/*
 * rsa.c
 * -----
 * Basic RSA functions based on Cryptech ModExp core.
 *
 * The mix of what we're doing in software vs what we're doing on the
 * FPGA is a moving target.  Goal for now is to have the bits we need
 * to do in C be straightforward to review and as simple as possible
 * (but no simpler).
 *
 * Much of the code in this module is based, at least loosely, on Tom
 * St Denis's libtomcrypt code.
 *
 * Authors: Rob Austein
 * Copyright (c) 2015, NORDUnet A/S
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 * - Redistributions of source code must retain the above copyright notice,
 *   this list of conditions and the following disclaimer.
 *
 * - Redistributions in binary form must reproduce the above copyright
 *   notice, this list of conditions and the following disclaimer in the
 *   documentation and/or other materials provided with the distribution.
 *
 * - Neither the name of the NORDUnet nor the names of its contributors may
 *   be used to endorse or promote products derived from this software
 *   without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * We use "Tom's Fast Math" library for our bignum implementation.
 * This particular implementation has a couple of nice features:
 *
 * - The code is relatively readable, thus reviewable.
 *
 * - The bignum representation doesn't use dynamic memory, which
 *   simplifies things for us.
 *
 * The price tag for not using dynamic memory is that libtfm has to be
 * configured to know about the largest bignum one wants it to be able
 * to support at compile time.  This should not be a serious problem.
 *
 * We use a lot of one-element arrays (fp_int[1] instead of plain
 * fp_int) to avoid having to prefix every use of an fp_int with "&".
 * Perhaps we should encapsulate this idiom in a typedef.
 *
 * Unfortunately, libtfm is bad about const-ification, but we want to
 * hide that from our users, so our public API uses const as
 * appropriate and we use inline functions to remove const constraints
 * in a relatively type-safe manner before calling libtom.
 */

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <assert.h>

#include "hal.h"
#include "hal_internal.h"
#include <tfm.h>
#include "asn1_internal.h"

/*
 * Whether to use ModExp core.  It works, but at the moment it's so
 * slow that a full test run can take more than an hour.
 */

#ifndef HAL_RSA_USE_MODEXP
#define HAL_RSA_USE_MODEXP 1
#endif

#ifdef RPC_CLIENT
#define hal_get_random(core, buffer, length) hal_rpc_get_random(buffer, length)
#endif

/*
 * Whether we want debug output.
 */

static int debug = 0;

void hal_rsa_set_debug(const int onoff)
{
  debug = onoff;
}

/*
 * Whether we want RSA blinding.
 */

static int blinding = 1;

void hal_rsa_set_blinding(const int onoff)
{
  blinding = onoff;
}

/*
 * RSA key implementation.  This structure type is private to this
 * module, anything else that needs to touch one of these just gets a
 * typed opaque pointer.  We do, however, export the size, so that we
 * can make memory allocation the caller's problem.
 */

struct hal_rsa_key {
  hal_key_type_t type;      /* What kind of key this is */
  fp_int n[1];                  /* The modulus */
  fp_int e[1];                  /* Public exponent */
  fp_int d[1];                  /* Private exponent */
  fp_int p[1];                  /* 1st prime factor */
  fp_int q[1];                  /* 2nd prime factor */
  fp_int u[1];                  /* 1/q mod p */
  fp_int dP[1];                 /* d mod (p - 1) */
  fp_int dQ[1];                 /* d mod (q - 1) */
};

const size_t hal_rsa_key_t_size = sizeof(hal_rsa_key_t);

/*
 * Initializers.  We want to be able to initialize automatic fp_int
 * variables a sane value (less error prone), but picky compilers
 * whine about the number of curly braces required.  So we define a
 * macro which isolates that madness in one place.
 */

#define INIT_FP_INT     {{{0}}}

/*
 * Error handling.
 */

#define lose(_code_)                                    \
  do { err = _code_; goto fail; } while (0)

