diff nss/lib/freebl/rsapkcs.c @ 0:1e5118fa0cb1

This is NSS with a Cmake Buildsyste To compile a static NSS library for Windows we've used the Chromium-NSS fork and added a Cmake buildsystem to compile it statically for Windows. See README.chromium for chromium changes and README.trustbridge for our modifications.
author Andre Heinecke <andre.heinecke@intevation.de>
date Mon, 28 Jul 2014 10:47:06 +0200
parents
children
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/nss/lib/freebl/rsapkcs.c	Mon Jul 28 10:47:06 2014 +0200
@@ -0,0 +1,1380 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * RSA PKCS#1 v2.1 (RFC 3447) operations
+ */
+
+#ifdef FREEBL_NO_DEPEND
+#include "stubs.h"
+#endif
+
+#include "secerr.h"
+
+#include "blapi.h"
+#include "secitem.h"
+#include "blapii.h"
+
+#define RSA_BLOCK_MIN_PAD_LEN            8
+#define RSA_BLOCK_FIRST_OCTET            0x00
+#define RSA_BLOCK_PRIVATE_PAD_OCTET      0xff
+#define RSA_BLOCK_AFTER_PAD_OCTET        0x00
+
+/*
+ * RSA block types
+ *
+ * The values of RSA_BlockPrivate and RSA_BlockPublic are fixed.
+ * The value of RSA_BlockRaw isn't fixed by definition, but we are keeping
+ * the value that NSS has been using in the past.
+ */
+typedef enum {
+    RSA_BlockPrivate = 1,   /* pad for a private-key operation */
+    RSA_BlockPublic = 2,    /* pad for a public-key operation */
+    RSA_BlockRaw = 4        /* simply justify the block appropriately */
+} RSA_BlockType;
+
+/* Needed for RSA-PSS functions */
+static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+
+/* Constant time comparison of a single byte.
+ * Returns 1 iff a == b, otherwise returns 0.
+ * Note: For ranges of bytes, use constantTimeCompare.
+ */
+static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
+    unsigned char c = ~((a - b) | (b - a));
+    c >>= 7;
+    return c;
+}
+
+/* Constant time comparison of a range of bytes.
+ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
+ * returns 0.
+ */
+static unsigned char constantTimeCompare(const unsigned char *a,
+                                         const unsigned char *b,
+                                         unsigned int len) {
+    unsigned char tmp = 0;
+    unsigned int i;
+    for (i = 0; i < len; ++i, ++a, ++b)
+        tmp |= *a ^ *b;
+    return constantTimeEQ8(0x00, tmp);
+}
+
+/* Constant time conditional.
+ * Returns a if c is 1, or b if c is 0. The result is undefined if c is
+ * not 0 or 1.
+ */
+static unsigned int constantTimeCondition(unsigned int c,
+                                          unsigned int a,
+                                          unsigned int b)
+{
+    return (~(c - 1) & a) | ((c - 1) & b);
+}
+
+static unsigned int
+rsa_modulusLen(SECItem * modulus)
+{
+    unsigned char byteZero = modulus->data[0];
+    unsigned int modLen = modulus->len - !byteZero;
+    return modLen;
+}
+
+/*
+ * Format one block of data for public/private key encryption using
+ * the rules defined in PKCS #1.
+ */
+static unsigned char *
+rsa_FormatOneBlock(unsigned modulusLen,
+                   RSA_BlockType blockType,
+                   SECItem * data)
+{
+    unsigned char *block;
+    unsigned char *bp;
+    int padLen;
+    int i, j;
+    SECStatus rv;
+
+    block = (unsigned char *) PORT_Alloc(modulusLen);
+    if (block == NULL)
+        return NULL;
+
+    bp = block;
+
+    /*
+     * All RSA blocks start with two octets:
+     *	0x00 || BlockType
+     */
+    *bp++ = RSA_BLOCK_FIRST_OCTET;
+    *bp++ = (unsigned char) blockType;
+
+    switch (blockType) {
+
+      /*
+       * Blocks intended for private-key operation.
+       */
+      case RSA_BlockPrivate:	 /* preferred method */
+        /*
+         * 0x00 || BT || Pad || 0x00 || ActualData
+         *   1      1   padLen    1      data->len
+         * Pad is either all 0x00 or all 0xff bytes, depending on blockType.
+         */
+        padLen = modulusLen - data->len - 3;
+        PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
+        if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+            PORT_Free(block);
+            return NULL;
+        }
+        PORT_Memset(bp, RSA_BLOCK_PRIVATE_PAD_OCTET, padLen);
+        bp += padLen;
+        *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+        PORT_Memcpy(bp, data->data, data->len);
+        break;
+
+      /*
+       * Blocks intended for public-key operation.
+       */
+      case RSA_BlockPublic:
+        /*
+         * 0x00 || BT || Pad || 0x00 || ActualData
+         *   1      1   padLen    1      data->len
+         * Pad is all non-zero random bytes.
+         *
+         * Build the block left to right.
+         * Fill the entire block from Pad to the end with random bytes.
