int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int id, int iter, int n, unsigned char *out, const EVP_MD *md_type) { unsigned char *B, *D, *I, *p, *Ai; int Slen, Plen, Ilen, Ijlen; int i, j, u, v; int ret = 0; BIGNUM *Ij, *Bpl1; /* These hold Ij and B + 1 */ EVP_MD_CTX ctx; #ifdef DEBUG_KEYGEN unsigned char *tmpout = out; int tmpn = n; #endif EVP_MD_CTX_init(&ctx); #ifdef DEBUG_KEYGEN fprintf(stderr, "KEYGEN DEBUG\n"); fprintf(stderr, "ID %d, ITER %d\n", id, iter); fprintf(stderr, "Password (length %d):\n", passlen); h__dump(pass, passlen); fprintf(stderr, "Salt (length %d):\n", saltlen); h__dump(salt, saltlen); #endif v = EVP_MD_block_size(md_type); u = EVP_MD_size(md_type); if (u < 0) return 0; D = OPENSSL_malloc(v); Ai = OPENSSL_malloc(u); B = OPENSSL_malloc(v + 1); Slen = v * ((saltlen + v - 1) / v); if (passlen) Plen = v * ((passlen + v - 1) / v); else Plen = 0; Ilen = Slen + Plen; I = OPENSSL_malloc(Ilen); Ij = BN_new(); Bpl1 = BN_new(); if (!D || !Ai || !B || !I || !Ij || !Bpl1) goto err; for (i = 0; i < v; i++) D[i] = id; p = I; for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen]; for (i = 0; i < Plen; i++) *p++ = pass[i % passlen]; for (;;) { if (!EVP_DigestInit_ex(&ctx, md_type, NULL) || !EVP_DigestUpdate(&ctx, D, v) || !EVP_DigestUpdate(&ctx, I, Ilen) || !EVP_DigestFinal_ex(&ctx, Ai, NULL)) goto err; for (j = 1; j < iter; j++) { if (!EVP_DigestInit_ex(&ctx, md_type, NULL) || !EVP_DigestUpdate(&ctx, Ai, u) || !EVP_DigestFinal_ex(&ctx, Ai, NULL)) goto err; } memcpy(out, Ai, min(n, u)); if (u >= n) { #ifdef DEBUG_KEYGEN fprintf(stderr, "Output KEY (length %d)\n", tmpn); h__dump(tmpout, tmpn); #endif ret = 1; goto end; } n -= u; out += u; for (j = 0; j < v; j++) B[j] = Ai[j % u]; /* Work out B + 1 first then can use B as tmp space */ if (!BN_bin2bn(B, v, Bpl1)) goto err; if (!BN_add_word(Bpl1, 1)) goto err; for (j = 0; j < Ilen; j += v) { if (!BN_bin2bn(I + j, v, Ij)) goto err; if (!BN_add(Ij, Ij, Bpl1)) goto err; if (!BN_bn2bin(Ij, B)) goto err; Ijlen = BN_num_bytes(Ij); /* If more than 2^(v*8) - 1 cut off MSB */ if (Ijlen > v) { if (!BN_bn2bin(Ij, B)) goto err; memcpy(I + j, B + 1, v); #ifndef PKCS12_BROKEN_KEYGEN /* If less than v bytes pad with zeroes */ } else if (Ijlen < v) { memset(I + j, 0, v - Ijlen); if (!BN_bn2bin(Ij, I + j + v - Ijlen)) goto err; #endif } else if (!BN_bn2bin(Ij, I + j)) goto err; } } err: PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI, ERR_R_MALLOC_FAILURE); end: OPENSSL_free(Ai); OPENSSL_free(B); OPENSSL_free(D); OPENSSL_free(I); BN_free(Ij); BN_free(Bpl1); EVP_MD_CTX_cleanup(&ctx); return ret; }
/* seed1 through seed5 are virtually concatenated */ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len, const void *seed1, int seed1_len, const void *seed2, int seed2_len, const void *seed3, int seed3_len, const void *seed4, int seed4_len, const void *seed5, int seed5_len, unsigned char *out, int olen) { int chunk; size_t j; EVP_MD_CTX ctx, ctx_tmp; EVP_PKEY *mac_key; unsigned char A1[EVP_MAX_MD_SIZE]; size_t A1_len; int ret = 0; chunk=EVP_MD_size(md); OPENSSL_assert(chunk >= 0); EVP_MD_CTX_init(&ctx); EVP_MD_CTX_init(&ctx_tmp); EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); EVP_MD_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len); if (!mac_key) goto err; if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) goto err; if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key)) goto err; if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len)) goto err; if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len)) goto err; if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len)) goto err; if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len)) goto err; if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len)) goto err; if (!EVP_DigestSignFinal(&ctx,A1,&A1_len)) goto err; for (;;) { /* Reinit mac contexts */ if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) goto err; if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key)) goto err; if (!EVP_DigestSignUpdate(&ctx,A1,A1_len)) goto err; if (!EVP_DigestSignUpdate(&ctx_tmp,A1,A1_len)) goto err; if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len)) goto err; if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len)) goto err; if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len)) goto err; if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len)) goto err; if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len)) goto err; if (olen > chunk) { if (!EVP_DigestSignFinal(&ctx,out,&j)) goto err; out+=j; olen-=j; /* calc the next A1 value */ if (!EVP_DigestSignFinal(&ctx_tmp,A1,&A1_len)) goto err; } else /* last one */ { if (!EVP_DigestSignFinal(&ctx,A1,&A1_len)) goto err; memcpy(out,A1,olen); break; } } ret = 1; err: EVP_PKEY_free(mac_key); EVP_MD_CTX_cleanup(&ctx); EVP_MD_CTX_cleanup(&ctx_tmp); OPENSSL_cleanse(A1,sizeof(A1)); return ret; }
int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, X509 *x509) { ASN1_OCTET_STRING *os; EVP_MD_CTX mdc_tmp, *mdc; int ret = 0, i; int md_type; STACK_OF(X509_ATTRIBUTE) *sk; BIO *btmp; EVP_PKEY *pkey; EVP_MD_CTX_init(&mdc_tmp); if (!PKCS7_type_is_signed(p7) && !PKCS7_type_is_signedAndEnveloped(p7)) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_WRONG_PKCS7_TYPE); goto err; } md_type = OBJ_obj2nid(si->digest_alg->algorithm); btmp = bio; for (;;) { if ((btmp == NULL) || ((btmp = BIO_find_type(btmp, BIO_TYPE_MD)) == NULL)) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); goto err; } BIO_get_md_ctx(btmp, &mdc); if (mdc == NULL) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_INTERNAL_ERROR); goto err; } if (EVP_MD_CTX_type(mdc) == md_type) break; /* * Workaround for some broken clients that put the signature OID * instead of the digest OID in digest_alg->algorithm */ if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type) break; btmp = BIO_next(btmp); } /* * mdc is the digest ctx that we want, unless there are attributes, in * which case the digest is the signed attributes */ if (!EVP_MD_CTX_copy_ex(&mdc_tmp, mdc)) goto err; sk = si->auth_attr; if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) { unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL; unsigned int md_len; int alen; ASN1_OCTET_STRING *message_digest; if (!EVP_DigestFinal_ex(&mdc_tmp, md_dat, &md_len)) goto err; message_digest = PKCS7_digest_from_attributes(sk); if (!message_digest) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); goto err; } if ((message_digest->length != (int)md_len) || (memcmp(message_digest->data, md_dat, md_len))) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_DIGEST_FAILURE); ret = -1; goto err; } if (!EVP_VerifyInit_ex(&mdc_tmp, EVP_get_digestbynid(md_type), NULL)) goto err; alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf, ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY)); if (alen <= 0) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_ASN1_LIB); ret = -1; goto err; } if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen)) goto err; OPENSSL_free(abuf); } os = si->enc_digest; pkey = X509_get_pubkey(x509); if (!pkey) { ret = -1; goto err; } i = EVP_VerifyFinal(&mdc_tmp, os->data, os->length, pkey); EVP_PKEY_free(pkey); if (i <= 0) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_SIGNATURE_FAILURE); ret = -1; goto err; } ret = 1; err: EVP_MD_CTX_cleanup(&mdc_tmp); return (ret); }
/** * Funkcja generuje skrót z certyfikatu wykorzystując podaną w drugim parametrze * metodę. * \param certyfikat Bufor generyczny ze zdekodowanym certyfikatem. * \param method Metoda generowania skrótu. W chwili obecnej do wyboru: * - LIBBMDXADES_DIGEST_METHOD_SHA1 * - LIBBMDXADES_DIGEST_METHOD_MD5 * \param basedHash Skrót zakodowany do base64. * \retval 0 Wszystko OK. * \retval -1 Nieznana metoda. * \retval -2 Brak pamięci. * */ long _getCertificateDigest(GenBuf_t **certyfikat, LIBBMDXADES_DIGEST_METHOD_t method, char **basedHash) { EVP_MD_CTX mdctx; /*kontekst digesta*/ const EVP_MD *md; /*metoda skrotu*/ char md_value[EVP_MAX_MD_SIZE]; /*otrzymany skrot*/ long md_len = 0; /*dlugosc skrotu*/ unsigned int ui_temp = 0; if (certyfikat == NULL) { PRINT_DEBUG("Wrong argument 1\n"); return ERR_arg+1; } if (*certyfikat == NULL) { PRINT_DEBUG("Wrong argument 1\n"); return ERR_arg+1; } if (basedHash == NULL) { PRINT_DEBUG("Wrong argument 2\n"); return ERR_arg+2; } if (*basedHash != NULL) { PRINT_DEBUG("Wrong argument 2\n"); return ERR_arg+2; } OpenSSL_add_all_digests(); switch (method) { case LIBBMDXADES_DIGEST_METHOD_SHA1: md = EVP_get_digestbyname("sha1"); break; case LIBBMDXADES_DIGEST_METHOD_MD5: md = EVP_get_digestbyname("md5"); break; default: PRINT_DEBUG("UNKNOWN DIGEST METHOD!\n"); return -1; } EVP_MD_CTX_init(&mdctx); /*inicjalizacja kontekstu*/ EVP_DigestInit_ex(&mdctx, md, NULL); /*ustawiamy odpowiednia metode liczenia skrotu*/ EVP_DigestUpdate(&mdctx, (*certyfikat)->buf, (*certyfikat)->size);/*dodajemy tekst*/ ui_temp = md_len; EVP_DigestFinal_ex(&mdctx, (unsigned char*)md_value, &ui_temp); md_len = ui_temp; EVP_MD_CTX_cleanup(&mdctx); (*basedHash) = (char *) spc_base64_encode((unsigned char *)md_value, md_len, 0); if (*basedHash == NULL) { PRINT_ERROR("NO MEMORY!\n"); return -2; } return 0; }
