/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* * RSA PKCS#1 v2.1 (RFC 3447) operations */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" #endif #include "secerr.h" #include "blapi.h" #include "secitem.h" #include "blapii.h" #define RSA_BLOCK_MIN_PAD_LEN 8 #define RSA_BLOCK_FIRST_OCTET 0x00 #define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff #define RSA_BLOCK_AFTER_PAD_OCTET 0x00 /* * RSA block types * * The actual values are important -- they are fixed, *not* arbitrary. * The explicit value assignments are not needed (because C would give * us those same values anyway) but are included as a reminder... */ typedef enum { RSA_BlockUnused = 0, /* unused */ RSA_BlockPrivate = 1, /* pad for a private-key operation */ RSA_BlockPublic = 2, /* pad for a public-key operation */ RSA_BlockRaw = 4, /* simply justify the block appropriately */ RSA_BlockTotal } RSA_BlockType; /* Needed for RSA-PSS functions */ static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; /* Constant time comparison of a single byte. * Returns 1 iff a == b, otherwise returns 0. * Note: For ranges of bytes, use constantTimeCompare. */ static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) { unsigned char c = ~((a - b) | (b - a)); c >>= 7; return c; } /* Constant time comparison of a range of bytes. * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise * returns 0. */ static unsigned char constantTimeCompare(const unsigned char *a, const unsigned char *b, unsigned int len) { unsigned char tmp = 0; unsigned int i; for (i = 0; i < len; ++i, ++a, ++b) tmp |= *a ^ *b; return constantTimeEQ8(0x00, tmp); } /* Constant time conditional. * Returns a if c is 1, or b if c is 0. The result is undefined if c is * not 0 or 1. */ static unsigned int constantTimeCondition(unsigned int c, unsigned int a, unsigned int b) { return (~(c - 1) & a) | ((c - 1) & b); } static unsigned int rsa_modulusLen(SECItem * modulus) { unsigned char byteZero = modulus->data[0]; unsigned int modLen = modulus->len - !byteZero; return modLen; } /* * Format one block of data for public/private key encryption using * the rules defined in PKCS #1. */ static unsigned char * rsa_FormatOneBlock(unsigned modulusLen, RSA_BlockType blockType, SECItem * data) { unsigned char *block; unsigned char *bp; int padLen; int i, j; SECStatus rv; block = (unsigned char *) PORT_Alloc(modulusLen); if (block == NULL) return NULL; bp = block; /* * All RSA blocks start with two octets: * 0x00 || BlockType */ *bp++ = RSA_BLOCK_FIRST_OCTET; *bp++ = (unsigned char) blockType; switch (blockType) { /* * Blocks intended for private-key operation. */ case RSA_BlockPrivate: /* preferred method */ /* * 0x00 || BT || Pad || 0x00 || ActualData * 1 1 padLen 1 data->len * Pad is either all 0x00 or all 0xff bytes, depending on blockType. */ padLen = modulusLen - data->len - 3; PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN); if (padLen < RSA_BLOCK_MIN_PAD_LEN) { PORT_Free(block); return NULL; } PORT_Memset(bp, RSA_BLOCK_PRIVATE_PAD_OCTET, padLen); bp += padLen; *bp++ = RSA_BLOCK_AFTER_PAD_OCTET; PORT_Memcpy(bp, data->data, data->len); break; /* * Blocks intended for public-key operation. */ case RSA_BlockPublic: /* * 0x00 || BT || Pad || 0x00 || ActualData * 1 1 padLen 1 data->len * Pad is all non-zero random bytes. * * Build the block left to right. * Fill the entire block from Pad to the end with random bytes. * Use the bytes after Pad as a supply of extra random bytes from * which to find replacements for the zero bytes in Pad. * If we need more than that, refill the bytes after Pad with * new random bytes as necessary. */ padLen = modulusLen - (data->len + 3); PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN); if (padLen < RSA_BLOCK_MIN_PAD_LEN) { PORT_Free(block); return NULL; } j = modulusLen - 2; rv = RNG_GenerateGlobalRandomBytes(bp, j); if (rv == SECSuccess) { for (i = 0; i < padLen; ) { unsigned char repl; /* Pad with