OpenCoverage

rsa_sign.c

Absolute File Name:

/home/opencoverage/opencoverage/guest-scripts/libressl/src/crypto/rsa/rsa_sign.c

Source code

Switch to Preprocessed file

Line Source Count

1 /* $OpenBSD: rsa_sign.c,v 1.31 2018/09/05 00:55:33 djm Exp $ */ -

4 * -

5 * This package is an SSL implementation written -

6 * by Eric Young (eay@cryptsoft.com). -

7 * The implementation was written so as to conform with Netscapes SSL. -

8 * -

9 * This library is free for commercial and non-commercial use as long as -

10 * the following conditions are aheared to. The following conditions -

11 * apply to all code found in this distribution, be it the RC4, RSA, -

12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation -

13 * included with this distribution is covered by the same copyright terms -

14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). -

15 * -

16 * Copyright remains Eric Young's, and as such any Copyright notices in -

17 * the code are not to be removed. -

18 * If this package is used in a product, Eric Young should be given attribution -

19 * as the author of the parts of the library used. -

20 * This can be in the form of a textual message at program startup or -

21 * in documentation (online or textual) provided with the package. -

22 * -

23 * Redistribution and use in source and binary forms, with or without -

24 * modification, are permitted provided that the following conditions -

25 * are met: -

26 * 1. Redistributions of source code must retain the copyright -

27 * notice, this list of conditions and the following disclaimer. -

28 * 2. Redistributions in binary form must reproduce the above copyright -

29 * notice, this list of conditions and the following disclaimer in the -

30 * documentation and/or other materials provided with the distribution. -

31 * 3. All advertising materials mentioning features or use of this software -

32 * must display the following acknowledgement: -

33 * "This product includes cryptographic software written by -

34 * Eric Young (eay@cryptsoft.com)" -

35 * The word 'cryptographic' can be left out if the rouines from the library -

36 * being used are not cryptographic related :-). -

37 * 4. If you include any Windows specific code (or a derivative thereof) from -

38 * the apps directory (application code) you must include an acknowledgement: -

39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -

40 * -

41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -

42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -

43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -

44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -

45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -

46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -

47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -

48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -

49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -

50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -

51 * SUCH DAMAGE. -

52 * -

53 * The licence and distribution terms for any publically available version or -

54 * derivative of this code cannot be changed. i.e. this code cannot simply be -

55 * copied and put under another distribution licence -

56 * [including the GNU Public Licence.] -

57 */ -

58 -

59 #include <stdio.h> -

60 #include <string.h> -

61 -

62 #include <openssl/bn.h> -

63 #include <openssl/err.h> -

64 #include <openssl/objects.h> -

65 #include <openssl/rsa.h> -

66 #include <openssl/x509.h> -

67 -

68 #include "rsa_locl.h" -

69 -

70 /* Size of an SSL signature: MD5+SHA1 */ -

71 #define SSL_SIG_LENGTH 36 -

72 -

73 static int encode_pkcs1(unsigned char **, int *, int , const unsigned char *, -

74 unsigned int); -

75 -

76 /* -

77 * encode_pkcs1 encodes a DigestInfo prefix of hash `type' and digest `m', as -

78 * described in EMSA-PKCS-v1_5-ENCODE, RFC 8017 section 9. step 2. This -

79 * encodes the DigestInfo (T and tLen) but does not add the padding. -

80 * -

81 * On success, it returns one and sets `*out' to a newly allocated buffer -

82 * containing the result and `*out_len' to its length. Freeing `*out' is -

83 * the caller's responsibility. Failure is indicated by zero. -

84 */ -

85 static int -

86 encode_pkcs1(unsigned char **out, int *out_len, int type, -

87 const unsigned char *m, unsigned int m_len) -

88 { -

89 X509_SIG sig; -

90 X509_ALGOR algor; -

91 ASN1_TYPE parameter; -

92 ASN1_OCTET_STRING digest; -

93 uint8_t *der = NULL; -

94 int len; -

95 -

96 sig.algor = &algor; -

if ((sig.algor->algorithm = OBJ_nid2obj(type)) == NULL) {

(sig.algor->al...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 142 times by 5 tests Evaluated by: libcrypto.so.44.0.1 pkcs7test servertest ssltest tlstest

0-142

98 RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE); -

return 0;

never executed: return 0;