static int rsa_sign_with_key(RSA *rsa, const void *data, const int data_size, uint8_t **sigp, uint *sig_size) { EVP_PKEY *key; EVP_MD_CTX *context; int size, ret = 0; uint8_t *sig; key = EVP_PKEY_new(); if (!key) return rsa_err("EVP_PKEY object creation failed"); if (!EVP_PKEY_set1_RSA(key, rsa)) { ret = rsa_err("EVP key setup failed"); goto err_set; } size = EVP_PKEY_size(key); sig = malloc(size); if (!sig) { fprintf(stderr, "Out of memory for signature (%d bytes)\n", size); ret = -ENOMEM; goto err_alloc; } context = EVP_MD_CTX_create(); if (!context) { ret = rsa_err("EVP context creation failed"); goto err_create; } EVP_MD_CTX_init(context); if (!EVP_SignInit(context, EVP_sha1())) { ret = rsa_err("Signer setup failed"); goto err_sign; } if (!EVP_SignUpdate(context, data, data_size)) { ret = rsa_err("Signing data failed"); goto err_sign; } if (!EVP_SignFinal(context, sig, sig_size, key)) { ret = rsa_err("Could not obtain signature"); goto err_sign; } EVP_MD_CTX_cleanup(context); EVP_MD_CTX_destroy(context); EVP_PKEY_free(key); printf("Got signature: %d bytes, expected %d\n", *sig_size, size); *sigp = sig; *sig_size = size; return 0; err_sign: EVP_MD_CTX_destroy(context); err_create: free(sig); err_alloc: err_set: EVP_PKEY_free(key); return ret; }
int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2, ASN1_BIT_STRING *signature, char *data, EVP_PKEY *pkey, const EVP_MD *type) { EVP_MD_CTX ctx; unsigned char *p,*buf_in=NULL,*buf_out=NULL; int i,inl=0,outl=0,outll=0; X509_ALGOR *a; EVP_MD_CTX_init(&ctx); for (i=0; i<2; i++) { if (i == 0) a=algor1; else a=algor2; if (a == NULL) continue; if (type->pkey_type == NID_dsaWithSHA1) { /* special case: RFC 2459 tells us to omit 'parameters' * with id-dsa-with-sha1 */ ASN1_TYPE_free(a->parameter); a->parameter = NULL; } else if ((a->parameter == NULL) || (a->parameter->type != V_ASN1_NULL)) { ASN1_TYPE_free(a->parameter); if ((a->parameter=ASN1_TYPE_new()) == NULL) goto err; a->parameter->type=V_ASN1_NULL; } ASN1_OBJECT_free(a->algorithm); a->algorithm=OBJ_nid2obj(type->pkey_type); if (a->algorithm == NULL) { ASN1err(ASN1_F_ASN1_SIGN,ASN1_R_UNKNOWN_OBJECT_TYPE); goto err; } if (a->algorithm->length == 0) { ASN1err(ASN1_F_ASN1_SIGN,ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD); goto err; } } inl=i2d(data,NULL); buf_in=(unsigned char *)OPENSSL_malloc((unsigned int)inl); outll=outl=EVP_PKEY_size(pkey); buf_out=(unsigned char *)OPENSSL_malloc((unsigned int)outl); if ((buf_in == NULL) || (buf_out == NULL)) { outl=0; ASN1err(ASN1_F_ASN1_SIGN,ERR_R_MALLOC_FAILURE); goto err; } p=buf_in; i2d(data,&p); if (!EVP_SignInit_ex(&ctx,type, NULL) || !EVP_SignUpdate(&ctx,(unsigned char *)buf_in,inl) || !EVP_SignFinal(&ctx,(unsigned char *)buf_out, (unsigned int *)&outl,pkey)) { outl=0; ASN1err(ASN1_F_ASN1_SIGN,ERR_R_EVP_LIB); goto err; } if (signature->data != NULL) OPENSSL_free(signature->data); signature->data=buf_out; buf_out=NULL; signature->length=outl; /* In the interests of compatibility, I'll make sure that * the bit string has a 'not-used bits' value of 0 */ signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); signature->flags|=ASN1_STRING_FLAG_BITS_LEFT; err: EVP_MD_CTX_cleanup(&ctx); if (buf_in != NULL) { OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); } if (buf_out != NULL) { OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); } return(outl); }
/** * Check a canonical sig+rrset and signature against a dnskey * @param buf: buffer with data to verify, the first rrsig part and the * canonicalized rrset. * @param algo: DNSKEY algorithm. * @param sigblock: signature rdata field from RRSIG * @param sigblock_len: length of sigblock data. * @param key: public key data from DNSKEY RR. * @param keylen: length of keydata. * @param reason: bogus reason in more detail. * @return secure if verification succeeded, bogus on crypto failure, * unchecked on format errors and alloc failures. */ enum sec_status verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, unsigned int sigblock_len, unsigned char* key, unsigned int keylen, char** reason) { const EVP_MD *digest_type; EVP_MD_CTX ctx; int res, dofree = 0; EVP_PKEY *evp_key = NULL; if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { verbose(VERB_QUERY, "verify: failed to setup key"); *reason = "use of key for crypto failed"; EVP_PKEY_free(evp_key); return sec_status_bogus; } /* if it is a DSA signature in bind format, convert to DER format */ if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && sigblock_len == 1+2*SHA_DIGEST_LENGTH) { if(!setup_dsa_sig(&sigblock, &sigblock_len)) { verbose(VERB_QUERY, "verify: failed to setup DSA sig"); *reason = "use of key for DSA crypto failed"; EVP_PKEY_free(evp_key); return sec_status_bogus; } dofree = 1; } #ifdef USE_ECDSA else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) { /* EVP uses ASN prefix on sig, which is not in the wire data */ if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) { verbose(VERB_QUERY, "verify: failed to setup ECDSA sig"); *reason = "use of signature for ECDSA crypto failed"; EVP_PKEY_free(evp_key); return sec_status_bogus; } dofree = 1; } #endif /* USE_ECDSA */ /* do the signature cryptography work */ EVP_MD_CTX_init(&ctx); if(EVP_VerifyInit(&ctx, digest_type) == 0) { verbose(VERB_QUERY, "verify: EVP_VerifyInit failed"); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); return sec_status_unchecked; } if(EVP_VerifyUpdate(&ctx, (unsigned char*)ldns_buffer_begin(buf), (unsigned int)ldns_buffer_limit(buf)) == 0) { verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed"); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); return sec_status_unchecked; } res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key); if(EVP_MD_CTX_cleanup(&ctx) == 0) { verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed"); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); return sec_status_unchecked; } EVP_PKEY_free(evp_key); if(dofree) free(sigblock); if(res == 1) { return sec_status_secure; } else if(res == 0) { verbose(VERB_QUERY, "verify: signature mismatch"); *reason = "signature crypto failed"; return sec_status_bogus; } log_crypto_error("verify:", ERR_get_error()); return sec_status_unchecked; }
int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de) { EVP_MD_CTX ctx; unsigned char md_tmp[EVP_MAX_MD_SIZE]; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; int i; PBEPARAM *pbe; int saltlen, iter; unsigned char *salt; const unsigned char *pbuf; int mdsize; /* Extract useful info from parameter */ if (param == NULL || param->type != V_ASN1_SEQUENCE || param->value.sequence == NULL) { EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN,EVP_R_DECODE_ERROR); return 0; } pbuf = param->value.sequence->data; if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) { EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN,EVP_R_DECODE_ERROR); return 0; } if (!pbe->iter) iter = 1; else iter = ASN1_INTEGER_get (pbe->iter); salt = pbe->salt->data; saltlen = pbe->salt->length; if(!pass) passlen = 0; else if(passlen == -1) passlen = strlen(pass); EVP_MD_CTX_init(&ctx); EVP_DigestInit_ex(&ctx, md, NULL); EVP_DigestUpdate(&ctx, pass, passlen); EVP_DigestUpdate(&ctx, salt, saltlen); PBEPARAM_free(pbe); EVP_DigestFinal_ex(&ctx, md_tmp, NULL); mdsize = EVP_MD_size(md); if (mdsize < 0) return 0; for (i = 1; i < iter; i++) { EVP_DigestInit_ex(&ctx, md, NULL); EVP_DigestUpdate(&ctx, md_tmp, mdsize); EVP_DigestFinal_ex (&ctx, md_tmp, NULL); } EVP_MD_CTX_cleanup(&ctx); OPENSSL_assert(EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)); memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher)); OPENSSL_assert(EVP_CIPHER_iv_length(cipher) <= 16); memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)), EVP_CIPHER_iv_length(cipher)); EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de); OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE); OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH); OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); return 1; }