+         * Use the bytes after Pad as a supply of extra random bytes from
+         * which to find replacements for the zero bytes in Pad.
+         * If we need more than that, refill the bytes after Pad with
+         * new random bytes as necessary.
+         */
+        padLen = modulusLen - (data->len + 3);
+        PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
+        if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+            PORT_Free(block);
+            return NULL;
+        }
+        j = modulusLen - 2;
+        rv = RNG_GenerateGlobalRandomBytes(bp, j);
+        if (rv == SECSuccess) {
+            for (i = 0; i < padLen; ) {
+                unsigned char repl;
+                /* Pad with non-zero random data. */
+                if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
+                    ++i;
+                    continue;
+                }
+                if (j <= padLen) {
+                    rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
+                                          modulusLen - (2 + padLen));
+                    if (rv != SECSuccess)
+                        break;
+                    j = modulusLen - 2;
+                }
+                do {
+                    repl = bp[--j];
+                } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
+                if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
+                    bp[i++] = repl;
+                }
+            }
+        }
+        if (rv != SECSuccess) {
+            PORT_Free(block);
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            return NULL;
+        }
+        bp += padLen;
+        *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+        PORT_Memcpy(bp, data->data, data->len);
+        break;
+
+      default:
+        PORT_Assert(0);
+        PORT_Free(block);
+        return NULL;
+    }
+
+    return block;
+}
+
+static SECStatus
+rsa_FormatBlock(SECItem * result,
+                unsigned modulusLen,
+                RSA_BlockType blockType,
+                SECItem * data)
+{
+    switch (blockType) {
+      case RSA_BlockPrivate:
+      case RSA_BlockPublic:
+        /*
+         * 0x00 || BT || Pad || 0x00 || ActualData
+         *
+         * The "3" below is the first octet + the second octet + the 0x00
+         * octet that always comes just before the ActualData.
+         */
+        PORT_Assert(data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)));
+
+        result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
+        if (result->data == NULL) {
+            result->len = 0;
+            return SECFailure;
+        }
+        result->len = modulusLen;
+
+        break;
+
+      case RSA_BlockRaw:
+        /*
+         * Pad || ActualData
+         * Pad is zeros. The application is responsible for recovering
+         * the actual data.
+         */
+        if (data->len > modulusLen ) {
+            return SECFailure;
+        }
+        result->data = (unsigned char*)PORT_ZAlloc(modulusLen);
+        result->len = modulusLen;
+        PORT_Memcpy(result->data + (modulusLen - data->len),
+                    data->data, data->len);
+        break;
+
+      default:
+        PORT_Assert(0);
+        result->data = NULL;
+        result->len = 0;
+        return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+/*
+ * Mask generation function MGF1 as defined in PKCS #1 v2.1 / RFC 3447.
+ */
+static SECStatus
+MGF1(HASH_HashType hashAlg,
+     unsigned char * mask,
+     unsigned int maskLen,
+     const unsigned char * mgfSeed,
+     unsigned int mgfSeedLen)
+{
+    unsigned int digestLen;
+    PRUint32 counter;
+    PRUint32 rounds;
+    unsigned char * tempHash;
+    unsigned char * temp;
+    const SECHashObject * hash;
+    void * hashContext;
+    unsigned char C[4];
+
+    hash = HASH_GetRawHashObject(hashAlg);
+    if (hash == NULL)
+        return SECFailure;
+
+    hashContext = (*hash->create)();
+    rounds = (maskLen + hash->length - 1) / hash->length;
+    for (counter = 0; counter < rounds; counter++) {
+        C[0] = (unsigned char)((counter >> 24) & 0xff);
+        C[1] = (unsigned char)((counter >> 16) & 0xff);
+        C[2] = (unsigned char)((counter >> 8) & 0xff);
+        C[3] = (unsigned char)(counter & 0xff);
+
+        /* This could be optimized when the clone functions in
+         * rawhash.c are implemented. */
+        (*hash->begin)(hashContext);
+        (*hash->update)(hashContext, mgfSeed, mgfSeedLen);
+        (*hash->update)(hashContext, C, sizeof C);
+
+        tempHash = mask + counter * hash->length;
+        if (counter != (rounds - 1)) {
+            (*hash->end)(hashContext, tempHash, &digestLen, hash->length);
+        } else { /* we're in the last round and need to cut the hash */
