Absolute File Name: | /home/opencoverage/opencoverage/guest-scripts/libressl/src/crypto/rsa/rsa_sign.c |
Source code | Switch to Preprocessed file |
Line | Source | Count | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | /* $OpenBSD: rsa_sign.c,v 1.31 2018/09/05 00:55:33 djm Exp $ */ | - | ||||||||||||
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | - | ||||||||||||
3 | * All rights reserved. | - | ||||||||||||
4 | * | - | ||||||||||||
5 | * This package is an SSL implementation written | - | ||||||||||||
6 | * by Eric Young (eay@cryptsoft.com). | - | ||||||||||||
7 | * The implementation was written so as to conform with Netscapes SSL. | - | ||||||||||||
8 | * | - | ||||||||||||
9 | * This library is free for commercial and non-commercial use as long as | - | ||||||||||||
10 | * the following conditions are aheared to. The following conditions | - | ||||||||||||
11 | * apply to all code found in this distribution, be it the RC4, RSA, | - | ||||||||||||
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | - | ||||||||||||
13 | * included with this distribution is covered by the same copyright terms | - | ||||||||||||
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | - | ||||||||||||
15 | * | - | ||||||||||||
16 | * Copyright remains Eric Young's, and as such any Copyright notices in | - | ||||||||||||
17 | * the code are not to be removed. | - | ||||||||||||
18 | * If this package is used in a product, Eric Young should be given attribution | - | ||||||||||||
19 | * as the author of the parts of the library used. | - | ||||||||||||
20 | * This can be in the form of a textual message at program startup or | - | ||||||||||||
21 | * in documentation (online or textual) provided with the package. | - | ||||||||||||
22 | * | - | ||||||||||||
23 | * Redistribution and use in source and binary forms, with or without | - | ||||||||||||
24 | * modification, are permitted provided that the following conditions | - | ||||||||||||
25 | * are met: | - | ||||||||||||
26 | * 1. Redistributions of source code must retain the copyright | - | ||||||||||||
27 | * notice, this list of conditions and the following disclaimer. | - | ||||||||||||
28 | * 2. Redistributions in binary form must reproduce the above copyright | - | ||||||||||||
29 | * notice, this list of conditions and the following disclaimer in the | - | ||||||||||||
30 | * documentation and/or other materials provided with the distribution. | - | ||||||||||||
31 | * 3. All advertising materials mentioning features or use of this software | - | ||||||||||||
32 | * must display the following acknowledgement: | - | ||||||||||||
33 | * "This product includes cryptographic software written by | - | ||||||||||||
34 | * Eric Young (eay@cryptsoft.com)" | - | ||||||||||||
35 | * The word 'cryptographic' can be left out if the rouines from the library | - | ||||||||||||
36 | * being used are not cryptographic related :-). | - | ||||||||||||
37 | * 4. If you include any Windows specific code (or a derivative thereof) from | - | ||||||||||||
38 | * the apps directory (application code) you must include an acknowledgement: | - | ||||||||||||
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | - | ||||||||||||
40 | * | - | ||||||||||||
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | - | ||||||||||||
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | - | ||||||||||||
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | - | ||||||||||||
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | - | ||||||||||||
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | - | ||||||||||||
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | - | ||||||||||||
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | - | ||||||||||||
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | - | ||||||||||||
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | - | ||||||||||||
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | - | ||||||||||||
51 | * SUCH DAMAGE. | - | ||||||||||||
52 | * | - | ||||||||||||
53 | * The licence and distribution terms for any publically available version or | - | ||||||||||||
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | - | ||||||||||||