int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, const unsigned char *mHash, const EVP_MD *Hash, int sLen) { int i; int ret = 0; int hLen, maskedDBLen, MSBits, emLen; unsigned char *H, *salt = NULL, *p; EVP_MD_CTX ctx; hLen = EVP_MD_size(Hash); if (hLen < 0) goto err; /* * Negative sLen has special meanings: * -1 sLen == hLen * -2 salt length is maximized * -N reserved */ if (sLen == -1) sLen = hLen; else if (sLen == -2) sLen = -2; else if (sLen < -2) { RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); goto err; } MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; emLen = RSA_size(rsa); if (MSBits == 0) { *EM++ = 0; emLen--; } if (sLen == -2) { sLen = emLen - hLen - 2; } else if (emLen < (hLen + sLen + 2)) { RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); goto err; } if (sLen > 0) { salt = (unsigned char*)OPENSSL_malloc(sLen); if (!salt) { RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, ERR_R_MALLOC_FAILURE); goto err; } if (RAND_bytes(salt, sLen) <= 0) goto err; } maskedDBLen = emLen - hLen - 1; H = EM + maskedDBLen; EVP_MD_CTX_init(&ctx); EVP_DigestInit_ex(&ctx, Hash, NULL); EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); EVP_DigestUpdate(&ctx, mHash, hLen); if (sLen) EVP_DigestUpdate(&ctx, salt, sLen); EVP_DigestFinal(&ctx, H, NULL); EVP_MD_CTX_cleanup(&ctx); /* Generate dbMask in place then perform XOR on it */ if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash)) goto err; p = EM; /* Initial PS XORs with all zeroes which is a NOP so just update * pointer. Note from a test above this value is guaranteed to * be non-negative. */ p += emLen - sLen - hLen - 2; *p++ ^= 0x1; if (sLen > 0) { for (i = 0; i < sLen; i++) *p++ ^= salt[i]; } if (MSBits) EM[0] &= 0xFF >> (8 - MSBits); /* H is already in place so just set final 0xbc */ EM[emLen - 1] = 0xbc; ret = 1; err: if (salt) OPENSSL_free(salt); return ret; }
int libssh2_md5_init(libssh2_md5_ctx *ctx) { EVP_MD_CTX_init(ctx); return EVP_DigestInit(ctx, EVP_get_digestbyname("md5")); }
void QblEvpDigest::init() { EVP_MD_CTX_init(&mdctx); EVP_DigestInit_ex(&mdctx, getAlgorithm(), NULL); }
int libssh2_sha1_init(libssh2_sha1_ctx *ctx) { EVP_MD_CTX_init(ctx); return EVP_DigestInit(ctx, EVP_get_digestbyname("sha1")); }
int ssl3_change_cipher_state(SSL *s, int which) { unsigned char *p,*mac_secret; unsigned char exp_key[EVP_MAX_KEY_LENGTH]; unsigned char exp_iv[EVP_MAX_IV_LENGTH]; unsigned char *ms,*key,*iv,*er1,*er2; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; #ifndef OPENSSL_NO_COMP COMP_METHOD *comp; #endif const EVP_MD *m; EVP_MD_CTX md; int is_exp,n,i,j,k,cl; int reuse_dd = 0; is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); c=s->s3->tmp.new_sym_enc; m=s->s3->tmp.new_hash; /* m == NULL will lead to a crash later */ OPENSSL_assert(m); #ifndef OPENSSL_NO_COMP if (s->s3->tmp.new_compression == NULL) comp=NULL; else comp=s->s3->tmp.new_compression->method; #endif if (which & SSL3_CC_READ) { if (s->enc_read_ctx != NULL) reuse_dd = 1; else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; else /* make sure it's intialized in case we exit later with an error */ EVP_CIPHER_CTX_init(s->enc_read_ctx); dd= s->enc_read_ctx; ssl_replace_hash(&s->read_hash,m); #ifndef OPENSSL_NO_COMP /* COMPRESS */ if (s->expand != NULL) { COMP_CTX_free(s->expand); s->expand=NULL; } if (comp != NULL) { s->expand=COMP_CTX_new(comp); if (s->expand == NULL) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } if (s->s3->rrec.comp == NULL) s->s3->rrec.comp=(unsigned char *) OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH); if (s->s3->rrec.comp == NULL) goto err; } #endif memset(&(s->s3->read_sequence[0]),0,8); mac_secret= &(s->s3->read_mac_secret[0]); } else { if (s->enc_write_ctx != NULL) reuse_dd = 1; else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; else /* make sure it's intialized in case we exit later with an error */ EVP_CIPHER_CTX_init(s->enc_write_ctx); dd= s->enc_write_ctx; ssl_replace_hash(&s->write_hash,m); #ifndef OPENSSL_NO_COMP /* COMPRESS */ if (s->compress != NULL) { COMP_CTX_free(s->compress); s->compress=NULL; } if (comp != NULL) { s->compress=COMP_CTX_new(comp); if (s->compress == NULL) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } } #endif memset(&(s->s3->write_sequence[0]),0,8); mac_secret= &(s->s3->write_mac_secret[0]); } if (reuse_dd) EVP_CIPHER_CTX_cleanup(dd); p=s->s3->tmp.key_block; i=EVP_MD_size(m); if (i < 0) goto err2; cl=EVP_CIPHER_key_length(c); j=is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */ k=EVP_CIPHER_iv_length(c); if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { ms= &(p[ 0]); n=i+i; key= &(p[ n]); n+=j+j; iv= &(p[ n]); n+=k+k; er1= &(s->s3->client_random[0]); er2= &(s->s3->server_random[0]); } else { n=i; ms= &(p[ n]); n+=i+j; key= &(p[ n]); n+=j+k; iv= &(p[ n]); n+=k; er1= &(s->s3->server_random[0]); er2= &(s->s3->client_random[0]); } if (n > s->s3->tmp.key_block_length) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); goto err2; } EVP_MD_CTX_init(&md); memcpy(mac_secret,ms,i); if (is_exp) { /* In here I set both the read and write key/iv to the * same value since only the correct one will be used :-). */ EVP_DigestInit_ex(&md,EVP_md5(), NULL); EVP_DigestUpdate(&md,key,j); EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE); EVP_DigestFinal_ex(&md,&(exp_key[0]),NULL); key= &(exp_key[0]); if (k > 0) { EVP_DigestInit_ex(&md,EVP_md5(), NULL); EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE); EVP_DigestFinal_ex(&md,&(exp_iv[0]),NULL); iv= &(exp_iv[0]); } } s->session->key_arg_length=0; EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE)); OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key)); OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv)); EVP_MD_CTX_cleanup(&md); return(1); err: SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); err2: return(0); }
int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, const unsigned char *salt, const unsigned char *data, int datal, int count, unsigned char *key, unsigned char *iv) { EVP_MD_CTX c; unsigned char md_buf[EVP_MAX_MD_SIZE]; int niv,nkey,addmd=0; unsigned int mds=0,i; nkey=type->key_len; niv=type->iv_len; OPENSSL_assert(nkey <= EVP_MAX_KEY_LENGTH); OPENSSL_assert(niv <= EVP_MAX_IV_LENGTH); if (data == NULL) return(nkey); EVP_MD_CTX_init(&c); for (;;) { EVP_DigestInit_ex(&c,md, NULL); if (addmd++) EVP_DigestUpdate(&c,&(md_buf[0]),mds); EVP_DigestUpdate(&c,data,datal); if (salt != NULL) EVP_DigestUpdate(&c,salt,PKCS5_SALT_LEN); EVP_DigestFinal_ex(&c,&(md_buf[0]),&mds); for (i=1; i<(unsigned int)count; i++) { EVP_DigestInit_ex(&c,md, NULL); EVP_DigestUpdate(&c,&(md_buf[0]),mds); EVP_DigestFinal_ex(&c,&(md_buf[0]),&mds); } i=0; if (nkey) { for (;;) { if (nkey == 0) break; if (i == mds) break; if (key != NULL) *(key++)=md_buf[i]; nkey--; i++; } } if (niv && (i != mds)) { for (;;) { if (niv == 0) break; if (i == mds) break; if (iv != NULL) *(iv++)=md_buf[i]; niv--; i++; } } if ((nkey == 0) && (niv == 0)) break; } EVP_MD_CTX_cleanup(&c); OPENSSL_cleanse(&(md_buf[0]),EVP_MAX_MD_SIZE); return(type->key_len); }
bool PaymentRequestPlus::getMerchant(X509_STORE* certStore, QString& merchant) const { merchant.clear(); if (!IsInitialized()) return false; // One day we'll support more PKI types, but just // x509 for now: const EVP_MD* digestAlgorithm = nullptr; if (paymentRequest.pki_type() == "x509+sha256") { digestAlgorithm = EVP_sha256(); } else if (paymentRequest.pki_type() == "x509+sha1") { digestAlgorithm = EVP_sha1(); } else if (paymentRequest.pki_type() == "none") { qWarning() << "PaymentRequestPlus::getMerchant: Payment request: pki_type == none"; return false; } else { qWarning() << "PaymentRequestPlus::getMerchant: Payment request: unknown pki_type " << QString::fromStdString(paymentRequest.pki_type()); return false; } payments::X509Certificates certChain; if (!certChain.ParseFromString(paymentRequest.pki_data())) { qWarning() << "PaymentRequestPlus::getMerchant: Payment request: error parsing pki_data"; return false; } std::vector<X509*> certs; const QDateTime currentTime = QDateTime::currentDateTime(); for (int i = 0; i < certChain.certificate_size(); i++) { QByteArray certData(certChain.certificate(i).data(), certChain.certificate(i).size()); QSslCertificate qCert(certData, QSsl::Der); if (currentTime < qCert.effectiveDate() || currentTime > qCert.expiryDate()) { qWarning() << "PaymentRequestPlus::getMerchant: Payment request: certificate expired or not yet active: " << qCert; return false; } #if QT_VERSION >= 0x050000 if (qCert.isBlacklisted()) { qWarning() << "PaymentRequestPlus::getMerchant: Payment request: certificate blacklisted: " << qCert; return false; } #endif const unsigned char *data = (const unsigned char *)certChain.certificate(i).data(); X509 *cert = d2i_X509(nullptr, &data, certChain.certificate(i).size()); if (cert) certs.push_back(cert); } if (certs.empty()) { qWarning() << "PaymentRequestPlus::getMerchant: Payment request: empty certificate chain"; return false; } // The first cert is the signing cert, the rest are untrusted certs that chain // to a valid root authority. OpenSSL needs them separately. STACK_OF(X509) *chain = sk_X509_new_null(); for (int i = certs.size() - 1; i > 0; i--) { sk_X509_push(chain, certs[i]); } X509 *signing_cert = certs[0]; // Now create a "store context", which is a single use object for checking, // load the signing cert into it and verify. X509_STORE_CTX *store_ctx = X509_STORE_CTX_new(); if (!store_ctx) { qWarning() << "PaymentRequestPlus::getMerchant: Payment request: error creating X509_STORE_CTX"; return false; } char *website = nullptr; bool fResult = true; try { if (!X509_STORE_CTX_init(store_ctx, certStore, signing_cert, chain)) { int error = X509_STORE_CTX_get_error(store_ctx); throw SSLVerifyError(X509_verify_cert_error_string(error)); } // Now do the verification! int result = X509_verify_cert(store_ctx); if (result != 1) { int error = X509_STORE_CTX_get_error(store_ctx); // For testing payment requests, we allow self signed root certs! // This option is just shown in the UI options, if -help-debug is enabled. if (!