+            temp = (unsigned char *)PORT_Alloc(hash->length);
+            (*hash->end)(hashContext, temp, &digestLen, hash->length);
+            PORT_Memcpy(tempHash, temp, maskLen - counter * hash->length);
+            PORT_Free(temp);
+        }
+    }
+    (*hash->destroy)(hashContext, PR_TRUE);
+
+    return SECSuccess;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_SignRaw(RSAPrivateKey * key,
+            unsigned char * output,
+            unsigned int * outputLen,
+            unsigned int maxOutputLen,
+            const unsigned char * data,
+            unsigned int dataLen)
+{
+    SECStatus rv = SECSuccess;
+    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+    SECItem formatted;
+    SECItem unformatted;
+
+    if (maxOutputLen < modulusLen)
+        return SECFailure;
+
+    unformatted.len  = dataLen;
+    unformatted.data = (unsigned char*)data;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockRaw, &unformatted);
+    if (rv != SECSuccess)
+        goto done;
+
+    rv = RSA_PrivateKeyOpDoubleChecked(key, output, formatted.data);
+    *outputLen = modulusLen;
+
+done:
+    if (formatted.data != NULL)
+        PORT_ZFree(formatted.data, modulusLen);
+    return rv;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRaw(RSAPublicKey * key,
+                 const unsigned char * sig,
+                 unsigned int sigLen,
+                 const unsigned char * hash,
+                 unsigned int hashLen)
+{
+    SECStatus rv;
+    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+    unsigned char * buffer;
+
+    if (sigLen != modulusLen)
+        goto failure;
+    if (hashLen > modulusLen)
+        goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
+    if (!buffer)
+        goto failure;
+
+    rv = RSA_PublicKeyOp(key, buffer, sig);
+    if (rv != SECSuccess)
+        goto loser;
+
+    /*
+     * make sure we get the same results
+     */
+    /* XXX(rsleevi): Constant time */
+    /* NOTE: should we verify the leading zeros? */
+    if (PORT_Memcmp(buffer + (modulusLen - hashLen), hash, hashLen) != 0)
+        goto loser;
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRecoverRaw(RSAPublicKey * key,
+                        unsigned char * data,
+                        unsigned int * dataLen,
+                        unsigned int maxDataLen,
+                        const unsigned char * sig,
+                        unsigned int sigLen)
+{
+    SECStatus rv;
+    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+
+    if (sigLen != modulusLen)
+        goto failure;
+    if (maxDataLen < modulusLen)
+        goto failure;
+
+    rv = RSA_PublicKeyOp(key, data, sig);
+    if (rv != SECSuccess)
+        goto failure;
+
+    *dataLen = modulusLen;
+    return SECSuccess;
+
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_EncryptRaw(RSAPublicKey * key,
+               unsigned char * output,
+               unsigned int * outputLen,
+               unsigned int maxOutputLen,
+               const unsigned char * input,
+               unsigned int inputLen)
+{
+    SECStatus rv;
+    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+    SECItem formatted;
+    SECItem unformatted;
+
+    formatted.data = NULL;
+    if (maxOutputLen < modulusLen)
+        goto failure;
+
+    unformatted.len  = inputLen;
+    unformatted.data = (unsigned char*)input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockRaw, &unformatted);
+    if (rv != SECSuccess)
+        goto failure;
+
+    rv = RSA_PublicKeyOp(key, output, formatted.data);
+    if (rv != SECSuccess)
+        goto failure;
+
+    PORT_ZFree(formatted.data, modulusLen);
+    *outputLen = modulusLen;
+    return SECSuccess;
+
+failure:
+    if (formatted.data != NULL)
+        PORT_ZFree(formatted.data, modulusLen);
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_DecryptRaw(RSAPrivateKey * key,
+               unsigned char * output,
+               unsigned int * outputLen,
+               unsigned int maxOutputLen,
+               const unsigned char * input,
+               unsigned int inputLen)
+{
+    SECStatus rv;
+    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+
+    if (modulusLen > maxOutputLen)
+        goto failure;
+    if (inputLen != modulusLen)
+        goto failure;
+
+    rv = RSA_PrivateKeyOp(key, output, input);
+    if (rv != SECSuccess)
+        goto failure;
+
+    *outputLen = modulusLen;
+    return SECSuccess;
+
+failure:
+    return SECFailure;
+}
+
+/*
+ * Decodes an EME-OAEP encoded block, validating the encoding in constant
+ * time.
+ * Described in RFC 3447, section 7.1.2.
+ * input contains the encoded block, after decryption.
+ * label is the optional value L that was associated with the message.
+ * On success, the original message and message length will be stored in
+ * output and outputLen.