55 | * copied and put under another distribution licence | - | ||||||||||||
56 | * [including the GNU Public Licence.] | - | ||||||||||||
57 | */ | - | ||||||||||||
58 | - | |||||||||||||
59 | #include <stdio.h> | - | ||||||||||||
60 | #include <string.h> | - | ||||||||||||
61 | - | |||||||||||||
62 | #include <openssl/bn.h> | - | ||||||||||||
63 | #include <openssl/err.h> | - | ||||||||||||
64 | #include <openssl/objects.h> | - | ||||||||||||
65 | #include <openssl/rsa.h> | - | ||||||||||||
66 | #include <openssl/x509.h> | - | ||||||||||||
67 | - | |||||||||||||
68 | #include "rsa_locl.h" | - | ||||||||||||
69 | - | |||||||||||||
70 | /* Size of an SSL signature: MD5+SHA1 */ | - | ||||||||||||
71 | #define SSL_SIG_LENGTH 36 | - | ||||||||||||
72 | - | |||||||||||||
73 | static int encode_pkcs1(unsigned char **, int *, int , const unsigned char *, | - | ||||||||||||
74 | unsigned int); | - | ||||||||||||
75 | - | |||||||||||||
76 | /* | - | ||||||||||||
77 | * encode_pkcs1 encodes a DigestInfo prefix of hash `type' and digest `m', as | - | ||||||||||||
78 | * described in EMSA-PKCS-v1_5-ENCODE, RFC 8017 section 9. step 2. This | - | ||||||||||||
79 | * encodes the DigestInfo (T and tLen) but does not add the padding. | - | ||||||||||||
80 | * | - | ||||||||||||
81 | * On success, it returns one and sets `*out' to a newly allocated buffer | - | ||||||||||||
82 | * containing the result and `*out_len' to its length. Freeing `*out' is | - | ||||||||||||
83 | * the caller's responsibility. Failure is indicated by zero. | - | ||||||||||||
84 | */ | - | ||||||||||||
85 | static int | - | ||||||||||||
86 | encode_pkcs1(unsigned char **out, int *out_len, int type, | - | ||||||||||||
87 | const unsigned char *m, unsigned int m_len) | - | ||||||||||||
88 | { | - | ||||||||||||
89 | X509_SIG sig; | - | ||||||||||||
90 | X509_ALGOR algor; | - | ||||||||||||
91 | ASN1_TYPE parameter; | - | ||||||||||||
92 | ASN1_OCTET_STRING digest; | - | ||||||||||||
93 | uint8_t *der = NULL; | - | ||||||||||||
94 | int len; | - | ||||||||||||
95 | - | |||||||||||||
96 | sig.algor = &algor; | - | ||||||||||||
97 | if ((sig.algor->algorithm = OBJ_nid2obj(type)) == NULL) {
| 0-142 | ||||||||||||
98 | RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE); | - | ||||||||||||
99 | return 0; never executed: return 0; | 0 | ||||||||||||
100 | } | - | ||||||||||||
101 | if (sig.algor->algorithm->length == 0) {
| 0-142 | ||||||||||||
102 | RSAerror( | - | ||||||||||||
103 | RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD); | - | ||||||||||||
104 | return 0; never executed: return 0; | 0 | ||||||||||||
105 | } | - | ||||||||||||
106 | parameter.type = V_ASN1_NULL; | - | ||||||||||||
107 | parameter.value.ptr = NULL; | - | ||||||||||||
108 | sig.algor->parameter = ¶meter; | - | ||||||||||||
109 | - | |||||||||||||
110 | sig.digest = &digest; | - | ||||||||||||
111 | sig.digest->data = (unsigned char*)m; /* TMP UGLY CAST */ | - | ||||||||||||
112 | sig.digest->length = m_len; | - | ||||||||||||
113 | - | |||||||||||||
114 | if ((len = i2d_X509_SIG(&sig, &der)) < 0)
| 0-142 | ||||||||||||
115 | return 0; never executed: return 0; | 0 | ||||||||||||
116 | - | |||||||||||||
117 | *out = der; | - | ||||||||||||
118 | *out_len = len; | - | ||||||||||||
119 | - | |||||||||||||
120 | return 1; executed 142 times by 5 tests: return 1; Executed by:
| 142 | ||||||||||||
121 | } | - | ||||||||||||
122 | - | |||||||||||||
123 | int | - | ||||||||||||
124 | RSA_sign(int type, const unsigned char *m, unsigned int m_len, | - | ||||||||||||
125 | unsigned char *sigret, unsigned int *siglen, RSA *rsa) | - | ||||||||||||
126 | { | - | ||||||||||||
127 | const unsigned char *encoded = NULL; | - | ||||||||||||
128 | unsigned char *tmps = NULL; | - | ||||||||||||
129 | int encrypt_len, encoded_len = 0, ret = 0; | - | ||||||||||||
130 | - | |||||||||||||
131 | if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign != NULL)
| 0-51 | ||||||||||||
132 | return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); never executed: return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); | 0 | ||||||||||||
133 | - | |||||||||||||
134 | /* Compute the encoded digest. */ | - | ||||||||||||