#define FP_CHECK(_expr_)                                \
  do {                                                  \
    switch (_expr_) {                                   \
    case FP_OKAY: break;                                \
    case FP_VAL:  lose(HAL_ERROR_BAD_ARGUMENTS);        \
    case FP_MEM:  lose(HAL_ERROR_ALLOCATION_FAILURE);   \
    default:      lose(HAL_ERROR_IMPOSSIBLE);  		\
    }                                                   \
  } while (0)


/*
 * Unpack a bignum into a byte array, with length check.
 */

static hal_error_t unpack_fp(const fp_int * const bn, uint8_t *buffer, const size_t length)
{
  hal_error_t err = HAL_OK;

  assert(bn != NULL && buffer != NULL);

  const size_t bytes = fp_unsigned_bin_size(unconst_fp_int(bn));

  if (bytes > length)
    lose(HAL_ERROR_RESULT_TOO_LONG);

  memset(buffer, 0, length);
  fp_to_unsigned_bin(unconst_fp_int(bn), buffer + length - bytes);

 fail:
  return err;
}

#if HAL_RSA_USE_MODEXP

/*
 * Unwrap bignums into byte arrays, feed them into hal_modexp(), and
 * wrap result back up as a bignum.
 */

static hal_error_t modexp(const hal_core_t *core,
                          const fp_int * msg,
                          const fp_int * const exp,
                          const fp_int * const mod,
                          fp_int *res)
{
  hal_error_t err = HAL_OK;

  if (((err = hal_core_check_name(&core, MODEXPS6_NAME)) != HAL_OK) &&
      ((err = hal_core_check_name(&core, MODEXPA7_NAME)) != HAL_OK))
    return err;

  assert(msg != NULL && exp != NULL && mod != NULL && res != NULL);

  fp_int reduced_msg[1] = INIT_FP_INT;

  if (fp_cmp_mag(unconst_fp_int(msg), unconst_fp_int(mod)) != FP_LT) {
    fp_init(reduced_msg);
    fp_mod(unconst_fp_int(msg), unconst_fp_int(mod), reduced_msg);
    msg = reduced_msg;
  }

  const size_t exp_len = (fp_unsigned_bin_size(unconst_fp_int(exp)) + 3) & ~3;
  const size_t mod_len = (fp_unsigned_bin_size(unconst_fp_int(mod)) + 3) & ~3;

  uint8_t msgbuf[mod_len];
  uint8_t expbuf[exp_len];
  uint8_t modbuf[mod_len];
  uint8_t resbuf[mod_len];

  if ((err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
      (err = unpack_fp(exp, expbuf, sizeof(expbuf))) != HAL_OK ||
      (err = unpack_fp(mod, modbuf, sizeof(modbuf))) != HAL_OK ||
      (err = hal_modexp(core,
                        msgbuf, sizeof(msgbuf),
                        expbuf, sizeof(expbuf),
                        modbuf, sizeof(modbuf),
                        resbuf, sizeof(resbuf))) != HAL_OK)
    goto fail;

  fp_read_unsigned_bin(res, resbuf, sizeof(resbuf));

 fail:
  memset(msgbuf, 0, sizeof(msgbuf));
  memset(expbuf, 0, sizeof(expbuf));
  memset(modbuf, 0, sizeof(modbuf));
  return err;
}

/*
 * Wrapper to let us export our modexp function as a replacement for
 * TFM's, to avoid dragging in all of the TFM montgomery code when we
 * use TFM's Miller-Rabin test code.
 *
 * This code is here rather than in a separate module because of the
 * error handling: TFM's error codes aren't really capable of
 * expressing all the things that could go wrong here.
 */

int fp_exptmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
{
  return modexp(NULL, a, b, c, d) == HAL_OK ? FP_OKAY : FP_VAL;
}