+ */
+static SECStatus
+eme_oaep_decode(unsigned char * output,
+                unsigned int * outputLen,
+                unsigned int maxOutputLen,
+                const unsigned char * input,
+                unsigned int inputLen,
+                HASH_HashType hashAlg,
+                HASH_HashType maskHashAlg,
+                const unsigned char * label,
+                unsigned int labelLen)
+{
+    const SECHashObject * hash;
+    void * hashContext;
+    SECStatus rv = SECFailure;
+    unsigned char labelHash[HASH_LENGTH_MAX];
+    unsigned int i;
+    unsigned int maskLen;
+    unsigned int paddingOffset;
+    unsigned char * mask = NULL;
+    unsigned char * tmpOutput = NULL;
+    unsigned char isGood;
+    unsigned char foundPaddingEnd;
+
+    hash = HASH_GetRawHashObject(hashAlg);
+
+    /* 1.c */
+    if (inputLen < (hash->length * 2) + 2) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+
+    /* Step 3.a - Generate lHash */
+    hashContext = (*hash->create)();
+    if (hashContext == NULL) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    (*hash->begin)(hashContext);
+    if (labelLen > 0)
+        (*hash->update)(hashContext, label, labelLen);
+    (*hash->end)(hashContext, labelHash, &i, sizeof(labelHash));
+    (*hash->destroy)(hashContext, PR_TRUE);
+
+    tmpOutput = (unsigned char*)PORT_Alloc(inputLen);
+    if (tmpOutput == NULL) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        goto done;
+    }
+
+    maskLen = inputLen - hash->length - 1;
+    mask = (unsigned char*)PORT_Alloc(maskLen);
+    if (mask == NULL) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        goto done;
+    }
+
+    PORT_Memcpy(tmpOutput, input, inputLen);
+
+    /* 3.c - Generate seedMask */
+    MGF1(maskHashAlg, mask, hash->length, &tmpOutput[1 + hash->length],
+         inputLen - hash->length - 1);
+    /* 3.d - Unmask seed */
+    for (i = 0; i < hash->length; ++i)
+        tmpOutput[1 + i] ^= mask[i];
+
+    /* 3.e - Generate dbMask */
+    MGF1(maskHashAlg, mask, maskLen, &tmpOutput[1], hash->length);
+    /* 3.f - Unmask DB */
+    for (i = 0; i < maskLen; ++i)
+        tmpOutput[1 + hash->length + i] ^= mask[i];
+
+    /* 3.g - Compare Y, lHash, and PS in constant time
+     * Warning: This code is timing dependent and must not disclose which of
+     * these were invalid.
+     */
+    paddingOffset = 0;
+    isGood = 1;
+    foundPaddingEnd = 0;
+
+    /* Compare Y */
+    isGood &= constantTimeEQ8(0x00, tmpOutput[0]);
+
+    /* Compare lHash and lHash' */
+    isGood &= constantTimeCompare(&labelHash[0],
+                                  &tmpOutput[1 + hash->length],
+                                  hash->length);
+
+    /* Compare that the padding is zero or more zero octets, followed by a
+     * 0x01 octet */
+    for (i = 1 + (hash->length * 2); i < inputLen; ++i) {
+        unsigned char isZero = constantTimeEQ8(0x00, tmpOutput[i]);
+        unsigned char isOne = constantTimeEQ8(0x01, tmpOutput[i]);
+        /* non-constant time equivalent:
+         * if (tmpOutput[i] == 0x01 && !foundPaddingEnd)
+         *     paddingOffset = i;
+         */
+        paddingOffset = constantTimeCondition(isOne & ~foundPaddingEnd, i,
+                                              paddingOffset);
+        /* non-constant time equivalent:
+         * if (tmpOutput[i] == 0x01)
+         *    foundPaddingEnd = true;
+         *
+         * Note: This may yield false positives, as it will be set whenever
+         * a 0x01 byte is encountered. If there was bad padding (eg:
+         * 0x03 0x02 0x01), foundPaddingEnd will still be set to true, and
+         * paddingOffset will still be set to 2.
+         */
+        foundPaddingEnd = constantTimeCondition(isOne, 1, foundPaddingEnd);
+        /* non-constant time equivalent:
+         * if (tmpOutput[i] != 0x00 && tmpOutput[i] != 0x01 &&
+         *     !foundPaddingEnd) {
+         *    isGood = false;
+         * }
+         *
+         * Note: This may yield false positives, as a message (and padding)
+         * that is entirely zeros will result in isGood still being true. Thus
+         * it's necessary to check foundPaddingEnd is positive below.
+         */
+        isGood = constantTimeCondition(~foundPaddingEnd & ~isZero, 0, isGood);
+    }
+
+    /* While both isGood and foundPaddingEnd may have false positives, they
+     * cannot BOTH have false positives. If both are not true, then an invalid
+     * message was received. Note, this comparison must still be done in constant
+     * time so as not to leak either condition.
+     */
+    if (!(isGood & foundPaddingEnd)) {
+        PORT_SetError(SEC_ERROR_BAD_DATA);
+        goto done;
+    }
+
+    /* End timing dependent code */
+
+    ++paddingOffset; /* Skip the 0x01 following the end of PS */
+
+    *outputLen = inputLen - paddingOffset;
+    if (*outputLen > maxOutputLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        goto done;
+    }
+
+    if (*outputLen)
+        PORT_Memcpy(output, &tmpOutput[paddingOffset], *outputLen);
+    rv = SECSuccess;
+
+done:
+    if (mask)
+        PORT_ZFree(mask, maskLen);
+    if (tmpOutput)
+        PORT_ZFree(tmpOutput, inputLen);
+    return rv;
+}
+
+/*
+ * Generate an EME-OAEP encoded block for encryption
+ * Described in RFC 3447, section 7.1.1
+ * We use input instead of M for the message to be encrypted
+ * label is the optional value L to be associated with the message.
