]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | /* | |
11 | * A simple ASN.1 DER encoder/decoder for DSA-Sig-Value and ECDSA-Sig-Value. | |
12 | * | |
13 | * DSA-Sig-Value ::= SEQUENCE { | |
14 | * r INTEGER, | |
15 | * s INTEGER | |
16 | * } | |
17 | * | |
18 | * ECDSA-Sig-Value ::= SEQUENCE { | |
19 | * r INTEGER, | |
20 | * s INTEGER | |
21 | * } | |
22 | */ | |
23 | ||
24 | #include <openssl/crypto.h> | |
25 | #include <openssl/bn.h> | |
26 | #include "crypto/asn1_dsa.h" | |
27 | #include "internal/packet.h" | |
28 | ||
29 | #define ID_SEQUENCE 0x30 | |
30 | #define ID_INTEGER 0x02 | |
31 | ||
32 | /* | |
33 | * Outputs the encoding of the length octets for a DER value with a content | |
34 | * length of cont_len bytes to pkt. The maximum supported content length is | |
35 | * 65535 (0xffff) bytes. | |
36 | * | |
37 | * Returns 1 on success or 0 on error. | |
38 | */ | |
39 | int encode_der_length(WPACKET *pkt, size_t cont_len) | |
40 | { | |
41 | if (cont_len > 0xffff) | |
42 | return 0; /* Too large for supported length encodings */ | |
43 | ||
44 | if (cont_len > 0xff) { | |
45 | if (!WPACKET_put_bytes_u8(pkt, 0x82) | |
46 | || !WPACKET_put_bytes_u16(pkt, cont_len)) | |
47 | return 0; | |
48 | } else { | |
49 | if (cont_len > 0x7f | |
50 | && !WPACKET_put_bytes_u8(pkt, 0x81)) | |
51 | return 0; | |
52 | if (!WPACKET_put_bytes_u8(pkt, cont_len)) | |
53 | return 0; | |
54 | } | |
55 | ||
56 | return 1; | |
57 | } | |
58 | ||
59 | /* | |
60 | * Outputs the DER encoding of a positive ASN.1 INTEGER to pkt. | |
61 | * | |
62 | * Results in an error if n is negative or too large. | |
63 | * | |
64 | * Returns 1 on success or 0 on error. | |
65 | */ | |
66 | int encode_der_integer(WPACKET *pkt, const BIGNUM *n) | |
67 | { | |
68 | unsigned char *bnbytes; | |
69 | size_t cont_len; | |
70 | ||
71 | if (BN_is_negative(n)) | |
72 | return 0; | |
73 | ||
74 | /* | |
75 | * Calculate the ASN.1 INTEGER DER content length for n. | |
76 | * This is the number of whole bytes required to represent n (i.e. rounded | |
77 | * down), plus one. | |
78 | * If n is zero then the content is a single zero byte (length = 1). | |
79 | * If the number of bits of n is a multiple of 8 then an extra zero padding | |
80 | * byte is included to ensure that the value is still treated as positive | |
81 | * in the INTEGER two's complement representation. | |
82 | */ | |
83 | cont_len = BN_num_bits(n) / 8 + 1; | |
84 | ||
85 | if (!WPACKET_start_sub_packet(pkt) | |
86 | || !WPACKET_put_bytes_u8(pkt, ID_INTEGER) | |
87 | || !encode_der_length(pkt, cont_len) | |
88 | || !WPACKET_allocate_bytes(pkt, cont_len, &bnbytes) | |
89 | || !WPACKET_close(pkt)) | |
90 | return 0; | |
91 | ||
92 | if (bnbytes != NULL | |
93 | && BN_bn2binpad(n, bnbytes, (int)cont_len) != (int)cont_len) | |
94 | return 0; | |
95 | ||
96 | return 1; | |
97 | } | |
98 | ||
99 | /* | |
100 | * Outputs the DER encoding of a DSA-Sig-Value or ECDSA-Sig-Value to pkt. pkt | |
101 | * may be initialised with a NULL buffer which enables pkt to be used to | |
102 | * calculate how many bytes would be needed. | |
103 | * | |
104 | * Returns 1 on success or 0 on error. | |
105 | */ | |
106 | int encode_der_dsa_sig(WPACKET *pkt, const BIGNUM *r, const BIGNUM *s) | |
107 | { | |
108 | WPACKET tmppkt, *dummypkt; | |
109 | size_t cont_len; | |
110 | int isnull = WPACKET_is_null_buf(pkt); | |
111 | ||
112 | if (!WPACKET_start_sub_packet(pkt)) | |
113 | return 0; | |
114 | ||
115 | if (!isnull) { | |
116 | if (!WPACKET_init_null(&tmppkt, 0)) | |
117 | return 0; | |
118 | dummypkt = &tmppkt; | |
119 | } else { | |
120 | /* If the input packet has a NULL buffer, we don't need a dummy packet */ | |
121 | dummypkt = pkt; | |
122 | } | |
123 | ||
124 | /* Calculate the content length */ | |
125 | if (!encode_der_integer(dummypkt, r) | |
126 | || !encode_der_integer(dummypkt, s) | |
127 | || !WPACKET_get_length(dummypkt, &cont_len) | |
128 | || (!isnull && !WPACKET_finish(dummypkt))) { | |
129 | if (!isnull) | |
130 | WPACKET_cleanup(dummypkt); | |
131 | return 0; | |
132 | } | |
133 | ||
134 | /* Add the tag and length bytes */ | |
135 | if (!WPACKET_put_bytes_u8(pkt, ID_SEQUENCE) | |
136 | || !encode_der_length(pkt, cont_len) | |
137 | /* | |
138 | * Really encode the integers. We already wrote to the main pkt | |
139 | * if it had a NULL buffer, so don't do it again | |
140 | */ | |
141 | || (!isnull && !encode_der_integer(pkt, r)) | |
142 | || (!isnull && !encode_der_integer(pkt, s)) | |
143 | || !WPACKET_close(pkt)) | |
144 | return 0; | |
145 | ||
146 | return 1; | |
147 | } | |
148 | ||
149 | /* | |
150 | * Decodes the DER length octets in pkt and initialises subpkt with the | |
151 | * following bytes of that length. | |
152 | * | |
153 | * Returns 1 on success or 0 on failure. | |
154 | */ | |
155 | int decode_der_length(PACKET *pkt, PACKET *subpkt) | |
156 | { | |
157 | unsigned int byte; | |
158 | ||
159 | if (!PACKET_get_1(pkt, &byte)) | |
160 | return 0; | |
161 | ||
162 | if (byte < 0x80) | |
163 | return PACKET_get_sub_packet(pkt, subpkt, (size_t)byte); | |
164 | if (byte == 0x81) | |
165 | return PACKET_get_length_prefixed_1(pkt, subpkt); | |
166 | if (byte == 0x82) | |
167 | return PACKET_get_length_prefixed_2(pkt, subpkt); | |
168 | ||
169 | /* Too large, invalid, or not DER. */ | |
170 | return 0; | |
171 | } | |
172 | ||
173 | /* | |
174 | * Decodes a single ASN.1 INTEGER value from pkt, which must be DER encoded, | |
175 | * and updates n with the decoded value. | |
176 | * | |
177 | * The BIGNUM, n, must have already been allocated by calling BN_new(). | |
178 | * pkt must not be NULL. | |
179 | * | |
180 | * An attempt to consume more than len bytes results in an error. | |
181 | * Returns 1 on success or 0 on error. | |
182 | * | |
183 | * If the PACKET is supposed to only contain a single INTEGER value with no | |
184 | * trailing garbage then it is up to the caller to verify that all bytes | |
185 | * were consumed. | |
186 | */ | |
187 | int decode_der_integer(PACKET *pkt, BIGNUM *n) | |
188 | { | |
189 | PACKET contpkt, tmppkt; | |
190 | unsigned int tag, tmp; | |
191 | ||
192 | /* Check we have an integer and get the content bytes */ | |
193 | if (!PACKET_get_1(pkt, &tag) | |
194 | || tag != ID_INTEGER | |
195 | || !decode_der_length(pkt, &contpkt)) | |
196 | return 0; | |
197 | ||
198 | /* Peek ahead at the first bytes to check for proper encoding */ | |
199 | tmppkt = contpkt; | |
200 | /* The INTEGER must be positive */ | |
201 | if (!PACKET_get_1(&tmppkt, &tmp) | |
202 | || (tmp & 0x80) != 0) | |
203 | return 0; | |
204 | /* If there a zero padding byte the next byte must have the msb set */ | |
205 | if (PACKET_remaining(&tmppkt) > 0 && tmp == 0) { | |
206 | if (!PACKET_get_1(&tmppkt, &tmp) | |
207 | || (tmp & 0x80) == 0) | |
208 | return 0; | |
209 | } | |
210 | ||
211 | if (BN_bin2bn(PACKET_data(&contpkt), | |
212 | (int)PACKET_remaining(&contpkt), n) == NULL) | |
213 | return 0; | |
214 | ||
215 | return 1; | |
216 | } | |
217 | ||
218 | /* | |
219 | * Decodes a single DSA-Sig-Value or ECDSA-Sig-Value from *ppin, which must be | |
220 | * DER encoded, updates r and s with the decoded values, and increments *ppin | |
221 | * past the data that was consumed. | |
222 | * | |
223 | * The BIGNUMs, r and s, must have already been allocated by calls to BN_new(). | |
224 | * ppin and *ppin must not be NULL. | |
225 | * | |
226 | * An attempt to consume more than len bytes results in an error. | |
227 | * Returns the number of bytes of input consumed or 0 if an error occurs. | |
228 | * | |
229 | * If the buffer is supposed to only contain a single [EC]DSA-Sig-Value with no | |
230 | * trailing garbage then it is up to the caller to verify that all bytes | |
231 | * were consumed. | |
232 | */ | |
233 | size_t decode_der_dsa_sig(BIGNUM *r, BIGNUM *s, const unsigned char **ppin, | |
234 | size_t len) | |
235 | { | |
236 | size_t consumed; | |
237 | PACKET pkt, contpkt; | |
238 | unsigned int tag; | |
239 | ||
240 | if (!PACKET_buf_init(&pkt, *ppin, len) | |
241 | || !PACKET_get_1(&pkt, &tag) | |
242 | || tag != ID_SEQUENCE | |
243 | || !decode_der_length(&pkt, &contpkt) | |
244 | || !decode_der_integer(&contpkt, r) | |
245 | || !decode_der_integer(&contpkt, s) | |
246 | || PACKET_remaining(&contpkt) != 0) | |
247 | return 0; | |
248 | ||
249 | consumed = PACKET_data(&pkt) - *ppin; | |
250 | *ppin += consumed; | |
251 | return consumed; | |
252 | } | |
253 |