#else /* HAL_RSA_USE_MODEXP */

/*
 * Workaround to let us use TFM's software implementation of modular
 * exponentiation when we want to test other things and don't want to
 * wait for the slow FPGA implementation.
 */

static hal_error_t modexp(const hal_core_t *core, /* ignored */
                          const fp_int * const msg,
                          const fp_int * const exp,
                          const fp_int * const mod,
                          fp_int *res)
{
  hal_error_t err = HAL_OK;
  FP_CHECK(fp_exptmod(unconst_fp_int(msg), unconst_fp_int(exp), unconst_fp_int(mod), res));
 fail:
  return err;
}

#endif /* HAL_RSA_USE_MODEXP */

/*
 * Create blinding factors.  There are various schemes for amortizing
 * the cost of this over multiple RSA operations, at present we don't
 * try.  Come back to this if it looks like a bottleneck.
 */

static hal_error_t create_blinding_factors(const hal_core_t *core, const hal_rsa_key_t * const key, fp_int *bf, fp_int *ubf)
{
  assert(key != NULL && bf != NULL && ubf != NULL);

  uint8_t rnd[fp_unsigned_bin_size(unconst_fp_int(key->n))];
  hal_error_t err = HAL_OK;

  if ((err = hal_get_random(NULL, rnd, sizeof(rnd))) != HAL_OK)
    goto fail;

  fp_init(bf);
  fp_read_unsigned_bin(bf,  rnd, sizeof(rnd));
  fp_copy(bf, ubf);

  if ((err = modexp(core, bf, key->e, key->n, bf)) != HAL_OK)
    goto fail;

  FP_CHECK(fp_invmod(ubf, unconst_fp_int(key->n), ubf));

 fail:
  memset(rnd, 0, sizeof(rnd));
  return err;
}

/*
 * RSA decryption via Chinese Remainder Theorem (Garner's formula).
 */

static hal_error_t rsa_crt(const hal_core_t *core, const hal_rsa_key_t * const key, fp_int *msg, fp_int *sig)
{
  assert(key != NULL && msg != NULL && sig != NULL);

  hal_error_t err = HAL_OK;
  fp_int t[1]   = INIT_FP_INT;
  fp_int m1[1]  = INIT_FP_INT;
  fp_int m2[1]  = INIT_FP_INT;
  fp_int bf[1]  = INIT_FP_INT;
  fp_int ubf[1] = INIT_FP_INT;

  /*
   * Handle blinding if requested.
   */
  if (blinding) {
    if ((err = create_blinding_factors(core, key, bf, ubf)) != HAL_OK)
      goto fail;
    FP_CHECK(fp_mulmod(msg, bf, unconst_fp_int(key->n), msg));
  }

  /*
   * m1 = msg ** dP mod p
   * m2 = msg ** dQ mod q
   */
  if ((err = modexp(core, msg, key->dP, key->p, m1)) != HAL_OK ||
      (err = modexp(core, msg, key->dQ, key->q, m2)) != HAL_OK)
    goto fail;

  /*
   * t = m1 - m2.
   */
  fp_sub(m1, m2, t);

  /*
   * Add zero (mod p) if needed to make t positive.  If doing this
   * once or twice doesn't help, something is very wrong.
   */
  if (fp_cmp_d(t, 0) == FP_LT)
    fp_add(t, unconst_fp_int(key->p), t);
  if (fp_cmp_d(t, 0) == FP_LT)
    fp_add(t, unconst_fp_int(key->p), t);
  if (fp_cmp_d(t, 0) == FP_LT)
    lose(HAL_ERROR_IMPOSSIBLE);

  /*
   * sig = (t * u mod p) * q + m2
   */
  FP_CHECK(fp_mulmod(t, unconst_fp_int(key->u), unconst_fp_int(key->p), t));
  fp_mul(t, unconst_fp_int(key->q), t);
  fp_add(t, m2, sig);