+ */
+static SECStatus
+eme_oaep_encode(unsigned char * em,
+                unsigned int emLen,
+                const unsigned char * input,
+                unsigned int inputLen,
+                HASH_HashType hashAlg,
+                HASH_HashType maskHashAlg,
+                const unsigned char * label,
+                unsigned int labelLen,
+                const unsigned char * seed,
+                unsigned int seedLen)
+{
+    const SECHashObject * hash;
+    void * hashContext;
+    SECStatus rv;
+    unsigned char * mask;
+    unsigned int reservedLen;
+    unsigned int dbMaskLen;
+    unsigned int i;
+
+    hash = HASH_GetRawHashObject(hashAlg);
+    PORT_Assert(seed == NULL || seedLen == hash->length);
+
+    /* Step 1.b */
+    reservedLen = (2 * hash->length) + 2;
+    if (emLen < reservedLen || inputLen > (emLen - reservedLen)) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+
+    /*
+     * From RFC 3447, Section 7.1
+     *                      +----------+---------+-------+
+     *                 DB = |  lHash   |    PS   |   M   |
+     *                      +----------+---------+-------+
+     *                                     |
+     *           +----------+              V
+     *           |   seed   |--> MGF ---> xor
+     *           +----------+              |
+     *                 |                   |
+     *        +--+     V                   |
+     *        |00|    xor <----- MGF <-----|
+     *        +--+     |                   |
+     *          |      |                   |
+     *          V      V                   V
+     *        +--+----------+----------------------------+
+     *  EM =  |00|maskedSeed|          maskedDB          |
+     *        +--+----------+----------------------------+
+     *
+     * We use mask to hold the result of the MGF functions, and all other
+     * values are generated in their final resting place.
+     */
+    *em = 0x00;
+
+    /* Step 2.a - Generate lHash */
+    hashContext = (*hash->create)();
+    if (hashContext == NULL) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    (*hash->begin)(hashContext);
+    if (labelLen > 0)
+        (*hash->update)(hashContext, label, labelLen);
+    (*hash->end)(hashContext, &em[1 + hash->length], &i, hash->length);
+    (*hash->destroy)(hashContext, PR_TRUE);
+
+    /* Step 2.b - Generate PS */
+    if (emLen - reservedLen - inputLen > 0) {
+        PORT_Memset(em + 1 + (hash->length * 2), 0x00,
+                    emLen - reservedLen - inputLen);
+    }
+
+    /* Step 2.c. - Generate DB
+     * DB = lHash || PS || 0x01 || M
+     * Note that PS and lHash have already been placed into em at their
+     * appropriate offsets. This just copies M into place
+     */
+    em[emLen - inputLen - 1] = 0x01;
+    if (inputLen)
+        PORT_Memcpy(em + emLen - inputLen, input, inputLen);
+
+    if (seed == NULL) {
+        /* Step 2.d - Generate seed */
+        rv = RNG_GenerateGlobalRandomBytes(em + 1, hash->length);
+        if (rv != SECSuccess) {
+            return rv;
+        }
+    } else {
+        /* For Known Answer Tests, copy the supplied seed. */
+        PORT_Memcpy(em + 1, seed, seedLen);
+    }
+
+    /* Step 2.e - Generate dbMask*/
+    dbMaskLen = emLen - hash->length - 1;
+    mask = (unsigned char*)PORT_Alloc(dbMaskLen);
+    if (mask == NULL) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    MGF1(maskHashAlg, mask, dbMaskLen, em + 1, hash->length);
+    /* Step 2.f - Compute maskedDB*/
+    for (i = 0; i < dbMaskLen; ++i)
+        em[1 + hash->length + i] ^= mask[i];
+
+    /* Step 2.g - Generate seedMask */
+    MGF1(maskHashAlg, mask, hash->length, &em[1 + hash->length], dbMaskLen);
+    /* Step 2.h - Compute maskedSeed */
+    for (i = 0; i < hash->length; ++i)
+        em[1 + i] ^= mask[i];
+
+    PORT_ZFree(mask, dbMaskLen);
+    return SECSuccess;
+}
+
+SECStatus
+RSA_EncryptOAEP(RSAPublicKey * key,
+                HASH_HashType hashAlg,
+                HASH_HashType maskHashAlg,
+                const unsigned char * label,
+                unsigned int labelLen,
+                const unsigned char * seed,
+                unsigned int seedLen,
+                unsigned char * output,
+                unsigned int * outputLen,
+                unsigned int maxOutputLen,
+                const unsigned char * input,
+                unsigned int inputLen)
+{
+    SECStatus rv = SECFailure;
+    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+    unsigned char * oaepEncoded = NULL;
+
+    if (maxOutputLen < modulusLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+
+    if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
+        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        return SECFailure;
+    }
+
+    if ((labelLen == 0 && label != NULL) ||