100 } -

101

if (sig.algor->algorithm->length == 0) {

sig.algor->alg...m->length == 0	Description
TRUE	never evaluated
FALSE	evaluated 142 times by 5 tests Evaluated by: libcrypto.so.44.0.1 pkcs7test servertest ssltest tlstest

0-142

102 RSAerror( -

103 RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD); -

104

return 0;

never executed: return 0;

105 } -

106 parameter.type = V_ASN1_NULL; -

107 parameter.value.ptr = NULL; -

108 sig.algor->parameter = &parameter; -

109 -

110 sig.digest = &digest; -

111 sig.digest->data = (unsigned char*)m; /* TMP UGLY CAST */ -

112 sig.digest->length = m_len; -

113 -

114

if ((len = i2d_X509_SIG(&sig, &der)) < 0)

(len = i2d_X50...ig, &der)) < 0	Description
TRUE	never evaluated
FALSE	evaluated 142 times by 5 tests Evaluated by: libcrypto.so.44.0.1 pkcs7test servertest ssltest tlstest

0-142

115

return 0;

never executed: return 0;

116 -

117 *out = der; -

118 *out_len = len; -

119 -

120

return 1;

executed 142 times by 5 tests: return 1;

Executed by:

libcrypto.so.44.0.1
pkcs7test
servertest
ssltest
tlstest

142

121 } -

122 -

123 int -

124 RSA_sign(int type, const unsigned char *m, unsigned int m_len, -

125 unsigned char *sigret, unsigned int *siglen, RSA *rsa) -

126 { -

127 const unsigned char *encoded = NULL; -

128 unsigned char *tmps = NULL; -

129 int encrypt_len, encoded_len = 0, ret = 0; -

130 -

131

if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign != NULL)

(rsa->flags & 0x0040)	Description
TRUE	never evaluated
FALSE	evaluated 51 times by 5 tests Evaluated by: libcrypto.so.44.0.1 pkcs7test servertest ssltest tlstest

rsa->meth->rsa...!= ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

0-51

132

return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);

never executed: return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);

133 -

134 /* Compute the encoded digest. */ -

135

if (type == NID_md5_sha1) {

type == 114	Description
TRUE	evaluated 15 times by 2 tests Evaluated by: servertest ssltest
FALSE	evaluated 36 times by 5 tests Evaluated by: libcrypto.so.44.0.1 pkcs7test servertest ssltest tlstest

15-36

136 /* -

137 * NID_md5_sha1 corresponds to the MD5/SHA1 combination in -

138 * TLS 1.1 and earlier. It has no DigestInfo wrapper but -

139 * otherwise is RSASSA-PKCS-v1.5. -

140 */ -

141

if (m_len != SSL_SIG_LENGTH) {

m_len != 36	Description
TRUE	never evaluated
FALSE	evaluated 15 times by 2 tests Evaluated by: servertest ssltest

0-15

142 RSAerror(RSA_R_INVALID_DIGEST_LENGTH); -

143

return 0;

never executed: return 0;

144 } -

145 encoded_len = SSL_SIG_LENGTH; -

146 encoded = m; -

147

} else {

executed 15 times by 2 tests: end of block

Executed by:

servertest
ssltest

148

if (!encode_pkcs1(&tmps, &encoded_len, type, m, m_len))

!encode_pkcs1(...ype, m, m_len)	Description
TRUE	never evaluated
FALSE	evaluated 36 times by 5 tests Evaluated by: libcrypto.so.44.0.1 pkcs7test servertest ssltest tlstest

0-36

149

goto err;

never executed: goto err;

150 encoded = tmps; -

151

}

executed 36 times by 5 tests: end of block

Executed by:

libcrypto.so.44.0.1
pkcs7test
servertest
ssltest
tlstest

152

if (encoded_len > RSA_size(rsa) - RSA_PKCS1_PADDING_SIZE) {

encoded_len > ...size(rsa) - 11	Description
TRUE	never evaluated
FALSE	evaluated 51 times by 5 tests Evaluated by: libcrypto.so.44.0.1 pkcs7test servertest ssltest tlstest

0-51

153 RSAerror(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); -

154

goto err;

never executed: goto err;

155 } -

156

if ((encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret,

(encrypt_len =... rsa, 1)) <= 0	Description
TRUE	never evaluated
FALSE	evaluated 51 times by 5 tests Evaluated by: libcrypto.so.44.0.1 pkcs7test servertest ssltest tlstest

0-51

157

rsa, RSA_PKCS1_PADDING)) <= 0)

