156083Skris/* crypto/rsa/rsa_ssl.c */
256083Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
356083Skris * All rights reserved.
456083Skris *
556083Skris * This package is an SSL implementation written
656083Skris * by Eric Young (eay@cryptsoft.com).
756083Skris * The implementation was written so as to conform with Netscapes SSL.
8296465Sdelphij *
956083Skris * This library is free for commercial and non-commercial use as long as
1056083Skris * the following conditions are aheared to.  The following conditions
1156083Skris * apply to all code found in this distribution, be it the RC4, RSA,
1256083Skris * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
1356083Skris * included with this distribution is covered by the same copyright terms
1456083Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15296465Sdelphij *
1656083Skris * Copyright remains Eric Young's, and as such any Copyright notices in
1756083Skris * the code are not to be removed.
1856083Skris * If this package is used in a product, Eric Young should be given attribution
1956083Skris * as the author of the parts of the library used.
2056083Skris * This can be in the form of a textual message at program startup or
2156083Skris * in documentation (online or textual) provided with the package.
22296465Sdelphij *
2356083Skris * Redistribution and use in source and binary forms, with or without
2456083Skris * modification, are permitted provided that the following conditions
2556083Skris * are met:
2656083Skris * 1. Redistributions of source code must retain the copyright
2756083Skris *    notice, this list of conditions and the following disclaimer.
2856083Skris * 2. Redistributions in binary form must reproduce the above copyright
2956083Skris *    notice, this list of conditions and the following disclaimer in the
3056083Skris *    documentation and/or other materials provided with the distribution.
3156083Skris * 3. All advertising materials mentioning features or use of this software
3256083Skris *    must display the following acknowledgement:
3356083Skris *    "This product includes cryptographic software written by
3456083Skris *     Eric Young (eay@cryptsoft.com)"
3556083Skris *    The word 'cryptographic' can be left out if the rouines from the library
3656083Skris *    being used are not cryptographic related :-).
37296465Sdelphij * 4. If you include any Windows specific code (or a derivative thereof) from
3856083Skris *    the apps directory (application code) you must include an acknowledgement:
3956083Skris *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40296465Sdelphij *
4156083Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
4256083Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4356083Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
4456083Skris * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
4556083Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
4656083Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
4756083Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4856083Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
4956083Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
5056083Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
5156083Skris * SUCH DAMAGE.
52296465Sdelphij *
5356083Skris * The licence and distribution terms for any publically available version or
5456083Skris * derivative of this code cannot be changed.  i.e. this code cannot simply be
5556083Skris * copied and put under another distribution licence
5656083Skris * [including the GNU Public Licence.]
5756083Skris */
5856083Skris
5956083Skris#include <stdio.h>
6056083Skris#include "cryptlib.h"
6156083Skris#include <openssl/bn.h>
6256083Skris#include <openssl/rsa.h>
6356083Skris#include <openssl/rand.h>
6456083Skris
65109998Smarkmint RSA_padding_add_SSLv23(unsigned char *to, int tlen,
66296465Sdelphij                           const unsigned char *from, int flen)
67296465Sdelphij{
68296465Sdelphij    int i, j;
69296465Sdelphij    unsigned char *p;
7056083Skris
71296465Sdelphij    if (flen > (tlen - 11)) {
72296465Sdelphij        RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,
73296465Sdelphij               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
74296465Sdelphij        return (0);
75296465Sdelphij    }
7656083Skris
77296465Sdelphij    p = (unsigned char *)to;
7856083Skris
79296465Sdelphij    *(p++) = 0;
80296465Sdelphij    *(p++) = 2;                 /* Public Key BT (Block Type) */
8156083Skris
82296465Sdelphij    /* pad out with non-zero random data */
83296465Sdelphij    j = tlen - 3 - 8 - flen;
8456083Skris
85296465Sdelphij    if (RAND_bytes(p, j) <= 0)
86296465Sdelphij        return (0);
87296465Sdelphij    for (i = 0; i < j; i++) {
88296465Sdelphij        if (*p == '\0')
89296465Sdelphij            do {
90296465Sdelphij                if (RAND_bytes(p, 1) <= 0)
91296465Sdelphij                    return (0);
92296465Sdelphij            } while (*p == '\0');
93296465Sdelphij        p++;
94296465Sdelphij    }
9556083Skris
96296465Sdelphij    memset(p, 3, 8);
97296465Sdelphij    p += 8;
98296465Sdelphij    *(p++) = '\0';
99296465Sdelphij
100296465Sdelphij    memcpy(p, from, (unsigned int)flen);
101296465Sdelphij    return (1);
102296465Sdelphij}
103296465Sdelphij
104109998Smarkmint RSA_padding_check_SSLv23(unsigned char *to, int tlen,
105296465Sdelphij                             const unsigned char *from, int flen, int num)
106296465Sdelphij{
107296465Sdelphij    int i, j, k;
108296465Sdelphij    const unsigned char *p;
10956083Skris
110296465Sdelphij    p = from;
111296465Sdelphij    if (flen < 10) {
112296465Sdelphij        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
113296465Sdelphij        return (-1);
114296465Sdelphij    }
115296465Sdelphij    if ((num != (flen + 1)) || (*(p++) != 02)) {
116296465Sdelphij        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
117296465Sdelphij        return (-1);
118296465Sdelphij    }
11956083Skris
120296465Sdelphij    /* scan over padding data */
121296465Sdelphij    j = flen - 1;               /* one for type */
122296465Sdelphij    for (i = 0; i < j; i++)
123296465Sdelphij        if (*(p++) == 0)
124296465Sdelphij            break;
12556083Skris
126296465Sdelphij    if ((i == j) || (i < 8)) {
127296465Sdelphij        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
128296465Sdelphij               RSA_R_NULL_BEFORE_BLOCK_MISSING);
129296465Sdelphij        return (-1);
130296465Sdelphij    }
131296465Sdelphij    for (k = -9; k < -1; k++) {
132296465Sdelphij        if (p[k] != 0x03)
133296465Sdelphij            break;
134296465Sdelphij    }
135296465Sdelphij    if (k == -1) {
136296465Sdelphij        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_SSLV3_ROLLBACK_ATTACK);
137296465Sdelphij        return (-1);
138296465Sdelphij    }
13956083Skris
140296465Sdelphij    i++;                        /* Skip over the '\0' */
141296465Sdelphij    j -= i;
142296465Sdelphij    if (j > tlen) {
143296465Sdelphij        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_LARGE);
144296465Sdelphij        return (-1);
145296465Sdelphij    }
146296465Sdelphij    memcpy(to, p, (unsigned int)j);
14756083Skris
148296465Sdelphij    return (j);
149296465Sdelphij}
150