+        (labelLen > 0 && label == NULL)) {
+        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        return SECFailure;
+    }
+
+    oaepEncoded = (unsigned char *)PORT_Alloc(modulusLen);
+    if (oaepEncoded == NULL) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    rv = eme_oaep_encode(oaepEncoded, modulusLen, input, inputLen,
+                         hashAlg, maskHashAlg, label, labelLen, seed, seedLen);
+    if (rv != SECSuccess)
+        goto done;
+
+    rv = RSA_PublicKeyOp(key, output, oaepEncoded);
+    if (rv != SECSuccess)
+        goto done;
+    *outputLen = modulusLen;
+
+done:
+    PORT_Free(oaepEncoded);
+    return rv;
+}
+
+SECStatus
+RSA_DecryptOAEP(RSAPrivateKey * key,
+                HASH_HashType hashAlg,
+                HASH_HashType maskHashAlg,
+                const unsigned char * label,
+                unsigned int labelLen,
+                unsigned char * output,
+                unsigned int * outputLen,
+                unsigned int maxOutputLen,
+                const unsigned char * input,
+                unsigned int inputLen)
+{
+    SECStatus rv = SECFailure;
+    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+    unsigned char * oaepEncoded = NULL;
+
+    if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
+        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        return SECFailure;
+    }
+
+    if (inputLen != modulusLen) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+
+    if ((labelLen == 0 && label != NULL) ||
+        (labelLen > 0 && label == NULL)) {
+        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        return SECFailure;
+    }
+
+    oaepEncoded = (unsigned char *)PORT_Alloc(modulusLen);
+    if (oaepEncoded == NULL) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+
+    rv = RSA_PrivateKeyOpDoubleChecked(key, oaepEncoded, input);
+    if (rv != SECSuccess) {
+        goto done;
+    }
+    rv = eme_oaep_decode(output, outputLen, maxOutputLen, oaepEncoded,
+                         modulusLen, hashAlg, maskHashAlg, label,
+                         labelLen);
+
+done:
+    if (oaepEncoded)
+        PORT_ZFree(oaepEncoded, modulusLen);
+    return rv;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_EncryptBlock(RSAPublicKey * key,
+                 unsigned char * output,
+                 unsigned int * outputLen,
+                 unsigned int maxOutputLen,
+                 const unsigned char * input,
+                 unsigned int inputLen)
+{
+    SECStatus rv;
+    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+    SECItem formatted;
+    SECItem unformatted;
+
+    formatted.data = NULL;
+    if (maxOutputLen < modulusLen)
+        goto failure;
+
+    unformatted.len  = inputLen;
+    unformatted.data = (unsigned char*)input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPublic,
+                         &unformatted);
+    if (rv != SECSuccess)
+        goto failure;
+
+    rv = RSA_PublicKeyOp(key, output, formatted.data);
+    if (rv != SECSuccess)
+        goto failure;
+
+    PORT_ZFree(formatted.data, modulusLen);
+    *outputLen = modulusLen;
+    return SECSuccess;
+
+failure:
+    if (formatted.data != NULL)
+        PORT_ZFree(formatted.data, modulusLen);
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_DecryptBlock(RSAPrivateKey * key,
+                 unsigned char * output,
+                 unsigned int * outputLen,
+                 unsigned int maxOutputLen,
+                 const unsigned char * input,
+                 unsigned int inputLen)
+{
+    SECStatus rv;
+    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+    unsigned int i;
+    unsigned char * buffer;
+
+    if (inputLen != modulusLen)
+        goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
+    if (!buffer)
+        goto failure;
+
+    rv = RSA_PrivateKeyOp(key, buffer, input);
+    if (rv != SECSuccess)
+        goto loser;
+
+    /* XXX(rsleevi): Constant time */
+    if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
+        buffer[1] != (unsigned char)RSA_BlockPublic) {
+        goto loser;
+    }
+    *outputLen = 0;
+    for (i = 2; i < modulusLen; i++) {
+        if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
+            *outputLen = modulusLen - i - 1;
+            break;
+        }
+    }
+    if (*outputLen == 0)
+        goto loser;
+    if (*outputLen > maxOutputLen)
+        goto loser;
+
+    PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen);
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/*
+ * Encode a RSA-PSS signature.
+ * Described in RFC 3447, section 9.1.1.
+ * We use mHash instead of M as input.
+ * emBits from the RFC is just modBits - 1, see section 8.1.1.
+ * We only support MGF1 as the MGF.
+ *
+ * NOTE: this code assumes modBits is a multiple of 8.
