summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libcrypto/bn/asm/ppc.pl23
-rw-r--r--src/lib/libcrypto/bn/bn_x931p.c282
-rw-r--r--src/lib/libcrypto/doc/OPENSSL_config.pod2
-rw-r--r--src/lib/libcrypto/doc/PKCS7_verify.pod2
-rwxr-xr-xsrc/lib/libcrypto/rc4/asm/rc4-x86_64.pl150
-rw-r--r--src/lib/libcrypto/rsa/rsa_pss.c261
-rw-r--r--src/lib/libcrypto/rsa/rsa_x931.c177
7 files changed, 882 insertions, 15 deletions
diff --git a/src/lib/libcrypto/bn/asm/ppc.pl b/src/lib/libcrypto/bn/asm/ppc.pl
index 307c7ccb35..08e0053473 100644
--- a/src/lib/libcrypto/bn/asm/ppc.pl
+++ b/src/lib/libcrypto/bn/asm/ppc.pl
@@ -116,7 +116,7 @@ if ($opf =~ /32\.s/) {
116 $UDIV= "divwu"; # unsigned divide 116 $UDIV= "divwu"; # unsigned divide
117 $UCMPI= "cmplwi"; # unsigned compare with immediate 117 $UCMPI= "cmplwi"; # unsigned compare with immediate
118 $UCMP= "cmplw"; # unsigned compare 118 $UCMP= "cmplw"; # unsigned compare
119 $COUNTZ="cntlzw"; # count leading zeros 119 $CNTLZ= "cntlzw"; # count leading zeros
120 $SHL= "slw"; # shift left 120 $SHL= "slw"; # shift left
121 $SHR= "srw"; # unsigned shift right 121 $SHR= "srw"; # unsigned shift right
122 $SHRI= "srwi"; # unsigned shift right by immediate 122 $SHRI= "srwi"; # unsigned shift right by immediate
@@ -124,6 +124,7 @@ if ($opf =~ /32\.s/) {
124 $CLRU= "clrlwi"; # clear upper bits 124 $CLRU= "clrlwi"; # clear upper bits
125 $INSR= "insrwi"; # insert right 125 $INSR= "insrwi"; # insert right
126 $ROTL= "rotlwi"; # rotate left by immediate 126 $ROTL= "rotlwi"; # rotate left by immediate
127 $TR= "tw"; # conditional trap
127} elsif ($opf =~ /64\.s/) { 128} elsif ($opf =~ /64\.s/) {
128 $BITS= 64; 129 $BITS= 64;
129 $BNSZ= $BITS/8; 130 $BNSZ= $BITS/8;
@@ -139,7 +140,7 @@ if ($opf =~ /32\.s/) {
139 $UDIV= "divdu"; # unsigned divide 140 $UDIV= "divdu"; # unsigned divide
140 $UCMPI= "cmpldi"; # unsigned compare with immediate 141 $UCMPI= "cmpldi"; # unsigned compare with immediate
141 $UCMP= "cmpld"; # unsigned compare 142 $UCMP= "cmpld"; # unsigned compare
142 $COUNTZ="cntlzd"; # count leading zeros 143 $CNTLZ= "cntlzd"; # count leading zeros
143 $SHL= "sld"; # shift left 144 $SHL= "sld"; # shift left
144 $SHR= "srd"; # unsigned shift right 145 $SHR= "srd"; # unsigned shift right
145 $SHRI= "srdi"; # unsigned shift right by immediate 146 $SHRI= "srdi"; # unsigned shift right by immediate
@@ -147,6 +148,7 @@ if ($opf =~ /32\.s/) {
147 $CLRU= "clrldi"; # clear upper bits 148 $CLRU= "clrldi"; # clear upper bits
148 $INSR= "insrdi"; # insert right 149 $INSR= "insrdi"; # insert right
149 $ROTL= "rotldi"; # rotate left by immediate 150 $ROTL= "rotldi"; # rotate left by immediate
151 $TR= "td"; # conditional trap
150} else { die "nonsense $opf"; } 152} else { die "nonsense $opf"; }
151 153
152( defined shift || open STDOUT,">$opf" ) || die "can't open $opf: $!"; 154( defined shift || open STDOUT,">$opf" ) || die "can't open $opf: $!";
@@ -1710,17 +1712,12 @@ Lppcasm_add_adios:
1710 bclr BO_ALWAYS,CR0_LT 1712 bclr BO_ALWAYS,CR0_LT
1711Lppcasm_div1: 1713Lppcasm_div1:
1712 xor r0,r0,r0 #r0=0 1714 xor r0,r0,r0 #r0=0
1713 $COUNTZ r7,r5 #r7 = num leading 0s in d. 1715 li r8,$BITS
1714 subfic r8,r7,$BITS #r8 = BN_num_bits_word(d) 1716 $CNTLZ. r7,r5 #r7 = num leading 0s in d.
