diff -up ./nss/lib/ckfw/pem/rsawrapr.c.syncupwithupstream ./nss/lib/ckfw/pem/rsawrapr.c --- ./nss/lib/ckfw/pem/rsawrapr.c.syncupwithupstream 2013-12-26 14:21:08.000000000 -0800 +++ ./nss/lib/ckfw/pem/rsawrapr.c 2014-01-07 13:26:43.350502692 -0800 @@ -1,5 +1,10 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + /* - * PKCS#1 encoding and decoding functions. + RSA PKCS#1 v2.1 (RFC 3447) encoding and decoding functions. + * This file is believed to contain no code licensed from other parties. * * ***** BEGIN LICENSE BLOCK ***** @@ -42,21 +47,38 @@ #include "ckpem.h" #include "blapi.h" +#include "secitem.h" +/*#include "blapii.h"*/ +/* #include "softoken.h" #include "sechash.h" -#include "base.h" - +#include "base.h"#include "lowkeyi.h" +*/ #include "secerr.h" #define RSA_BLOCK_MIN_PAD_LEN 8 #define RSA_BLOCK_FIRST_OCTET 0x00 -#define RSA_BLOCK_PRIVATE0_PAD_OCTET 0x00 #define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff #define RSA_BLOCK_AFTER_PAD_OCTET 0x00 -#define OAEP_SALT_LEN 8 -#define OAEP_PAD_LEN 8 -#define OAEP_PAD_OCTET 0x00 +/* + * RSA block types + * + * The actual values are important -- they are fixed, *not* arbitrary. + * The explicit value assignments are not needed (because C would give + * us those same values anyway) but are included as a reminder... + */ +typedef enum { + RSA_BlockUnused = 0, /* unused */ + RSA_BlockPrivate = 1, /* pad for a private-key operation */ + RSA_BlockPublic = 2, /* pad for a public-key operation */ + RSA_BlockRaw = 4, /* simply justify the block appropriately */ + RSA_BlockTotal +} RSA_BlockType; + + +/* Needed for RSA-PSS functions */ +static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */ @@ -78,141 +100,62 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey return 0; } -static SHA1Context *SHA1_CloneContext(SHA1Context * original) -{ - SHA1Context *clone = NULL; - unsigned char *pBuf; - int sha1ContextSize = SHA1_FlattenSize(original); - SECStatus frv; - unsigned char buf[FLAT_BUFSIZE]; - - PORT_Assert(sizeof buf >= sha1ContextSize); - if (sizeof buf >= sha1ContextSize) { - pBuf = buf; - } else { - pBuf = nss_ZAlloc(NULL, sha1ContextSize); - if (!pBuf) - goto done; - } - - frv = SHA1_Flatten(original, pBuf); - if (frv == SECSuccess) { - clone = SHA1_Resurrect(pBuf, NULL); - memset(pBuf, 0, sha1ContextSize); - } - done: - if (pBuf != buf) - nss_ZFreeIf(pBuf); - return clone; +/* Constant time comparison of a single byte. + * Returns 1 iff a == b, otherwise returns 0. + * Note: For ranges of bytes, use constantTimeCompare. + */ +static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) { + unsigned char c = ~((a - b) | (b - a)); + c >>= 7; + return c; } -/* - * Modify data by XORing it with a special hash of salt. +/* Constant time comparison of a range of bytes. + * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise + * returns 0. */ -static SECStatus -oaep_xor_with_h1(unsigned char *data, unsigned int datalen, - unsigned char *salt, unsigned int saltlen) -{ - SHA1Context *sha1cx; - unsigned char *dp, *dataend; - unsigned char end_octet; - - sha1cx = SHA1_NewContext(); - if (sha1cx == NULL) { - return SECFailure; - } - - /* - * Get a hash of salt started; we will use it several times, - * adding in a different end octet (x00, x01, x02, ...). - */ - SHA1_Begin(sha1cx); - SHA1_Update(sha1cx, salt, saltlen); - end_octet = 0; - - dp = data; - dataend = data + datalen; - - while (dp < dataend) { - SHA1Context *sha1cx_h1; - unsigned int sha1len, sha1off; - unsigned char sha1[SHA1_LENGTH]; - - /* - * Create hash of (salt || end_octet) - */ - sha1cx_h1 = SHA1_CloneContext(sha1cx); - SHA1_Update(sha1cx_h1, &end_octet, 1); - SHA1_End(sha1cx_h1, sha1, &sha1len, sizeof(sha1)); - SHA1_DestroyContext(sha1cx_h1, PR_TRUE); - PORT_Assert(sha1len == SHA1_LENGTH); - - /* - * XOR that hash with the data. - * When we have fewer than SHA1_LENGTH octets of data - * left to xor, use just the low-order ones of the hash. - */ - sha1off = 0; - if ((dataend - dp) < SHA1_LENGTH) - sha1off = SHA1_LENGTH - (dataend - dp); - while (sha1off < SHA1_LENGTH) - *dp++ ^= sha1[sha1off++]; - - /* - * Bump for next hash chunk. - */ - end_octet++; - } - - SHA1_DestroyContext(sha1cx, PR_TRUE); - return SECSuccess; +static unsigned char constantTimeCompare(const unsigned char *a, + const unsigned char *b, + unsigned int len) { + unsigned char tmp = 0; + unsigned int i; + for (i = 0; i < len; ++i, ++a, ++b) + tmp |= *a ^ *b; + return constantTimeEQ8(0x00, tmp); } -/* - * Modify salt by XORing it with a special hash of data. +/* Constant time conditional. + * Returns a if c is 1, or b if c is 0. The result is undefined if c is + * not 0 or 1. */ -static SECStatus -oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen, - unsigned char *data, unsigned int datalen) +static unsigned int constantTimeCondition(unsigned int c, + unsigned int a, + unsigned int b) { - unsigned char sha1[SHA1_LENGTH]; - unsigned char *psalt, *psha1, *saltend; - SECStatus rv; - - /* - * Create a hash of data. - */ - rv = SHA1_HashBuf(sha1, data, datalen); - if (rv != SECSuccess) { - return rv; - } - - /* - * XOR the low-order octets of that hash with salt. - */ - PORT_Assert(saltlen <= SHA1_LENGTH); - saltend = salt + saltlen; - psalt = salt; - psha1 = sha1 + SHA1_LENGTH - saltlen; - while (psalt < saltend) { - *psalt++ ^= *psha1++; - } + return (~(c - 1) & a) | ((c - 1) & b); +} - return SECSuccess; +static unsigned int +rsa_modulusLen(SECItem * modulus) +{ + unsigned char byteZero = modulus->data[0]; + unsigned int modLen = modulus->len - !byteZero; + return modLen; } /* * Format one block of data for public/private key encryption using * the rules defined in PKCS #1. */ -static unsigned char *rsa_FormatOneBlock(unsigned modulusLen, - RSA_BlockType blockType, - SECItem * data) +static unsigned char * +rsa_FormatOneBlock(unsigned modulusLen, + RSA_BlockType blockType, + SECItem * data) { unsigned char *block; unsigned char *bp; int padLen; - int i; + int i, j; SECStatus rv; block = (unsigned char *) nss_ZAlloc(NULL, modulusLen); @@ -223,18 +166,17 @@ static unsigned char *rsa_FormatOneBlock /* * All RSA blocks start with two octets: - * 0x00 || BlockType + * 0x00 || BlockType */ *bp++ = RSA_BLOCK_FIRST_OCTET; *bp++ = (unsigned char) blockType; switch (blockType) { - /* - * Blocks intended for private-key operation. - */ - case RSA_BlockPrivate0: /* essentially unused */ - case RSA_BlockPrivate: /* preferred method */ + /* + * Blocks intended for private-key operation. + */ + case RSA_BlockPrivate: /* preferred method */ /* * 0x00 || BT || Pad || 0x00 || ActualData * 1 1 padLen 1 data->len @@ -246,138 +188,69 @@ static unsigned char *rsa_FormatOneBlock nss_ZFreeIf(block); return NULL; } - nsslibc_memset(bp, - blockType == RSA_BlockPrivate0 - ? RSA_BLOCK_PRIVATE0_PAD_OCTET - : RSA_BLOCK_PRIVATE_PAD_OCTET, padLen); + nsslibc_memset(bp, RSA_BLOCK_PRIVATE_PAD_OCTET, padLen); bp += padLen; *bp++ = RSA_BLOCK_AFTER_PAD_OCTET; nsslibc_memcpy(bp, data->data, data->len); break; - /* - * Blocks intended for public-key operation. - */ - case RSA_BlockPublic: - - /* - * 0x00 || BT || Pad || 0x00 || ActualData - * 1 1 padLen 1 data->len - * Pad is all non-zero random bytes. - */ - padLen = modulusLen - data->len - 3; - PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN); - if (padLen < RSA_BLOCK_MIN_PAD_LEN) { - nss_ZFreeIf(block); - return NULL; - } - for (i = 0; i < padLen; i++) { - /* Pad with non-zero random data. */ - do { - rv = RNG_GenerateGlobalRandomBytes(bp + i, 1); - } while (rv == SECSuccess - && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET); - if (rv != SECSuccess) { - nss_ZFreeIf(block); - return NULL; - } - } - bp += padLen; - *bp++ = RSA_BLOCK_AFTER_PAD_OCTET; - nsslibc_memcpy(bp, data->data, data->len); - - break; - - /* - * Blocks intended for public-key operation, using - * Optimal Asymmetric Encryption Padding (OAEP). - */ - case RSA_BlockOAEP: - /* - * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData) - * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N] - * - * where: - * PaddedData is "Pad1 || ActualData [|| Pad2]" - * Salt is random data. - * Pad1 is all zeros. - * Pad2, if present, is random data. - * (The "modified" fields are all the same length as the original - * unmodified values; they are just xor'd with other values.) - * - * Modified1 is an XOR of PaddedData with a special octet - * string constructed of iterated hashing of Salt (see below). - * Modified2 is an XOR of Salt with the low-order octets of - * the hash of Modified1 (see farther below ;-). - * - * Whew! - */ - - - /* - * Salt - */ - rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN); - if (rv != SECSuccess) { - nss_ZFreeIf(block); - return NULL; - } - bp += OAEP_SALT_LEN; - - /* - * Pad1 - */ - nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN); - bp += OAEP_PAD_LEN; - - /* - * Data - */ - nsslibc_memcpy(bp, data->data, data->len); - bp += data->len; - - /* - * Pad2 - */ - if (bp < (block + modulusLen)) { - rv = RNG_GenerateGlobalRandomBytes(bp, - block - bp + modulusLen); - if (rv != SECSuccess) { - nss_ZFreeIf(block); - return NULL; - } - } - - /* - * Now we have the following: - * 0x00 || BT || Salt || PaddedData - * (From this point on, "Pad1 || Data [|| Pad2]" is treated - * as the one entity PaddedData.) - * - * We need to turn PaddedData into Modified1. - */ - if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN, - modulusLen - 2 - OAEP_SALT_LEN, - block + 2, OAEP_SALT_LEN) != SECSuccess) { - nss_ZFreeIf(block); - return NULL; - } - - /* - * Now we have: - * 0x00 || BT || Salt || Modified1(PaddedData) - * - * The remaining task is to turn Salt into Modified2. - */ - if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN, - block + 2 + OAEP_SALT_LEN, - modulusLen - 2 - OAEP_SALT_LEN) != - SECSuccess) { - nss_ZFreeIf(block); - return NULL; - } - - break; + /* + * Blocks intended for public-key operation. + */ + case RSA_BlockPublic: + + /* + * 0x00 || BT || Pad || 0x00 || ActualData + * 1 1 padLen 1 data->len + * Pad is all non-zero random bytes. + * + * Build the block left to right. + * Fill the entire block from Pad to the end with random bytes. + * Use the bytes after Pad as a supply of extra random bytes from + * which to find replacements for the zero bytes in Pad. + * If we need more than that, refill the bytes after Pad with + * new random bytes as necessary. + */ + padLen = modulusLen - (data->len + 3); + PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN); + if (padLen < RSA_BLOCK_MIN_PAD_LEN) { + nss_ZFreeIf (block); + return NULL; + } + j = modulusLen - 2; + rv = RNG_GenerateGlobalRandomBytes(bp, j); + if (rv == SECSuccess) { + for (i = 0; i < padLen; ) { + unsigned char repl; + /* Pad with non-zero random data. */ + if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) { + ++i; + continue; + } + if (j <= padLen) { + rv = RNG_GenerateGlobalRandomBytes(bp + padLen, + modulusLen - (2 + padLen)); + if (rv != SECSuccess) + break; + j = modulusLen - 2; + } + do { + repl = bp[--j]; + } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen); + if (repl != RSA_BLOCK_AFTER_PAD_OCTET) { + bp[i++] = repl; + } + } + } + if (rv != SECSuccess) { + /*sftk_fatalError = PR_TRUE;*/ + nss_ZFreeIf (block); + return NULL; + } + bp += padLen; + *bp++ = RSA_BLOCK_AFTER_PAD_OCTET; + nsslibc_memcpy(bp, data->data, data->len); + break; default: PORT_Assert(0); @@ -389,54 +262,21 @@ static unsigned char *rsa_FormatOneBlock } static SECStatus -rsa_FormatBlock(SECItem * result, unsigned modulusLen, - RSA_BlockType blockType, SECItem * data) +rsa_FormatBlock(SECItem * result, + unsigned modulusLen, + RSA_BlockType blockType, + SECItem * data) { - /* - * XXX For now assume that the data length fits in a single - * XXX encryption block; the ASSERTs below force this. - * XXX To fix it, each case will have to loop over chunks whose - * XXX lengths satisfy the assertions, until all data is handled. - * XXX (Unless RSA has more to say about how to handle data - * XXX which does not fit in a single encryption block?) - * XXX And I do not know what the result is supposed to be, - * XXX so the interface to this function may need to change - * XXX to allow for returning multiple blocks, if they are - * XXX not wanted simply concatenated one after the other. - */ - switch (blockType) { - case RSA_BlockPrivate0: - case RSA_BlockPrivate: - case RSA_BlockPublic: + case RSA_BlockPrivate: + case RSA_BlockPublic: /* * 0x00 || BT || Pad || 0x00 || ActualData * * The "3" below is the first octet + the second octet + the 0x00 * octet that always comes just before the ActualData. */ - PORT_Assert(data->len <= - (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN))); - - result->data = rsa_FormatOneBlock(modulusLen, blockType, data); - if (result->data == NULL) { - result->len = 0; - return SECFailure; - } - result->len = modulusLen; - - break; - - case RSA_BlockOAEP: - /* - * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2]) - * - * The "2" below is the first octet + the second octet. - * (The other fields do not contain the clear values, but are - * the same length as the clear values.) - */ - PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN - + OAEP_PAD_LEN))); + PORT_Assert(data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN))); result->data = rsa_FormatOneBlock(modulusLen, blockType, data); if (result->data == NULL) { @@ -447,7 +287,7 @@ rsa_FormatBlock(SECItem * result, unsign break; - case RSA_BlockRaw: + case RSA_BlockRaw: /* * Pad || ActualData * Pad is zeros. The application is responsible for recovering @@ -476,36 +316,34 @@ rsa_FormatBlock(SECItem * result, unsign SECStatus pem_RSA_Sign(pemLOWKEYPrivateKey * key, unsigned char *output, - unsigned int *output_len, + unsigned int *outputLen, unsigned int maxOutputLen, - unsigned char *input, unsigned int input_len) + unsigned char *input, unsigned int inputLen) { SECStatus rv = SECSuccess; - unsigned int modulus_len = pem_PrivateModulusLen(key); + unsigned int modulusLen = pem_PrivateModulusLen(key); SECItem formatted; SECItem unformatted; - if (maxOutputLen < modulus_len) + if (maxOutputLen < modulusLen) return SECFailure; PORT_Assert(key->keyType == pemLOWKEYRSAKey); if (key->keyType != pemLOWKEYRSAKey) return SECFailure; - unformatted.len = input_len; + unformatted.len = inputLen; unformatted.data = input; formatted.data = NULL; - rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPrivate, + rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPrivate, &unformatted); if (rv != SECSuccess) goto done; rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data); - *output_len = modulus_len; + *outputLen = modulusLen; - goto done; - - done: +done: if (formatted.data != NULL) nss_ZFreeIf(formatted.data); return rv; @@ -515,17 +353,17 @@ pem_RSA_Sign(pemLOWKEYPrivateKey * key, /* XXX Doesn't set error code */ SECStatus RSA_CheckSign(NSSLOWKEYPublicKey * key, - unsigned char *sign, - unsigned int sign_len, + unsigned char *sig, + unsigned int sigLen, unsigned char *hash, unsigned int hash_len) { SECStatus rv; - unsigned int modulus_len = pem_PublicModulusLen(key); + unsigned