summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authordjm <>2006-06-27 05:05:35 +0000
committerdjm <>2006-06-27 05:05:35 +0000
commitd5e315499a1ca7bacd7fc271e246a659969370e5 (patch)
tree790f7fe5d5e072833c88a270fab0e194f415db27
parent6544ec3cf410e36b7bce7c663a9352c03c004292 (diff)
downloadopenbsd-d5e315499a1ca7bacd7fc271e246a659969370e5.tar.gz
openbsd-d5e315499a1ca7bacd7fc271e246a659969370e5.tar.bz2
openbsd-d5e315499a1ca7bacd7fc271e246a659969370e5.zip
import of openssl-0.9.7j
Diffstat
-rw-r--r--src/lib/libssl/src/crypto/bn/bn_x931p.c282
-rwxr-xr-xsrc/lib/libssl/src/crypto/rc4/asm/rc4-x86_64.pl150
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_pss.c261
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_x931.c177
4 files changed, 870 insertions, 0 deletions
diff --git a/src/lib/libssl/src/crypto/bn/bn_x931p.c b/src/lib/libssl/src/crypto/bn/bn_x931p.c
new file mode 100644
index 0000000000..c64410dd3a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/bn_x931p.c
@@ -0,0 +1,282 @@
1/* bn_x931p.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2005.
4 */
5/* ====================================================================
6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <openssl/bn.h>
61
62#ifdef OPENSSL_FIPS
63
64/* X9.31 routines for prime derivation */
65
66
67/* X9.31 prime derivation. This is used to generate the primes pi
68 * (p1, p2, q1, q2) from a parameter Xpi by checking successive odd
69 * integers.
70 */
71
72static int bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx,
73 void (*cb)(int, int, void *), void *cb_arg)
74 {
75 int i = 0;
76 if (!BN_copy(pi, Xpi))
77 return 0;
78 if (!BN_is_odd(pi) && !BN_add_word(pi, 1))
79 return 0;
80 for(;;)
81 {
82 i++;
83 if (cb)
84 cb(0, i, cb_arg);
85 /* NB 27 MR is specificed in X9.31 */
86 if (BN_is_prime_fasttest(pi, 27, cb, ctx, cb_arg, 1))
87 break;
88 if (!BN_add_word(pi, 2))
89 return 0;
90 }
91 if (cb)
92 cb(2, i, cb_arg);
93 return 1;
94 }
95
96/* This is the main X9.31 prime derivation function. From parameters
97 * Xp1, Xp2 and Xp derive the prime p. If the parameters p1 or p2 are
98 * not NULL they will be returned too: this is needed for testing.
99 */
100
101int BN_X931_derive_prime(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
102 void (*cb)(int, int, void *), void *cb_arg,
103 const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
104 const BIGNUM *e, BN_CTX *ctx)
105 {
106 int ret = 0;
107
108 BIGNUM *t, *p1p2, *pm1;
109
110 /* Only even e supported */
111 if (!BN_is_odd(e))
112 return 0;
113
114 BN_CTX_start(ctx);
115 if (!p1)
116 p1 = BN_CTX_get(ctx);
117
118 if (!p2)
119 p2 = BN_CTX_get(ctx);
120
121 t = BN_CTX_get(ctx);
122
123 p1p2 = BN_CTX_get(ctx);
124
125 pm1 = BN_CTX_get(ctx);
126
127 if (!bn_x931_derive_pi(p1, Xp1, ctx, cb, cb_arg))
128 goto err;
129
130 if (!bn_x931_derive_pi(p2, Xp2, ctx, cb, cb_arg))
131 goto err;
132
133 if (!BN_mul(p1p2, p1, p2, ctx))
134 goto err;
135
136 /* First set p to value of Rp */
137
138 if (!BN_mod_inverse(p, p2, p1, ctx))
139 goto err;
140
141 if (!BN_mul(p, p, p2, ctx))
142 goto err;
143
144 if (!BN_mod_inverse(t, p1, p2, ctx))
145 goto err;
146
147 if (!BN_mul(t, t, p1, ctx))
148 goto err;
149
150 if (!BN_sub(p, p, t))
151 goto err;
152
153 if (p->neg && !BN_add(p, p, p1p2))
154 goto err;
155
156 /* p now equals Rp */
157
158 if (!BN_mod_sub(p, p, Xp, p1p2, ctx))
159 goto err;
160
161 if (!BN_add(p, p, Xp))
162 goto err;
163
164 /* p now equals Yp0 */
165
166 for (;;)
167 {
168 int i = 1;
169 if (cb)
170 cb(0, i++, cb_arg);
171 if (!BN_copy(pm1, p))
172 goto err;
173 if (!BN_sub_word(pm1, 1))
174 goto err;
175 if (!BN_gcd(t, pm1, e, ctx))
176 goto err;
177 if (BN_is_one(t)
178 /* X9.31 specifies 8 MR and 1 Lucas test or any prime test
179 * offering similar or better guarantees 50 MR is considerably
180 * better.