non-zero random data. */ if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) { ++i; continue; } if (j <= padLen) { rv = RNG_GenerateGlobalRandomBytes(bp + padLen, modulusLen - (2 + padLen)); if (rv != SECSuccess) break; j = modulusLen - 2; } do { repl = bp[--j]; } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen); if (repl != RSA_BLOCK_AFTER_PAD_OCTET) { bp[i++] = repl; } } } if (rv != SECSuccess) { PORT_Free(block); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return NULL; } bp += padLen; *bp++ = RSA_BLOCK_AFTER_PAD_OCTET; PORT_Memcpy(bp, data->data, data->len); break; default: PORT_Assert(0); PORT_Free(block); return NULL; } return block; } static SECStatus rsa_FormatBlock(SECItem * result, unsigned modulusLen, RSA_BlockType blockType, SECItem * data) { switch (blockType) { case RSA_BlockPrivate: case RSA_BlockPublic: /* * 0x00 || BT || Pad || 0x00 || ActualData * * The "3" below is the first octet + the second octet + the 0x00 * octet that always comes just before the ActualData. */ PORT_Assert(data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN))); result->data = rsa_FormatOneBlock(modulusLen, blockType, data); if (result->data == NULL) { result->len = 0; return SECFailure; } result->len = modulusLen; break; case RSA_BlockRaw: /* * Pad || ActualData * Pad is zeros. The application is responsible for recovering * the actual data. */ if (data->len > modulusLen ) { return SECFailure; } result->data = (unsigned char*)PORT_ZAlloc(modulusLen); result->len = modulusLen; PORT_Memcpy(result->data + (modulusLen - data->len), data->data, data->len); break; default: PORT_Assert(0); result->data = NULL; result->len = 0; return SECFailure; } return SECSuccess; } /* * Mask generation function MGF1 as defined in PKCS #1 v2.1 / RFC 3447. */ static SECStatus MGF1(HASH_HashType hashAlg, unsigned char * mask, unsigned int maskLen, const unsigned char * mgfSeed, unsigned int mgfSeedLen) { unsigned int digestLen; PRUint32 counter; PRUint32 rounds; unsigned char * tempHash; unsigned char * temp; const SECHashObject * hash; void * hashContext; unsigned char C[4]; hash = HASH_GetRawHashObject(hashAlg); if (hash == NULL) return SECFailure; hashContext = (*hash->create)(); rounds = (maskLen + hash->length - 1) / hash->length; for (counter = 0; counter < rounds; counter++) { C[0] = (unsigned char)((counter >> 24) & 0xff); C[1] = (unsigned char)((counter >> 16) & 0xff); C[2] = (unsigned char)((counter >> 8) & 0xff); C[3] = (unsigned char)(counter & 0xff); /* This could be optimized when the clone functions in * rawhash.c are implemented. */ (*hash->begin)(hashContext); (*hash->update)(hashContext, mgfSeed, mgfSeedLen); (*hash->update)(hashContext, C, sizeof C); tempHash = mask + counter * hash->length; if (counter != (rounds - 1)) { (*hash->end)(hashContext, tempHash, &digestLen, hash->length); } else { /* we're in the last round and need to cut the hash */ temp = (unsigned char *)PORT_Alloc(hash->length); (*hash->end)(hashContext, temp, &digestLen, hash->length); PORT_Memcpy(tempHash, temp, maskLen - counter * hash->length); PORT_Free(temp); } } (*hash->destroy)(hashContext, PR_TRUE); return SECSuccess; } /* XXX Doesn't set error code */ SECStatus RSA_SignRaw(RSAPrivateKey * key, unsigned char * output, unsigned int * outputLen, unsigned int maxOutputLen, const unsigned char * data, unsigned int dataLen) { SECStatus rv = SECSuccess; unsigned int modulusLen = rsa_modulusLen(&key->modulus); SECItem formatted; SECItem unformatted; if (maxOutputLen < modulusLen) return SECFailure; unformatted.len = dataLen; unformatted.data = (unsigned char*)data; formatted.data = NULL; rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockRaw, &unformatted); if (rv != SECSuccess) goto done; rv = RSA_PrivateKeyOpDoubleChecked(key, output, formatted.data); *outputLen = modulusLen; done: if (formatted.data != NULL) PORT_ZFree(formatted.data, modulusLen); return rv; } /* XXX Doesn't set error