135 | if (type == NID_md5_sha1) {
| 15-36 | ||||||||||||
136 | /* | - | ||||||||||||
137 | * NID_md5_sha1 corresponds to the MD5/SHA1 combination in | - | ||||||||||||
138 | * TLS 1.1 and earlier. It has no DigestInfo wrapper but | - | ||||||||||||
139 | * otherwise is RSASSA-PKCS-v1.5. | - | ||||||||||||
140 | */ | - | ||||||||||||
141 | if (m_len != SSL_SIG_LENGTH) {
| 0-15 | ||||||||||||
142 | RSAerror(RSA_R_INVALID_DIGEST_LENGTH); | - | ||||||||||||
143 | return 0; never executed: return 0; | 0 | ||||||||||||
144 | } | - | ||||||||||||
145 | encoded_len = SSL_SIG_LENGTH; | - | ||||||||||||
146 | encoded = m; | - | ||||||||||||
147 | } else { executed 15 times by 2 tests: end of block Executed by:
| 15 | ||||||||||||
148 | if (!encode_pkcs1(&tmps, &encoded_len, type, m, m_len))
| 0-36 | ||||||||||||
149 | goto err; never executed: goto err; | 0 | ||||||||||||
150 | encoded = tmps; | - | ||||||||||||
151 | } executed 36 times by 5 tests: end of block Executed by:
| 36 | ||||||||||||
152 | if (encoded_len > RSA_size(rsa) - RSA_PKCS1_PADDING_SIZE) {
| 0-51 | ||||||||||||
153 | RSAerror(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); | - | ||||||||||||
154 | goto err; never executed: goto err; | 0 | ||||||||||||
155 | } | - | ||||||||||||
156 | if ((encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret,
| 0-51 | ||||||||||||
157 | rsa, RSA_PKCS1_PADDING)) <= 0)
| 0-51 | ||||||||||||
158 | goto err; never executed: goto err; | 0 | ||||||||||||
159 | - | |||||||||||||
160 | *siglen = encrypt_len; | - | ||||||||||||
161 | ret = 1; | - | ||||||||||||
162 | - | |||||||||||||
163 | err: code before this statement executed 51 times by 5 tests: err: Executed by:
| 51 | ||||||||||||
164 | freezero(tmps, (size_t)encoded_len); | - | ||||||||||||
165 | return (ret); executed 51 times by 5 tests: return (ret); Executed by:
| 51 | ||||||||||||
166 | } | - | ||||||||||||
167 | - | |||||||||||||
168 | /* | - | ||||||||||||
169 | * int_rsa_verify verifies an RSA signature in `sigbuf' using `rsa'. It may be | - | ||||||||||||
170 | * called in two modes. If `rm' is NULL, it verifies the signature for the | - | ||||||||||||
171 | * digest `m'. Otherwise, it recovers the digest from the signature, writing the | - | ||||||||||||
172 | * digest to `rm' and the length to `*prm_len'. `type' is the NID of the digest | - | ||||||||||||
173 | * algorithm to use. It returns one on successful verification and zero | - | ||||||||||||
174 | * otherwise. | - | ||||||||||||
175 | */ | - | ||||||||||||
176 | int | - | ||||||||||||
177 | int_rsa_verify(int type, const unsigned char *m, unsigned int m_len, | - | ||||||||||||
178 | unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf, | - | ||||||||||||
179 | size_t siglen, RSA *rsa) | - | ||||||||||||
180 | { | - | ||||||||||||
181 | unsigned char *decrypt_buf, *encoded = NULL; | - | ||||||||||||
182 | int decrypt_len, encoded_len = 0, ret = 0; | - | ||||||||||||
183 | - | |||||||||||||
184 | if (siglen != (size_t)RSA_size(rsa)) {
| 0-120 | ||||||||||||
185 | RSAerror(RSA_R_WRONG_SIGNATURE_LENGTH); | - | ||||||||||||
186 | return 0; never executed: return 0; | 0 | ||||||||||||
187 | } | - | ||||||||||||
188 | - | |||||||||||||
189 | /* Recover the encoded digest. */ | - | ||||||||||||
190 | if ((decrypt_buf = malloc(siglen)) == NULL) {
| 0-120 | ||||||||||||
191 | RSAerror(ERR_R_MALLOC_FAILURE); | - | ||||||||||||
192 | goto err; never executed: goto err; | 0 | ||||||||||||
193 | } | - | ||||||||||||
194 | if ((decrypt_len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf,
| 0-120 | ||||||||||||
195 | rsa, RSA_PKCS1_PADDING)) <= 0)
| 0-120 | ||||||||||||
196 | goto err; never executed: goto err; | 0 | ||||||||||||
197 | - | |||||||||||||
198 | if (type == NID_md5_sha1) {
| 14-106 | ||||||||||||
199 | /* | - | ||||||||||||
200 | * NID_md5_sha1 corresponds to the MD5/SHA1 combination in | - | ||||||||||||
201 | * TLS 1.1 and earlier. It has no DigestInfo wrapper but | - | ||||||||||||
202 | * otherwise is RSASSA-PKCS1-v1_5. | - | ||||||||||||
203 | */ | - | ||||||||||||
204 | if (decrypt_len != SSL_SIG_LENGTH) {
| 0-14 | ||||||||||||
205 | RSAerror(RSA_R_INVALID_DIGEST_LENGTH); | - | ||||||||||||