1715 cmpi 0,0,r8,$BITS # 1717 bc BO_IF,CR0_EQ,Lppcasm_div2 #proceed if no leading zeros
1716 bc BO_IF,CR0_EQ,Lppcasm_div2 #proceed if (r8==$BITS) 1718 subf r8,r7,r8 #r8 = BN_num_bits_word(d)
1717 li r9,1 # r9=1 1719 $SHR. r9,r3,r8 #are there any bits above r8'th?
1718 $SHL r10,r9,r8 # r9<<=r8 1720 $TR 16,r9,r0 #if there're, signal to dump core...
1719 $UCMP 0,r3,r10 #
1720 bc BO_IF,CR0_GT,Lppcasm_div2 #or if (h > (1<<r8))
1721 $UDIV r3,r3,r0 #if not assert(0) divide by 0!
1722 #that's how we signal overflow
1723 bclr BO_ALWAYS,CR0_LT #return. NEVER REACHED.
1724Lppcasm_div2: 1721Lppcasm_div2:
1725 $UCMP 0,r3,r5 #h>=d? 1722 $UCMP 0,r3,r5 #h>=d?
1726 bc BO_IF,CR0_LT,Lppcasm_div3 #goto Lppcasm_div3 if not 1723 bc BO_IF,CR0_LT,Lppcasm_div3 #goto Lppcasm_div3 if not
diff --git a/src/lib/libcrypto/bn/bn_x931p.c b/src/lib/libcrypto/bn/bn_x931p.c
new file mode 100644
index 0000000000..c64410dd3a
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_x931p.c
@@ -0,0 +1,282 @@
1/* bn_x931p.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2005.
4 */
5/* ====================================================================
6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <openssl/bn.h>
61
62#ifdef OPENSSL_FIPS
63
64/* X9.31 routines for prime derivation */
65
66
67/* X9.31 prime derivation. This is used to generate the primes pi
68 * (p1, p2, q1, q2) from a parameter Xpi by checking successive odd
69 * integers.
70 */
71
72static int bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx,
73 void (*cb)(int, int, void *), void *cb_arg)
74 {
75 int i = 0;
76 if (!BN_copy(pi, Xpi))
77 return 0;
78 if (!BN_is_odd(pi) && !BN_add_word(pi, 1))
79 return 0;
80 for(;;)
81 {
82 i++;
83 if (cb)
84 cb(0, i, cb_arg);
85 /* NB 27 MR is specificed in X9.31 */
86 if (BN_is_prime_fasttest(pi, 27, cb, ctx, cb_arg, 1))
87 break;
88 if (!BN_add_word(pi, 2))
89 return 0;
90 }
91 if (cb)
92 cb(2, i, cb_arg);
93 return 1;
94 }
95
96/* This is the main X9.31 prime derivation function. From parameters
97 * Xp1, Xp2 and Xp derive the prime p. If the parameters p1 or p2 are
98 * not NULL they will be returned too: this is needed for testing.
