• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * A simple ASN.1 DER encoder/decoder for DSA-Sig-Value and ECDSA-Sig-Value.
12  *
13  * DSA-Sig-Value ::= SEQUENCE {
14  *  r  INTEGER,
15  *  s  INTEGER
16  * }
17  *
18  * ECDSA-Sig-Value ::= SEQUENCE {
19  *  r  INTEGER,
20  *  s  INTEGER
21  * }
22  */
23 
24 #include <openssl/crypto.h>
25 #include <openssl/bn.h>
26 #include "crypto/asn1_dsa.h"
27 #include "internal/packet.h"
28 
29 #define ID_SEQUENCE 0x30
30 #define ID_INTEGER 0x02
31 
32 /*
33  * Outputs the encoding of the length octets for a DER value with a content
34  * length of cont_len bytes to pkt. The maximum supported content length is
35  * 65535 (0xffff) bytes.
36  *
37  * Returns 1 on success or 0 on error.
38  */
ossl_encode_der_length(WPACKET * pkt,size_t cont_len)39 int ossl_encode_der_length(WPACKET *pkt, size_t cont_len)
40 {
41     if (cont_len > 0xffff)
42         return 0; /* Too large for supported length encodings */
43 
44     if (cont_len > 0xff) {
45         if (!WPACKET_put_bytes_u8(pkt, 0x82)
46                 || !WPACKET_put_bytes_u16(pkt, cont_len))
47             return 0;
48     } else {
49         if (cont_len > 0x7f
50                 && !WPACKET_put_bytes_u8(pkt, 0x81))
51             return 0;
52         if (!WPACKET_put_bytes_u8(pkt, cont_len))
53             return 0;
54     }
55 
56     return 1;
57 }
58 
59 /*
60  * Outputs the DER encoding of a positive ASN.1 INTEGER to pkt.
61  *
62  * Results in an error if n is negative or too large.
63  *
64  * Returns 1 on success or 0 on error.
65  */
ossl_encode_der_integer(WPACKET * pkt,const BIGNUM * n)66 int ossl_encode_der_integer(WPACKET *pkt, const BIGNUM *n)
67 {
68     unsigned char *bnbytes;
69     size_t cont_len;
70 
71     if (BN_is_negative(n))
72         return 0;
73 
74     /*
75      * Calculate the ASN.1 INTEGER DER content length for n.
76      * This is the number of whole bytes required to represent n (i.e. rounded
77      * down), plus one.
78      * If n is zero then the content is a single zero byte (length = 1).
79      * If the number of bits of n is a multiple of 8 then an extra zero padding
80      * byte is included to ensure that the value is still treated as positive
81      * in the INTEGER two's complement representation.
82      */
83     cont_len = BN_num_bits(n) / 8 + 1;
84 
85     if (!WPACKET_start_sub_packet(pkt)
86             || !WPACKET_put_bytes_u8(pkt, ID_INTEGER)
87             || !ossl_encode_der_length(pkt, cont_len)
88             || !WPACKET_allocate_bytes(pkt, cont_len, &bnbytes)
89             || !WPACKET_close(pkt))
90         return 0;
91 
92     if (bnbytes != NULL
93             && BN_bn2binpad(n, bnbytes, (int)cont_len) != (int)cont_len)
94         return 0;
95 
96     return 1;
97 }
98 
99 /*
100  * Outputs the DER encoding of a DSA-Sig-Value or ECDSA-Sig-Value to pkt. pkt
101  * may be initialised with a NULL buffer which enables pkt to be used to
102  * calculate how many bytes would be needed.
103  *
104  * Returns 1 on success or 0 on error.
105  */
ossl_encode_der_dsa_sig(WPACKET * pkt,const BIGNUM * r,const BIGNUM * s)106 int ossl_encode_der_dsa_sig(WPACKET *pkt, const BIGNUM *r, const BIGNUM *s)
107 {
108     WPACKET tmppkt, *dummypkt;
109     size_t cont_len;
110     int isnull = WPACKET_is_null_buf(pkt);
111 
112     if (!WPACKET_start_sub_packet(pkt))
113         return 0;
114 
115     if (!isnull) {
116         if (!WPACKET_init_null(&tmppkt, 0))
117             return 0;
118         dummypkt = &tmppkt;
119     } else {
120         /* If the input packet has a NULL buffer, we don't need a dummy packet */
121         dummypkt = pkt;
122     }
123 
124     /* Calculate the content length */
125     if (!ossl_encode_der_integer(dummypkt, r)
126             || !ossl_encode_der_integer(dummypkt, s)
127             || !WPACKET_get_length(dummypkt, &cont_len)
128             || (!isnull && !WPACKET_finish(dummypkt))) {
129         if (!isnull)
130             WPACKET_cleanup(dummypkt);
131         return 0;
132     }
133 
134     /* Add the tag and length bytes */
135     if (!WPACKET_put_bytes_u8(pkt, ID_SEQUENCE)
136             || !ossl_encode_der_length(pkt, cont_len)
137                /*
138                 * Really encode the integers. We already wrote to the main pkt
139                 * if it had a NULL buffer, so don't do it again
140                 */
141             || (!isnull && !ossl_encode_der_integer(pkt, r))
142             || (!isnull && !ossl_encode_der_integer(pkt, s))
143             || !WPACKET_close(pkt))
144         return 0;
145 
146     return 1;
147 }
148 
149 /*
150  * Decodes the DER length octets in pkt and initialises subpkt with the
151  * following bytes of that length.
