Export pkcs1_prefixed_msg as RSA_add_pkcs1_prefix.

Platform crypto APIs for PKCS#1 RSA signatures vary between expecting the
caller to prepend the DigestInfo prefix (RSA_sign_raw) and prepending it
internally (RSA_sign). Currently, Chromium implements sign or sign_raw as
appropriate. To avoid needing both variants, the new asynchronous methods will
only expose the higher-level one, sign.

To satisfy ports which previously implemented sign_raw, expose the DigestInfo
prefix as a utility function.

BUG=347404

Change-Id: I04c397b5e9502b2942f6698ecf81662a3c9282e6
Reviewed-on: https://boringssl-review.googlesource.com/4940
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/err/rsa.errordata b/crypto/err/rsa.errordata
index 091d2cd..94b4bcb 100644
--- a/crypto/err/rsa.errordata
+++ b/crypto/err/rsa.errordata
@@ -3,6 +3,7 @@
 RSA,function,102,BN_BLINDING_invert_ex
 RSA,function,103,BN_BLINDING_new
 RSA,function,104,BN_BLINDING_update
+RSA,function,123,RSA_add_pkcs1_prefix
 RSA,function,105,RSA_check_key
 RSA,function,106,RSA_new_method
 RSA,function,107,RSA_padding_add_PKCS1_OAEP_mgf1
@@ -22,7 +23,6 @@
 RSA,function,121,encrypt
 RSA,function,122,keygen
 RSA,function,128,keygen_multiprime
-RSA,function,123,pkcs1_prefixed_msg
 RSA,function,124,private_transform
 RSA,function,125,rsa_setup_blinding
 RSA,function,126,sign_raw
diff --git a/crypto/rsa/rsa.c b/crypto/rsa/rsa.c
index 51cc790..6fdc349 100644
--- a/crypto/rsa/rsa.c
+++ b/crypto/rsa/rsa.c
@@ -368,20 +368,16 @@
     },
 };
 
-/* TODO(fork): mostly new code, needs careful review. */
-
-/* pkcs1_prefixed_msg builds a PKCS#1, prefixed version of |msg| for the given
- * hash function and sets |out_msg| to point to it. On successful return,
- * |*out_msg| may be allocated memory and, if so, |*is_alloced| will be 1. */
-static int pkcs1_prefixed_msg(uint8_t **out_msg, size_t *out_msg_len,
-                              int *is_alloced, int hash_nid, const uint8_t *msg,
-                              size_t msg_len) {
+int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
+                         int *is_alloced, int hash_nid, const uint8_t *msg,
+                         size_t msg_len) {
   unsigned i;
 
   if (hash_nid == NID_md5_sha1) {
     /* Special case: SSL signature, just check the length. */
     if (msg_len != SSL_SIG_LENGTH) {
-      OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_INVALID_MESSAGE_LENGTH);
+      OPENSSL_PUT_ERROR(RSA, RSA_add_pkcs1_prefix,
+                        RSA_R_INVALID_MESSAGE_LENGTH);
       return 0;
     }
 
@@ -404,13 +400,13 @@
 
     signed_msg_len = prefix_len + msg_len;
     if (signed_msg_len < prefix_len) {
-      OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_TOO_LONG);
+      OPENSSL_PUT_ERROR(RSA, RSA_add_pkcs1_prefix, RSA_R_TOO_LONG);
       return 0;
     }
 
     signed_msg = OPENSSL_malloc(signed_msg_len);
     if (!signed_msg) {
-      OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(RSA, RSA_add_pkcs1_prefix, ERR_R_MALLOC_FAILURE);
       return 0;
     }
 
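Review bot: The only bound on `msg_len` in this branch is the wrap-around test `if (signed_msg_len < prefix_len)`, which is thin for a function that is now exported and whose callers choose the length. The declarations of `signed_msg_len` and `prefix_len` are outside the hunk; if either is narrower than `size_t`, the sum can be truncated without tripping this test, leaving the `OPENSSL_malloc` buffer smaller than what is presumably copied into it afterwards, so both should be confirmed to be `size_t`. Since the input is a digest, a stricter guard would reject any `msg_len` that is not the digest size for `hash_nid`, as the NID_md5_sha1 branch already does with `msg_len != SSL_SIG_LENGTH`. The function body starts and ends outside this hunk.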
@@ -424,7 +420,7 @@
     return 1;
   }
 
-  OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_UNKNOWN_ALGORITHM_TYPE);
+  OPENSSL_PUT_ERROR(RSA, RSA_add_pkcs1_prefix, RSA_R_UNKNOWN_ALGORITHM_TYPE);
   return 0;
 }
 
@@ -441,8 +437,8 @@
     return rsa->meth->sign(hash_nid, in, in_len, out, out_len, rsa);
   }
 
-  if (!pkcs1_prefixed_msg(&signed_msg, &signed_msg_len, &signed_msg_is_alloced,
-                          hash_nid, in, in_len)) {
+  if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
+                            &signed_msg_is_alloced, hash_nid, in, in_len)) {
     return 0;
   }
 
@@ -499,8 +495,8 @@
     goto out;
   }
 
-  if (!pkcs1_prefixed_msg(&signed_msg, &signed_msg_len, &signed_msg_is_alloced,
-                          hash_nid, msg, msg_len)) {
+  if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
+                            &signed_msg_is_alloced, hash_nid, msg, msg_len)) {
     goto out;
   }
 
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index e27f04e..61e1069 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -321,6 +321,14 @@
                                                   const EVP_MD *mgf1Hash,
                                                   int sLen);
 
+/* RSA_add_pkcs1_prefix builds a version of |msg| prefixed with the DigestInfo
+ * header for the given hash function and sets |out_msg| to point to it. On
+ * successful return, |*out_msg| may be allocated memory and, if so,
+ * |*is_alloced| will be 1. */
+OPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
+                                        int *is_alloced, int hash_nid,
+                                        const uint8_t *msg, size_t msg_len);
+
 
 /* ASN.1 functions. */
 
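Review bot: The comment on the new public declaration leaves the return value and the ownership of `*out_msg` unstated, which matters now that code outside the library will call it. The implementation returns 1 on success and 0 on error and allocates with `OPENSSL_malloc`, so I would append `It returns one on success and zero on error. If |*is_alloced| is one, the caller must release |*out_msg| with OPENSSL_free.` to the comment. It would also help to say that when `|*is_alloced|` is zero the pointer must not be freed (it presumably aliases `|msg|`), and that `|msg|` is the digest for `|hash_nid|` rather than the unhashed message.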
@@ -537,7 +545,7 @@
 #define RSA_F_decrypt 120
 #define RSA_F_encrypt 121
 #define RSA_F_keygen 122
-#define RSA_F_pkcs1_prefixed_msg 123
+#define RSA_F_RSA_add_pkcs1_prefix 123
 #define RSA_F_private_transform 124
 #define RSA_F_rsa_setup_blinding 125
 #define RSA_F_sign_raw 126