(error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT && gArgs.GetBoolArg("-allowselfsignedrootcertificates", DEFAULT_SELFSIGNED_ROOTCERTS))) { throw SSLVerifyError(X509_verify_cert_error_string(error)); } else { qDebug() << "PaymentRequestPlus::getMerchant: Allowing self signed root certificate, because -allowselfsignedrootcertificates is true."; } } X509_NAME *certname = X509_get_subject_name(signing_cert); // Valid cert; check signature: payments::PaymentRequest rcopy(paymentRequest); // Copy rcopy.set_signature(std::string("")); std::string data_to_verify; // Everything but the signature rcopy.SerializeToString(&data_to_verify); #if HAVE_DECL_EVP_MD_CTX_NEW EVP_MD_CTX *ctx = EVP_MD_CTX_new(); if (!ctx) throw SSLVerifyError("Error allocating OpenSSL context."); #else EVP_MD_CTX _ctx; EVP_MD_CTX *ctx; ctx = &_ctx; #endif EVP_PKEY *pubkey = X509_get_pubkey(signing_cert); EVP_MD_CTX_init(ctx); if (!EVP_VerifyInit_ex(ctx, digestAlgorithm, nullptr) || !EVP_VerifyUpdate(ctx, data_to_verify.data(), data_to_verify.size()) || !EVP_VerifyFinal(ctx, (const unsigned char*)paymentRequest.signature().data(), (unsigned int)paymentRequest.signature().size(), pubkey)) { throw SSLVerifyError("Bad signature, invalid payment request."); } #if HAVE_DECL_EVP_MD_CTX_NEW EVP_MD_CTX_free(ctx); #endif // OpenSSL API for getting human printable strings from certs is baroque. int textlen = X509_NAME_get_text_by_NID(certname, NID_commonName, nullptr, 0); website = new char[textlen + 1]; if (X509_NAME_get_text_by_NID(certname, NID_commonName, website, textlen + 1) == textlen && textlen > 0) { merchant = website; } else { throw SSLVerifyError("Bad certificate, missing common name."); } // TODO: detect EV certificates and set merchant = business name instead of unfriendly NID_commonName ? } catch (const SSLVerifyError& err) { fResult = false; qWarning() << "PaymentRequestPlus::getMerchant: SSL error: " << err.what(); } if (website) delete[] website; X509_STORE_CTX_free(store_ctx); for (unsigned int i = 0; i < certs.size(); i++) X509_free(certs[i]); return fResult; }
int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, const EVP_MD *Hash, const unsigned char *EM, int sLen) { int i; int ret = 0; int hLen, maskedDBLen, MSBits, emLen; const unsigned char *H; unsigned char *DB = NULL; EVP_MD_CTX ctx; unsigned char H_[EVP_MAX_MD_SIZE]; hLen = EVP_MD_size(Hash); if (hLen < 0) goto err; /* * Negative sLen has special meanings: * -1 sLen == hLen * -2 salt length is autorecovered from signature * -N reserved */ if (sLen == -1) sLen = hLen; else if (sLen == -2) sLen = -2; else if (sLen < -2) { RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); goto err; } MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; emLen = RSA_size(rsa); if (EM[0] & (0xFF << MSBits)) { RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID); goto err; } if (MSBits == 0) { EM++; emLen--; } if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */ { RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE); goto err; } if (EM[emLen - 1] != 0xbc) { RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID); goto err; } maskedDBLen = emLen - hLen - 1; H = EM + maskedDBLen; DB = (unsigned char*)OPENSSL_malloc(maskedDBLen); if (!DB) { RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE); goto err; } if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash) < 0) goto err; for (i = 0; i < maskedDBLen; i++) DB[i] ^= EM[i]; if (MSBits) DB[0] &= 0xFF >> (8 - MSBits); for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ; if (DB[i++] != 0x1) { RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED); goto err; } if (sLen >= 0 && (maskedDBLen - i) != sLen) { RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); goto err; } EVP_MD_CTX_init(&ctx); EVP_DigestInit_ex(&ctx, Hash, NULL); EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); EVP_DigestUpdate(&ctx, mHash, hLen); if (maskedDBLen - i) EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i); EVP_DigestFinal(&ctx, H_, NULL); EVP_MD_CTX_cleanup(&ctx); if (TINYCLR_SSL_MEMCMP(H_, H, hLen)) { RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE); ret = 0; } else ret = 1; err: if (DB) OPENSSL_free(DB); return ret; }
bool find_server(EVP_PKEY *pk, sockaddr6 *addr, uint32_t usecs, uint32_t retries) { bool ok = false; interface ifs[16]; ssize_t count = active_interfaces(ifs, 16); if (count <= 0) return false; addr->sin6_family = AF_INET6; addr->sin6_port = htons(atoi(MCAST_PORT)); addr->sin6_scope_id = ifs[0].index; inet_pton(AF_INET6, MCAST_HOST, &addr->sin6_addr); int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); if (fd == -1) return false; struct ipv6_mreq req = { .ipv6mr_interface = ifs[0].index }; memcpy(&req.ipv6mr_multiaddr, &addr->sin6_addr, sizeof(struct in6_addr)); if (setsockopt(fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &req, sizeof(req))) { return false; } struct timeval timeout = { .tv_usec = usecs / retries }; setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)); sockaddr6 from6; socklen_t from_len = sizeof(from6); sockaddr *from = (sockaddr *) &from6; uint8_t ping[PING_LEN]; struct pong pong; ssize_t len; RAND_bytes(ping, PING_LEN); for (uint32_t i = 0; !ok && i < retries; i++) { EVP_MD_CTX ctx; sendto(fd, ping, PING_LEN, 0, (sockaddr *) addr, sizeof(*addr)); if ((len = recvfrom(fd, &pong, sizeof(pong), 0, from, &from_len)) > 0) { EVP_MD_CTX_init(&ctx); EVP_DigestVerifyInit(&ctx, NULL, EVP_sha256(), NULL, pk); EVP_DigestVerifyUpdate(&ctx, &ping, PING_LEN); EVP_DigestVerifyUpdate(&ctx, &pong, PONG_LEN); if (EVP_DigestVerifyFinal(&ctx, pong.sig, len) == 1) { memcpy(addr->sin6_addr.s6_addr, &pong.addr, 16); addr->sin6_port = pong.port; ok = true; } EVP_MD_CTX_cleanup(&ctx); } } close(fd); return ok; } int mcast_sock(interface *ifa, sockaddr6 *addr, char *host) { struct ipv6_mreq req = { .ipv6mr_interface = ifa->index }; inet_pton(AF_INET6, host, &req.ipv6mr_multiaddr); int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); if (fd == -1 || bind(fd, (sockaddr *) addr, sizeof(*addr))) goto error; if (setsockopt(fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &req, sizeof(req))) goto error; return fd; error: if (fd >= 0) close(fd); return -1; } char *name(sockaddr6 *addr, socklen_t len) { static char host[NI_MAXHOST]; int flags = NI_NUMERICHOST; getnameinfo((struct sockaddr *) addr, len, host, NI_MAXHOST, NULL, 0, flags); return host; }
void HMAC_CTX_init(HMAC_CTX *ctx) { EVP_MD_CTX_init(&ctx->i_ctx); EVP_MD_CTX_init(&ctx->o_ctx); EVP_MD_CTX_init(&ctx->md_ctx); }
CK_RV PKCS11_Digest_OpenSSL::DigestInit(Cryptoki_Session_Context* pSessionCtx, CK_MECHANISM_PTR pMechanism) { OPENSSL_HEADER(); OpenSSLDigestData* pDigData; const EVP_MD* pDigest; CK_OBJECT_HANDLE hKey = CK_OBJECT_HANDLE_INVALID; bool isHMAC = false; if(pSessionCtx == NULL) return CKR_SESSION_CLOSED; if(pSessionCtx->DigestCtx != NULL) return CKR_SESSION_PARALLEL_NOT_SUPPORTED; // another digest is in progress pDigData = (OpenSSLDigestData*)TINYCLR_SSL_MALLOC(sizeof(*pDigData)); if(pDigData == NULL) return CKR_DEVICE_MEMORY; TINYCLR_SSL_MEMSET(pDigData, 0, sizeof(*pDigData)); EVP_MD_CTX_init(&pDigData->CurrentCtx); switch(pMechanism->mechanism) { case CKM_SHA_1: pDigest = EVP_sha1(); break; case CKM_SHA224: pDigest = EVP_sha224(); break; case CKM_SHA256: pDigest = EVP_sha256(); break; case CKM_SHA384: pDigest = EVP_sha384(); break; case CKM_SHA512: pDigest = EVP_sha512(); break; case CKM_MD5: pDigest = EVP_md5(); break; case CKM_RIPEMD160: pDigest = EVP_ripemd160(); break; case CKM_MD5_HMAC: pDigest = EVP_md5(); isHMAC = true; break; case CKM_SHA_1_HMAC: pDigest = EVP_sha1(); isHMAC = true; break; case CKM_SHA256_HMAC: pDigest = EVP_sha256(); isHMAC = true; break; case CKM_SHA384_HMAC: pDigest = EVP_sha384(); isHMAC = true; break; case CKM_SHA512_HMAC: pDigest = EVP_sha512(); isHMAC = true; break; case CKM_RIPEMD160_HMAC: pDigest = EVP_ripemd160(); isHMAC = true; break; default: OPENSSL_SET_AND_LEAVE(CKR_MECHANISM_INVALID); } if(isHMAC) { if(pMechanism->pParameter != NULL && pMechanism->ulParameterLen == sizeof(CK_OBJECT_HANDLE)) { hKey = SwapEndianIfBEc32(*(CK_OBJECT_HANDLE*)pMechanism->pParameter); } else { OPENSSL_SET_AND_LEAVE(CKR_MECHANISM_PARAM_INVALID); } pDigData->HmacKey = PKCS11_Keys_OpenSSL::GetKeyFromHandle(pSessionCtx, hKey, TRUE); if(pDigData->HmacKey==NULL) OPENSSL_SET_AND_LEAVE(CKR_MECHANISM_PARAM_INVALID); pDigData->HmacCtx.md = pDigest; OPENSSL_CHECKRESULT(HMAC_Init(&pDigData->HmacCtx, pDigData->HmacKey->key, pDigData->HmacKey->size/8, pDigData->HmacCtx.md)); } else { OPENSSL_CHECKRESULT(EVP_DigestInit_ex(&pDigData->CurrentCtx, pDigest, NULL)); } pSessionCtx->DigestCtx = pDigData; OPENSSL_CLEANUP(); if(retVal != CKR_OK && pDigData != NULL) { TINYCLR_SSL_FREE(pDigData); } OPENSSL_RETURN(); }
