rsa_ssl.c revision 337982
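/* crypto/rsa/rsa_ssl.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to. The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 * must display the following acknowledgement:
 * "This product includes cryptographic software written by
 * Eric Young (eay@cryptsoft.com)"
 * The word 'cryptographic' can be left out if the rouines from the library
 * being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 * the apps directory (application code) you must include an acknowledgement:
 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed. i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

#include <stdio.h>
#include <string.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>

/*
 * Build an SSLv23-style RSA encryption block that fills to[0..tlen):
 *
 *     00 || 02 || PS || 03 03 03 03 03 03 03 03 || 00 || from[0..flen)
 *
 * PS is tlen - 11 - flen random bytes, none of which is zero; it is empty
 * when flen == tlen - 11.  The eight 0x03 bytes are the marker that
 * RSA_padding_check_SSLv23() looks for.
 *
 * to    output buffer, must hold at least tlen bytes
 * tlen  size of the padded block
 * from  message to embed
 * flen  length of the message in bytes
 *
 * Returns 1 on success and 0 on failure.  A failing RAND_bytes() call returns
 * 0 without queueing an RSA error, and `to` then holds a partial block.
 */
int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
                           const unsigned char *from, int flen)
{
    int i, j;
    unsigned char *p;

    /*
     * 11 = 2 header bytes + 8 marker bytes + 1 separator.  A negative flen
     * is refused on the same path: it would otherwise pass the size test,
     * make j larger than the space left in `to`, and turn into a huge
     * unsigned length in the final memcpy().
     */
    if (flen < 0 || flen > (tlen - 11)) {
        RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,
               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        return (0);
    }

    p = to;

    *(p++) = 0;
    *(p++) = 2;                 /* Public Key BT (Block Type) */

    /* pad out with non-zero random data */
    j = tlen - 3 - 8 - flen;

    if (RAND_bytes(p, j) <= 0)
        return (0);
    for (i = 0; i < j; i++) {
        /* A zero byte would end the padding early; redraw until non-zero. */
        while (*p == '\0') {
            if (RAND_bytes(p, 1) <= 0)
                return (0);
        }
        p++;
    }

    /* Marker checked by RSA_padding_check_SSLv23(), then the separator. */
    memset(p, 3, 8);
    p += 8;
    *(p++) = '\0';

    memcpy(p, from, (unsigned int)flen);
    return (1);
}

/*
 * Parse a block produced by RSA_padding_add_SSLv23() and copy the embedded
 * message to `to`.
 *
 * to    output buffer for the recovered message
 * tlen  size of the output buffer
 * from  padded block, with or without its leading zero byte
 * flen  length of `from`; must be num or num - 1
 * num   size of the full padded block
 *
 * Returns the message length on success, or -1 after queueing an RSA error.
 *
 * NOTE(review): the scan stops at the first zero byte and every failure
 * returns at once with its own reason code, so both the running time and the
 * queued error depend on the bytes in `from`.  When `from` is the result of
 * decrypting a ciphertext supplied by a remote peer, that difference is a
 * padding-oracle signal.  Callers should treat every failure identically and
 * not expose the reason code; a constant-time check would be preferable.
 */
int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
                             const unsigned char *from, int flen, int num)
{
    int i, j, k;
    const unsigned char *p;

    p = from;
    if (flen < 10) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
        return (-1);
    }
    /* Accept even zero-padded input */
    if (flen == num) {
        if (*(p++) != 0) {
            RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
                   RSA_R_BLOCK_TYPE_IS_NOT_02);
            return -1;
        }
        flen--;
    }
    /* From here on flen counts the bytes after the leading zero. */
    if ((num != (flen + 1)) || (*(p++) != 02)) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
        return (-1);
    }

    /* scan over padding data */
    j = flen - 1;               /* one for type */
    for (i = 0; i < j; i++)
        if (*(p++) == 0)
            break;

    /* i == j: no separator found; i < 8: fewer than eight padding bytes. */
    if ((i == j) || (i < 8)) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
               RSA_R_NULL_BEFORE_BLOCK_MISSING);
        return (-1);
    }
    /*
     * p now points just past the separator, so p[-9] .. p[-2] are the eight
     * bytes in front of it.  If all eight are 0x03 the marker written by
     * RSA_padding_add_SSLv23() is intact, and that is the case reported as a
     * rollback; a block without the full marker is accepted.
     */
    for (k = -9; k < -1; k++) {
        if (p[k] != 0x03)
            break;
    }
    if (k == -1) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_SSLV3_ROLLBACK_ATTACK);
        return (-1);
    }

    i++;                        /* Skip over the '\0' */
    j -= i;                     /* bytes left after the separator */
    if (j > tlen) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_LARGE);
        return (-1);
    }
    memcpy(to, p, (unsigned int)j);

    return (j);
}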