X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Finner.h;h=07e1d0a478e801a91580658918130fb8b595e407;hp=c507102c77f4aed79f847adb14e15d0c9ca2d6aa;hb=b715b43e411dc5d5949df6f75ef7bb65952db11c;hpb=491a45337de8dc0a4c100abf33f5c0e187a08afd diff --git a/src/inner.h b/src/inner.h index c507102..07e1d0a 100644 --- a/src/inner.h +++ b/src/inner.h @@ -114,6 +114,10 @@ #define BR_64 1 #elif defined(__x86_64__) || defined(_M_X64) #define BR_64 1 +#elif defined(__aarch64__) || defined(_M_ARM64) +#define BR_64 1 +#elif defined(__mips64) +#define BR_64 1 #endif #endif @@ -305,9 +309,20 @@ * values are documented on: * https://sourceforge.net/p/predef/wiki/OperatingSystems/ * - * TODO: enrich the list of detected system. Also add detection for - * alternate system calls like getentropy(), which are usually - * preferable when available. + * Win32's CryptGenRandom() should be available on Windows systems. + * + * /dev/urandom should work on all Unix-like systems (including macOS X). + * + * getentropy() is present on Linux (Glibc 2.25+), FreeBSD (12.0+) and + * OpenBSD (5.6+). For OpenBSD, there does not seem to be easy to use + * macros to test the minimum version, so we just assume that it is + * recent enough (last version without getentropy() has gone out of + * support in May 2015). + * + * Ideally we should use getentropy() on macOS (10.12+) too, but I don't + * know how to test the exact OS version with preprocessor macros. + * + * TODO: enrich the list of detected system. */ #ifndef BR_USE_URANDOM @@ -324,6 +339,15 @@ #endif #endif +#ifndef BR_USE_GETENTROPY +#if (defined __linux__ \ + && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 25))) \ + || (defined __FreeBSD__ && __FreeBSD__ >= 12) \ + || defined __OpenBSD__ +#define BR_USE_GETENTROPY 1 +#endif +#endif + #ifndef BR_USE_WIN32_RAND #if defined _WIN32 || defined _WIN64 #define BR_USE_WIN32_RAND 1 @@ -1943,6 +1967,27 @@ uint32_t br_rsa_pkcs1_sig_unpad(const unsigned char *sig, size_t sig_len, const unsigned char *hash_oid, size_t hash_len, unsigned char *hash_out); +/* + * Apply proper PSS padding. The 'x' buffer is output only: it + * receives the value that is to be exponentiated. + */ +uint32_t br_rsa_pss_sig_pad(const br_prng_class **rng, + const br_hash_class *hf_data, const br_hash_class *hf_mgf1, + const unsigned char *hash, size_t salt_len, + uint32_t n_bitlen, unsigned char *x); + +/* + * Check PSS padding. The provided value is the one _after_ + * the modular exponentiation; it is modified by this function. + * This function infers the signature length from the public key + * size, i.e. it assumes that this has already been verified (as + * part of the exponentiation). + */ +uint32_t br_rsa_pss_sig_unpad( + const br_hash_class *hf_data, const br_hash_class *hf_mgf1, + const unsigned char *hash, size_t salt_len, + const br_rsa_public_key *pk, unsigned char *x); + /* * Apply OAEP padding. Returned value is the actual padded string length, * or zero on error. @@ -1973,8 +2018,8 @@ void br_mgf1_xor(void *data, size_t len, * implementations. */ uint32_t br_rsa_i31_keygen_inner(const br_prng_class **rng, - br_rsa_private_key *sk, unsigned char *kbuf_priv, - br_rsa_public_key *pk, unsigned char *kbuf_pub, + br_rsa_private_key *sk, void *kbuf_priv, + br_rsa_public_key *pk, void *kbuf_pub, unsigned size, uint32_t pubexp, br_i31_modpow_opt_type mp31); /* ==================================================================== */ @@ -2027,6 +2072,72 @@ void br_ecdsa_i31_bits2int(uint32_t *x, void br_ecdsa_i15_bits2int(uint16_t *x, const void *src, size_t len, uint32_t ebitlen); +/* ==================================================================== */ +/* + * ASN.1 support functions. + */ + +/* + * A br_asn1_uint structure contains encoding information about an + * INTEGER nonnegative value: pointer to the integer contents (unsigned + * big-endian representation), length of the integer