/* * verify HMAC signature on JWT */ static apr_byte_t apr_jws_verify_rsa(apr_pool_t *pool, apr_jwt_t *jwt, apr_jwk_t *jwk, apr_jwt_error_t *err) { apr_byte_t rc = FALSE; /* get the OpenSSL digest function */ const EVP_MD *digest = NULL; if ((digest = apr_jws_crypto_alg_to_evp(pool, jwt->header.alg, err)) == NULL) return FALSE; EVP_MD_CTX ctx; EVP_MD_CTX_init(&ctx); RSA * pubkey = RSA_new(); BIGNUM * modulus = BN_new(); BIGNUM * exponent = BN_new(); BN_bin2bn(jwk->key.rsa->modulus, jwk->key.rsa->modulus_len, modulus); BN_bin2bn(jwk->key.rsa->exponent, jwk->key.rsa->exponent_len, exponent); pubkey->n = modulus; pubkey->e = exponent; EVP_PKEY* pRsaKey = EVP_PKEY_new(); if (!EVP_PKEY_assign_RSA(pRsaKey, pubkey)) { pRsaKey = NULL; apr_jwt_error_openssl(err, "EVP_PKEY_assign_RSA"); goto end; } if (apr_jws_signature_starts_with(pool, jwt->header.alg, "PS") == TRUE) { int status = 0; unsigned char *pDecrypted = apr_pcalloc(pool, jwt->signature.length); status = RSA_public_decrypt(jwt->signature.length, jwt->signature.bytes, pDecrypted, pubkey, RSA_NO_PADDING); if (status == -1) { apr_jwt_error_openssl(err, "RSA_public_decrypt"); goto end; } unsigned char *pDigest = apr_pcalloc(pool, RSA_size(pubkey)); unsigned int uDigestLen = RSA_size(pubkey); if (!EVP_DigestInit(&ctx, digest)) { apr_jwt_error_openssl(err, "EVP_DigestInit"); goto end; } if (!EVP_DigestUpdate(&ctx, jwt->message, strlen(jwt->message))) { apr_jwt_error_openssl(err, "EVP_DigestUpdate"); goto end; } if (!EVP_DigestFinal(&ctx, pDigest, &uDigestLen)) { apr_jwt_error_openssl(err, "wrong key? EVP_DigestFinal"); goto end; } /* verify the data */ status = RSA_verify_PKCS1_PSS(pubkey, pDigest, digest, pDecrypted, -2 /* salt length recovered from signature*/); if (status != 1) { apr_jwt_error_openssl(err, "RSA_verify_PKCS1_PSS"); goto end; } rc = TRUE; } else if (apr_jws_signature_starts_with(pool, jwt->header.alg, "RS") == TRUE) { if (!EVP_VerifyInit_ex(&ctx, digest, NULL)) { apr_jwt_error_openssl(err, "EVP_VerifyInit_ex"); goto end; } if (!EVP_VerifyUpdate(&ctx, jwt->message, strlen(jwt->message))) { apr_jwt_error_openssl(err, "EVP_VerifyUpdate"); goto end; } if (!EVP_VerifyFinal(&ctx, (const unsigned char *) jwt->signature.bytes, jwt->signature.length, pRsaKey)) { apr_jwt_error_openssl(err, "wrong key? EVP_VerifyFinal"); goto end; } rc = TRUE; } end: if (pRsaKey) { EVP_PKEY_free(pRsaKey); } else if (pubkey) { RSA_free(pubkey); } EVP_MD_CTX_cleanup(&ctx); return rc; }
int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out, size_t *md_out_size, const uint8_t header[13], const uint8_t *data, size_t data_plus_mac_size, size_t data_plus_mac_plus_padding_size, const uint8_t *mac_secret, unsigned mac_secret_length) { HASH_CTX md_state; void (*md_final_raw)(HASH_CTX *ctx, uint8_t *md_out); void (*md_transform)(HASH_CTX *ctx, const uint8_t *block); unsigned md_size, md_block_size = 64; // md_length_size is the number of bytes in the length field that terminates // the hash. unsigned md_length_size = 8; // Bound the acceptable input so we can forget about many possible overflows // later in this function. This is redundant with the record size limits in // TLS. if (data_plus_mac_plus_padding_size >= 1024 * 1024) { assert(0); return 0; } switch (EVP_MD_type(md)) { case NID_sha1: SHA1_Init(&md_state.sha1); md_final_raw = tls1_sha1_final_raw; md_transform = tls1_sha1_transform; md_size = SHA_DIGEST_LENGTH; break; case NID_sha256: SHA256_Init(&md_state.sha256); md_final_raw = tls1_sha256_final_raw; md_transform = tls1_sha256_transform; md_size = SHA256_DIGEST_LENGTH; break; case NID_sha384: SHA384_Init(&md_state.sha512); md_final_raw = tls1_sha512_final_raw; md_transform = tls1_sha512_transform; md_size = SHA384_DIGEST_LENGTH; md_block_size = 128; md_length_size = 16; break; default: // EVP_tls_cbc_record_digest_supported should have been called first to // check that the hash function is supported. assert(0); *md_out_size = 0; return 0; } assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES); assert(md_block_size <= MAX_HASH_BLOCK_SIZE); assert(md_size <= EVP_MAX_MD_SIZE); static const size_t kHeaderLength = 13; // kVarianceBlocks is the number of blocks of the hash that we have to // calculate in constant time because they could be altered by the // padding value. // // TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not // required to be minimal. Therefore we say that the final six blocks // can vary based on the padding. static const size_t kVarianceBlocks = 6; // From now on we're dealing with the MAC, which conceptually has 13 // bytes of `header' before the start of the data. size_t len = data_plus_mac_plus_padding_size + kHeaderLength; // max_mac_bytes contains the maximum bytes of bytes in the MAC, including // |header|, assuming that there's no padding. size_t max_mac_bytes = len - md_size - 1; // num_blocks is the maximum number of hash blocks. size_t num_blocks = (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size; // In order to calculate the MAC in constant time we have to handle // the final blocks specially because the padding value could cause the // end to appear somewhere in the final |kVarianceBlocks| blocks and we // can't leak where. However, |num_starting_blocks| worth of data can // be hashed right away because no padding value can affect whether // they are plaintext. size_t num_starting_blocks = 0; // k is the starting byte offset into the conceptual header||data where // we start processing. size_t k = 0; // mac_end_offset is the index just past the end of the data to be // MACed. size_t mac_end_offset = data_plus_mac_size + kHeaderLength - md_size; // c is the index of the 0x80 byte in the final hash block that // contains application data. size_t c = mac_end_offset % md_block_size; // index_a is the hash block number that contains the 0x80 terminating // value. size_t index_a = mac_end_offset / md_block_size; // index_b is the hash block number that contains the 64-bit hash // length, in bits. size_t index_b = (mac_end_offset + md_length_size) / md_block_size; if (num_blocks > kVarianceBlocks) { num_starting_blocks = num_blocks - kVarianceBlocks; k = md_block_size * num_starting_blocks; } // bits is the hash-length in bits. It includes the additional hash // block for the masked HMAC key. size_t bits = 8 * mac_end_offset; // at most 18 bits to represent // Compute the initial HMAC block. bits += 8 * md_block_size; // hmac_pad is the masked HMAC key. uint8_t hmac_pad[MAX_HASH_BLOCK_SIZE]; OPENSSL_memset(hmac_pad, 0, md_block_size); assert(mac_secret_length <= sizeof(hmac_pad)); OPENSSL_memcpy(hmac_pad, mac_secret, mac_secret_length); for (size_t i = 0; i < md_block_size; i++) { hmac_pad[i] ^= 0x36; } md_transform(&md_state, hmac_pad); // The length check means |bits| fits in four bytes. uint8_t length_bytes[MAX_HASH_BIT_COUNT_BYTES]; OPENSSL_memset(length_bytes, 0, md_length_size - 4); length_bytes[md_length_size - 4] = (uint8_t)(bits >> 24); length_bytes[md_length_size - 3] = (uint8_t)(bits >> 16); length_bytes[md_length_size - 2] = (uint8_t)(bits >> 8); length_bytes[md_length_size - 1] = (uint8_t)bits; if (k > 0) { // k is a multiple of md_block_size. uint8_t first_block[MAX_HASH_BLOCK_SIZE]; OPENSSL_memcpy(first_block, header, 13); OPENSSL_memcpy(first_block + 13, data, md_block_size - 13); md_transform(&md_state, first_block); for (size_t i = 1; i < k / md_block_size; i++) { md_transform(&md_state, data + md_block_size * i - 13); } } uint8_t mac_out[EVP_MAX_MD_SIZE]; OPENSSL_memset(mac_out, 0, sizeof(mac_out)); // We now process the final hash blocks. For each block, we construct // it in constant time. If the |i==index_a| then we'll include the 0x80 // bytes and zero pad etc. For each block we selectively copy it, in // constant time, to |mac_out|. for (size_t i = num_starting_blocks; i <= num_starting_blocks + kVarianceBlocks; i++) { uint8_t block[MAX_HASH_BLOCK_SIZE]; uint8_t is_block_a = constant_time_eq_8(i, index_a); uint8_t is_block_b = constant_time_eq_8(i, index_b); for (size_t j = 0; j < md_block_size; j++) { uint8_t b = 0; if (k < kHeaderLength) { b = header[k]; } else if (k < data_plus_mac_plus_padding_size + kHeaderLength) { b = data[k - kHeaderLength]; } k++; uint8_t is_past_c = is_block_a & constant_time_ge_8(j, c); uint8_t is_past_cp1 = is_block_a & constant_time_ge_8(j, c + 1); // If this is the block containing the end of the // application data, and we are at the offset for the // 0x80 value, then overwrite b with 0x80. b = constant_time_select_8(is_past_c, 0x80, b); // If this the the block containing the end of the // application data and we're past the 0x80 value then // just write zero. b = b & ~is_past_cp1; // If this is index_b (the final block), but not // index_a (the end of the data), then the 64-bit // length didn't fit into index_a and we're having to // add an extra block of zeros. b &= ~is_block_b | is_block_a; // The final bytes of one of the blocks contains the // length. if (j >= md_block_size - md_length_size) { // If this is index_b, write a length byte. b = constant_time_select_8( is_block_b, length_bytes[j - (md_block_size - md_length_size)], b); } block[j] = b; } md_transform(&md_state, block); md_final_raw(&md_state, block); // If this is index_b, copy the hash value to |mac_out|. for (size_t j = 0; j < md_size; j++) { mac_out[j] |= block[j] & is_block_b; } } EVP_MD_CTX md_ctx; EVP_MD_CTX_init(&md_ctx); if (!EVP_DigestInit_ex(&md_ctx, md, NULL /* engine */)) { EVP_MD_CTX_cleanup(&md_ctx); return 0; } // Complete the HMAC in the standard manner. for (size_t i = 0; i < md_block_size; i++) { hmac_pad[i] ^= 0x6a; } EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size); EVP_DigestUpdate(&md_ctx, mac_out, md_size); unsigned md_out_size_u; EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u); *md_out_size = md_out_size_u; EVP_MD_CTX_cleanup(&md_ctx); return 1; }