99 */
100
101int BN_X931_derive_prime(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
102 void (*cb)(int, int, void *), void *cb_arg,
103 const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
104 const BIGNUM *e, BN_CTX *ctx)
105 {
106 int ret = 0;
107
108 BIGNUM *t, *p1p2, *pm1;
109
110 /* Only even e supported */
111 if (!BN_is_odd(e))
112 return 0;
113
114 BN_CTX_start(ctx);
115 if (!p1)
116 p1 = BN_CTX_get(ctx);
117
118 if (!p2)
119 p2 = BN_CTX_get(ctx);
120
121 t = BN_CTX_get(ctx);
122
123 p1p2 = BN_CTX_get(ctx);
124
125 pm1 = BN_CTX_get(ctx);
126
127 if (!bn_x931_derive_pi(p1, Xp1, ctx, cb, cb_arg))
128 goto err;
129
130 if (!bn_x931_derive_pi(p2, Xp2, ctx, cb, cb_arg))
131 goto err;
132
133 if (!BN_mul(p1p2, p1, p2, ctx))
134 goto err;
135
136 /* First set p to value of Rp */
137
138 if (!BN_mod_inverse(p, p2, p1, ctx))
139 goto err;
140
141 if (!BN_mul(p, p, p2, ctx))
142 goto err;
143
144 if (!BN_mod_inverse(t, p1, p2, ctx))
145 goto err;
146
147 if (!BN_mul(t, t, p1, ctx))
148 goto err;
149
150 if (!BN_sub(p, p, t))
151 goto err;
152
153 if (p->neg && !BN_add(p, p, p1p2))
154 goto err;
155
156 /* p now equals Rp */
157
158 if (!BN_mod_sub(p, p, Xp, p1p2, ctx))
159 goto err;
160
161 if (!BN_add(p, p, Xp))
162 goto err;
163
164 /* p now equals Yp0 */
165
166 for (;;)
167 {
168 int i = 1;
169 if (cb)
170 cb(0, i++, cb_arg);
171 if (!BN_copy(pm1, p))
172 goto err;
173 if (!BN_sub_word(pm1, 1))
174 goto err;
175 if (!BN_gcd(t, pm1, e, ctx))
176 goto err;
177 if (BN_is_one(t)
178 /* X9.31 specifies 8 MR and 1 Lucas test or any prime test
179 * offering similar or better guarantees 50 MR is considerably
180 * better.
181 */
182 && BN_is_prime_fasttest(p, 50, cb, ctx, cb_arg, 1))
183 break;
184 if (!BN_add(p, p, p1p2))
185 goto err;
186 }
187
188 if (cb)
189 cb(3, 0, cb_arg);
190
191 ret = 1;
192
193 err:
194
195 BN_CTX_end(ctx);
196
197 return ret;
198 }
199
200/* Generate pair of paramters Xp, Xq for X9.31 prime generation.
201 * Note: nbits paramter is sum of number of bits in both.
202 */
203
204int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
205 {
206 BIGNUM *t;
207 int i;
208 /* Number of bits for each prime is of the form
209 * 512+128s for s = 0, 1, ...
210 */
211 if ((nbits < 1024) || (nbits & 0xff))
212 return 0;
213 nbits >>= 1;
214 /* The random value Xp must be between sqrt(2) * 2^(nbits-1) and
215 * 2^nbits - 1. By setting the top two bits we ensure that the lower
216 * bound is exceeded.
217 */
218 if (!BN_rand(Xp, nbits, 1, 0))
219 return 0;
220
221 BN_CTX_start(ctx);
222 t = BN_CTX_get(ctx);
223
224 for (i = 0; i < 1000; i++)
225 {
226 if (!BN_rand(Xq, nbits, 1, 0))
227 return 0;
228 /* Check that |Xp - Xq| > 2^(nbits - 100) */
229 BN_sub(t, Xp, Xq);
230 if (BN_num_bits(t) > (nbits - 100))
231 break;
232 }
233
234 BN_CTX_end(ctx);
235
236 if (i < 1000)
237 return 1;
238
239 return 0;
240
241 }
242
243/* Generate primes using X9.31 algorithm. Of the values p, p1, p2, Xp1
244 * and Xp2 only 'p' needs to be non-NULL. If any of the others are not NULL
245 * the relevant parameter will be stored in it.
246 *
247 * Due to the fact that |Xp - Xq| > 2^(nbits - 100) must be satisfied Xp and Xq
248 * are generated using the previous function and supplied as input.