152  *
153  * Returns 1 on success or 0 on failure.
154  */
ossl_decode_der_length(PACKET * pkt,PACKET * subpkt)155 int ossl_decode_der_length(PACKET *pkt, PACKET *subpkt)
156 {
157     unsigned int byte;
158 
159     if (!PACKET_get_1(pkt, &byte))
160         return 0;
161 
162     if (byte < 0x80)
163         return PACKET_get_sub_packet(pkt, subpkt, (size_t)byte);
164     if (byte == 0x81)
165         return PACKET_get_length_prefixed_1(pkt, subpkt);
166     if (byte == 0x82)
167         return PACKET_get_length_prefixed_2(pkt, subpkt);
168 
169     /* Too large, invalid, or not DER. */
170     return 0;
171 }
172 
173 /*
174  * Decodes a single ASN.1 INTEGER value from pkt, which must be DER encoded,
175  * and updates n with the decoded value.
176  *
177  * The BIGNUM, n, must have already been allocated by calling BN_new().
178  * pkt must not be NULL.
179  *
180  * An attempt to consume more than len bytes results in an error.
181  * Returns 1 on success or 0 on error.
182  *
183  * If the PACKET is supposed to only contain a single INTEGER value with no
184  * trailing garbage then it is up to the caller to verify that all bytes
185  * were consumed.
186  */
ossl_decode_der_integer(PACKET * pkt,BIGNUM * n)187 int ossl_decode_der_integer(PACKET *pkt, BIGNUM *n)
188 {
189     PACKET contpkt, tmppkt;
190     unsigned int tag, tmp;
191 
192     /* Check we have an integer and get the content bytes */
193     if (!PACKET_get_1(pkt, &tag)
194             || tag != ID_INTEGER
195             || !ossl_decode_der_length(pkt, &contpkt))
196         return 0;
197 
198     /* Peek ahead at the first bytes to check for proper encoding */
199     tmppkt = contpkt;
200     /* The INTEGER must be positive */
201     if (!PACKET_get_1(&tmppkt, &tmp)
202             || (tmp & 0x80) != 0)
203         return 0;
204     /* If there a zero padding byte the next byte must have the msb set */
205     if (PACKET_remaining(&tmppkt) > 0 && tmp == 0) {
206         if (!PACKET_get_1(&tmppkt, &tmp)
207                 || (tmp & 0x80) == 0)
208             return 0;
209     }
210 
211     if (BN_bin2bn(PACKET_data(&contpkt),
212                   (int)PACKET_remaining(&contpkt), n) == NULL)
213         return 0;
214 
215     return 1;
216 }
217 
218 /*
219  * Decodes a single DSA-Sig-Value or ECDSA-Sig-Value from *ppin, which must be
220  * DER encoded, updates r and s with the decoded values, and increments *ppin
221  * past the data that was consumed.
222  *
223  * The BIGNUMs, r and s, must have already been allocated by calls to BN_new().
224  * ppin and *ppin must not be NULL.
225  *
226  * An attempt to consume more than len bytes results in an error.
227  * Returns the number of bytes of input consumed or 0 if an error occurs.
228  *
229  * If the buffer is supposed to only contain a single [EC]DSA-Sig-Value with no
230  * trailing garbage then it is up to the caller to verify that all bytes
231  * were consumed.
232  */
ossl_decode_der_dsa_sig(BIGNUM * r,BIGNUM * s,const unsigned char ** ppin,size_t len)233 size_t ossl_decode_der_dsa_sig(BIGNUM *r, BIGNUM *s,
234                                const unsigned char **ppin, size_t len)
235 {
236     size_t consumed;
237     PACKET pkt, contpkt;
238     unsigned int tag;
239 
240     if (!PACKET_buf_init(&pkt, *ppin, len)
241             || !PACKET_get_1(&pkt, &tag)
242             || tag != ID_SEQUENCE
243             || !ossl_decode_der_length(&pkt, &contpkt)
244             || !ossl_decode_der_integer(&contpkt, r)
245             || !ossl_decode_der_integer(&contpkt, s)
246             || PACKET_remaining(&contpkt) != 0)
247         return 0;
248 
249     consumed = PACKET_data(&pkt) - *ppin;
250     *ppin += consumed;
251     return consumed;
252 }
253