(encrypt_len =... rsa, 1)) <= 0	Description
TRUE	never evaluated
FALSE	evaluated 51 times by 5 tests Evaluated by: libcrypto.so.44.0.1 pkcs7test servertest ssltest tlstest

0-51

158

goto err;

never executed: goto err;

159 -

160 *siglen = encrypt_len; -

161 ret = 1; -

162 -

163

err:

code before this statement executed 51 times by 5 tests: err:

Executed by:

libcrypto.so.44.0.1
pkcs7test
servertest
ssltest
tlstest

164 freezero(tmps, (size_t)encoded_len); -

165

return (ret);

executed 51 times by 5 tests: return (ret);

Executed by:

libcrypto.so.44.0.1
pkcs7test
servertest
ssltest
tlstest

166 } -

167 -

168 /* -

169 * int_rsa_verify verifies an RSA signature in `sigbuf' using `rsa'. It may be -

170 * called in two modes. If `rm' is NULL, it verifies the signature for the -

171 * digest `m'. Otherwise, it recovers the digest from the signature, writing the -

172 * digest to `rm' and the length to `*prm_len'. `type' is the NID of the digest -

173 * algorithm to use. It returns one on successful verification and zero -

174 * otherwise. -

175 */ -

176 int -

177 int_rsa_verify(int type, const unsigned char *m, unsigned int m_len, -

178 unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf, -

179 size_t siglen, RSA *rsa) -

180 { -

181 unsigned char *decrypt_buf, *encoded = NULL; -

182 int decrypt_len, encoded_len = 0, ret = 0; -

183 -

184

if (siglen != (size_t)RSA_size(rsa)) {

siglen != (siz...)RSA_size(rsa)	Description
TRUE	never evaluated
FALSE	evaluated 120 times by 3 tests Evaluated by: pkcs7test ssltest tlstest

0-120

185 RSAerror(RSA_R_WRONG_SIGNATURE_LENGTH); -

186

return 0;

never executed: return 0;

187 } -

188 -

189 /* Recover the encoded digest. */ -

190

if ((decrypt_buf = malloc(siglen)) == NULL) {

(decrypt_buf =...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 120 times by 3 tests Evaluated by: pkcs7test ssltest tlstest

0-120

191 RSAerror(ERR_R_MALLOC_FAILURE); -

192

goto err;

never executed: goto err;

193 } -

194

if ((decrypt_len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf,

(decrypt_len =... rsa, 1)) <= 0	Description
TRUE	never evaluated
FALSE	evaluated 120 times by 3 tests Evaluated by: pkcs7test ssltest tlstest

0-120

195

rsa, RSA_PKCS1_PADDING)) <= 0)

(decrypt_len =... rsa, 1)) <= 0	Description
TRUE	never evaluated
FALSE	evaluated 120 times by 3 tests Evaluated by: pkcs7test ssltest tlstest

0-120

196

goto err;

never executed: goto err;

197 -

198

if (type == NID_md5_sha1) {

type == 114	Description
TRUE	evaluated 14 times by 1 test Evaluated by: ssltest
FALSE	evaluated 106 times by 3 tests Evaluated by: pkcs7test ssltest tlstest

14-106

199 /* -

200 * NID_md5_sha1 corresponds to the MD5/SHA1 combination in -

201 * TLS 1.1 and earlier. It has no DigestInfo wrapper but -

202 * otherwise is RSASSA-PKCS1-v1_5. -

203 */ -

204

if (decrypt_len != SSL_SIG_LENGTH) {

decrypt_len != 36	Description
TRUE	never evaluated
FALSE	evaluated 14 times by 1 test Evaluated by: ssltest

0-14

205 RSAerror(RSA_R_INVALID_DIGEST_LENGTH); -

206

goto err;

never executed: goto err;

207 } -

208 -

209

if (rm != NULL) {

rm != ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 14 times by 1 test Evaluated by: ssltest

0-14

210 memcpy(rm, decrypt_buf, SSL_SIG_LENGTH); -

211 *prm_len = SSL_SIG_LENGTH; -

212

} else {

never executed: end of block

213

if (m_len != SSL_SIG_LENGTH) {

m_len != 36	Description
TRUE	never evaluated
FALSE	evaluated 14 times by 1 test Evaluated by: ssltest

0-14

214 RSAerror(RSA_R_INVALID_MESSAGE_LENGTH); -

215

goto err;

never executed: goto err;