249 */
250
251int BN_X931_generate_prime(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
252 BIGNUM *Xp1, BIGNUM *Xp2,
253 const BIGNUM *Xp,
254 const BIGNUM *e, BN_CTX *ctx,
255 void (*cb)(int, int, void *), void *cb_arg)
256 {
257 int ret = 0;
258
259 BN_CTX_start(ctx);
260 if (!Xp1)
261 Xp1 = BN_CTX_get(ctx);
262 if (!Xp2)
263 Xp2 = BN_CTX_get(ctx);
264
265 if (!BN_rand(Xp1, 101, 0, 0))
266 goto error;
267 if (!BN_rand(Xp2, 101, 0, 0))
268 goto error;
269 if (!BN_X931_derive_prime(p, p1, p2, cb, cb_arg,
270 Xp, Xp1, Xp2, e, ctx))
271 goto error;
272
273 ret = 1;
274
275 error:
276 BN_CTX_end(ctx);
277
278 return ret;
279
280 }
281
282#endif
diff --git a/src/lib/libcrypto/doc/OPENSSL_config.pod b/src/lib/libcrypto/doc/OPENSSL_config.pod
index 16600620cc..e7bba2aaca 100644
--- a/src/lib/libcrypto/doc/OPENSSL_config.pod
+++ b/src/lib/libcrypto/doc/OPENSSL_config.pod
@@ -35,7 +35,7 @@ calls OPENSSL_add_all_algorithms() by compiling an application with the
35preprocessor symbol B<OPENSSL_LOAD_CONF> #define'd. In this way configuration 35preprocessor symbol B<OPENSSL_LOAD_CONF> #define'd. In this way configuration
36can be added without source changes. 36can be added without source changes.
37 37
38The environment variable B<OPENSSL_CONFIG> can be set to specify the location 38The environment variable B<OPENSSL_CONF> can be set to specify the location
39of the configuration file. 39of the configuration file.
40 40
41Currently ASN1 OBJECTs and ENGINE configuration can be performed future 41Currently ASN1 OBJECTs and ENGINE configuration can be performed future
diff --git a/src/lib/libcrypto/doc/PKCS7_verify.pod b/src/lib/libcrypto/doc/PKCS7_verify.pod
index 07c9fdad40..3490b5dc82 100644
--- a/src/lib/libcrypto/doc/PKCS7_verify.pod
+++ b/src/lib/libcrypto/doc/PKCS7_verify.pod
@@ -8,7 +8,7 @@ PKCS7_verify - verify a PKCS#7 signedData structure
8 8
9int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags); 9int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags);
10 10
11int PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags); 11STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
12 12
13=head1 DESCRIPTION 13=head1 DESCRIPTION
14 14
diff --git a/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl b/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl
new file mode 100755
index 0000000000..b628daca70
--- /dev/null
+++ b/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl
@@ -0,0 +1,150 @@
1#!/usr/bin/env perl
2#
3# ====================================================================
4# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
5# project. Rights for redistribution and usage in source and binary
6# forms are granted according to the OpenSSL license.
7# ====================================================================
8#
9# Unlike 0.9.7f this code expects RC4_CHAR back in config line! See
10# commentary section in corresponding script in development branch
11# for background information about this option carousel. For those
12# who don't have energy to figure out these gory details, here is
13# basis in form of performance matrix relative to the original
14# 0.9.7e C code-base:
15#
16# 0.9.7e 0.9.7f this
17# AMD64 1x 3.3x 2.4x
18# EM64T 1x 0.8x 1.5x
19#
20# In other words idea is to trade -25% AMD64 performance to compensate
21# for deterioration and gain +90% on EM64T core. Development branch
22# maintains best performance for either target, i.e. 3.3x for AMD64
23# and 1.5x for EM64T.
24
25$output=shift;
26
27open STDOUT,">$output" || die "can't open $output: $!";
28
29$dat="%rdi"; # arg1
30$len="%rsi"; # arg2
31$inp="%rdx"; # arg3
32$out="%rcx"; # arg4
33
34@XX=("%r8","%r10");
35@TX=("%r9","%r11");
36$YY="%r12";
37$TY="%r13";
38
39$code=<<___;;
40.text
41
42.globl RC4
43.type RC4,\@function
44.align 16
45RC4: or $len,$len
46 jne .Lentry
47 repret
48.Lentry:
49 push %r12
50 push %r13
51
52 add \$2,$dat
53 movzb -2($dat),$XX[0]#d
54 movzb -1($dat),$YY#d
55
56 add \$1,$XX[0]#b
57 movzb ($dat,$XX[0]),$TX[0]#d
58 test \$-8,$len
59 jz .Lcloop1
60 push %rbx
61.align 16 # incidentally aligned already
62.Lcloop8:
63 mov ($inp),%eax
64 mov 4($inp),%ebx
65___
66# unroll 2x4-wise, because 64-bit rotates kill Intel P4...
67for ($i=0;$i<4;$i++) {
68$code.=<<___;
69 add $TX[0]#b,$YY#b
70 lea 1($XX[0]),$XX[1]
71 movzb ($dat,$YY),$TY#d
72 movzb $XX[1]#b,$XX[1]#d
73 movzb ($dat,$XX[1]),$TX[1]#d
74 movb $TX[0]#b,($dat,$YY)
75 cmp $XX[1],$YY
76 movb $TY#b,($dat,$XX[0])
77 jne .Lcmov$i # Intel cmov is sloooow...
78 mov $TX[0],$TX[1]
79.Lcmov$i:
80 add $TX[0]#b,$TY#b
81 xor ($dat,$TY),%al
82 ror \$8,%eax
83___
84push(@TX,shift(@TX)); push(@XX,shift(@XX)); # "rotate" registers
85}
86for ($i=4;$i<8;$i++) {
87$code.=<<___;
88 add $TX[0]#b,$YY#b
89 lea 1($XX[0]),$XX[1]
90 movzb ($dat,$YY),$TY#d
91 movzb $XX[1]#b,$XX[1]#d
92 movzb ($dat,$XX[1]),$TX[1]#d
93 movb $TX[0]#b,($dat,$YY)
94 cmp $XX[1],$YY
95 movb $TY#b,($dat,$XX[0])
96 jne .Lcmov$i # Intel cmov is sloooow...
97 mov $TX[0],$TX[1]
98.Lcmov$i:
99 add $TX[0]#b,$TY#b
100 xor ($dat,$TY),%bl
101 ror \$8,%ebx
102___
103push(@TX,shift(@TX)); push(@XX,shift(@XX)); # "rotate" registers
104}
105$code.=<<___;
106 lea -8($len),$len
107 mov %eax,($out)
108 lea 8($inp),$inp
109 mov %ebx,4($out)
110 lea 8($out),$out
111
112 test \$-8,$len
113 jnz .Lcloop8
114 pop %rbx
115 cmp \$0,$len
116 jne .Lcloop1
117.Lexit:
118 sub \$1,$XX[0]#b
119 movb $XX[0]#b,-2($dat)
120 movb $YY#b,-1($dat)
121
122 pop %r13
123 pop %r12
124 repret
125
126.align 16
127.Lcloop1:
128 add $TX[0]#b,$YY#b
129 movzb ($dat,$YY),$TY#d
130 movb $TX[0]#b,($dat,$YY)
131 movb $TY#b,($dat,$XX[0])
132 add $TX[0]#b,$TY#b
133 add \$1,$XX[0]#b
134 movzb ($dat,$TY),$TY#d
135 movzb ($dat,$XX[0]),$TX[0]#d
136 xorb ($inp),$TY#b
137 lea 1($inp),$inp
138 movb $TY#b,($out)
139 lea 1($out),$out
140 sub \$1,$len
141 jnz .Lcloop1
142 jmp .Lexit
143.size RC4,.-RC4
144___
145
146$code =~ s/#([bwd])/$1/gm;
147
148$code =~ s/repret/.byte\t0xF3,0xC3/gm;
149
150print $code;
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
new file mode 100644
index 0000000000..2815628f5f
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_pss.c
@@ -0,0 +1,261 @@
1/* rsa_pss.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2005.
