryption,

- SHA512_DIGEST_LENGTH,

- EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,

- init512,

- update512,

- final512,

- NULL,

- EVP_PKEY_RSA_fips_method,

- SHA512_CBLOCK,

- sizeof(EVP_MD *)+sizeof(SHA512_CTX),

- };

-const EVP_MD *EVP_sha512(void)

- { return(&sha512_md); }

-#endif

« openssl.gyp ('K') | « openssl/fips/rsa/fips_rsa_selftest.c ('k') | openssl/fips/rsa/fips_rsa_x931g.c » ('j') | patches/x509_hash_name_algorithm_change.patch » ('J')