From 67aaa70fb0e889ff7dd3668561bfb002dd83e018 Mon Sep 17 00:00:00 2001
From: Elio Maldonado <emaldona@redhat.com>
Date: Wed, 8 Jan 2014 10:02:19 -0800
Subject: [PATCH 39/39] Sync up with nss-3.15.4 changes in freebl and softoken
- Remove RSA_BlockOAEP cases which aren't used by the pem module after all
- Copied the private RSA_BlockType data structure from freebl/pkcss11.c
- Upstream removed softoken/rsawrapr.c and moved the code to freebl/pkcs11.c
- per Mozilla Bug 836019 - Move RSA-PKCS#1, RSA-PSS, and RSA-OAEP into freebl
- https://bugzilla.mozilla.org/show_bug.cgi?id=836019
---
mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 133 ++++-----------------------
1 file changed, 16 insertions(+), 117 deletions(-)
diff --git a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
index 5ac4f39..103eeda 100644
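--- a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
+++ b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
@@ -60,6 +60,21 @@
 
 #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */
 
+/*
+ * RSA block types
+ *
+ * The actual values are important -- they are fixed, *not* arbitrary.
+ * The explicit value assignments are not needed (because C would give
+ * us those same values anyway) but are included as a reminder...
+ */
+typedef enum {
+ RSA_BlockUnused = 0, /* unused */
+ RSA_BlockPrivate = 1, /* pad for a private-key operation */
+ RSA_BlockPublic = 2, /* pad for a public-key operation */
+ RSA_BlockRaw = 4, /* simply justify the block appropriately */
+ RSA_BlockTotal
+} RSA_BlockType;
+
 unsigned
 pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
 {
@@ -233,7 +248,6 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
 /*
 * Blocks intended for private-key operation.
 */
- case RSA_BlockPrivate0: /* essentially unused */
 case RSA_BlockPrivate: /* preferred method */
 /*
 * 0x00 || BT || Pad || 0x00 || ActualData
@@ -246,10 +260,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
 nss_ZFreeIf(block);
 return NULL;
 }
- nsslibc_memset(bp,
- blockType == RSA_BlockPrivate0
- ? RSA_BLOCK_PRIVATE0_PAD_OCTET
- : RSA_BLOCK_PRIVATE_PAD_OCTET, padLen);
+ nsslibc_memset(bp, RSA_BLOCK_PRIVATE_PAD_OCTET, padLen);
 bp += padLen;
 *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
 nsslibc_memcpy(bp, data->data, data->len);
@@ -288,97 +299,6 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
 
 break;
 
- /*
- * Blocks intended for public-key operation, using
- * Optimal Asymmetric Encryption Padding (OAEP).
- */
- case RSA_BlockOAEP:
- /*
- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N]
- *
- * where:
- * PaddedData is "Pad1 || ActualData [|| Pad2]"
- * Salt is random data.
- * Pad1 is all zeros.
- * Pad2, if present, is random data.
- * (The "modified" fields are all the same length as the original
- * unmodified values; they are just xor'd with other values.)
- *
- * Modified1 is an XOR of PaddedData with a special octet
- * string constructed of iterated hashing of Salt (see below).
- * Modified2 is an XOR of Salt with the low-order octets of
- * the hash of Modified1 (see farther below ;-).
- *
- * Whew!
- */
-
-
- /*
- * Salt
- */
- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
- if (rv != SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
- bp += OAEP_SALT_LEN;
-
- /*
- * Pad1
- */
- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
- bp += OAEP_PAD_LEN;
-
- /*
- * Data
- */
- nsslibc_memcpy(bp, data->data, data->len);
- bp += data->len;
-
- /*
- * Pad2
- */
- if (bp < (block + modulusLen)) {
- rv = RNG_GenerateGlobalRandomBytes(bp,
- block - bp + modulusLen);
- if (rv != SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
- }
-
- /*
- * Now we have the following:
- * 0x00 || BT || Salt || PaddedData
- * (From this point on, "Pad1 || Data [|| Pad2]" is treated
- * as the one entity PaddedData.)
- *
- * We need to turn PaddedData into Modified1.
- */
- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
- modulusLen - 2 - OAEP_SALT_LEN,
- block + 2, OAEP_SALT_LEN) != SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
-
- /*
- * Now we have:
- * 0x00 || BT || Salt || Modified1(PaddedData)
- *
- * The remaining task is to turn Salt into Modified2.
- */
- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
- block + 2 + OAEP_SALT_LEN,
- modulusLen - 2 - OAEP_SALT_LEN) !=
- SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
-
- break;
-
 default:
 PORT_Assert(0);
 nss_ZFreeIf(block);
@@ -406,7 +326,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
 */
 
 switch (blockType) {
- case RSA_BlockPrivate0:
 case RSA_BlockPrivate:
 case RSA_BlockPublic:
 /*
@@ -427,26 +346,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
 
 break;
 
- case RSA_BlockOAEP:
- /*
- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
- *
- * The "2" below is the first octet + the second octet.
- * (The other fields do not contain the clear values, but are
- * the same length as the clear values.)
- */
- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN
- + OAEP_PAD_LEN)));
-
- result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
- if (result->data == NULL) {
- result->len = 0;
- return SECFailure;
- }
- result->len = modulusLen;
-
- break;
-
 case RSA_BlockRaw:
 /*
 * Pad || ActualData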
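Review bot: The comment on the new `RSA_BlockType` enum says the explicit value assignments are not needed because C would give the same values, but in this copy `RSA_BlockRaw = 4` skips 3, so the assignments are required and `RSA_BlockTotal` evaluates to 5 rather than to the number of block types. I would reword the last two comment lines to `* The explicit assignments are required: 3 is skipped, so RSA_BlockRaw` / `* must stay 4 and RSA_BlockTotal is not a count of the block types.` Because this is a private copy of a freebl definition, the comment should also name the upstream file it was taken from so the two can be kept in sync. In `rsa_FormatOneBlock` the `default:` arm now also receives the removed block types, and `PORT_Assert(0)` is presumably compiled out of non-debug builds, so the free after it (the rest of the arm is outside the hunk) is what rejects them there; a short comment saying so would help.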
--
1.8.4.2