code */ SECStatus RSA_CheckSignRaw(RSAPublicKey * key, const unsigned char * sig, unsigned int sigLen, const unsigned char * hash, unsigned int hashLen) { SECStatus rv; unsigned int modulusLen = rsa_modulusLen(&key->modulus); unsigned char * buffer; if (sigLen != modulusLen) goto failure; if (hashLen > modulusLen) goto failure; buffer = (unsigned char *)PORT_Alloc(modulusLen + 1); if (!buffer) goto failure; rv = RSA_PublicKeyOp(key, buffer, sig); if (rv != SECSuccess) goto loser; /* * make sure we get the same results */ /* XXX(rsleevi): Constant time */ /* NOTE: should we verify the leading zeros? */ if (PORT_Memcmp(buffer + (modulusLen - hashLen), hash, hashLen) != 0) goto loser; PORT_Free(buffer); return SECSuccess; loser: PORT_Free(buffer); failure: return SECFailure; } /* XXX Doesn't set error code */ SECStatus RSA_CheckSignRecoverRaw(RSAPublicKey * key, unsigned char * data, unsigned int * dataLen, unsigned int maxDataLen, const unsigned char * sig, unsigned int sigLen) { SECStatus rv; unsigned int modulusLen = rsa_modulusLen(&key->modulus); if (sigLen != modulusLen) goto failure; if (maxDataLen < modulusLen) goto failure; rv = RSA_PublicKeyOp(key, data, sig); if (rv != SECSuccess) goto failure; *dataLen = modulusLen; return SECSuccess; failure: return SECFailure; } /* XXX Doesn't set error code */ SECStatus RSA_EncryptRaw(RSAPublicKey * key, unsigned char * output, unsigned int * outputLen, unsigned int maxOutputLen, const unsigned char * input, unsigned int inputLen) { SECStatus rv; unsigned int modulusLen = rsa_modulusLen(&key->modulus); SECItem formatted; SECItem unformatted; formatted.data = NULL; if (maxOutputLen < modulusLen) goto failure; unformatted.len = inputLen; unformatted.data = (unsigned char*)input; formatted.data = NULL; rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockRaw, &unformatted); if (rv != SECSuccess) goto failure; rv = RSA_PublicKeyOp(key, output, formatted.data); if (rv != SECSuccess) goto failure; PORT_ZFree(formatted.data, modulusLen); *outputLen = modulusLen; return SECSuccess; failure: if (formatted.data != NULL) PORT_ZFree(formatted.data, modulusLen); return SECFailure; } /* XXX Doesn't set error code */ SECStatus RSA_DecryptRaw(RSAPrivateKey * key, unsigned char * output, unsigned int * outputLen, unsigned int maxOutputLen, const unsigned char * input, unsigned int inputLen) { SECStatus rv; unsigned int modulusLen = rsa_modulusLen(&key->modulus); if (modulusLen > maxOutputLen) goto failure; if (inputLen != modulusLen) goto failure; rv = RSA_PrivateKeyOp(key, output, input); if (rv != SECSuccess) goto failure; *outputLen = modulusLen; return SECSuccess; failure: return SECFailure; } /* * Decodes an EME-OAEP encoded block, validating the encoding in constant * time. * Described in RFC 3447, section 7.1.2. * input contains the encoded block, after decryption. * label is the optional value L that was associated with the message. * On success, the original message and message length will be stored in * output and outputLen. */ static SECStatus eme_oaep_decode(unsigned char * output, unsigned int * outputLen, unsigned int maxOutputLen, const unsigned char * input, unsigned int inputLen, HASH_HashType hashAlg, HASH_HashType maskHashAlg, const unsigned char * label, unsigned int labelLen) { const SECHashObject * hash; void * hashContext; SECStatus rv = SECFailure; unsigned char labelHash[HASH_LENGTH_MAX]; unsigned int i; unsigned int maskLen; unsigned int paddingOffset; unsigned char * mask = NULL; unsigned char * tmpOutput = NULL; unsigned char isGood; unsigned char foundPaddingEnd; hash = HASH_GetRawHashObject(hashAlg); /* 1.c */ if (inputLen < (hash->length * 2) + 2) { PORT_SetError(SEC_ERROR_INPUT_LEN); return SECFailure; } /* Step 3.a - Generate lHash */ hashContext = (*hash->create)(); if (hashContext == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } (*hash->begin)(hashContext); if (labelLen > 