181 */
182 && BN_is_prime_fasttest(p, 50, cb, ctx, cb_arg, 1))
183 break;
184 if (!BN_add(p, p, p1p2))
185 goto err;
186 }
187
188 if (cb)
189 cb(3, 0, cb_arg);
190
191 ret = 1;
192
193 err:
194
195 BN_CTX_end(ctx);
196
197 return ret;
198 }
199
200/* Generate pair of paramters Xp, Xq for X9.31 prime generation.
201 * Note: nbits paramter is sum of number of bits in both.
202 */
203
204int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
205 {
206 BIGNUM *t;
207 int i;
208 /* Number of bits for each prime is of the form
209 * 512+128s for s = 0, 1, ...
210 */
211 if ((nbits < 1024) || (nbits & 0xff))
212 return 0;
213 nbits >>= 1;
214 /* The random value Xp must be between sqrt(2) * 2^(nbits-1) and
215 * 2^nbits - 1. By setting the top two bits we ensure that the lower
216 * bound is exceeded.
217 */
218 if (!BN_rand(Xp, nbits, 1, 0))
219 return 0;
220
221 BN_CTX_start(ctx);
222 t = BN_CTX_get(ctx);
223
224 for (i = 0; i < 1000; i++)
225 {
226 if (!BN_rand(Xq, nbits, 1, 0))
227 return 0;
228 /* Check that |Xp - Xq| > 2^(nbits - 100) */
229 BN_sub(t, Xp, Xq);
230 if (BN_num_bits(t) > (nbits - 100))
231 break;
232 }
233
234 BN_CTX_end(ctx);
235
236 if (i < 1000)
237 return 1;
238
239 return 0;
240
241 }
242
243/* Generate primes using X9.31 algorithm. Of the values p, p1, p2, Xp1
244 * and Xp2 only 'p' needs to be non-NULL. If any of the others are not NULL
245 * the relevant parameter will be stored in it.
246 *
247 * Due to the fact that |Xp - Xq| > 2^(nbits - 100) must be satisfied Xp and Xq
248 * are generated using the previous function and supplied as input.
249 */
250
251int BN_X931_generate_prime(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
252 BIGNUM *Xp1, BIGNUM *Xp2,
253 const BIGNUM *Xp,
254 const BIGNUM *e, BN_CTX *ctx,
255 void (*cb)(int, int, void *), void *cb_arg)
256 {
257 int ret = 0;
258
259 BN_CTX_start(ctx);
260 if (!Xp1)
261 Xp1 = BN_CTX_get(ctx);
262 if (!Xp2)
263 Xp2 = BN_CTX_get(ctx);
264
265 if (!BN_rand(Xp1, 101, 0, 0))
266 goto error;
267 if (!BN_rand(Xp2, 101, 0, 0))
268 goto error;
269 if (!BN_X931_derive_prime(p, p1, p2, cb, cb_arg,
270 Xp, Xp1, Xp2, e, ctx))
271 goto error;
272
273 ret = 1;
274
275 error:
276 BN_CTX_end(ctx);
277
278 return ret;
279
280 }
281
282#endif
diff --git a/src/lib/libssl/src/crypto/rc4/asm/rc4-x86_64.pl b/src/lib/libssl/src/crypto/rc4/asm/rc4-x86_64.pl
new file mode 100755
index 0000000000..b628daca70
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rc4/asm/rc4-x86_64.pl
@@ -0,0 +1,150 @@
1#!/usr/bin/env perl
2#
3# ====================================================================
4# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
5# project. Rights for redistribution and usage in source and binary
6# forms are granted according to the OpenSSL license.
7# ====================================================================
8#
9# Unlike 0.9.7f this code expects RC4_CHAR back in config line! See
10# commentary section in corresponding script in development branch
11# for background information about this option carousel. For those
12# who don't have energy to figure out these gory details, here is
13# basis in form of performance matrix relative to the original
14# 0.9.7e C code-base:
15#
16# 0.9.7e 0.9.7f this
17# AMD64 1x 3.3x 2.4x
18# EM64T 1x 0.8x 1.5x
19#
20# In other words idea is to trade -25% AMD64 performance to compensate
21# for deterioration and gain +90% on EM64T core. Development branch
22# maintains best performance for either target, i.e. 3.3x for AMD64
23# and 1.5x for EM64T.
