Line | Source | Count |
1 | | - |
2 | | - |
3 | | - |
4 | | - |
5 | | - |
6 | | - |
7 | | - |
8 | | - |
9 | | - |
10 | | - |
11 | | - |
12 | | - |
13 | | - |
14 | | - |
15 | | - |
16 | | - |
17 | | - |
18 | | - |
19 | | - |
20 | | - |
21 | | - |
22 | | - |
23 | | - |
24 | | - |
25 | | - |
26 | | - |
27 | | - |
28 | | - |
29 | | - |
30 | | - |
31 | | - |
32 | | - |
33 | | - |
34 | | - |
35 | | - |
36 | | - |
37 | | - |
38 | | - |
39 | | - |
40 | | - |
41 | | - |
42 | | - |
43 | | - |
44 | | - |
45 | | - |
46 | | - |
47 | | - |
48 | | - |
49 | | - |
50 | | - |
51 | | - |
52 | | - |
53 | | - |
54 | | - |
55 | | - |
56 | | - |
57 | | - |
58 | | - |
59 | #include <stdio.h> | - |
60 | #include <stdlib.h> | - |
61 | #include <string.h> | - |
62 | | - |
63 | #include <openssl/bn.h> | - |
64 | #include <openssl/err.h> | - |
65 | #include <openssl/evp.h> | - |
66 | #include <openssl/rsa.h> | - |
67 | #include <openssl/sha.h> | - |
68 | | - |
69 | static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; | - |
70 | | - |
71 | int | - |
72 | RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, const EVP_MD *Hash, | - |
73 | const unsigned char *EM, int sLen) | - |
74 | { | - |
75 | return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen); never executed: return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, ((void *)0) , EM, sLen); | 0 |
76 | } | - |
77 | | - |
78 | int | - |
79 | RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, | - |
80 | const EVP_MD *Hash, const EVP_MD *mgf1Hash, const unsigned char *EM, | - |
81 | int sLen) | - |
82 | { | - |
83 | int i; | - |
84 | int ret = 0; | - |
85 | int hLen, maskedDBLen, MSBits, emLen; | - |
86 | const unsigned char *H; | - |
87 | unsigned char *DB = NULL; | - |
88 | EVP_MD_CTX ctx; | - |
89 | unsigned char H_[EVP_MAX_MD_SIZE]; | - |
90 | | - |
91 | EVP_MD_CTX_init(&ctx); | - |
92 | | - |
93 | if (mgf1Hash == NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
94 | mgf1Hash = Hash; never executed: mgf1Hash = Hash; | 0 |
95 | | - |
96 | hLen = EVP_MD_size(Hash); | - |
97 | if (hLen < 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
98 | goto err; never executed: goto err; | 0 |
99 | | - |
100 | | - |
101 | | - |
102 | | - |
103 | | - |
104 | | - |
105 | if (sLen == -1)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
106 | sLen = hLen; never executed: sLen = hLen; | 0 |
107 | else if (sLen == -2)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
108 | sLen = -2; never executed: sLen = -2; | 0 |
109 | else if (sLen < -2) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
110 | RSAerror(RSA_R_SLEN_CHECK_FAILED); | - |
111 | goto err; never executed: goto err; | 0 |
112 | } | - |
113 | | - |
114 | MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; | - |
115 | emLen = RSA_size(rsa); | - |
116 | if (EM[0] & (0xFF << MSBits)) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
117 | RSAerror(RSA_R_FIRST_OCTET_INVALID); | - |
118 | goto err; never executed: goto err; | 0 |
119 | } | - |
120 | if (MSBits == 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
121 | EM++; | - |
122 | emLen--; | - |
123 | } never executed: end of block | 0 |
124 | if (emLen < (hLen + sLen + 2)) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
125 | | - |
126 | RSAerror(RSA_R_DATA_TOO_LARGE); | - |
127 | goto err; never executed: goto err; | 0 |
128 | } | - |
129 | if (EM[emLen - 1] != 0xbc) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
130 | RSAerror(RSA_R_LAST_OCTET_INVALID); | - |
131 | goto err; never executed: goto err; | 0 |
132 | } | - |
133 | maskedDBLen = emLen - hLen - 1; | - |
134 | H = EM + maskedDBLen; | - |
135 | DB = malloc(maskedDBLen); | - |
136 | if (!DB) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
137 | RSAerror(ERR_R_MALLOC_FAILURE); | - |
138 | goto err; never executed: goto err; | 0 |
139 | } | - |
140 | if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
141 | goto err; never executed: goto err; | 0 |
142 | for (i = 0; i < maskedDBLen; i++)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
143 | DB[i] ^= EM[i]; never executed: DB[i] ^= EM[i]; | 0 |
144 | if (MSBits)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
145 | DB[0] &= 0xFF >> (8 - MSBits); never executed: DB[0] &= 0xFF >> (8 - MSBits); | 0 |
146 | for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
147 | ; never executed: ; | 0 |
148 | if (DB[i++] != 0x1) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
149 | RSAerror(RSA_R_SLEN_RECOVERY_FAILED); | - |
150 | goto err; never executed: goto err; | 0 |
151 | } | - |
152 | if (sLen >= 0 && (maskedDBLen - i) != sLen) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
153 | RSAerror(RSA_R_SLEN_CHECK_FAILED); | - |
154 | goto err; never executed: goto err; | 0 |
155 | } | - |
156 | if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
157 | !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
158 | !EVP_DigestUpdate(&ctx, mHash, hLen))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
159 | goto err; never executed: goto err; | 0 |
160 | if (maskedDBLen - i) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