206 | goto err; never executed: goto err; | 0 | ||||||||||||
207 | } | - | ||||||||||||
208 | - | |||||||||||||
209 | if (rm != NULL) {
| 0-14 | ||||||||||||
210 | memcpy(rm, decrypt_buf, SSL_SIG_LENGTH); | - | ||||||||||||
211 | *prm_len = SSL_SIG_LENGTH; | - | ||||||||||||
212 | } else { never executed: end of block | 0 | ||||||||||||
213 | if (m_len != SSL_SIG_LENGTH) {
| 0-14 | ||||||||||||
214 | RSAerror(RSA_R_INVALID_MESSAGE_LENGTH); | - | ||||||||||||
215 | goto err; never executed: goto err; | 0 | ||||||||||||
216 | } | - | ||||||||||||
217 | if (timingsafe_bcmp(decrypt_buf,
| 0-14 | ||||||||||||
218 | m, SSL_SIG_LENGTH) != 0) {
| 0-14 | ||||||||||||
219 | RSAerror(RSA_R_BAD_SIGNATURE); | - | ||||||||||||
220 | goto err; never executed: goto err; | 0 | ||||||||||||
221 | } | - | ||||||||||||
222 | } executed 14 times by 1 test: end of block Executed by:
| 14 | ||||||||||||
223 | } else { | - | ||||||||||||
224 | /* | - | ||||||||||||
225 | * If recovering the digest, extract a digest-sized output from | - | ||||||||||||
226 | * the end of `decrypt_buf' for `encode_pkcs1', then compare the | - | ||||||||||||
227 | * decryption output as in a standard verification. | - | ||||||||||||
228 | */ | - | ||||||||||||
229 | if (rm != NULL) {
| 0-106 | ||||||||||||
230 | const EVP_MD *md; | - | ||||||||||||
231 | - | |||||||||||||
232 | if ((md = EVP_get_digestbynid(type)) == NULL) {
| 0 | ||||||||||||
233 | RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE); | - | ||||||||||||
234 | goto err; never executed: goto err; | 0 | ||||||||||||
235 | } | - | ||||||||||||
236 | if ((m_len = EVP_MD_size(md)) > (size_t)decrypt_len) {
| 0 | ||||||||||||
237 | RSAerror(RSA_R_INVALID_DIGEST_LENGTH); | - | ||||||||||||
238 | goto err; never executed: goto err; | 0 | ||||||||||||
239 | } | - | ||||||||||||
240 | m = decrypt_buf + decrypt_len - m_len; | - | ||||||||||||
241 | } never executed: end of block | 0 | ||||||||||||
242 | - | |||||||||||||
243 | /* Construct the encoded digest and ensure it matches */ | - | ||||||||||||
244 | if (!encode_pkcs1(&encoded, &encoded_len, type, m, m_len))
| 0-106 | ||||||||||||
245 | goto err; never executed: goto err; | 0 | ||||||||||||
246 | - | |||||||||||||
247 | if (encoded_len != decrypt_len ||
| 0-106 | ||||||||||||
248 | timingsafe_bcmp(encoded, decrypt_buf, encoded_len) != 0) {
| 0-106 | ||||||||||||
249 | RSAerror(RSA_R_BAD_SIGNATURE); | - | ||||||||||||
250 | goto err; never executed: goto err; | 0 | ||||||||||||
251 | } | - | ||||||||||||
252 | - | |||||||||||||
253 | /* Output the recovered digest. */ | - | ||||||||||||
254 | if (rm != NULL) {
| 0-106 | ||||||||||||
255 | memcpy(rm, m, m_len); | - | ||||||||||||
256 | *prm_len = m_len; | - | ||||||||||||
257 | } never executed: end of block | 0 | ||||||||||||
258 | } executed 106 times by 3 tests: end of block Executed by:
| 106 | ||||||||||||
259 | - | |||||||||||||
260 | ret = 1; | - | ||||||||||||
261 | err: code before this statement executed 120 times by 3 tests: err: Executed by:
| 120 | ||||||||||||
262 | freezero(encoded, (size_t)encoded_len); | - | ||||||||||||
263 | freezero(decrypt_buf, siglen); | - | ||||||||||||
264 | return ret; executed 120 times by 3 tests: return ret; Executed by:
| 120 | ||||||||||||
265 | } | - | ||||||||||||
266 | - | |||||||||||||
267 | int | - | ||||||||||||
268 | RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, | - | ||||||||||||
269 | const unsigned char *sigbuf, unsigned int siglen, RSA *rsa) | - | ||||||||||||
270 | { | - | ||||||||||||
271 | if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
| 0-120 | ||||||||||||
272 | return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, never executed: return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa); | 0 | ||||||||||||
273 | rsa); never executed: return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa); | 0 | ||||||||||||
274 | - | |||||||||||||
275 | return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa); executed 120 times by 3 tests: return int_rsa_verify(dtype, m, m_len, ((void *)0) , ((void *)0) , sigbuf, siglen, rsa); Executed by:
| 120 | ||||||||||||
276 | } | - | ||||||||||||
Source code | Switch to Preprocessed file |