24
25$output=shift;
26
27open STDOUT,">$output" || die "can't open $output: $!";
28
29$dat="%rdi"; # arg1
30$len="%rsi"; # arg2
31$inp="%rdx"; # arg3
32$out="%rcx"; # arg4
33
34@XX=("%r8","%r10");
35@TX=("%r9","%r11");
36$YY="%r12";
37$TY="%r13";
38
39$code=<<___;;
40.text
41
42.globl RC4
43.type RC4,\@function
44.align 16
45RC4: or $len,$len
46 jne .Lentry
47 repret
48.Lentry:
49 push %r12
50 push %r13
51
52 add \$2,$dat
53 movzb -2($dat),$XX[0]#d
54 movzb -1($dat),$YY#d
55
56 add \$1,$XX[0]#b
57 movzb ($dat,$XX[0]),$TX[0]#d
58 test \$-8,$len
59 jz .Lcloop1
60 push %rbx
61.align 16 # incidentally aligned already
62.Lcloop8:
63 mov ($inp),%eax
64 mov 4($inp),%ebx
65___
66# unroll 2x4-wise, because 64-bit rotates kill Intel P4...
67for ($i=0;$i<4;$i++) {
68$code.=<<___;
69 add $TX[0]#b,$YY#b
70 lea 1($XX[0]),$XX[1]
71 movzb ($dat,$YY),$TY#d
72 movzb $XX[1]#b,$XX[1]#d
73 movzb ($dat,$XX[1]),$TX[1]#d
74 movb $TX[0]#b,($dat,$YY)
75 cmp $XX[1],$YY
76 movb $TY#b,($dat,$XX[0])
77 jne .Lcmov$i # Intel cmov is sloooow...
78 mov $TX[0],$TX[1]
79.Lcmov$i:
80 add $TX[0]#b,$TY#b
81 xor ($dat,$TY),%al
82 ror \$8,%eax
83___
84push(@TX,shift(@TX)); push(@XX,shift(@XX)); # "rotate" registers
85}
86for ($i=4;$i<8;$i++) {
87$code.=<<___;
88 add $TX[0]#b,$YY#b
89 lea 1($XX[0]),$XX[1]
90 movzb ($dat,$YY),$TY#d
91 movzb $XX[1]#b,$XX[1]#d
92 movzb ($dat,$XX[1]),$TX[1]#d
93 movb $TX[0]#b,($dat,$YY)
94 cmp $XX[1],$YY
95 movb $TY#b,($dat,$XX[0])
96 jne .Lcmov$i # Intel cmov is sloooow...
97 mov $TX[0],$TX[1]
98.Lcmov$i:
99 add $TX[0]#b,$TY#b
100 xor ($dat,$TY),%bl
101 ror \$8,%ebx
102___
103push(@TX,shift(@TX)); push(@XX,shift(@XX)); # "rotate" registers
104}
105$code.=<<___;
106 lea -8($len),$len
107 mov %eax,($out)
108 lea 8($inp),$inp
109 mov %ebx,4($out)
110 lea 8($out),$out
111
112 test \$-8,$len
113 jnz .Lcloop8
114 pop %rbx
115 cmp \$0,$len
116 jne .Lcloop1
117.Lexit:
118 sub \$1,$XX[0]#b
119 movb $XX[0]#b,-2($dat)
120 movb $YY#b,-1($dat)
121
122 pop %r13
123 pop %r12
124 repret
125
126.align 16
127.Lcloop1:
128 add $TX[0]#b,$YY#b
129 movzb ($dat,$YY),$TY#d
130 movb $TX[0]#b,($dat,$YY)
131 movb $TY#b,($dat,$XX[0])
132 add $TX[0]#b,$TY#b
133 add \$1,$XX[0]#b
134 movzb ($dat,$TY),$TY#d
135 movzb ($dat,$XX[0]),$TX[0]#d
136 xorb ($inp),$TY#b
137 lea 1($inp),$inp
138 movb $TY#b,($out)
139 lea 1($out),$out
140 sub \$1,$len
141 jnz .Lcloop1
142 jmp .Lexit
143.size RC4,.-RC4
144___
145
146$code =~ s/#([bwd])/$1/gm;
147
148$code =~ s/repret/.byte\t0xF3,0xC3/gm;
149
150print $code;
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_pss.c b/src/lib/libssl/src/crypto/rsa/rsa_pss.c
new file mode 100644
index 0000000000..2815628f5f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rsa/rsa_pss.c
@@ -0,0 +1,261 @@
1/* rsa_pss.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2005.