/* * verify EC signature on JWT */ static apr_byte_t apr_jws_verify_ec(apr_pool_t *pool, apr_jwt_t *jwt, apr_jwk_t *jwk, apr_jwt_error_t *err) { int nid = apr_jws_ec_alg_to_curve(jwt->header.alg); if (nid == -1) { apr_jwt_error(err, "no OpenSSL Elliptic Curve identifier found for algorithm \"%s\"", jwt->header.alg); return FALSE; } EC_GROUP *curve = EC_GROUP_new_by_curve_name(nid); if (curve == NULL) { apr_jwt_error(err, "no OpenSSL Elliptic Curve found for algorithm \"%s\"", jwt->header.alg); return FALSE; } apr_byte_t rc = FALSE; /* get the OpenSSL digest function */ const EVP_MD *digest = NULL; if ((digest = apr_jws_crypto_alg_to_evp(pool, jwt->header.alg, err)) == NULL) return FALSE; EVP_MD_CTX ctx; EVP_MD_CTX_init(&ctx); EC_KEY * pubkey = EC_KEY_new(); EC_KEY_set_group(pubkey, curve); BIGNUM * x = BN_new(); BIGNUM * y = BN_new(); BN_bin2bn(jwk->key.ec->x, jwk->key.ec->x_len, x); BN_bin2bn(jwk->key.ec->y, jwk->key.ec->y_len, y); if (!EC_KEY_set_public_key_affine_coordinates(pubkey, x, y)) { apr_jwt_error_openssl(err, "EC_KEY_set_public_key_affine_coordinates"); return FALSE; } EVP_PKEY* pEcKey = EVP_PKEY_new(); if (!EVP_PKEY_assign_EC_KEY(pEcKey, pubkey)) { pEcKey = NULL; apr_jwt_error_openssl(err, "EVP_PKEY_assign_EC_KEY"); goto end; } ctx.pctx = EVP_PKEY_CTX_new(pEcKey, NULL); if (!EVP_PKEY_verify_init(ctx.pctx)) { apr_jwt_error_openssl(err, "EVP_PKEY_verify_init"); goto end; } if (!EVP_VerifyInit_ex(&ctx, digest, NULL)) { apr_jwt_error_openssl(err, "EVP_VerifyInit_ex"); goto end; } if (!EVP_VerifyUpdate(&ctx, jwt->message, strlen(jwt->message))) { apr_jwt_error_openssl(err, "EVP_VerifyUpdate"); goto end; } if (!EVP_VerifyFinal(&ctx, (const unsigned char *) jwt->signature.bytes, jwt->signature.length, pEcKey)) { apr_jwt_error_openssl(err, "wrong key? EVP_VerifyFinal"); goto end; } rc = TRUE; end: if (pEcKey) { EVP_PKEY_free(pEcKey); } else if (pubkey) { EC_KEY_free(pubkey); } EVP_MD_CTX_cleanup(&ctx); return rc; }
int main(int argc, char *argv[]) { int i,err=0; char **P,**R; static unsigned char buf[1000]; char *p,*r; EVP_MD_CTX c; unsigned char md[SHA_DIGEST_LENGTH]; #ifdef CHARSET_EBCDIC ebcdic2ascii(test[0], test[0], op_strlen(test[0])); ebcdic2ascii(test[1], test[1], op_strlen(test[1])); #endif EVP_MD_CTX_init(&c); P=test; R=ret; i=1; while (*P != NULL) { EVP_Digest(*P,strlen((char *)*P),md,NULL,EVP_sha1(), NULL); p=pt(md); if (op_strcmp(p,(char *)*R) != 0) { printf("error calculating SHA1 on '%s'\n",*P); printf("got %s instead of %s\n",p,*R); err++; } else printf("test %d ok\n",i); i++; R++; P++; } op_memset(buf,'a',1000); #ifdef CHARSET_EBCDIC ebcdic2ascii(buf, buf, 1000); #endif /*CHARSET_EBCDIC*/ EVP_DigestInit_ex(&c,EVP_sha1(), NULL); for (i=0; i<1000; i++) EVP_DigestUpdate(&c,buf,1000); EVP_DigestFinal_ex(&c,md,NULL); p=pt(md); r=bigret; if (op_strcmp(p,r) != 0) { printf("error calculating SHA1 on 'a' * 1000\n"); printf("got %s instead of %s\n",p,r); err++; } else printf("test 3 ok\n"); #ifdef OPENSSL_SYS_NETWARE if (err) printf("ERROR: %d\n", err); #endif EXIT(err); EVP_MD_CTX_cleanup(&c); return(0); }
static void ssleay_rand_add(const void *buf, int num, double add) { int i,j,k,st_idx; long md_c[2]; unsigned char local_md[MD_DIGEST_LENGTH]; EVP_MD_CTX m; int do_not_lock; /* * (Based on the rand(3) manpage) * * The input is chopped up into units of 20 bytes (or less for * the last block). Each of these blocks is run through the hash * function as follows: The data passed to the hash function * is the current 'md', the same number of bytes from the 'state' * (the location determined by in incremented looping index) as * the current 'block', the new key data 'block', and 'count' * (which is incremented after each use). * The result of this is kept in 'md' and also xored into the * 'state' at the same locations that were used as input into the * hash function. */ /* check if we already have the lock */ if (crypto_lock_rand) { CRYPTO_r_lock(CRYPTO_LOCK_RAND2); do_not_lock = (locking_thread == CRYPTO_thread_id()); CRYPTO_r_unlock(CRYPTO_LOCK_RAND2); } else do_not_lock = 0; if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND); st_idx=state_index; /* use our own copies of the counters so that even * if a concurrent thread seeds with exactly the * same data and uses the same subarray there's _some_ * difference */ md_c[0] = md_count[0]; md_c[1] = md_count[1]; memcpy(local_md, md, sizeof md); /* state_index <= state_num <= STATE_SIZE */ state_index += num; if (state_index >= STATE_SIZE) { state_index%=STATE_SIZE; state_num=STATE_SIZE; } else if (state_num < STATE_SIZE) { if (state_index > state_num) state_num=state_index; } /* state_index <= state_num <= STATE_SIZE */ /* state[st_idx], ..., state[(st_idx + num - 1) % STATE_SIZE] * are what we will use now, but other threads may use them * as well */ md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0); if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); EVP_MD_CTX_init(&m); for (i=0; i<num; i+=MD_DIGEST_LENGTH) { j=(num-i); j=(j > MD_DIGEST_LENGTH)?MD_DIGEST_LENGTH:j; MD_Init(&m); MD_Update(&m,local_md,MD_DIGEST_LENGTH); k=(st_idx+j)-STATE_SIZE; if (k > 0) { MD_Update(&m,&(state[st_idx]),j-k); MD_Update(&m,&(state[0]),k); } else MD_Update(&m,&(state[st_idx]),j); MD_Update(&m,buf,j); MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); MD_Final(&m,local_md); md_c[1]++; buf=(const char *)buf + j; for (k=0; k<j; k++) { /* Parallel threads may interfere with this, * but always each byte of the new state is * the XOR of some previous value of its * and local_md (itermediate values may be lost). * Alway using locking could hurt performance more * than necessary given that conflicts occur only * when the total seeding is longer than the random * state. */ state[st_idx++]^=local_md[k]; if (st_idx >= STATE_SIZE) st_idx=0; } } EVP_MD_CTX_cleanup(&m); if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND); /* Don't just copy back local_md into md -- this could mean that * other thread's seeding remains without effect (except for * the incremented counter). By XORing it we keep at least as * much entropy as fits into md. */ for (k = 0; k < (int)sizeof(md); k++) { md[k] ^= local_md[k]; } if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */ entropy += add; if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); #if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) assert(md_c[1] == md_count[1]); #endif }
static int sign_with_p12_key(const struct http_io_conf *const config, char *key_file, const char *pwd, char *plain_text, char *signed_buf, size_t buflen) { unsigned char hash[SHA256_DIGEST_LENGTH]; unsigned char sign[256]; unsigned int sign_len = 0; FILE *fp = NULL; PKCS12 *p12 = NULL; EVP_PKEY *pkey = NULL; X509 *x509 = NULL; EVP_MD_CTX *ctx = NULL; RSA *prikey = NULL; SHA256_CTX sha256; const char *c; int ret; memset(hash, 0, SHA256_DIGEST_LENGTH); memset(sign, 0, 256); if (!(fp = fopen(key_file, "rb"))){ (*config->log)(LOG_ERR, "Error opening cert file %s: %s", key_file, strerror(errno)); return 1; } p12 = d2i_PKCS12_fp(fp, NULL); fclose(fp); if (!p12) { (*config->log)(LOG_ERR, "Error reading PKCS#12 file: %s", strerror(errno)); return 1; } STACK_OF(X509) *ca = NULL; ret = PKCS12_parse(p12, pwd, &pkey, &x509, &ca); PKCS12_free(p12); if (ret == 0) { (*config->log)(LOG_ERR, "Error parsing PKCS#12 file: %s", strerror(errno)); return 1; } sign_len = EVP_PKEY_size(pkey); ctx = EVP_MD_CTX_create(); EVP_MD_CTX_init(ctx); prikey = EVP_PKEY_get1_RSA(pkey); SHA256_Init(&sha256); c = plain_text; SHA256_Update(&sha256, c, strlen(c)); SHA256_Final(hash, &sha256); ret = RSA_sign(NID_sha256, hash, SHA256_DIGEST_LENGTH, sign, &sign_len, prikey); EVP_MD_CTX_destroy(ctx); RSA_free(prikey); EVP_PKEY_free(pkey); X509_free(x509); if (ret == 0) { (*config->log)(LOG_ERR, "Signing p12 key with RSA Signature failed "); return 1; } memset(signed_buf, 0, buflen); http_io_base64_encode_safe(signed_buf, buflen, sign, sign_len); return 0; }