+ */
+static SECStatus
+emsa_pss_encode(unsigned char * em,
+                unsigned int emLen,
+                const unsigned char * mHash,
+                HASH_HashType hashAlg,
+                HASH_HashType maskHashAlg,
+                const unsigned char * salt,
+                unsigned int saltLen)
+{
+    const SECHashObject * hash;
+    void * hash_context;
+    unsigned char * dbMask;
+    unsigned int dbMaskLen;
+    unsigned int i;
+    SECStatus rv;
+
+    hash = HASH_GetRawHashObject(hashAlg);
+    dbMaskLen = emLen - hash->length - 1;
+
+    /* Step 3 */
+    if (emLen < hash->length + saltLen + 2) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+
+    /* Step 4 */
+    if (salt == NULL) {
+        rv = RNG_GenerateGlobalRandomBytes(&em[dbMaskLen - saltLen], saltLen);
+        if (rv != SECSuccess) {
+            return rv;
+        }
+    } else {
+        PORT_Memcpy(&em[dbMaskLen - saltLen], salt, saltLen);
+    }
+
+    /* Step 5 + 6 */
+    /* Compute H and store it at its final location &em[dbMaskLen]. */
+    hash_context = (*hash->create)();
+    if (hash_context == NULL) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    (*hash->begin)(hash_context);
+    (*hash->update)(hash_context, eightZeros, 8);
+    (*hash->update)(hash_context, mHash, hash->length);
+    (*hash->update)(hash_context, &em[dbMaskLen - saltLen], saltLen);
+    (*hash->end)(hash_context, &em[dbMaskLen], &i, hash->length);
+    (*hash->destroy)(hash_context, PR_TRUE);
+
+    /* Step 7 + 8 */
+    PORT_Memset(em, 0, dbMaskLen - saltLen - 1);
+    em[dbMaskLen - saltLen - 1] = 0x01;
+
+    /* Step 9 */
+    dbMask = (unsigned char *)PORT_Alloc(dbMaskLen);
+    if (dbMask == NULL) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    MGF1(maskHashAlg, dbMask, dbMaskLen, &em[dbMaskLen], hash->length);
+
+    /* Step 10 */
+    for (i = 0; i < dbMaskLen; i++)
+        em[i] ^= dbMask[i];
+    PORT_Free(dbMask);
+
+    /* Step 11 */
+    em[0] &= 0x7f;
+
+    /* Step 12 */
+    em[emLen - 1] = 0xbc;
+
+    return SECSuccess;
+}
+
+/*
+ * Verify a RSA-PSS signature.
+ * Described in RFC 3447, section 9.1.2.
+ * We use mHash instead of M as input.
+ * emBits from the RFC is just modBits - 1, see section 8.1.2.
+ * We only support MGF1 as the MGF.
+ *
+ * NOTE: this code assumes modBits is a multiple of 8.
+ */
+static SECStatus
+emsa_pss_verify(const unsigned char * mHash,
+                const unsigned char * em,
+                unsigned int emLen,
+                HASH_HashType hashAlg,
+                HASH_HashType maskHashAlg,
+                unsigned int saltLen)
+{
+    const SECHashObject * hash;
+    void * hash_context;
+    unsigned char * db;
+    unsigned char * H_;  /* H' from the RFC */
+    unsigned int i;
+    unsigned int dbMaskLen;
+    SECStatus rv;
+
+    hash = HASH_GetRawHashObject(hashAlg);
+    dbMaskLen = emLen - hash->length - 1;
+
+    /* Step 3 + 4 + 6 */
+    if ((emLen < (hash->length + saltLen + 2)) ||
+        (em[emLen - 1] != 0xbc) ||
+        ((em[0] & 0x80) != 0)) {
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        return SECFailure;
+    }
+
+    /* Step 7 */
+    db = (unsigned char *)PORT_Alloc(dbMaskLen);
+    if (db == NULL) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    /* &em[dbMaskLen] points to H, used as mgfSeed */
+    MGF1(maskHashAlg, db, dbMaskLen, &em[dbMaskLen], hash->length);
+
+    /* Step 8 */
+    for (i = 0; i < dbMaskLen; i++) {
+        db[i] ^= em[i];
+    }
+
+    /* Step 9 */
+    db[0] &= 0x7f;
+
+    /* Step 10 */
+    for (i = 0; i < (dbMaskLen - saltLen - 1); i++) {
+        if (db[i] != 0) {
+            PORT_Free(db);
+            PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+            return SECFailure;
+        }
+    }
+    if (db[dbMaskLen - saltLen - 1] != 0x01) {
+        PORT_Free(db);
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        return SECFailure;
+    }
+
+    /* Step 12 + 13 */
+    H_ = (unsigned char *)PORT_Alloc(hash->length);
+    if (H_ == NULL) {
+        PORT_Free(db);
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    hash_context = (*hash->create)();
+    if (hash_context == NULL) {
+        PORT_Free(db);
+        PORT_Free(H_);
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    (*hash->begin)(hash_context);
+    (*hash->update)(hash_context, eightZeros, 8);
+    (*hash->update)(hash_context, mHash, hash->length);
+    (*hash->update)(hash_context, &db[dbMaskLen - saltLen], saltLen);
+    (*hash->end)(hash_context, H_, &i, hash->length);
+    (*hash->destroy)(hash_context, PR_TRUE);
+
+    PORT_Free(db);
+
+    /* Step 14 */
+    if (PORT_Memcmp(H_, &em[dbMaskLen], hash->length) != 0) {
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        rv = SECFailure;
+    } else {
+        rv = SECSuccess;
+    }
+
+    PORT_Free(H_);
+    return rv;
+}
+
+SECStatus
+RSA_SignPSS(RSAPrivateKey * key,
+            HASH_HashType hashAlg,
+            HASH_HashType maskHashAlg,
+            const unsigned char * salt,
+            unsigned int saltLength,
+            unsigned char * output,
+            unsigned int * outputLen,
+            unsigned int maxOutputLen,
+            const unsigned char * input,
+            unsigned int inputLen)
+{
+    SECStatus rv = SECSuccess;
+    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+    unsigned char *pssEncoded = NULL;
+
+    if (maxOutputLen < modulusLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+
+    if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
+        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        return SECFailure;