  /*
   * Unblind if necessary.
   */
  if (blinding)
    FP_CHECK(fp_mulmod(sig, ubf, unconst_fp_int(key->n), sig));

 fail:
  fp_zero(t);
  fp_zero(m1);
  fp_zero(m2);
  return err;
}

/*
 * Public API for raw RSA encryption and decryption.
 *
 * NB: This does not handle PKCS #1.5 padding, at the moment that's up
 * to the caller.
 */

hal_error_t hal_rsa_encrypt(const hal_core_t *core,
                            const hal_rsa_key_t * const key,
                            const uint8_t * const input,  const size_t input_len,
                            uint8_t * output, const size_t output_len)
{
  hal_error_t err = HAL_OK;

  if (key == NULL || input == NULL || output == NULL || input_len > output_len)
    return HAL_ERROR_BAD_ARGUMENTS;

  fp_int i[1] = INIT_FP_INT;
  fp_int o[1] = INIT_FP_INT;

  fp_read_unsigned_bin(i, unconst_uint8_t(input), input_len);

  if ((err = modexp(core, i, key->e, key->n, o)) != HAL_OK ||
      (err = unpack_fp(o, output, output_len))   != HAL_OK)
    goto fail;

 fail:
  fp_zero(i);
  fp_zero(o);
  return err;
}

hal_error_t hal_rsa_decrypt(const hal_core_t *core,
                            const hal_rsa_key_t * const key,
                            const uint8_t * const input,  const size_t input_len,
                            uint8_t * output, const size_t output_len)
{
  hal_error_t err = HAL_OK;

  if (key == NULL || input == NULL || output == NULL || input_len > output_len)
    return HAL_ERROR_BAD_ARGUMENTS;

  fp_int i[1] = INIT_FP_INT;
  fp_int o[1] = INIT_FP_INT;

  fp_read_unsigned_bin(i, unconst_uint8_t(input), input_len);

  /*
   * Do CRT if we have all the necessary key components, otherwise
   * just do brute force ModExp.
   */

  if (fp_iszero(key->p) || fp_iszero(key->q) || fp_iszero(key->u) || fp_iszero(key->dP) || fp_iszero(key->dQ))
    err = modexp(core, i, key->d, key->n, o);
  else
    err = rsa_crt(core, key, i, o);

  if (err != HAL_OK || (err = unpack_fp(o, output, output_len)) != HAL_OK)
    goto fail;

 fail:
  fp_zero(i);
  fp_zero(o);
  return err;
}

/*
 * Clear a key.  We might want to do something a bit more energetic
 * than plain old memset() eventually.
 */

void hal_rsa_key_clear(hal_rsa_key_t *key)
{
  if (key != NULL)
    memset(key, 0, sizeof(*key));
}

/*
 * Load a key from raw components.  This is a simplistic version: we
 * don't attempt to generate missing private key components, we just
 * reject the key if it doesn't have everything we expect.
 *
 * In theory, the only things we'd really need for the private key if
 * we were being nicer about this would be e, p, and q, as we could
 * calculate everything else from them.
 */

static hal_error_t load_key(const hal_key_type_t type,
                            hal_rsa_key_t **key_,
                            void *keybuf, const size_t keybuf_len,
                            const uint8_t * const n,  const size_t n_len,
                            const uint8_t * const e,  const size_t e_len,
                            const uint8_t * const d,  const size_t d_len,
                            const uint8_t * const p,  const size_t p_len,
                            const uint8_t * const q,  const size_t q_len,
                            const uint8_t * const u,  const size_t u_len,
                            const uint8_t * const dP, const size_t dP_len,
                            const uint8_t * const dQ, const size_t dQ_len)
{
  if (key_ == NULL || keybuf == NULL || keybuf_len < sizeof(hal_rsa_key_t))
    return HAL_ERROR_BAD_ARGUMENTS;

  memset(keybuf, 0, keybuf_len);

  hal_rsa_key_t *key = keybuf;

  key->type = type;

