From 67aaa70fb0e889ff7dd3668561bfb002dd83e018 Mon Sep 17 00:00:00 2001
From: Elio Maldonado
Date: Wed, 8 Jan 2014 10:02:19 -0800
Subject: [PATCH 39/39] Sync up with nss-3.15.4 changes in freebl and softoken
- Remove RSA_BlockOAEP cases which aren't used by the pem module after all
- Copied the private RSA_BlockType data structure from freebl/pkcss11.c
- Upstream removed softoken/rsawrapr.c and moved the code to freebl/pkcs11.c
- per Mozilla Bug 836019 - Move RSA-PKCS#1, RSA-PSS, and RSA-OAEP into freebl - https://bugzilla.mozilla.org/show_bug.cgi?id=836019
---
 mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 133 ++++-----------------------
 1 file changed, 16 insertions(+), 117 deletions(-)
diff --git a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
index 5ac4f39..103eeda 100644
--- a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
+++ b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
@@ -60,6 +60,21 @@
 #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */
+/*
+ * RSA block types
+ *
+ * The actual values are important -- they are fixed, *not* arbitrary.
+ * The explicit value assignments are not needed (because C would give
+ * us those same values anyway) but are included as a reminder...
+ */
+typedef enum {
+ RSA_BlockUnused = 0, /* unused */
+ RSA_BlockPrivate = 1, /* pad for a private-key operation */
+ RSA_BlockPublic = 2, /* pad for a public-key operation */
+ RSA_BlockRaw = 4, /* simply justify the block appropriately */
+ RSA_BlockTotal
+} RSA_BlockType;
+
 unsigned
 pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
 {
@@ -233,7 +248,6 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
 /*
 * Blocks intended for private-key operation.
 */
- case RSA_BlockPrivate0: /* essentially unused */
 case RSA_BlockPrivate: /* preferred method */
 /*
 * 0x00 || BT || Pad || 0x00 || ActualData
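Review bot: The comment copied above the new `RSA_BlockType` enum in the first hunk says the explicit assignments "are not needed (because C would give us those same values anyway)", which is no longer true now that the enum jumps from `RSA_BlockPublic = 2` to `RSA_BlockRaw = 4`; dropping `= 4` would silently turn `RSA_BlockRaw` into 3. The same comment states the values are fixed, and the block layout comments in `rsa_FormatOneBlock` show the type as an octet of the formatted block (`0x00 || BT || Pad || ...`), so a renumbering would presumably change what gets written. I would replace the last two comment lines with something like `* Value 3 is intentionally unassigned; keep the explicit assignments.` and add a line saying this is a private copy of the freebl definition that has to be kept in sync by hand. It is also worth confirming outside this hunk that no caller still passes 0 (the removed `RSA_BlockPrivate0`), since that now lands in the `default:` arm where `PORT_Assert(0)` is the only diagnostic.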
@@ -246,10 +260,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
 nss_ZFreeIf(block);
 return NULL;
 }
- nsslibc_memset(bp,
- blockType == RSA_BlockPrivate0
- ? RSA_BLOCK_PRIVATE0_PAD_OCTET
- : RSA_BLOCK_PRIVATE_PAD_OCTET, padLen);
+ nsslibc_memset(bp, RSA_BLOCK_PRIVATE_PAD_OCTET, padLen);
 bp += padLen;
 *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
 nsslibc_memcpy(bp, data->data, data->len);
@@ -288,97 +299,6 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
 break;
- /*
- * Blocks intended for public-key operation, using
- * Optimal Asymmetric Encryption Padding (OAEP).
- */
- case RSA_BlockOAEP:
- /*
- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N]
- *
- * where:
- * PaddedData is "Pad1 || ActualData [|| Pad2]"
- * Salt is random data.
- * Pad1 is all zeros.
- * Pad2, if present, is random data.
- * (The "modified" fields are all the same length as the original
- * unmodified values; they are just xor'd with other values.)
- *
- * Modified1 is an XOR of PaddedData with a special octet
- * string constructed of iterated hashing of Salt (see below).
- * Modified2 is an XOR of Salt with the low-order octets of
- * the hash of Modified1 (see farther below ;-).
- *
- * Whew!
- */
-
-
- /*
- * Salt
- */
- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
- if (rv != SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
- bp += OAEP_SALT_LEN;
-
- /*
- * Pad1
- */
- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
- bp += OAEP_PAD_LEN;
-
- /*
- * Data
- */
- nsslibc_memcpy(bp, data->data, data->len);
- bp += data->len;
-
- /*
- * Pad2
- */
- if (bp < (block + modulusLen)) {
- rv = RNG_GenerateGlobalRandomBytes(bp,
- block - bp + modulusLen);
- if (rv != SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
- }
-
- /*
- * Now we have the following:
- * 0x00 || BT || Salt || PaddedData
- * (From this point on, "Pad1 || Data [|| Pad2]" is treated
- * as the one entity PaddedData.)
- *
- * We need to turn PaddedData into Modified1.
- */
- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
- modulusLen - 2 - OAEP_SALT_LEN,
- block + 2, OAEP_SALT_LEN) != SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
-
- /*
- * Now we have:
- * 0x00 || BT || Salt || Modified1(PaddedData)
- *
- * The remaining task is to turn Salt into Modified2.
- */
- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
- block + 2 + OAEP_SALT_LEN,
- modulusLen - 2 - OAEP_SALT_LEN) !=
- SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
-
- break;
-
 default:
 PORT_Assert(0);
 nss_ZFreeIf(block);
@@ -406,7 +326,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
 */
 switch (blockType) {
- case RSA_BlockPrivate0:
 case RSA_BlockPrivate:
 case RSA_BlockPublic:
 /*
@@ -427,26 +346,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
 break;
- case RSA_BlockOAEP:
- /*
- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
- *
- * The "2" below is the first octet + the second octet.
- * (The other fields do not contain the clear values, but are
- * the same length as the clear values.)
- */
- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN
- + OAEP_PAD_LEN)));
-
- result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
- if (result->data == NULL) {
- result->len = 0;
- return SECFailure;
- }
- result->len = modulusLen;
-
- break;
-
 case RSA_BlockRaw:
 /*
 * Pad || ActualData
--
1.8.4.2