+    }
+
+    pssEncoded = (unsigned char *)PORT_Alloc(modulusLen);
+    if (pssEncoded == NULL) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    rv = emsa_pss_encode(pssEncoded, modulusLen, input, hashAlg,
+                         maskHashAlg, salt, saltLength);
+    if (rv != SECSuccess)
+        goto done;
+
+    rv = RSA_PrivateKeyOpDoubleChecked(key, output, pssEncoded);
+    *outputLen = modulusLen;
+
+done:
+    PORT_Free(pssEncoded);
+    return rv;
+}
+
+SECStatus
+RSA_CheckSignPSS(RSAPublicKey * key,
+                 HASH_HashType hashAlg,
+                 HASH_HashType maskHashAlg,
+                 unsigned int saltLength,
+                 const unsigned char * sig,
+                 unsigned int sigLen,
+                 const unsigned char * hash,
+                 unsigned int hashLen)
+{
+    SECStatus rv;
+    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+    unsigned char * buffer;
+
+    if (sigLen != modulusLen) {
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        return SECFailure;
+    }
+
+    if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
+        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        return SECFailure;
+    }
+
+    buffer = (unsigned char *)PORT_Alloc(modulusLen);
+    if (!buffer) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+
+    rv = RSA_PublicKeyOp(key, buffer, sig);
+    if (rv != SECSuccess) {
+        PORT_Free(buffer);
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        return SECFailure;
+    }
+
+    rv = emsa_pss_verify(hash, buffer, modulusLen, hashAlg,
+                         maskHashAlg, saltLength);
+    PORT_Free(buffer);
+
+    return rv;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_Sign(RSAPrivateKey * key,
+         unsigned char * output,
+         unsigned int * outputLen,
+         unsigned int maxOutputLen,
+         const unsigned char * input,
+         unsigned int inputLen)
+{
+    SECStatus rv = SECSuccess;
+    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+    SECItem formatted;
+    SECItem unformatted;
+
+    if (maxOutputLen < modulusLen)
+        return SECFailure;
+
+    unformatted.len  = inputLen;
+    unformatted.data = (unsigned char*)input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPrivate,
+                         &unformatted);
+    if (rv != SECSuccess)
+        goto done;
+
+    rv = RSA_PrivateKeyOpDoubleChecked(key, output, formatted.data);
+    *outputLen = modulusLen;
+
+    goto done;
+
+done:
+    if (formatted.data != NULL)
+        PORT_ZFree(formatted.data, modulusLen);
+    return rv;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSign(RSAPublicKey * key,
+              const unsigned char * sig,
+              unsigned int sigLen,
+              const unsigned char * data,
+              unsigned int dataLen)
+{
+    SECStatus rv;
+    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+    unsigned int i;
+    unsigned char * buffer;
+
+    if (sigLen != modulusLen)
+        goto failure;
+    /*
+     * 0x00 || BT || Pad || 0x00 || ActualData
+     *
+     * The "3" below is the first octet + the second octet + the 0x00
+     * octet that always comes just before the ActualData.
+     */
+    if (dataLen > modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN))
+        goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
+    if (!buffer)
+        goto failure;
+
+    rv = RSA_PublicKeyOp(key, buffer, sig);
+    if (rv != SECSuccess)
+        goto loser;
+
+    /*
+     * check the padding that was used
+     */
+    if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
+        buffer[1] != (unsigned char)RSA_BlockPrivate) {
+        goto loser;
+    }
+    for (i = 2; i < modulusLen - dataLen - 1; i++) {
+        if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET)
+            goto loser;
+    }
+    if (buffer[i] != RSA_BLOCK_AFTER_PAD_OCTET)
+        goto loser;
+
+    /*
+     * make sure we get the same results
+     */
+    if (PORT_Memcmp(buffer + modulusLen - dataLen, data, dataLen) != 0)
+        goto loser;
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRecover(RSAPublicKey * key,
+                     unsigned char * output,
+                     unsigned int * outputLen,
+                     unsigned int maxOutputLen,
+                     const unsigned char * sig,
+                     unsigned int sigLen)
+{
+    SECStatus rv;
+    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+    unsigned int i;
+    unsigned char * buffer;
+
+    if (sigLen != modulusLen)
+        goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
+    if (!buffer)
+        goto failure;
+
+    rv = RSA_PublicKeyOp(key, buffer, sig);
+    if (rv != SECSuccess)
+        goto loser;
+    *outputLen = 0;
+
+    /*
+     * check the padding that was used
+     */
+    if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
+        buffer[1] != (unsigned char)RSA_BlockPrivate) {
+        goto loser;
+    }
+    for (i = 2; i < modulusLen; i++) {
+        if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
+            *outputLen = modulusLen - i - 1;
+            break;
+        }
+        if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET)
+            goto loser;
+    }
+    if (*outputLen == 0)
+        goto loser;
+    if (*outputLen > maxOutputLen)
+        goto loser;
+
+    PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen);
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
This site is hosted by Intevation GmbH (Datenschutzerklärung und Impressum | Privacy Policy and Imprint)