#define _(x) do { fp_init(key->x); if (x == NULL) goto fail; fp_read_unsigned_bin(key->x, unconst_uint8_t(x), x##_len); } while (0)
  switch (type) {
  case HAL_KEY_TYPE_RSA_PRIVATE:
    _(d); _(p); _(q); _(u); _(dP); _(dQ);
  case HAL_KEY_TYPE_RSA_PUBLIC:
    _(n); _(e);
    *key_ = key;
    return HAL_OK;
  default:
    goto fail;
  }
#undef _

 fail:
  memset(key, 0, sizeof(*key));
  return HAL_ERROR_BAD_ARGUMENTS;
}

/*
 * Public API to load_key().
 */

hal_error_t hal_rsa_key_load_private(hal_rsa_key_t **key_,
                                     void *keybuf, const size_t keybuf_len,
                                     const uint8_t * const n,  const size_t n_len,
                                     const uint8_t * const e,  const size_t e_len,
                                     const uint8_t * const d,  const size_t d_len,
                                     const uint8_t * const p,  const size_t p_len,
                                     const uint8_t * const q,  const size_t q_len,
                                     const uint8_t * const u,  const size_t u_len,
                                     const uint8_t * const dP, const size_t dP_len,
                                     const uint8_t * const dQ, const size_t dQ_len)
{
  return load_key(HAL_KEY_TYPE_RSA_PRIVATE, key_, keybuf, keybuf_len,
                  n, n_len, e, e_len,
                  d, d_len, p, p_len, q, q_len, u, u_len, dP, dP_len, dQ, dQ_len);
}