4 */
5/* ====================================================================
6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rsa.h>
63#include <openssl/evp.h>
64#include <openssl/rand.h>
65#include <openssl/sha.h>
66
67const static unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
68
69int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
70 const EVP_MD *Hash, const unsigned char *EM, int sLen)
71 {
72 int i;
73 int ret = 0;
74 int hLen, maskedDBLen, MSBits, emLen;
75 const unsigned char *H;
76 unsigned char *DB = NULL;
77 EVP_MD_CTX ctx;
78 unsigned char H_[EVP_MAX_MD_SIZE];
79
80 hLen = EVP_MD_size(Hash);
81 /*
82 * Negative sLen has special meanings:
83 * -1 sLen == hLen
84 * -2 salt length is autorecovered from signature
85 * -N reserved
86 */
87 if (sLen == -1) sLen = hLen;
88 else if (sLen == -2) sLen = -2;
89 else if (sLen < -2)
90 {
91 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
92 goto err;
93 }
94
95 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
96 emLen = RSA_size(rsa);
97 if (EM[0] & (0xFF << MSBits))
98 {
99 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID);
100 goto err;
101 }
102 if (MSBits == 0)
103 {
104 EM++;
105 emLen--;
106 }
107 if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
108 {
109 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE);
110 goto err;
111 }
112 if (EM[emLen - 1] != 0xbc)
113 {
114 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID);
115 goto err;
116 }
117 maskedDBLen = emLen - hLen - 1;
118 H = EM + maskedDBLen;
119 DB = OPENSSL_malloc(maskedDBLen);
120 if (!DB)
121 {
122 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE);
123 goto err;
124 }
125 PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash);
126 for (i = 0; i < maskedDBLen; i++)
127 DB[i] ^= EM[i];
128 if (MSBits)
129 DB[0] &= 0xFF >> (8 - MSBits);
130 for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
131 if (DB[i++] != 0x1)
132 {
133 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED);
134 goto err;
135 }
136 if (sLen >= 0 && (maskedDBLen - i) != sLen)
137 {
138 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
139 goto err;
140 }
141 EVP_MD_CTX_init(&ctx);
142 EVP_DigestInit_ex(&ctx, Hash, NULL);
143 EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
144 EVP_DigestUpdate(&ctx, mHash, hLen);
145 if (maskedDBLen - i)
146 EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i);
147 EVP_DigestFinal(&ctx, H_, NULL);
148 EVP_MD_CTX_cleanup(&ctx);
149 if (memcmp(H_, H, hLen))
150 {
151 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE);
152 ret = 0;
153 }
154 else
155 ret = 1;
156
157 err:
158 if (DB)
159 OPENSSL_free(DB);
160
161 return ret;
162
163 }
164
165int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
166 const unsigned char *mHash,
167 const EVP_MD *Hash, int sLen)
168 {
169 int i;
170 int ret = 0;
171 int hLen, maskedDBLen, MSBits, emLen;
172 unsigned char *H, *salt = NULL, *p;
173 EVP_MD_CTX ctx;
174
175 hLen = EVP_MD_size(Hash);
176 /*
177 * Negative sLen has special meanings:
178 * -1 sLen == hLen
179 * -2 salt length is maximized
180 * -N reserved
181 */
182 if (sLen == -1) sLen = hLen;
183 else if (sLen == -2) sLen = -2;
184 else if (sLen < -2)
185 {
186 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
187 goto err;
188 }
189
190 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
191 emLen = RSA_size(rsa);
192 if (MSBits == 0)
193 {
194 *EM++ = 0;
195 emLen--;
196 }
197 if (sLen == -2)
198 {
199 sLen = emLen - hLen - 2;
200 }
201 else if (emLen < (hLen + sLen + 2))
202 {
203 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
204 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
205 goto err;
206 }
207 if (sLen > 0)
208 {
209 salt = OPENSSL_malloc(sLen);
210 if (!salt)
211 {
212 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
213 ERR_R_MALLOC_FAILURE);
214 goto err;
215 }
216 if (!RAND_bytes(salt, sLen))
217 goto err;
218 }
219 maskedDBLen = emLen - hLen - 1;
220 H = EM + maskedDBLen;
221 EVP_MD_CTX_init(&ctx);
222 EVP_DigestInit_ex(&ctx, Hash, NULL);
223 EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
224 EVP_DigestUpdate(&ctx, mHash, hLen);
225 if (sLen)
226 EVP_DigestUpdate(&ctx, salt, sLen);
227 EVP_DigestFinal(&ctx, H, NULL);
228 EVP_MD_CTX_cleanup(&ctx);
229
230 /* Generate dbMask in place then perform XOR on it */
231 PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash);
232
233 p = EM;
234
235 /* Initial PS XORs with all zeroes which is a NOP so just update
236 * pointer. Note from a test above this value is guaranteed to
237 * be non-negative.
238 */
239 p += emLen - sLen - hLen - 2;
240 *p++ ^= 0x1;
241 if (sLen > 0)
242 {
243 for (i = 0; i < sLen; i++)
244 *p++ ^= salt[i];
245 }
246 if (MSBits)
247 EM[0] &= 0xFF >> (8 - MSBits);
248
249 /* H is already in place so just set final 0xbc */
250
251 EM[emLen - 1] = 0xbc;
252
253 ret = 1;
254
255 err:
256 if (salt)
257 OPENSSL_free(salt);
258
259 return ret;
260
261 }
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_x931.c b/src/lib/libssl/src/crypto/rsa/rsa_x931.c
new file mode 100644
index 0000000000..df3c45f802
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rsa/rsa_x931.c
@@ -0,0 +1,177 @@
1/* rsa_x931.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2005.
4 */
5/* ====================================================================
6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rsa.h>
63#include <openssl/rand.h>
64#include <openssl/objects.h>
65
66int RSA_padding_add_X931(unsigned char *to, int tlen,
67 const unsigned char *from, int flen)
68 {
69 int j;
70 unsigned char *p;
71
72 /* Absolute minimum amount of padding is 1 header nibble, 1 padding
73 * nibble and 2 trailer bytes: but 1 hash if is already in 'from'.
74 */
75
76 j = tlen - flen - 2;
77
78 if (j < 0)
79 {
80 RSAerr(RSA_F_RSA_PADDING_ADD_X931,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
81 return -1;
82 }
83
84 p=(unsigned char *)to;
85
86 /* If no padding start and end nibbles are in one byte */
87 if (j == 0)
88 *p++ = 0x6A;
89 else
90 {
91 *p++ = 0x6B;
92 if (j > 1)
93 {
94 memset(p, 0xBB, j - 1);
95 p += j - 1;
96 }
97 *p++ = 0xBA;
98 }
99 memcpy(p,from,(unsigned int)flen);
100 p += flen;
101 *p = 0xCC;
102 return(1);
103 }
104
105int RSA_padding_check_X931(unsigned char *to, int tlen,
106 const unsigned char *from, int flen, int num)
107 {
108 int i,j;
109 const unsigned char *p;
110
111 p=from;
112 if ((num != flen) || ((*p != 0x6A) && (*p != 0x6B)))
113 {
114 RSAerr(RSA_F_RSA_PADDING_CHECK_X931,RSA_R_INVALID_HEADER);
115 return -1;
116 }
117
118 if (*p++ == 0x6B)
119 {
120 j=flen-3;
121 for (i = 0; i < j; i++)
122 {
123 unsigned char c = *p++;
124 if (c == 0xBA)
125 break;
126 if (c != 0xBB)
127 {
128 RSAerr(RSA_F_RSA_PADDING_CHECK_X931,
129 RSA_R_INVALID_PADDING);
130 return -1;
131 }
132 }
133
134 j -= i;
135
136 if (i == 0)
137 {
138 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_PADDING);
139 return -1;
140 }
141
142 }
143 else j = flen - 2;
144
145 if (p[j] != 0xCC)
146 {
147 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_TRAILER);
148 return -1;
149 }
150
151 memcpy(to,p,(unsigned int)j);
152
153 return(j);
154 }
155
156/* Translate between X931 hash ids and NIDs */
157
158int RSA_X931_hash_id(int nid)
159 {
160 switch (nid)
161 {
162 case NID_sha1:
163 return 0x33;
164
165 case NID_sha256:
166 return 0x34;
167
168 case NID_sha384:
169 return 0x36;
170
171 case NID_sha512:
172 return 0x35;
173
174 }
175 return -1;
176 }
177
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 14:58:44 +0000