4 */
5/* ====================================================================
6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rsa.h>
63#include <openssl/evp.h>
64#include <openssl/rand.h>
65#include <openssl/sha.h>
66
67const static unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
68
69int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
70 const EVP_MD *Hash, const unsigned char *EM, int sLen)
71 {
72 int i;
73 int ret = 0;
74 int hLen, maskedDBLen, MSBits, emLen;
75 const unsigned char *H;
76 unsigned char *DB = NULL;
77 EVP_MD_CTX ctx;
78 unsigned char H_[EVP_MAX_MD_SIZE];
79
80 hLen = EVP_MD_size(Hash);
81 /*
82 * Negative sLen has special meanings:
83 * -1 sLen == hLen
84 * -2 salt length is autorecovered from signature
85 * -N reserved
86 */
87 if (sLen == -1) sLen = hLen;
88 else if (sLen == -2) sLen = -2;
89 else if (sLen < -2)
90 {
91 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
92 goto err;
93 }
94
95 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
96 emLen = RSA_size(rsa);
97 if (EM[0] & (0xFF << MSBits))
98 {
99 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID);
100 goto err;
101 }
102 if (MSBits == 0)
103 {
104 EM++;
105 emLen--;
106 }
107 if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
108 {
109 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE);
110 goto err;
111 }
112 if (EM[emLen - 1] != 0xbc)
113 {
114 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID);
115 goto err;
116 }
117 maskedDBLen = emLen - hLen - 1;
118 H = EM + maskedDBLen;
119 DB = OPENSSL_malloc(maskedDBLen);
120 if (!DB)
121 {
122 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE);
123 goto err;
124 }
125 PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash);
126 for (i = 0; i < maskedDBLen; i++)
127 DB[i] ^= EM[i];
128 if (MSBits)
129 DB[0] &= 0xFF >> (8 - MSBits);
130 for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
131 if (DB[i++] != 0x1)
132 {
133 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED);
134 goto err;
135 }
136 if (sLen >= 0 && (maskedDBLen - i) != sLen)
137 {
138 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
139 goto err;
140 }
141 EVP_MD_CTX_init(&ctx);
142 EVP_DigestInit_ex(&ctx, Hash, NULL);
143 EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
144 EVP_DigestUpdate(&ctx, mHash, hLen);
145 if (maskedDBLen - i)
146 EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i);
147 EVP_DigestFinal(&ctx, H_, NULL);
148 EVP_MD_CTX_cleanup(&ctx);
149 if (memcmp(H_, H, hLen))
150 {
151 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE);
152 ret = 0;
153 }
154 else
155 ret = 1;
156
157 err:
158 if (DB)
159 OPENSSL_free(DB);
160
161 return ret;
162
163 }
164
165int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
166 const unsigned char *mHash,
167 const EVP_MD *Hash, int sLen)
168 {
169 int i;
170 int ret = 0;
171 int hLen, maskedDBLen, MSBits, emLen;
172 unsigned char *H, *salt = NULL, *p;
173 EVP_MD_CTX ctx;
174
175 hLen = EVP_MD_size(Hash);
176 /*
177 * Negative sLen has special meanings:
178 * -1 sLen == hLen
179 * -2 salt length is maximized
180 * -N reserved
181 */
182 if (sLen == -1) sLen = hLen;
183 else if (sLen == -2) sLen = -2;
184 else if (sLen < -2)
185 {
186 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
187 goto err;
188 }
189
190 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
191 emLen = RSA_size(rsa);
192 if (MSBits == 0)
193 {
194 *EM++ = 0;
195 emLen--;
196 }
197 if (sLen == -2)
198 {
199 sLen = emLen - hLen - 2;
200 }
201 else if (emLen < (hLen + sLen + 2))
202 {
203 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
204 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
205 goto err;
206 }
207 if (sLen > 0)
208 {
209 salt = OPENSSL_malloc(sLen);
210 if (!salt)
211 {
212 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
213 ERR_R_MALLOC_FAILURE);
214 goto err;
215 }
216 if (!RAND_bytes(salt, sLen))
217 goto err;
218 }
219 maskedDBLen = emLen - hLen - 1;
220 H = EM + maskedDBLen;
221 EVP_MD_CTX_init(&ctx);
222 EVP_DigestInit_ex(&ctx, Hash, NULL);
223 EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
224 EVP_DigestUpdate(&ctx, mHash, hLen);
225 if (sLen)
226 EVP_DigestUpdate(&ctx, salt, sLen);
227 EVP_DigestFinal(&ctx, H, NULL);
228 EVP_MD_CTX_cleanup(&ctx);
229
230 /* Generate dbMask in place then perform XOR on it */
231 PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash);
232
233 p = EM;
234
235 /* Initial PS XORs with all zeroes which is a NOP so just update
236 * pointer. Note from a test above this value is guaranteed to
237 * be non-negative.