static int ssleay_rand_bytes(unsigned char *buf, int num) { static volatile int stirred_pool = 0; int i,j,k,st_num,st_idx; int num_ceil; int ok; long md_c[2]; unsigned char local_md[MD_DIGEST_LENGTH]; EVP_MD_CTX m; #ifndef GETPID_IS_MEANINGLESS pid_t curr_pid = getpid(); #endif int do_stir_pool = 0; #ifdef OPENSSL_FIPS if(FIPS_mode()) { FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD); return 0; } #endif #ifdef PREDICT if (rand_predictable) { static unsigned char val=0; for (i=0; i<num; i++) buf[i]=val++; return(1); } #endif if (num <= 0) return 1; EVP_MD_CTX_init(&m); /* round upwards to multiple of MD_DIGEST_LENGTH/2 */ num_ceil = (1 + (num-1)/(MD_DIGEST_LENGTH/2)) * (MD_DIGEST_LENGTH/2); /* * (Based on the rand(3) manpage:) * * For each group of 10 bytes (or less), we do the following: * * Input into the hash function the local 'md' (which is initialized from * the global 'md' before any bytes are generated), the bytes that are to * be overwritten by the random bytes, and bytes from the 'state' * (incrementing looping index). From this digest output (which is kept * in 'md'), the top (up to) 10 bytes are returned to the caller and the * bottom 10 bytes are xored into the 'state'. * * Finally, after we have finished 'num' random bytes for the * caller, 'count' (which is incremented) and the local and global 'md' * are fed into the hash function and the results are kept in the * global 'md'. */ CRYPTO_w_lock(CRYPTO_LOCK_RAND); /* prevent ssleay_rand_bytes() from trying to obtain the lock again */ CRYPTO_w_lock(CRYPTO_LOCK_RAND2); locking_thread = CRYPTO_thread_id(); CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); crypto_lock_rand = 1; if (!initialized) { RAND_poll(); initialized = 1; } if (!stirred_pool) do_stir_pool = 1; ok = (entropy >= ENTROPY_NEEDED); if (!ok) { /* If the PRNG state is not yet unpredictable, then seeing * the PRNG output may help attackers to determine the new * state; thus we have to decrease the entropy estimate. * Once we've had enough initial seeding we don't bother to * adjust the entropy count, though, because we're not ambitious * to provide *information-theoretic* randomness. * * NOTE: This approach fails if the program forks before * we have enough entropy. Entropy should be collected * in a separate input pool and be transferred to the * output pool only when the entropy limit has been reached. */ entropy -= num; if (entropy < 0) entropy = 0; } if (do_stir_pool) { /* In the output function only half of 'md' remains secret, * so we better make sure that the required entropy gets * 'evenly distributed' through 'state', our randomness pool. * The input function (ssleay_rand_add) chains all of 'md', * which makes it more suitable for this purpose. */ int n = STATE_SIZE; /* so that the complete pool gets accessed */ while (n > 0) { #if MD_DIGEST_LENGTH > 20 # error "Please adjust DUMMY_SEED." #endif #define DUMMY_SEED "...................." /* at least MD_DIGEST_LENGTH */ /* Note that the seed does not matter, it's just that * ssleay_rand_add expects to have something to hash. */ ssleay_rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0); n -= MD_DIGEST_LENGTH; } if (ok) stirred_pool = 1; } st_idx=state_index; st_num=state_num; md_c[0] = md_count[0]; md_c[1] = md_count[1]; memcpy(local_md, md, sizeof md); state_index+=num_ceil; if (state_index > state_num) state_index %= state_num; /* state[st_idx], ..., state[(st_idx + num_ceil - 1) % st_num] * are now ours (but other threads may use them too) */ md_count[0] += 1; /* before unlocking, we must clear 'crypto_lock_rand' */ crypto_lock_rand = 0; CRYPTO_w_unlock(CRYPTO_LOCK_RAND); while (num > 0) { /* num_ceil -= MD_DIGEST_LENGTH/2 */ j=(num >= MD_DIGEST_LENGTH/2)?MD_DIGEST_LENGTH/2:num; num-=j; MD_Init(&m); #ifndef GETPID_IS_MEANINGLESS if (curr_pid) /* just in the first iteration to save time */ { MD_Update(&m,(unsigned char*)&curr_pid,sizeof curr_pid); curr_pid = 0; } #endif MD_Update(&m,local_md,MD_DIGEST_LENGTH); MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); #ifndef PURIFY MD_Update(&m,buf,j); /* purify complains */ #endif k=(st_idx+MD_DIGEST_LENGTH/2)-st_num; if (k > 0) { MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2-k); MD_Update(&m,&(state[0]),k); } else MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2); MD_Final(&m,local_md); for (i=0; i<MD_DIGEST_LENGTH/2; i++) { state[st_idx++]^=local_md[i]; /* may compete with other threads */ if (st_idx >= st_num) st_idx=0; if (i < j) *(buf++)=local_md[i+MD_DIGEST_LENGTH/2]; } } MD_Init(&m); MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); MD_Update(&m,local_md,MD_DIGEST_LENGTH); CRYPTO_w_lock(CRYPTO_LOCK_RAND); MD_Update(&m,md,MD_DIGEST_LENGTH); MD_Final(&m,md); CRYPTO_w_unlock(CRYPTO_LOCK_RAND); EVP_MD_CTX_cleanup(&m); if (ok) return(1); else { RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED); ERR_add_error_data(1, "You need to read the OpenSSL FAQ, " "http://www.openssl.org/support/faq.html"); return(0); } }
int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) { int ret = 0; int i, j; BIO *btmp; PKCS7_SIGNER_INFO *si; EVP_MD_CTX *mdc, ctx_tmp; STACK_OF(X509_ATTRIBUTE) *sk; STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL; ASN1_OCTET_STRING *os = NULL; if (p7 == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER); return 0; } if (p7->d.ptr == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT); return 0; } EVP_MD_CTX_init(&ctx_tmp); i = OBJ_obj2nid(p7->type); p7->state = PKCS7_S_HEADER; switch (i) { case NID_pkcs7_data: os = p7->d.data; break; case NID_pkcs7_signedAndEnveloped: /* XXXXXXXXXXXXXXXX */ si_sk = p7->d.signed_and_enveloped->signer_info; os = p7->d.signed_and_enveloped->enc_data->enc_data; if (!os) { os = ASN1_OCTET_STRING_new(); if (!os) { PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE); goto err; } p7->d.signed_and_enveloped->enc_data->enc_data = os; } break; case NID_pkcs7_enveloped: /* XXXXXXXXXXXXXXXX */ os = p7->d.enveloped->enc_data->enc_data; if (!os) { os = ASN1_OCTET_STRING_new(); if (!os) { PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE); goto err; } p7->d.enveloped->enc_data->enc_data = os; } break; case NID_pkcs7_signed: si_sk = p7->d.sign->signer_info; os = PKCS7_get_octet_string(p7->d.sign->contents); /* If detached data then the content is excluded */ if (PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { ASN1_OCTET_STRING_free(os); os = NULL; p7->d.sign->contents->d.data = NULL; } break; case NID_pkcs7_digest: os = PKCS7_get_octet_string(p7->d.digest->contents); /* If detached data then the content is excluded */ if (PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) { ASN1_OCTET_STRING_free(os); os = NULL; p7->d.digest->contents->d.data = NULL; } break; default: PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNSUPPORTED_CONTENT_TYPE); goto err; } if (si_sk != NULL) { for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(si_sk); i++) { si = sk_PKCS7_SIGNER_INFO_value(si_sk, i); if (si->pkey == NULL) continue; j = OBJ_obj2nid(si->digest_alg->algorithm); btmp = bio; btmp = PKCS7_find_digest(&mdc, btmp, j); if (btmp == NULL) goto err; /* * We now have the EVP_MD_CTX, lets do the signing. */ if (!EVP_MD_CTX_copy_ex(&ctx_tmp, mdc)) goto err; sk = si->auth_attr; /* * If there are attributes, we add the digest attribute and only * sign the attributes */ if (sk_X509_ATTRIBUTE_num(sk) > 0) { if (!do_pkcs7_signed_attrib(si, &ctx_tmp)) goto err; } else { unsigned char *abuf = NULL; unsigned int abuflen; abuflen = EVP_PKEY_size(si->pkey); abuf = OPENSSL_malloc(abuflen); if (!abuf) goto err; if (!EVP_SignFinal(&ctx_tmp, abuf, &abuflen, si->pkey)) { PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_EVP_LIB); goto err; } ASN1_STRING_set0(si->enc_digest, abuf, abuflen); } } } else if (i == NID_pkcs7_digest) { unsigned char md_data[EVP_MAX_MD_SIZE]; unsigned int md_len; if (!PKCS7_find_digest(&mdc, bio, OBJ_obj2nid(p7->d.digest->md->algorithm))) goto err; if (!EVP_DigestFinal_ex(mdc, md_data, &md_len)) goto err; ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len); } if (!PKCS7_is_detached(p7)) { /* * NOTE(emilia): I think we only reach os == NULL here because detached * digested data support is broken. */ if (os == NULL) goto err; if (!(os->flags & ASN1_STRING_FLAG_NDEF)) { char *cont; long contlen; btmp = BIO_find_type(bio, BIO_TYPE_MEM); if (btmp == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO); goto err; } contlen = BIO_get_mem_data(btmp, &cont); /* * Mark the BIO read only then we can use its copy of the data * instead of making an extra copy. */ BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); BIO_set_mem_eof_return(btmp, 0); ASN1_STRING_set0(os, (unsigned char *)cont, contlen); } } ret = 1; err: EVP_MD_CTX_cleanup(&ctx_tmp); return (ret); }
/* read the data and then respond */ static int client_certificate(SSL *s) { unsigned char *buf; unsigned char *p,*d; int i; unsigned int n; int cert_ch_len; unsigned char *cert_ch; buf=(unsigned char *)s->init_buf->data; /* We have a cert associated with the SSL, so attach it to * the session if it does not have one */ if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_A) { i=ssl2_read(s,(char *)&(buf[s->init_num]), SSL2_MAX_CERT_CHALLENGE_LENGTH+2-s->init_num); if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+2-s->init_num)) return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i)); s->init_num += i; if (s->msg_callback) s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* REQUEST-CERTIFICATE */ /* type=buf[0]; */ /* type eq x509 */ if (buf[1] != SSL2_AT_MD5_WITH_RSA_ENCRYPTION) { ssl2_return_error(s,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE); SSLerr(SSL_F_CLIENT_CERTIFICATE,SSL_R_BAD_AUTHENTICATION_TYPE); return(-1); } if ((s->cert == NULL) || (s->cert->key->x509 == NULL) || (s->cert->key->privatekey == NULL)) { s->state=SSL2_ST_X509_GET_CLIENT_CERTIFICATE; } else s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_C; } cert_ch = buf + 2; cert_ch_len = s->init_num - 2; if (s->state == SSL2_ST_X509_GET_CLIENT_CERTIFICATE) { X509 *x509=NULL; EVP_PKEY *pkey=NULL; /* If we get an error we need to * ssl->rwstate=SSL_X509_LOOKUP; * return(error); * We should then be retried when things are ok and we * can get a cert or not */ i=0; if (s->ctx->client_cert_cb != NULL) { i=s->ctx->client_cert_cb(s,&(x509),&(pkey)); } if (i < 0) { s->rwstate=SSL_X509_LOOKUP; return(-1); } s->rwstate=SSL_NOTHING; if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_C; if ( !SSL_use_certificate(s,x509) || !SSL_use_PrivateKey(s,pkey)) { i=0; } X509_free(x509); EVP_PKEY_free(pkey); } else if (i == 1) { if (x509 != NULL) X509_free(x509); if (pkey != NULL) EVP_PKEY_free(pkey); SSLerr(SSL_F_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); i=0; } if (i == 0) { /* We have no client certificate to respond with * so send the correct error message back */ s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_B; p=buf; *(p++)=SSL2_MT_ERROR; s2n(SSL2_PE_NO_CERTIFICATE,p); s->init_off=0; s->init_num=3; /* Write is done at the end */ } } if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_B) { return(ssl2_do_write(s)); } if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_C) { EVP_MD_CTX ctx; /* ok, now we calculate the checksum * do it first so we can reuse buf :-) */ p=buf; EVP_MD_CTX_init(&ctx); EVP_SignInit_ex(&ctx,s->ctx->rsa_md5, NULL); EVP_SignUpdate(&ctx,s->s2->key_material, s->s2->key_material_length); EVP_SignUpdate(&ctx,cert_ch,(unsigned int)cert_ch_len); n=i2d_X509(s->session->sess_cert->peer_key->x509,&p); EVP_SignUpdate(&ctx,buf,(unsigned int)n); p=buf; d=p+6; *(p++)=SSL2_MT_CLIENT_CERTIFICATE; *(p++)=SSL2_CT_X509_CERTIFICATE; n=i2d_X509(s->cert->key->x509,&d); s2n(n,p); if (!EVP_SignFinal(&ctx,d,&n,s->cert->key->privatekey)) { /* this is not good. If things have failed it * means there so something wrong with the key. * We will continue with a 0 length signature */ } EVP_MD_CTX_cleanup(&ctx); s2n(n,p); d+=n; s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_D; s->init_num=d-buf; s->init_off=0; } /* if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_D) */ return(ssl2_do_write(s)); }
int main (int argc,char **argv) { unsigned char md[SHA512_DIGEST_LENGTH]; int i; EVP_MD_CTX evp; #ifdef OPENSSL_IA32_SSE2 /* Alternative to this is to call OpenSSL_add_all_algorithms... * The below code is retained exclusively for debugging purposes. */ { char *env; if ((env=getenv("OPENSSL_ia32cap"))) OPENSSL_ia32cap = strtoul (env,NULL,0); } #endif fprintf(stdout,"Testing SHA-512 "); EVP_Digest ("abc",3,md,NULL,EVP_sha512(),NULL); if (memcmp(md,app_c1,sizeof(app_c1))) { fflush(stdout); fprintf(stderr,"\nTEST 1 of 3 failed.\n"); return 1; } else fprintf(stdout,"."); fflush(stdout); EVP_Digest ("abcdefgh""bcdefghi""cdefghij""defghijk" "efghijkl""fghijklm""ghijklmn""hijklmno" "ijklmnop""jklmnopq""klmnopqr""lmnopqrs" "mnopqrst""nopqrstu",112,md,NULL,EVP_sha512(),NULL); if (memcmp(md,app_c2,sizeof(app_c2))) { fflush(stdout); fprintf(stderr,"\nTEST 2 of 3 failed.\n"); return 1; } else fprintf(stdout,"."); fflush(stdout); EVP_MD_CTX_init (&evp); EVP_DigestInit_ex (&evp,EVP_sha512(),NULL); for (i=0;i<1000000;i+=288) EVP_DigestUpdate (&evp, "aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa" "aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa" "aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa" "aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa" "aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa" "aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa" "aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa" "aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa" "aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa", (1000000-i)<288?1000000-i:288); EVP_DigestFinal_ex (&evp,md,NULL); EVP_MD_CTX_cleanup (&evp); if (memcmp(md,app_c3,sizeof(app_c3))) { fflush(stdout); fprintf(stderr,"\nTEST 3 of 3 failed.\n"); return 1; } else fprintf(stdout,"."); fflush(stdout); fprintf(stdout," passed.\n"); fflush(stdout); fprintf(stdout,"Testing SHA-384 "); EVP_Digest ("abc",3,md,NULL,EVP_sha384(),NULL); if (memcmp(md,app_d1,sizeof(app_d1))) { fflush(stdout); fprintf(stderr,"\nTEST 1 of 3 failed.\n"); return 1; } else fprintf(stdout,"."); fflush(stdout); EVP_Digest ("abcdefgh""bcdefghi""cdefghij""defghijk" "efghijkl""fghijklm""ghijklmn""hijklmno" "ijklmnop""jklmnopq""klmnopqr""lmnopqrs" "mnopqrst""nopqrstu",112,md,NULL,EVP_sha384(),NULL); if (memcmp(md,app_d2,sizeof(app_d2))) { fflush(stdout); fprintf(stderr,"\nTEST 2 of 3 failed.\n"); return 1; } else fprintf(stdout,"."); fflush(stdout); EVP_MD_CTX_init (&evp); EVP_DigestInit_ex (&evp,EVP_sha384(),NULL); for (i=0;i<1000000;i+=64) EVP_DigestUpdate (&evp, "aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa" "aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa", (1000000-i)<64?1000000-i:64); EVP_DigestFinal_ex (&evp,md,NULL); EVP_MD_CTX_cleanup (&evp); if (memcmp(md,app_d3,sizeof(app_d3))) { fflush(stdout); fprintf(stderr,"\nTEST 3 of 3 failed.\n"); return 1; } else fprintf(stdout,"."); fflush(stdout); fprintf(stdout," passed.\n"); fflush(stdout); return 0; }
int openssl_test() { EVP_MD_CTX md_ctx; testVector a, b, c; byte hash[SHA_DIGEST_SIZE]; a.input = "1234567890123456789012345678901234567890123456789012345678" "9012345678901234567890"; a.output = "\x57\xed\xf4\xa2\x2b\xe3\xc9\x55\xac\x49\xda\x2e\x21\x07\xb6" "\x7a"; a.inLen = strlen(a.input); a.outLen = strlen(a.output); EVP_MD_CTX_init(&md_ctx); EVP_DigestInit(&md_ctx, EVP_md5()); EVP_DigestUpdate(&md_ctx, a.input, a.inLen); EVP_DigestFinal(&md_ctx, hash, 0); if (memcmp(hash, a.output, MD5_DIGEST_SIZE) != 0) return -71; b.input = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaa"; b.output = "\xAD\x5B\x3F\xDB\xCB\x52\x67\x78\xC2\x83\x9D\x2F\x15\x1E\xA7" "\x53\x99\x5E\x26\xA0"; b.inLen = strlen(b.input); b.outLen = strlen(b.output); EVP_MD_CTX_init(&md_ctx); EVP_DigestInit(&md_ctx, EVP_sha1()); EVP_DigestUpdate(&md_ctx, b.input, b.inLen); EVP_DigestFinal(&md_ctx, hash, 0); if (memcmp(hash, b.output, SHA_DIGEST_SIZE) != 0) return -72; if (RAND_bytes(hash, sizeof(hash)) != 1) return -73; c.input = "what do ya want for nothing?"; c.output = "\x75\x0c\x78\x3e\x6a\xb0\xb5\x03\xea\xa8\x6e\x31\x0a\x5d\xb7" "\x38"; c.inLen = strlen(c.input); c.outLen = strlen(c.output); HMAC(EVP_md5(), "Jefe", 4, (byte*)c.input, (int)c.inLen, hash, 0); if (memcmp(hash, c.output, MD5_DIGEST_SIZE) != 0) return -74; { /* des test */ const byte vector[] = { /* "now is the time for all " w/o trailing 0 */ 0x6e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74, 0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20, 0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20 }; byte plain[24]; byte cipher[24]; const_DES_cblock key = { 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef }; DES_cblock iv = { 0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef }; DES_key_schedule sched; const byte verify[] = { 0x8b,0x7c,0x52,0xb0,0x01,0x2b,0x6c,0xb8, 0x4f,0x0f,0xeb,0xf3,0xfb,0x5f,0x86,0x73, 0x15,0x85,0xb3,0x22,0x4b,0x86,0x2b,0x4b }; DES_key_sched(&key, &sched); DES_cbc_encrypt(vector, cipher, sizeof(vector), &sched, &iv, DES_ENCRYPT); DES_cbc_encrypt(cipher, plain, sizeof(vector), &sched, &iv, DES_DECRYPT); if (memcmp(plain, vector, sizeof(vector)) != 0) return -75; if (memcmp(cipher, verify, sizeof(verify)) != 0) return -76; /* test changing iv */ DES_ncbc_encrypt(vector, cipher, 8, &sched, &iv, DES_ENCRYPT); DES_ncbc_encrypt(vector + 8, cipher + 8, 16, &sched, &iv, DES_ENCRYPT); if (memcmp(cipher, verify, sizeof(verify)) != 0) return -77; } /* end des test */ return 0; }