161 | if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
162 | goto err; never executed: goto err; | 0 |
163 | } never executed: end of block | 0 |
164 | if (!EVP_DigestFinal_ex(&ctx, H_, NULL))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
165 | goto err; never executed: goto err; | 0 |
166 | if (timingsafe_bcmp(H_, H, hLen)) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
167 | RSAerror(RSA_R_BAD_SIGNATURE); | - |
168 | ret = 0; | - |
169 | } else never executed: end of block | 0 |
170 | ret = 1; never executed: ret = 1; | 0 |
171 | | - |
172 | err: code before this statement never executed: err: | 0 |
173 | free(DB); | - |
174 | EVP_MD_CTX_cleanup(&ctx); | - |
175 | | - |
176 | return ret; never executed: return ret; | 0 |
177 | } | - |
178 | | - |
179 | int | - |
180 | RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, | - |
181 | const unsigned char *mHash, const EVP_MD *Hash, int sLen) | - |
182 | { | - |
183 | return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen); never executed: return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, ((void *)0) , sLen); | 0 |
184 | } | - |
185 | | - |
186 | int | - |
187 | RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, | - |
188 | const unsigned char *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash, | - |
189 | int sLen) | - |
190 | { | - |
191 | int i; | - |
192 | int ret = 0; | - |
193 | int hLen, maskedDBLen, MSBits, emLen; | - |
194 | unsigned char *H, *salt = NULL, *p; | - |
195 | EVP_MD_CTX ctx; | - |
196 | | - |
197 | EVP_MD_CTX_init(&ctx); | - |
198 | | - |
199 | if (mgf1Hash == NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
200 | mgf1Hash = Hash; never executed: mgf1Hash = Hash; | 0 |
201 | | - |
202 | hLen = EVP_MD_size(Hash); | - |
203 | if (hLen < 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
204 | goto err; never executed: goto err; | 0 |
205 | | - |
206 | | - |
207 | | - |
208 | | - |
209 | | - |
210 | | - |
211 | if (sLen == -1)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
212 | sLen = hLen; never executed: sLen = hLen; | 0 |
213 | else if (sLen == -2)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
214 | sLen = -2; never executed: sLen = -2; | 0 |
215 | else if (sLen < -2) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
216 | RSAerror(RSA_R_SLEN_CHECK_FAILED); | - |
217 | goto err; never executed: goto err; | 0 |
218 | } | - |
219 | | - |
220 | MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; | - |
221 | emLen = RSA_size(rsa); | - |
222 | if (MSBits == 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
223 | *EM++ = 0; | - |
224 | emLen--; | - |
225 | } never executed: end of block | 0 |
226 | if (sLen == -2)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
227 | sLen = emLen - hLen - 2; never executed: sLen = emLen - hLen - 2; | 0 |
228 | else if (emLen < (hLen + sLen + 2)) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
229 | RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); | - |
230 | goto err; never executed: goto err; | 0 |
231 | } | - |
232 | if (sLen > 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
233 | salt = malloc(sLen); | - |
234 | if (!salt) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
235 | RSAerror(ERR_R_MALLOC_FAILURE); | - |
236 | goto err; never executed: goto err; | 0 |
237 | } | - |
238 | arc4random_buf(salt, sLen); | - |
239 | } never executed: end of block | 0 |
240 | maskedDBLen = emLen - hLen - 1; | - |
241 | H = EM + maskedDBLen; | - |
242 | if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
243 | !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
244 | !EVP_DigestUpdate(&ctx, mHash, hLen))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
245 | goto err; never executed: goto err; | 0 |
246 | if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
247 | goto err; never executed: goto err; | 0 |
248 | if (!EVP_DigestFinal_ex(&ctx, H, NULL))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
249 | goto err; never executed: goto err; | 0 |
250 | | - |
251 | | - |
252 | if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
253 | goto err; never executed: goto err; | 0 |
254 | | - |
255 | p = EM; | - |
256 | | - |
257 | | - |
258 | | - |
259 | | - |
260 | | - |
261 | | - |
262 | p += emLen - sLen - hLen - 2; | - |
263 | *p++ ^= 0x1; | - |
264 | if (sLen > 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
265 | for (i = 0; i < sLen; i++)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
266 | *p++ ^= salt[i]; never executed: *p++ ^= salt[i]; | 0 |
267 | } never executed: end of block | 0 |
268 | if (MSBits)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
269 | EM[0] &= 0xFF >> (8 - MSBits); never executed: EM[0] &= 0xFF >> (8 - MSBits); | 0 |
270 | | - |
271 | | - |
272 | EM[emLen - 1] = 0xbc; | - |
273 | | - |
274 | ret = 1; | - |
275 | | - |
276 | err: code before this statement never executed: err: | 0 |
277 | free(salt); | - |
278 | EVP_MD_CTX_cleanup(&ctx); | - |
279 | | - |
280 | return ret; never executed: return ret; | 0 |
281 | } | - |
| | |