int modulusLen = pem_PublicModulusLen(key); unsigned int i; unsigned char *buffer; - modulus_len = pem_PublicModulusLen(key); - if (sign_len != modulus_len) + modulusLen = pem_PublicModulusLen(key); + if (sigLen != modulusLen) goto failure; /* * 0x00 || BT || Pad || 0x00 || ActualData @@ -533,17 +371,17 @@ RSA_CheckSign(NSSLOWKEYPublicKey * key, * The "3" below is the first octet + the second octet + the 0x00 * octet that always comes just before the ActualData. */ - if (hash_len > modulus_len - (3 + RSA_BLOCK_MIN_PAD_LEN)) + if (hash_len > modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)) goto failure; PORT_Assert(key->keyType == pemLOWKEYRSAKey); if (key->keyType != pemLOWKEYRSAKey) goto failure; - buffer = (unsigned char *) nss_ZAlloc(NULL, modulus_len + 1); + buffer = (unsigned char *) nss_ZAlloc(NULL, modulusLen + 1); if (!buffer) goto failure; - rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign); + rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sig); if (rv != SECSuccess) goto loser; @@ -552,7 +390,7 @@ RSA_CheckSign(NSSLOWKEYPublicKey * key, */ if (buffer[0] != 0 || buffer[1] != 1) goto loser; - for (i = 2; i < modulus_len - hash_len - 1; i++) { + for (i = 2; i < modulusLen - hash_len - 1; i++) { if (buffer[i] != 0xff) goto loser; } @@ -562,7 +400,7 @@ RSA_CheckSign(NSSLOWKEYPublicKey * key, /* * make sure we get the same results */ - if (memcmp(buffer + modulus_len - hash_len, hash, hash_len) != 0) + if (memcmp(buffer + modulusLen - hash_len, hash, hash_len) != 0) goto loser; nss_ZFreeIf(buffer); @@ -579,25 +417,25 @@ SECStatus RSA_CheckSignRecover(NSSLOWKEYPublicKey * key, unsigned char *data, unsigned int *data_len, - unsigned int max_output_len, - unsigned char *sign, unsigned int sign_len) + unsigned int maxOutputLen, + unsigned char *sig, unsigned int sigLen) { SECStatus rv; - unsigned int modulus_len = pem_PublicModulusLen(key); + unsigned int modulusLen = pem_PublicModulusLen(key); unsigned int i; unsigned char *buffer; - if (sign_len != modulus_len) + if (sigLen != modulusLen) goto failure; PORT_Assert(key->keyType == pemLOWKEYRSAKey); if (key->keyType != pemLOWKEYRSAKey) goto failure; - buffer = (unsigned char *) nss_ZAlloc(NULL, modulus_len + 1); + buffer = (unsigned char *) nss_ZAlloc(NULL, modulusLen + 1); if (!buffer) goto failure; - rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign); + rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sig); if (rv != SECSuccess) goto loser; *data_len = 0; @@ -607,9 +445,9 @@ RSA_CheckSignRecover(NSSLOWKEYPublicKey */ if (buffer[0] != 0 || buffer[1] != 1) goto loser; - for (i = 2; i < modulus_len; i++) { + for (i = 2; i < modulusLen; i++) { if (buffer[i] == 0) { - *data_len = modulus_len - i - 1; + *data_len = modulusLen - i - 1; break; } if (buffer[i] != 0xff) @@ -617,13 +455,13 @@ RSA_CheckSignRecover(NSSLOWKEYPublicKey } if (*data_len == 0) goto loser; - if (*data_len > max_output_len) + if (*data_len > maxOutputLen) goto loser; /* * make sure we get the same results */ - nsslibc_memcpy(data, buffer + modulus_len - *data_len, *data_len); + nsslibc_memcpy(data, buffer + modulusLen - *data_len, *data_len); nss_ZFreeIf(buffer); return SECSuccess; @@ -638,26 +476,26 @@ RSA_CheckSignRecover(NSSLOWKEYPublicKey SECStatus RSA_EncryptBlock(NSSLOWKEYPublicKey * key, unsigned char *output, - unsigned int *output_len, - unsigned int max_output_len, - unsigned char *input, unsigned int input_len) + unsigned int *outputLen, + unsigned int maxOutputLen, + unsigned char *input, unsigned int inputLen) { SECStatus rv; - unsigned int modulus_len = pem_PublicModulusLen(key); + unsigned int modulusLen = pem_PublicModulusLen(key); SECItem formatted; SECItem unformatted; formatted.data = NULL; - if (max_output_len < modulus_len) + if (maxOutputLen < modulusLen) goto failure; PORT_Assert(key->keyType == pemLOWKEYRSAKey); if (key->keyType != pemLOWKEYRSAKey) goto failure; - unformatted.len = input_len; + unformatted.len = inputLen; unformatted.data = input; formatted.data = NULL; - rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPublic, + rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPublic, &unformatted); if (rv != SECSuccess) goto failure; @@ -667,7 +505,7 @@ RSA_EncryptBlock(NSSLOWKEYPublicKey * ke goto failure; nss_ZFreeIf(formatted.data); - *output_len = modulus_len; + *outputLen = modulusLen; return SECSuccess; failure: @@ -681,22 +519,22 @@ RSA_EncryptBlock(NSSLOWKEYPublicKey * ke SECStatus pem_RSA_DecryptBlock(pemLOWKEYPrivateKey * key, unsigned char *output, - unsigned int *output_len, - unsigned int max_output_len, - unsigned char *input, unsigned int input_len) + unsigned int *outputLen, + unsigned int maxOutputLen, + unsigned char *input, unsigned int inputLen) { SECStatus rv; - unsigned int modulus_len = pem_PrivateModulusLen(key); + unsigned int modulusLen = pem_PrivateModulusLen(key); unsigned int i; unsigned char *buffer; PORT_Assert(key->keyType == pemLOWKEYRSAKey); if (key->keyType != pemLOWKEYRSAKey) goto failure; - if (input_len != modulus_len) + if (inputLen != modulusLen) goto failure; - buffer = (unsigned char *) nss_ZAlloc(NULL, modulus_len + 1); + buffer = (unsigned char *) nss_ZAlloc(NULL, modulusLen + 1); if (!buffer) goto failure; @@ -707,19 +545,19 @@ pem_RSA_DecryptBlock(pemLOWKEYPrivateKey if (buffer[0] != 0 || buffer[1] != 2) goto loser; - *output_len = 0; - for (i = 2; i < modulus_len; i++) { + *outputLen = 0; + for (i = 2; i < modulusLen; i++) { if (buffer[i] == 0) { - *output_len = modulus_len - i - 1; + *outputLen = modulusLen - i - 1; break; } } - if (*output_len == 0) + if (*outputLen == 0) goto loser; - if (*output_len > max_output_len) + if (*outputLen > maxOutputLen) goto loser; - nsslibc_memcpy(output, buffer + modulus_len - *output_len, *output_len); + nsslibc_memcpy(output, buffer + modulusLen - *outputLen, *outputLen); nss_ZFreeIf(buffer); return SECSuccess; @@ -739,32 +577,32 @@ pem_RSA_DecryptBlock(pemLOWKEYPrivateKey SECStatus pem_RSA_SignRaw(pemLOWKEYPrivateKey * key, unsigned char *output, - unsigned int *output_len, + unsigned int *outputLen, unsigned int maxOutputLen, - unsigned char *input, unsigned int input_len) + unsigned char *input, unsigned int inputLen) { SECStatus rv = SECSuccess; - unsigned int modulus_len = pem_PrivateModulusLen(key); + unsigned int modulusLen = pem_PrivateModulusLen(key); SECItem formatted; SECItem unformatted; - if (maxOutputLen < modulus_len) + if (maxOutputLen < modulusLen) return SECFailure; PORT_Assert(key->keyType == pemLOWKEYRSAKey); if (key->keyType != pemLOWKEYRSAKey) return SECFailure; - unformatted.len = input_len; + unformatted.len = inputLen; unformatted.data = input; formatted.data = NULL; - rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, + rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockRaw, &unformatted); if (rv != SECSuccess) goto done; rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data); - *output_len = modulus_len; + *outputLen = modulusLen; done: if (formatted.data != NULL) @@ -775,27 +613,27 @@ pem_RSA_SignRaw(pemLOWKEYPrivateKey * ke /* XXX Doesn't set error code */ SECStatus RSA_CheckSignRaw(NSSLOWKEYPublicKey * key, - unsigned char *sign, - unsigned int sign_len, + unsigned char *sig, + unsigned int sigLen, unsigned char *hash, unsigned int hash_len) { SECStatus rv; - unsigned int modulus_len = pem_PublicModulusLen(key); + unsigned int modulusLen = pem_PublicModulusLen(key); unsigned char *buffer; - if (sign_len != modulus_len) + if (sigLen != modulusLen) goto failure; - if (hash_len > modulus_len) + if (hash_len > modulusLen) goto