238 */
239 p += emLen - sLen - hLen - 2;
240 *p++ ^= 0x1;
241 if (sLen > 0)
242 {
243 for (i = 0; i < sLen; i++)
244 *p++ ^= salt[i];
245 }
246 if (MSBits)
247 EM[0] &= 0xFF >> (8 - MSBits);
248
249 /* H is already in place so just set final 0xbc */
250
251 EM[emLen - 1] = 0xbc;
252
253 ret = 1;
254
255 err:
256 if (salt)
257 OPENSSL_free(salt);
258
259 return ret;
260
261 }
diff --git a/src/lib/libcrypto/rsa/rsa_x931.c b/src/lib/libcrypto/rsa/rsa_x931.c
new file mode 100644
index 0000000000..df3c45f802
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_x931.c
@@ -0,0 +1,177 @@
1/* rsa_x931.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2005.
4 */
5/* ====================================================================
6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rsa.h>
63#include <openssl/rand.h>
64#include <openssl/objects.h>
65
66int RSA_padding_add_X931(unsigned char *to, int tlen,
67 const unsigned char *from, int flen)
68 {
69 int j;
70 unsigned char *p;
71
72 /* Absolute minimum amount of padding is 1 header nibble, 1 padding
73 * nibble and 2 trailer bytes: but 1 hash if is already in 'from'.
74 */
75
76 j = tlen - flen - 2;
77
78 if (j < 0)
79 {
80 RSAerr(RSA_F_RSA_PADDING_ADD_X931,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
81 return -1;
82 }
83
84 p=(unsigned char *)to;
85
86 /* If no padding start and end nibbles are in one byte */
87 if (j == 0)
88 *p++ = 0x6A;
89 else
90 {
91 *p++ = 0x6B;
92 if (j > 1)
93 {
94 memset(p, 0xBB, j - 1);
95 p += j - 1;
96 }
97 *p++ = 0xBA;
98 }
99 memcpy(p,from,(unsigned int)flen);
100 p += flen;
101 *p = 0xCC;
102 return(1);
103 }
104
105int RSA_padding_check_X931(unsigned char *to, int tlen,
106 const unsigned char *from, int flen, int num)
107 {
108 int i,j;
109 const unsigned char *p;
110
111 p=from;
112 if ((num != flen) || ((*p != 0x6A) && (*p != 0x6B)))
113 {
114 RSAerr(RSA_F_RSA_PADDING_CHECK_X931,RSA_R_INVALID_HEADER);
115 return -1;
116 }
117
118 if (*p++ == 0x6B)
119 {
120 j=flen-3;
121 for (i = 0; i < j; i++)
122 {
123 unsigned char c = *p++;
124 if (c == 0xBA)
125 break;
126 if (c != 0xBB)
127 {
128 RSAerr(RSA_F_RSA_PADDING_CHECK_X931,
129 RSA_R_INVALID_PADDING);
130 return -1;
131 }
132 }
133
134 j -= i;
135
136 if (i == 0)
137 {
138 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_PADDING);
139 return -1;
140 }
141
142 }
143 else j = flen - 2;
144
145 if (p[j] != 0xCC)
146 {
147 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_TRAILER);
148 return -1;
149 }
150
151 memcpy(to,p,(unsigned int)j);
152
153 return(j);
154 }
155
156/* Translate between X931 hash ids and NIDs */
157
158int RSA_X931_hash_id(int nid)
159 {
160 switch (nid)
161 {
162 case NID_sha1:
163 return 0x33;
164
165 case NID_sha256:
166 return 0x34;
167
168 case NID_sha384:
169 return 0x36;
170
171 case NID_sha512:
172 return 0x35;
173
174 }
175 return -1;
176 }
177
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 00:38:18 +0000