0) (*hash->update)(hashContext, label, labelLen); (*hash->end)(hashContext, labelHash, &i, sizeof(labelHash)); (*hash->destroy)(hashContext, PR_TRUE); tmpOutput = (unsigned char*)PORT_Alloc(inputLen); if (tmpOutput == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); goto done; } maskLen = inputLen - hash->length - 1; mask = (unsigned char*)PORT_Alloc(maskLen); if (mask == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); goto done; } PORT_Memcpy(tmpOutput, input, inputLen); /* 3.c - Generate seedMask */ MGF1(maskHashAlg, mask, hash->length, &tmpOutput[1 + hash->length], inputLen - hash->length - 1); /* 3.d - Unmask seed */ for (i = 0; i < hash->length; ++i) tmpOutput[1 + i] ^= mask[i]; /* 3.e - Generate dbMask */ MGF1(maskHashAlg, mask, maskLen, &tmpOutput[1], hash->length); /* 3.f - Unmask DB */ for (i = 0; i < maskLen; ++i) tmpOutput[1 + hash->length + i] ^= mask[i]; /* 3.g - Compare Y, lHash, and PS in constant time * Warning: This code is timing dependent and must not disclose which of * these were invalid. */ paddingOffset = 0; isGood = 1; foundPaddingEnd = 0; /* Compare Y */ isGood &= constantTimeEQ8(0x00, tmpOutput[0]); /* Compare lHash and lHash' */ isGood &= constantTimeCompare(&labelHash[0], &tmpOutput[1 + hash->length], hash->length); /* Compare that the padding is zero or more zero octets, followed by a * 0x01 octet */ for (i = 1 + (hash->length * 2); i < inputLen; ++i) { unsigned char isZero = constantTimeEQ8(0x00, tmpOutput[i]); unsigned char isOne = constantTimeEQ8(0x01, tmpOutput[i]); /* non-constant time equivalent: * if (tmpOutput[i] == 0x01 && !foundPaddingEnd) * paddingOffset = i; */ paddingOffset = constantTimeCondition(isOne & ~foundPaddingEnd, i, paddingOffset); /* non-constant time equivalent: * if (tmpOutput[i] == 0x01) * foundPaddingEnd = true; * * Note: This may yield false positives, as it will be set whenever * a 0x01 byte is encountered. If there was bad padding (eg: * 0x03 0x02 0x01), foundPaddingEnd will still be set to true, and * paddingOffset will still be set to 2. */ foundPaddingEnd = constantTimeCondition(isOne, 1, foundPaddingEnd); /* non-constant time equivalent: * if (tmpOutput[i] != 0x00 && tmpOutput[i] != 0x01 && * !foundPaddingEnd) { * isGood = false; * } * * Note: This may yield false positives, as a message (and padding) * that is entirely zeros will result in isGood still being true. Thus * it's necessary to check foundPaddingEnd is positive below. */ isGood = constantTimeCondition(~foundPaddingEnd & ~isZero, 0, isGood); } /* While both isGood and foundPaddingEnd may have false positives, they * cannot BOTH have false positives. If both are not true, then an invalid * message was received. Note, this comparison must still be done in constant * time so as not to leak either condition. */ if (!(isGood & foundPaddingEnd)) { PORT_SetError(SEC_ERROR_BAD_DATA); goto done; } /* End timing dependent code */ ++paddingOffset; /* Skip the 0x01 following the end of PS */ *outputLen = inputLen - paddingOffset; if (*outputLen > maxOutputLen) { PORT_SetError(SEC_ERROR_OUTPUT_LEN); goto done; } if (*outputLen) PORT_Memcpy(output, &tmpOutput[paddingOffset], *outputLen); rv = SECSuccess; done: if (mask) PORT_ZFree(mask, maskLen); if (tmpOutput) PORT_ZFree(tmpOutput, inputLen); return rv; } /* * Generate an EME-OAEP encoded block for encryption * Described in RFC 3447, section 7.1.1 * We use input instead of M for the message to be encrypted * label is the optional value L to be associated with the message. */ static SECStatus eme_oaep_encode(unsigned char * em, unsigned int emLen, const unsigned char * input, unsigned int inputLen, HASH_HashType hashAlg, HASH_HashType maskHashAlg, const unsigned char * label, unsigned int labelLen, const unsigned char * seed, unsigned int seedLen) { const SECHashObject * hash; void * hashContext; SECStatus rv; unsigned char * mask; unsigned int reservedLen; unsigned int dbMaskLen; unsigned int i; hash = HASH_GetRawHashObject(hashAlg); PORT_Assert(seed == NULL || seedLen == hash->length); /* Step 1.b */ reservedLen = (2 * hash->length) + 2; if (emLen < reservedLen || inputLen > (emLen - reservedLen)) { PORT_SetError(SEC_ERROR_INPUT_LEN); return SECFailure; } /* * From RFC 3447, Section 7.1 * +----------+---------+-------+ * DB = | lHash | PS | M | * +----------+---------+-------+ * | * +----------+ V * | seed |--> MGF ---> xor * +----------+ | * | | * +--+ V | * |00| xor <----- MGF <-----| * +--+ | | * | | | * V V V * +--+----------+----------------------------+ * EM = |00|maskedSeed| maskedDB | * +--+----------+----------------------------+ * * We use mask to hold the result of the MGF functions, and all other * values are generated in their final resting place. */ *em = 0x00; /* Step 2.a - Generate lHash */ hashContext = (*hash->create)(); if (hashContext == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } (*hash->begin)(hashContext); if (labelLen > 0) (*hash->update)(hashContext, label, labelLen); (*hash->end)(hashContext, &em[1 + hash->length], &i, hash->length); (*hash->destroy)(hashContext, PR_TRUE); /* Step 2.b - Generate PS */ if (emLen - reservedLen - inputLen > 0) { PORT_Memset(em + 1 + (hash->length * 2), 0x00, emLen - reservedLen - inputLen); } /* Step 2.c. - Generate DB * DB = lHash || PS || 0x01 || M * Note that PS and lHash have already been placed into em at their * appropriate offsets. This just copies M into place */ em[emLen - inputLen - 1] = 0x01; if (inputLen) PORT_Memcpy(em + emLen - inputLen, input, inputLen); if (seed == NULL) { /* Step 2.d - Generate seed */ rv = RNG_GenerateGlobalRandomBytes(em + 1, hash->length); if (rv != SECSuccess) { return rv; } } else { /* For Known Answer Tests, copy the supplied seed. */ PORT_Memcpy(em + 1, seed, seedLen); } /* Step 2.e - Generate dbMask*/ dbMaskLen = emLen - hash->length - 1; mask = (unsigned char*)PORT_Alloc(dbMaskLen); if (mask == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } MGF1(maskHashAlg, mask, dbMaskLen, em + 1, hash->length); /* Step 2.f - Compute maskedDB*/ for (i = 0; i < dbMaskLen; ++i) em[1 + hash->length + i] ^= mask[i]; /* Step 2.g - Generate seedMask */ MGF1(maskHashAlg, mask, hash->length, &em[1 + hash->length], dbMaskLen); /* Step 2.h - Compute maskedSeed */ for (i = 0; i < hash->length; ++i) em[1 + i] ^= mask[i]; PORT_ZFree(mask, dbMaskLen); return SECSuccess; } SECStatus RSA_EncryptOAEP(RSAPublicKey * key, HASH_HashType hashAlg, HASH_HashType maskHashAlg, const unsigned char * label, unsigned int labelLen, const unsigned char * seed, unsigned int seedLen, unsigned char * output, unsigned int * outputLen, unsigned int maxOutputLen, const unsigned char * input, unsigned int inputLen) { SECStatus rv = SECFailure; unsigned int modulusLen = rsa_modulusLen(&key->modulus); unsigned char * oaepEncoded = NULL; if (maxOutputLen < modulusLen) { PORT_SetError(SEC_ERROR_OUTPUT_LEN); return SECFailure; } if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return SECFailure; } if ((labelLen == 0 && label != NULL) || (labelLen > 0 && label == NULL)) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return SECFailure; } oaepEncoded = (unsigned char *)PORT_Alloc(modulusLen); if (oaepEncoded == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } rv = eme_oaep_encode(oaepEncoded, modulusLen, input, inputLen, hashAlg, maskHashAlg, label, labelLen, seed, seedLen); if (rv != SECSuccess) goto done; rv = RSA_PublicKeyOp(key, output, oaepEncoded); if (rv != SECSuccess) goto done; *outputLen = modulusLen; done: PORT_Free(oaepEncoded); return rv; } SECStatus RSA_DecryptOAEP(RSAPrivateKey * key, HASH_HashType hashAlg, HASH_HashType maskHashAlg, const unsigned char * label, unsigned int labelLen, unsigned char * output, unsigned int * outputLen, unsigned int maxOutputLen, const unsigned char * input, unsigned int inputLen) { SECStatus rv = SECFailure; unsigned int modulusLen = rsa_modulusLen(&key->modulus); unsigned