failure; PORT_Assert(key->keyType == pemLOWKEYRSAKey); if (key->keyType != pemLOWKEYRSAKey) goto failure; - buffer = (unsigned char *) nss_ZAlloc(NULL, modulus_len + 1); + buffer = (unsigned char *) nss_ZAlloc(NULL, modulusLen + 1); if (!buffer) goto failure; - rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign); + rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sig); if (rv != SECSuccess) goto loser; @@ -803,7 +641,7 @@ RSA_CheckSignRaw(NSSLOWKEYPublicKey * ke * make sure we get the same results */ /* NOTE: should we verify the leading zeros? */ - if (memcmp(buffer + (modulus_len - hash_len), hash, hash_len) != + if (memcmp(buffer + (modulusLen - hash_len), hash, hash_len) != 0) goto loser; @@ -821,25 +659,25 @@ SECStatus RSA_CheckSignRecoverRaw(NSSLOWKEYPublicKey * key, unsigned char *data, unsigned int *data_len, - unsigned int max_output_len, - unsigned char *sign, unsigned int sign_len) + unsigned int maxOutputLen, + unsigned char *sig, unsigned int sigLen) { SECStatus rv; - unsigned int modulus_len = pem_PublicModulusLen(key); + unsigned int modulusLen = pem_PublicModulusLen(key); - if (sign_len != modulus_len) + if (sigLen != modulusLen) goto failure; - if (max_output_len < modulus_len) + if (maxOutputLen < modulusLen) goto failure; PORT_Assert(key->keyType == pemLOWKEYRSAKey); if (key->keyType != pemLOWKEYRSAKey) goto failure; - rv = RSA_PublicKeyOp(&key->u.rsa, data, sign); + rv = RSA_PublicKeyOp(&key->u.rsa, data, sig); if (rv != SECSuccess) goto failure; - *data_len = modulus_len; + *data_len = modulusLen; return SECSuccess; failure: @@ -851,26 +689,26 @@ RSA_CheckSignRecoverRaw(NSSLOWKEYPublicK SECStatus RSA_EncryptRaw(NSSLOWKEYPublicKey * key, unsigned char *output, - unsigned int *output_len, - unsigned int max_output_len, - unsigned char *input, unsigned int input_len) + unsigned int *outputLen, + unsigned int maxOutputLen, + unsigned char *input, unsigned int inputLen) { SECStatus rv; - unsigned int modulus_len = pem_PublicModulusLen(key); + unsigned int modulusLen = pem_PublicModulusLen(key); SECItem formatted; SECItem unformatted; formatted.data = NULL; - if (max_output_len < modulus_len) + if (maxOutputLen < modulusLen) goto failure; PORT_Assert(key->keyType == pemLOWKEYRSAKey); if (key->keyType != pemLOWKEYRSAKey) goto failure; - unformatted.len = input_len; + unformatted.len = inputLen; unformatted.data = input; formatted.data = NULL; - rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, + rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockRaw, &unformatted); if (rv != SECSuccess) goto failure; @@ -880,7 +718,7 @@ RSA_EncryptRaw(NSSLOWKEYPublicKey * key, goto failure; nss_ZFreeIf(formatted.data); - *output_len = modulus_len; + *outputLen = modulusLen; return SECSuccess; failure: @@ -893,21 +731,21 @@ RSA_EncryptRaw(NSSLOWKEYPublicKey * key, SECStatus pem_RSA_DecryptRaw(pemLOWKEYPrivateKey * key, unsigned char *output, - unsigned int *output_len, - unsigned int max_output_len, - unsigned char *input, unsigned int input_len) + unsigned int *outputLen, + unsigned int maxOutputLen, + unsigned char *input, unsigned int inputLen) { SECStatus rv; - unsigned int modulus_len = pem_PrivateModulusLen(key); + unsigned int modulusLen = pem_PrivateModulusLen(key); - if (modulus_len <= 0) + if (modulusLen <= 0) goto failure; - if (modulus_len > max_output_len) + if (modulusLen > maxOutputLen) goto failure; PORT_Assert(key->keyType == pemLOWKEYRSAKey); if (key->keyType != pemLOWKEYRSAKey) goto failure; - if (input_len != modulus_len) + if (inputLen != modulusLen) goto failure; rv = RSA_PrivateKeyOp(&key->u.rsa, output, input); @@ -915,7 +753,7 @@ pem_RSA_DecryptRaw(pemLOWKEYPrivateKey * goto failure; } - *output_len = modulus_len; + *outputLen = modulusLen; return SECSuccess; failure: