123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253 |
- /*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
- /*
- * A simple ASN.1 DER encoder/decoder for DSA-Sig-Value and ECDSA-Sig-Value.
- *
- * DSA-Sig-Value ::= SEQUENCE {
- * r INTEGER,
- * s INTEGER
- * }
- *
- * ECDSA-Sig-Value ::= SEQUENCE {
- * r INTEGER,
- * s INTEGER
- * }
- */
- #include <openssl/crypto.h>
- #include <openssl/bn.h>
- #include "crypto/asn1_dsa.h"
- #include "internal/packet.h"
- #define ID_SEQUENCE 0x30
- #define ID_INTEGER 0x02
- /*
- * Outputs the encoding of the length octets for a DER value with a content
- * length of cont_len bytes to pkt. The maximum supported content length is
- * 65535 (0xffff) bytes.
- *
- * Returns 1 on success or 0 on error.
- */
- int encode_der_length(WPACKET *pkt, size_t cont_len)
- {
- if (cont_len > 0xffff)
- return 0; /* Too large for supported length encodings */
- if (cont_len > 0xff) {
- if (!WPACKET_put_bytes_u8(pkt, 0x82)
- || !WPACKET_put_bytes_u16(pkt, cont_len))
- return 0;
- } else {
- if (cont_len > 0x7f
- && !WPACKET_put_bytes_u8(pkt, 0x81))
- return 0;
- if (!WPACKET_put_bytes_u8(pkt, cont_len))
- return 0;
- }
- return 1;
- }
- /*
- * Outputs the DER encoding of a positive ASN.1 INTEGER to pkt.
- *
- * Results in an error if n is negative or too large.
- *
- * Returns 1 on success or 0 on error.
- */
- int encode_der_integer(WPACKET *pkt, const BIGNUM *n)
- {
- unsigned char *bnbytes;
- size_t cont_len;
- if (BN_is_negative(n))
- return 0;
- /*
- * Calculate the ASN.1 INTEGER DER content length for n.
- * This is the number of whole bytes required to represent n (i.e. rounded
- * down), plus one.
- * If n is zero then the content is a single zero byte (length = 1).
- * If the number of bits of n is a multiple of 8 then an extra zero padding
- * byte is included to ensure that the value is still treated as positive
- * in the INTEGER two's complement representation.
- */
- cont_len = BN_num_bits(n) / 8 + 1;
- if (!WPACKET_start_sub_packet(pkt)
- || !WPACKET_put_bytes_u8(pkt, ID_INTEGER)
- || !encode_der_length(pkt, cont_len)
- || !WPACKET_allocate_bytes(pkt, cont_len, &bnbytes)
- || !WPACKET_close(pkt))
- return 0;
- if (bnbytes != NULL
- && BN_bn2binpad(n, bnbytes, (int)cont_len) != (int)cont_len)
- return 0;
- return 1;
- }
- /*
- * Outputs the DER encoding of a DSA-Sig-Value or ECDSA-Sig-Value to pkt. pkt
- * may be initialised with a NULL buffer which enables pkt to be used to
- * calculate how many bytes would be needed.
- *
- * Returns 1 on success or 0 on error.
- */
- int encode_der_dsa_sig(WPACKET *pkt, const BIGNUM *r, const BIGNUM *s)
- {
- WPACKET tmppkt, *dummypkt;
- size_t cont_len;
- int isnull = WPACKET_is_null_buf(pkt);
- if (!WPACKET_start_sub_packet(pkt))
- return 0;
- if (!isnull) {
- if (!WPACKET_init_null(&tmppkt, 0))
- return 0;
- dummypkt = &tmppkt;
- } else {
- /* If the input packet has a NULL buffer, we don't need a dummy packet */
- dummypkt = pkt;
- }
- /* Calculate the content length */
- if (!encode_der_integer(dummypkt, r)
- || !encode_der_integer(dummypkt, s)
- || !WPACKET_get_length(dummypkt, &cont_len)
- || (!isnull && !WPACKET_finish(dummypkt))) {
- if (!isnull)
- WPACKET_cleanup(dummypkt);
- return 0;
- }
- /* Add the tag and length bytes */
- if (!WPACKET_put_bytes_u8(pkt, ID_SEQUENCE)
- || !encode_der_length(pkt, cont_len)
- /*
- * Really encode the integers. We already wrote to the main pkt
- * if it had a NULL buffer, so don't do it again
- */
- || (!isnull && !encode_der_integer(pkt, r))
- || (!isnull && !encode_der_integer(pkt, s))
- || !WPACKET_close(pkt))
- return 0;
- return 1;
- }
- /*
- * Decodes the DER length octets in pkt and initialises subpkt with the
- * following bytes of that length.
- *
- * Returns 1 on success or 0 on failure.
- */
- int decode_der_length(PACKET *pkt, PACKET *subpkt)
- {
- unsigned int byte;
- if (!PACKET_get_1(pkt, &byte))
- return 0;
- if (byte < 0x80)
- return PACKET_get_sub_packet(pkt, subpkt, (size_t)byte);
- if (byte == 0x81)
- return PACKET_get_length_prefixed_1(pkt, subpkt);
- if (byte == 0x82)
- return PACKET_get_length_prefixed_2(pkt, subpkt);
- /* Too large, invalid, or not DER. */
- return 0;
- }
- /*
- * Decodes a single ASN.1 INTEGER value from pkt, which must be DER encoded,
- * and updates n with the decoded value.
- *
- * The BIGNUM, n, must have already been allocated by calling BN_new().
- * pkt must not be NULL.
- *
- * An attempt to consume more than len bytes results in an error.
- * Returns 1 on success or 0 on error.
- *
- * If the PACKET is supposed to only contain a single INTEGER value with no
- * trailing garbage then it is up to the caller to verify that all bytes
- * were consumed.
- */
- int decode_der_integer(PACKET *pkt, BIGNUM *n)
- {
- PACKET contpkt, tmppkt;
- unsigned int tag, tmp;
- /* Check we have an integer and get the content bytes */
- if (!PACKET_get_1(pkt, &tag)
- || tag != ID_INTEGER
- || !decode_der_length(pkt, &contpkt))
- return 0;
- /* Peek ahead at the first bytes to check for proper encoding */
- tmppkt = contpkt;
- /* The INTEGER must be positive */
- if (!PACKET_get_1(&tmppkt, &tmp)
- || (tmp & 0x80) != 0)
- return 0;
- /* If there a zero padding byte the next byte must have the msb set */
- if (PACKET_remaining(&tmppkt) > 0 && tmp == 0) {
- if (!PACKET_get_1(&tmppkt, &tmp)
- || (tmp & 0x80) == 0)
- return 0;
- }
- if (BN_bin2bn(PACKET_data(&contpkt),
- (int)PACKET_remaining(&contpkt), n) == NULL)
- return 0;
- return 1;
- }
- /*
- * Decodes a single DSA-Sig-Value or ECDSA-Sig-Value from *ppin, which must be
- * DER encoded, updates r and s with the decoded values, and increments *ppin
- * past the data that was consumed.
- *
- * The BIGNUMs, r and s, must have already been allocated by calls to BN_new().
- * ppin and *ppin must not be NULL.
- *
- * An attempt to consume more than len bytes results in an error.
- * Returns the number of bytes of input consumed or 0 if an error occurs.
- *
- * If the buffer is supposed to only contain a single [EC]DSA-Sig-Value with no
- * trailing garbage then it is up to the caller to verify that all bytes
- * were consumed.
- */
- size_t decode_der_dsa_sig(BIGNUM *r, BIGNUM *s, const unsigned char **ppin,
- size_t len)
- {
- size_t consumed;
- PACKET pkt, contpkt;
- unsigned int tag;
- if (!PACKET_buf_init(&pkt, *ppin, len)
- || !PACKET_get_1(&pkt, &tag)
- || tag != ID_SEQUENCE
- || !decode_der_length(&pkt, &contpkt)
- || !decode_der_integer(&contpkt, r)
- || !decode_der_integer(&contpkt, s)
- || PACKET_remaining(&contpkt) != 0)
- return 0;
- consumed = PACKET_data(&pkt) - *ppin;
- *ppin += consumed;
- return consumed;
- }
|