char * oaepEncoded = NULL; if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return SECFailure; } if (inputLen != modulusLen) { PORT_SetError(SEC_ERROR_INPUT_LEN); return SECFailure; } if ((labelLen == 0 && label != NULL) || (labelLen > 0 && label == NULL)) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return SECFailure; } oaepEncoded = (unsigned char *)PORT_Alloc(modulusLen); if (oaepEncoded == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } rv = RSA_PrivateKeyOpDoubleChecked(key, oaepEncoded, input); if (rv != SECSuccess) { goto done; } rv = eme_oaep_decode(output, outputLen, maxOutputLen, oaepEncoded, modulusLen, hashAlg, maskHashAlg, label, labelLen); done: if (oaepEncoded) PORT_ZFree(oaepEncoded, modulusLen); return rv; } /* XXX Doesn't set error code */ SECStatus RSA_EncryptBlock(RSAPublicKey * key, unsigned char * output, unsigned int * outputLen, unsigned int maxOutputLen, const unsigned char * input, unsigned int inputLen) { SECStatus rv; unsigned int modulusLen = rsa_modulusLen(&key->modulus); SECItem formatted; SECItem unformatted; formatted.data = NULL; if (maxOutputLen < modulusLen) goto failure; unformatted.len = inputLen; unformatted.data = (unsigned char*)input; formatted.data = NULL; rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPublic, &unformatted); if (rv != SECSuccess) goto failure; rv = RSA_PublicKeyOp(key, output, formatted.data); if (rv != SECSuccess) goto failure; PORT_ZFree(formatted.data, modulusLen); *outputLen = modulusLen; return SECSuccess; failure: if (formatted.data != NULL) PORT_ZFree(formatted.data, modulusLen); return SECFailure; } /* XXX Doesn't set error code */ SECStatus RSA_DecryptBlock(RSAPrivateKey * key, unsigned char * output, unsigned int * outputLen, unsigned int maxOutputLen, const unsigned char * input, unsigned int inputLen) { SECStatus rv; unsigned int modulusLen = rsa_modulusLen(&key->modulus); unsigned int i; unsigned char * buffer; if (inputLen != modulusLen) goto failure; buffer = (unsigned char *)PORT_Alloc(modulusLen + 1); if (!buffer) goto failure; rv = RSA_PrivateKeyOp(key, buffer, input); if (rv != SECSuccess) goto loser; /* XXX(rsleevi): Constant time */ if (buffer[0] != RSA_BLOCK_FIRST_OCTET || buffer[1] != (unsigned char)RSA_BlockPublic) { goto loser; } *outputLen = 0; for (i = 2; i < modulusLen; i++) { if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) { *outputLen = modulusLen - i - 1; break; } } if (*outputLen == 0) goto loser; if (*outputLen > maxOutputLen) goto loser; PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen); PORT_Free(buffer); return SECSuccess; loser: PORT_Free(buffer); failure: return SECFailure; } /* * Encode a RSA-PSS signature. * Described in RFC 3447, section 9.1.1. * We use mHash instead of M as input. * emBits from the RFC is just modBits - 1, see section 8.1.1. * We only support MGF1 as the MGF. * * NOTE: this code assumes modBits is a multiple of 8. */ static SECStatus emsa_pss_encode(unsigned char * em, unsigned int emLen, const unsigned char * mHash, HASH_HashType hashAlg, HASH_HashType maskHashAlg, const unsigned char * salt, unsigned int saltLen) { const SECHashObject * hash; void * hash_context; unsigned char * dbMask; unsigned int dbMaskLen; unsigned int i; SECStatus rv; hash = HASH_GetRawHashObject(hashAlg); dbMaskLen = emLen - hash->length - 1; /* Step 3 */ if (emLen < hash->length + saltLen + 2) { PORT_SetError(SEC_ERROR_OUTPUT_LEN); return SECFailure; } /* Step 4 */ if (salt == NULL) { rv = RNG_GenerateGlobalRandomBytes(&em[dbMaskLen - saltLen], saltLen); if (rv != SECSuccess) { return rv; } } else { PORT_Memcpy(&em[dbMaskLen - saltLen], salt, saltLen); } /* Step 5 + 6 */ /* Compute H and store it at its final location &em[dbMaskLen]. */ hash_context = (*hash->create)(); if (hash_context == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } (*hash->begin)(hash_context); (*hash->update)(hash_context, eightZeros, 