216 } -

217

if (timingsafe_bcmp(decrypt_buf,

timingsafe_bcm...f, m, 36) != 0	Description
TRUE	never evaluated
FALSE	evaluated 14 times by 1 test Evaluated by: ssltest

0-14

218

m, SSL_SIG_LENGTH) != 0) {

timingsafe_bcm...f, m, 36) != 0	Description
TRUE	never evaluated
FALSE	evaluated 14 times by 1 test Evaluated by: ssltest

0-14

219 RSAerror(RSA_R_BAD_SIGNATURE); -

220

goto err;

never executed: goto err;

221 } -

222

}

executed 14 times by 1 test: end of block

Executed by:

ssltest

223 } else { -

224 /* -

225 * If recovering the digest, extract a digest-sized output from -

226 * the end of `decrypt_buf' for `encode_pkcs1', then compare the -

227 * decryption output as in a standard verification. -

228 */ -

229

if (rm != NULL) {

rm != ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 106 times by 3 tests Evaluated by: pkcs7test ssltest tlstest

0-106

230 const EVP_MD *md; -

231 -

232

if ((md = EVP_get_digestbynid(type)) == NULL) {

(md = EVP_get_...== ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

233 RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE); -

234

goto err;

never executed: goto err;

235 } -

236

if ((m_len = EVP_MD_size(md)) > (size_t)decrypt_len) {

(m_len = EVP_M..._t)decrypt_len	Description
TRUE	never evaluated
FALSE	never evaluated

237 RSAerror(RSA_R_INVALID_DIGEST_LENGTH); -

238

goto err;

never executed: goto err;

239 } -

240 m = decrypt_buf + decrypt_len - m_len; -

241

}

never executed: end of block

242 -

243 /* Construct the encoded digest and ensure it matches */ -

244

if (!encode_pkcs1(&encoded, &encoded_len, type, m, m_len))

!encode_pkcs1(...ype, m, m_len)	Description
TRUE	never evaluated
FALSE	evaluated 106 times by 3 tests Evaluated by: pkcs7test ssltest tlstest

0-106

245

goto err;

never executed: goto err;

246 -

247

if (encoded_len != decrypt_len ||

encoded_len != decrypt_len	Description
TRUE	never evaluated
FALSE	evaluated 106 times by 3 tests Evaluated by: pkcs7test ssltest tlstest

0-106

248

timingsafe_bcmp(encoded, decrypt_buf, encoded_len) != 0) {

timingsafe_bcm...oded_len) != 0	Description
TRUE	never evaluated
FALSE	evaluated 106 times by 3 tests Evaluated by: pkcs7test ssltest tlstest

0-106

249 RSAerror(RSA_R_BAD_SIGNATURE); -

250

goto err;

never executed: goto err;

251 } -

252 -

253 /* Output the recovered digest. */ -

254

if (rm != NULL) {

rm != ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 106 times by 3 tests Evaluated by: pkcs7test ssltest tlstest

0-106

255 memcpy(rm, m, m_len); -

256 *prm_len = m_len; -

257

}

never executed: end of block

258

}

executed 106 times by 3 tests: end of block

Executed by:

pkcs7test
ssltest
tlstest

106

259 -

260 ret = 1; -

261

err:

code before this statement executed 120 times by 3 tests: err:

Executed by:

pkcs7test
ssltest
tlstest

120

262 freezero(encoded, (size_t)encoded_len); -

263 freezero(decrypt_buf, siglen); -

264

return ret;

executed 120 times by 3 tests: return ret;

Executed by:

pkcs7test
ssltest
tlstest

120

265 } -

266 -

267 int -

268 RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, -

269 const unsigned char *sigbuf, unsigned int siglen, RSA *rsa) -

270 { -

271

if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)

(rsa->flags & 0x0040)	Description
TRUE	never evaluated
FALSE	evaluated 120 times by 3 tests Evaluated by: pkcs7test ssltest tlstest

rsa->meth->rsa_verify	Description
TRUE	never evaluated
FALSE	never evaluated

0-120

272

return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen,

never executed: return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);

273

rsa);

never executed: return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);

274 -

275

return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);

executed 120 times by 3 tests: return int_rsa_verify(dtype, m, m_len, ((void *)0) , ((void *)0) , sigbuf, siglen, rsa);

Executed by:

pkcs7test
ssltest
tlstest

120

276 } -

Source code

Switch to Preprocessed file

Generated by Squish Coco 4.2.2