1 /*
2 * Copyright 2013 The Android Open Source Project
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
6 * * Redistributions of source code must retain the above copyright
7 * notice, this list of conditions and the following disclaimer.
8 * * Redistributions in binary form must reproduce the above copyright
9 * notice, this list of conditions and the following disclaimer in the
10 * documentation and/or other materials provided with the distribution.
11 * * Neither the name of Google Inc. nor the names of its contributors may
12 * be used to endorse or promote products derived from this software
13 * without specific prior written permission.
14 *
15 * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
17 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
18 * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
20 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
21 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
22 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
23 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
24 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27 #include <string.h>
28
29 #include "mincrypt/dsa_sig.h"
30 #include "mincrypt/p256.h"
31
32 /**
33 * Trims off the leading zero bytes and copy it to a buffer aligning it to the end.
34 */
trim_to_p256_bytes(unsigned char dst[P256_NBYTES],unsigned char * src,int src_len)35 static inline int trim_to_p256_bytes(unsigned char dst[P256_NBYTES], unsigned char *src,
36 int src_len) {
37 int dst_offset;
38 while (*src == '\0' && src_len > 0) {
39 src++;
40 src_len--;
41 }
42 if (src_len > P256_NBYTES || src_len < 1) {
43 return 0;
44 }
45 dst_offset = P256_NBYTES - src_len;
46 memset(dst, 0, dst_offset);
47 memcpy(dst + dst_offset, src, src_len);
48 return 1;
49 }
50
51 /**
52 * Unpacks the ASN.1 DSA signature sequence.
53 */
dsa_sig_unpack(unsigned char * sig,int sig_len,p256_int * r_int,p256_int * s_int)54 int dsa_sig_unpack(unsigned char* sig, int sig_len, p256_int* r_int, p256_int* s_int) {
55 /*
56 * Structure is:
57 * 0x30 0xNN SEQUENCE + s_length
58 * 0x02 0xNN INTEGER + r_length
59 * 0xAA 0xBB .. r_length bytes of "r" (offset 4)
60 * 0x02 0xNN INTEGER + s_length
61 * 0xMM 0xNN .. s_length bytes of "s" (offset 6 + r_len)
62 */
63 int seq_len;
64 unsigned char r_bytes[P256_NBYTES];
65 unsigned char s_bytes[P256_NBYTES];
66 int r_len;
67 int s_len;
68
69 memset(r_bytes, 0, sizeof(r_bytes));
70 memset(s_bytes, 0, sizeof(s_bytes));
71
72 /*
73 * Must have at least:
74 * 2 bytes sequence header and length
75 * 2 bytes R integer header and length
76 * 1 byte of R
77 * 2 bytes S integer header and length
78 * 1 byte of S
79 *
80 * 8 bytes total
81 */
82 if (sig_len < 8 || sig[0] != 0x30 || sig[2] != 0x02) {
83 return 0;
84 }
85
86 seq_len = sig[1];
87 if ((seq_len <= 0) || (seq_len + 2 != sig_len)) {
88 return 0;
89 }
90
91 r_len = sig[3];
92 /*
93 * Must have at least:
94 * 2 bytes for R header and length
95 * 2 bytes S integer header and length
96 * 1 byte of S
97 */
98 if ((r_len < 1) || (r_len > seq_len - 5) || (sig[4 + r_len] != 0x02)) {
99 return 0;
100 }
101 s_len = sig[5 + r_len];
102
103 /**
104 * Must have:
105 * 2 bytes for R header and length
106 * r_len bytes for R
107 * 2 bytes S integer header and length
108 */
109 if ((s_len < 1) || (s_len != seq_len - 4 - r_len)) {
110 return 0;
111 }
112
113 /*
114 * ASN.1 encoded integers are zero-padded for positive integers. Make sure we have
115 * a correctly-sized buffer and that the resulting integer isn't too large.
116 */
117 if (!trim_to_p256_bytes(r_bytes, &sig[4], r_len)
118 || !trim_to_p256_bytes(s_bytes, &sig[6 + r_len], s_len)) {
119 return 0;
120 }
121
122 p256_from_bin(r_bytes, r_int);
123 p256_from_bin(s_bytes, s_int);
124
125 return 1;
126 }
127