8); (*hash->update)(hash_context, mHash, hash->length); (*hash->update)(hash_context, &em[dbMaskLen - saltLen], saltLen); (*hash->end)(hash_context, &em[dbMaskLen], &i, hash->length); (*hash->destroy)(hash_context, PR_TRUE); /* Step 7 + 8 */ PORT_Memset(em, 0, dbMaskLen - saltLen - 1); em[dbMaskLen - saltLen - 1] = 0x01; /* Step 9 */ dbMask = (unsigned char *)PORT_Alloc(dbMaskLen); if (dbMask == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } MGF1(maskHashAlg, dbMask, dbMaskLen, &em[dbMaskLen], hash->length); /* Step 10 */ for (i = 0; i < dbMaskLen; i++) em[i] ^= dbMask[i]; PORT_Free(dbMask); /* Step 11 */ em[0] &= 0x7f; /* Step 12 */ em[emLen - 1] = 0xbc; return SECSuccess; } /* * Verify a RSA-PSS signature. * Described in RFC 3447, section 9.1.2. * We use mHash instead of M as input. * emBits from the RFC is just modBits - 1, see section 8.1.2. * We only support MGF1 as the MGF. * * NOTE: this code assumes modBits is a multiple of 8. */ static SECStatus emsa_pss_verify(const unsigned char * mHash, const unsigned char * em, unsigned int emLen, HASH_HashType hashAlg, HASH_HashType maskHashAlg, unsigned int saltLen) { const SECHashObject * hash; void * hash_context; unsigned char * db; unsigned char * H_; /* H' from the RFC */ unsigned int i; unsigned int dbMaskLen; SECStatus rv; hash = HASH_GetRawHashObject(hashAlg); dbMaskLen = emLen - hash->length - 1; /* Step 3 + 4 + 6 */ if ((emLen < (hash->length + saltLen + 2)) || (em[emLen - 1] != 0xbc) || ((em[0] & 0x80) != 0)) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; } /* Step 7 */ db = (unsigned char *)PORT_Alloc(dbMaskLen); if (db == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } /* &em[dbMaskLen] points to H, used as mgfSeed */ MGF1(maskHashAlg, db, dbMaskLen, &em[dbMaskLen], hash->length); /* Step 8 */ for (i = 0; i < dbMaskLen; i++) { db[i] ^= em[i]; } /* Step 9 */ db[0] &= 0x7f; /* Step 10 */ for (i = 0; i < (dbMaskLen - saltLen - 1); i++) { if (db[i] != 0) { PORT_Free(db); PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; } } if (db[dbMaskLen - saltLen - 1] != 0x01) { PORT_Free(db); PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; } /* Step 12 + 13 */ H_ = (unsigned char *)PORT_Alloc(hash->length); if (H_ == NULL) { PORT_Free(db); PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } hash_context = (*hash->create)(); if (hash_context == NULL) { PORT_Free(db); PORT_Free(H_); PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } (*hash->begin)(hash_context); (*hash->update)(hash_context, eightZeros, 8); (*hash->update)(hash_context, mHash, hash->length); (*hash->update)(hash_context, &db[dbMaskLen - saltLen], saltLen); (*hash->end)(hash_context, H_, &i, hash->length); (*hash->destroy)(hash_context, PR_TRUE); PORT_Free(db); /* Step 14 */ if (PORT_Memcmp(H_, &em[dbMaskLen], hash->length) != 0) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); rv = SECFailure; } else { rv = SECSuccess; } PORT_Free(H_); return rv; } SECStatus RSA_SignPSS(RSAPrivateKey * key, HASH_HashType hashAlg, HASH_HashType maskHashAlg, const unsigned char * salt, unsigned int saltLength, unsigned char * output, unsigned int * outputLen, unsigned int maxOutputLen, const unsigned char * input, unsigned int inputLen) { SECStatus rv = SECSuccess; unsigned int modulusLen = rsa_modulusLen(&key->modulus); unsigned char *pssEncoded = NULL; if (maxOutputLen < modulusLen) { PORT_SetError(SEC_ERROR_OUTPUT_LEN); return SECFailure; } if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return SECFailure; } pssEncoded = (unsigned char *)PORT_Alloc(modulusLen); if (pssEncoded == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } rv = emsa_pss_encode(pssEncoded, modulusLen, input, hashAlg, maskHashAlg, salt, saltLength); if (rv != SECSuccess) goto done; rv = RSA_PrivateKeyOpDoubleChecked(key, output, pssEncoded); *outputLen = modulusLen; done: PORT_Free(pssEncoded); return rv; } SECStatus RSA_CheckSignPSS(RSAPublicKey * key, HASH_HashType