contents, + * and length of the encoded value. The data shall have minimal length: + * - If the integer value is zero, then 'len' must be zero. + * - If the integer value is not zero, then data[0] must be non-zero. + * + * Under these conditions, 'asn1len' is necessarily equal to either len + * or len+1. + */ +typedef struct { + const unsigned char *data; + size_t len; + size_t asn1len; +} br_asn1_uint; + +/* + * Given an encoded integer (unsigned big-endian, with possible leading + * bytes of value 0), returned the "prepared INTEGER" structure. + */ +br_asn1_uint br_asn1_uint_prepare(const void *xdata, size_t xlen); + +/* + * Encode an ASN.1 length. The length of the encoded length is returned. + * If 'dest' is NULL, then no encoding is performed, but the length of + * the encoded length is still computed and returned. + */ +size_t br_asn1_encode_length(void *dest, size_t len); + +/* + * Convenient macro for computing lengths of lengths. + */ +#define len_of_len(len) br_asn1_encode_length(NULL, len) + +/* + * Encode a (prepared) ASN.1 INTEGER. The encoded length is returned. + * If 'dest' is NULL, then no encoding is performed, but the length of + * the encoded integer is still computed and returned. + */ +size_t br_asn1_encode_uint(void *dest, br_asn1_uint pp); + +/* + * Get the OID that identifies an elliptic curve. Returned value is + * the DER-encoded OID, with the length (always one byte) but without + * the tag. Thus, the first byte of the returned buffer contains the + * number of subsequent bytes in the value. If the curve is not + * recognised, NULL is returned. + */ +const unsigned char *br_get_curve_OID(int curve); + +/* + * Inner function for EC private key encoding. This is equivalent to + * the API function br_encode_ec_raw_der(), except for an extra + * parameter: if 'include_curve_oid' is zero, then the curve OID is + * _not_ included in the output blob (this is for PKCS#8 support). + */ +size_t br_encode_ec_raw_der_inner(void *dest, + const br_ec_private_key *sk, const br_ec_public_key *pk, + int include_curve_oid); + /* ==================================================================== */ /* * SSL/TLS support functions. @@ -2271,6 +2382,7 @@ int br_ssl_choose_hash(unsigned bf); #define stxvw4x(xt, ra, rb) stxvw4x_(xt, ra, rb) #define bdnz(foo) bdnz_(foo) +#define bdz(foo) bdz_(foo) #define beq(foo) beq_(foo) #define li(rx, value) li_(rx, value) @@ -2289,6 +2401,7 @@ int br_ssl_choose_hash(unsigned bf); #define vsl(vrt, vra, vrb) vsl_(vrt, vra, vrb) #define vsldoi(vt, va, vb, sh) vsldoi_(vt, va, vb, sh) #define vsr(vrt, vra, vrb) vsr_(vrt, vra, vrb) +#define vaddcuw(vrt, vra, vrb) vaddcuw_(vrt, vra, vrb) #define vadduwm(vrt, vra, vrb) vadduwm_(vrt, vra, vrb) #define vsububm(vrt, vra, vrb) vsububm_(vrt, vra, vrb) #define vsubuwm(vrt, vra, vrb) vsubuwm_(vrt, vra, vrb) @@ -2306,6 +2419,7 @@ int br_ssl_choose_hash(unsigned bf); #define label(foo) #foo "%=:\n" #define bdnz_(foo) "\tbdnz\t" #foo "%=\n" +#define bdz_(foo) "\tbdz\t" #foo "%=\n" #define beq_(foo) "\tbeq\t" #foo "%=\n" #define li_(rx, value) "\tli\t" #rx "," #value "\n" @@ -2324,6 +2438,7 @@ int br_ssl_choose_hash(unsigned bf); #define vsl_(vrt, vra, vrb) "\tvsl\t" #vrt "," #vra "," #vrb "\n" #define vsldoi_(vt, va, vb, sh) "\tvsldoi\t" #vt "," #va "," #vb "," #sh "\n" #define vsr_(vrt, vra, vrb) "\tvsr\t" #vrt "," #vra "," #vrb "\n" +#define vaddcuw_(vrt, vra, vrb) "\tvaddcuw\t" #vrt "," #vra "," #vrb "\n" #define vadduwm_(vrt, vra, vrb) "\tvadduwm\t" #vrt "," #vra "," #vrb "\n" #define vsububm_(vrt, vra, vrb) "\tvsububm\t" #vrt "," #vra "," #vrb "\n" #define vsubuwm_(vrt, vra, vrb) "\tvsubuwm\t" #vrt "," #vra "," #vrb "\n" @@ -2378,8 +2493,8 @@ int br_ssl_choose_hash(unsigned bf); #else #define BR_TARGETS_X86_UP \ _Pragma("GCC target(\"sse2,ssse3,sse4.1,aes,pclmul\")") -#endif #define BR_TARGETS_X86_DOWN +#endif #pragma GCC diagnostic ignored "-Wpsabi" #endif