hashAlg, HASH_HashType maskHashAlg, unsigned int saltLength, const unsigned char * sig, unsigned int sigLen, const unsigned char * hash, unsigned int hashLen) { SECStatus rv; unsigned int modulusLen = rsa_modulusLen(&key->modulus); unsigned char * buffer; if (sigLen != modulusLen) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; } if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return SECFailure; } buffer = (unsigned char *)PORT_Alloc(modulusLen); if (!buffer) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } rv = RSA_PublicKeyOp(key, buffer, sig); if (rv != SECSuccess) { PORT_Free(buffer); PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; } rv = emsa_pss_verify(hash, buffer, modulusLen, hashAlg, maskHashAlg, saltLength); PORT_Free(buffer); return rv; } /* XXX Doesn't set error code */ SECStatus RSA_Sign(RSAPrivateKey * key, unsigned char * output, unsigned int * outputLen, unsigned int maxOutputLen, const unsigned char * input, unsigned int inputLen) { SECStatus rv = SECSuccess; unsigned int modulusLen = rsa_modulusLen(&key->modulus); SECItem formatted; SECItem unformatted; if (maxOutputLen < modulusLen) return SECFailure; unformatted.len = inputLen; unformatted.data = (unsigned char*)input; formatted.data = NULL; rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPrivate, &unformatted); if (rv != SECSuccess) goto done; rv = RSA_PrivateKeyOpDoubleChecked(key, output, formatted.data); *outputLen = modulusLen; goto done; done: if (formatted.data != NULL) PORT_ZFree(formatted.data, modulusLen); return rv; } /* XXX Doesn't set error code */ SECStatus RSA_CheckSign(RSAPublicKey * key, const unsigned char * sig, unsigned int sigLen, const unsigned char * data, unsigned int dataLen) { SECStatus rv; unsigned int modulusLen = rsa_modulusLen(&key->modulus); unsigned int i; unsigned char * buffer; if (sigLen != modulusLen) goto failure; /* * 0x00 || BT || Pad || 0x00 || ActualData * * The "3" below is the first octet + the second octet + the 0x00 * octet that always comes just before the ActualData. */ if (dataLen > modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)) goto failure; buffer = (unsigned char *)PORT_Alloc(modulusLen + 1); if (!buffer) goto failure; rv = RSA_PublicKeyOp(key, buffer, sig); if (rv != SECSuccess) goto loser; /* * check the padding that was used */ if (buffer[0] != RSA_BLOCK_FIRST_OCTET || buffer[1] != (unsigned char)RSA_BlockPrivate) { goto loser; } for (i = 2; i < modulusLen - dataLen - 1; i++) { if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET) goto loser; } if (buffer[i] != RSA_BLOCK_AFTER_PAD_OCTET) goto loser; /* * make sure we get the same results */ if (PORT_Memcmp(buffer + modulusLen - dataLen, data, dataLen) != 0) goto loser; PORT_Free(buffer); return SECSuccess; loser: PORT_Free(buffer); failure: return SECFailure; } /* XXX Doesn't set error code */ SECStatus RSA_CheckSignRecover(RSAPublicKey * key, unsigned char * output, unsigned int * outputLen, unsigned int maxOutputLen, const unsigned char * sig, unsigned int sigLen) { SECStatus rv; unsigned int modulusLen = rsa_modulusLen(&key->modulus); unsigned int i; unsigned char * buffer; if (sigLen != modulusLen) goto failure; buffer = (unsigned char *)PORT_Alloc(modulusLen + 1); if (!buffer) goto failure; rv = RSA_PublicKeyOp(key, buffer, sig); if (rv != SECSuccess) goto loser; *outputLen = 0; /* * check the padding that was used */ if (buffer[0] != RSA_BLOCK_FIRST_OCTET || buffer[1] != (unsigned char)RSA_BlockPrivate) { goto loser; } for (i = 2; i < modulusLen; i++) { if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) { *outputLen = modulusLen - i - 1; break; } if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET) goto loser; } if (*outputLen == 0) goto loser; if (*outputLen > maxOutputLen) goto loser; PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen); PORT_Free(buffer); return SECSuccess; loser: PORT_Free(buffer); failure: return SECFailure; }