hal_error_t hal_rsa_key_load_public(hal_rsa_key_t **key_,
                                    void *keybuf, const size_t keybuf_len,
          <style>pre { line-height: 125%; }
td.linenos .normal { color: inherit; background-color: transparent; padding-left: 5px; padding-right: 5px; }
span.linenos { color: inherit; background-color: transparent; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #000000; background-color: #ffffc0; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #000000; background-color: #ffffc0; padding-left: 5px; padding-right: 5px; }
.highlight .hll { background-color: #ffffcc }
.highlight .c { color: #888888 } /* Comment */
.highlight .err { color: #a61717; background-color: #e3d2d2 } /* Error */
.highlight .k { color: #008800; font-weight: bold } /* Keyword */
.highlight .ch { color: #888888 } /* Comment.Hashbang */
.highlight .cm { color: #888888 } /* Comment.Multiline */
.highlight .cp { color: #cc0000; font-weight: bold } /* Comment.Preproc */
.highlight .cpf { color: #888888 } /* Comment.PreprocFile */
.highlight .c1 { color: #888888 } /* Comment.Single */
.highlight .cs { color: #cc0000; font-weight: bold; background-color: #fff0f0 } /* Comment.Special */
.highlight .gd { color: #000000; background-color: #ffdddd } /* Generic.Deleted */
.highlight .ge { font-style: italic } /* Generic.Emph */
.highlight .ges { font-weight: bold; font-style: italic } /* Generic.EmphStrong */
.highlight .gr { color: #aa0000 } /* Generic.Error */
.highlight .gh { color: #333333 } /* Generic.Heading */
.highlight .gi { color: #000000; background-color: #ddffdd } /* Generic.Inserted */
.highlight .go { color: #888888 } /* Generic.Output */
.highlight .gp { color: #555555 } /* Generic.Prompt */
.highlight .gs { font-weight: bold } /* Generic.Strong */
.highlight .gu { color: #666666 } /* Generic.Subheading */
.highlight .gt { color: #aa0000 } /* Generic.Traceback */
.highlight .kc { color: #008800; font-weight: bold } /* Keyword.Constant */
.highlight .kd { color: #008800; font-weight: bold } /* Keyword.Declaration */
.highlight .kn { color: #008800; font-weight: bold } /* Keyword.Namespace */
.highlight .kp { color: #008800 } /* Keyword.Pseudo */
.highlight .kr { color: #008800; font-weight: bold } /* Keyword.Reserved */
.highlight .kt { color: #888888; font-weight: bold } /* Keyword.Type */
.highlight .m { color: #0000DD; font-weight: bold } /* Literal.Number */
.highlight .s { color: #dd2200; background-color: #fff0f0 } /* Literal.String */
.highlight .na { color: #336699 } /* Name.Attribute */
.highlight .nb { color: #003388 } /* Name.Builtin */
.highlight .nc { color: #bb0066; font-weight: bold } /* Name.Class */
.highlight .no { color: #003366; font-weight: bold } /* Name.Constant */
.highlight .nd { color: #555555 } /* Name.Decorator */
.highlight .ne { color: #bb0066; font-weight: bold } /* Name.Exception */
.highlight .nf { color: #0066bb; font-weight: bold } /* Name.Function */
.highlight .nl { color: #336699; font-style: italic } /* Name.Label */
.highlight .nn { color: #bb0066; font-weight: bold } /* Name.Namespace */
.highlight .py { color: #336699; font-weight: bold } /* Name.Property */
.highlight .nt { color: #bb0066; font-weight: bold } /* Name.Tag */
.highlight .nv { color: #336699 } /* Name.Variable */
.highlight .ow { color: #008800 } /* Operator.Word */
.highlight .w { color: #bbbbbb } /* Text.Whitespace */
.highlight .mb { color: #0000DD; font-weight: bold } /* Literal.Number.Bin */
.highlight .mf { color: #0000DD; font-weight: bold } /* Literal.Number.Float */
.highlight .mh { color: #0000DD; font-weight: bold } /* Literal.Number.Hex */
.highlight .mi { color: #0000DD; font-weight: bold } /* Literal.Number.Integer */
.highlight .mo { color: #0000DD; font-weight: bold } /* Literal.Number.Oct */
.highlight .sa { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Affix */
.highlight .sb { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Backtick */
.highlight .sc { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Char */
.highlight .dl { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Delimiter */
.highlight .sd { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Doc */
.highlight .s2 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Double */
.highlight .se { color: #0044dd; background-color: #fff0f0 } /* Literal.String.Escape */
.highlight .sh { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Heredoc */
.highlight .si { color: #3333bb; background-color: #fff0f0 } /* Literal.String.Interpol */
.highlight .sx { color: #22bb22; background-color: #f0fff0 } /* Literal.String.Other */
.highlight .sr { color: #008800; background-color: #fff0ff } /* Literal.String.Regex */
.highlight .s1 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Single */
.highlight .ss { color: #aa6600; background-color: #fff0f0 } /* Literal.String.Symbol */
.highlight .bp { color: #003388 } /* Name.Builtin.Pseudo */
.highlight .fm { color: #0066bb; font-weight: bold } /* Name.Function.Magic */
.highlight .vc { color: #336699 } /* Name.Variable.Class */
.highlight .vg { color: #dd7700 } /* Name.Variable.Global */
.highlight .vi { color: #3333bb } /* Name.Variable.Instance */
.highlight .vm { color: #336699 } /* Name.Variable.Magic */
.highlight .il { color: #0000DD; font-weight: bold } /* Literal.Number.Integer.Long */</style><div class="highlight"><pre><span></span><span class="cm">/*</span>
<span class="cm"> * asn1.c</span>
<span class="cm"> * ------</span>
<span class="cm"> * Minimal ASN.1 implementation in support of Cryptech libhal.</span>
<span class="cm"> *</span>
<span class="cm"> * The functions in this module are not intended to be part of the</span>
<span class="cm"> * public API.  Rather, these are utility functions used by more than</span>
<span class="cm"> * one module within the library, which would otherwise have to be</span>
<span class="cm"> * duplicated.  The main reason for keeping these private is to avoid</span>
<span class="cm"> * having the public API depend on any details of the underlying</span>
<span class="cm"> * bignum implementation (currently libtfm, but that might change).</span>
<span class="cm"> *</span>
<span class="cm"> * As of this writing, the ASN.1 support we need is quite minimal, so,</span>
<span class="cm"> * rather than attempting to clean all the unecessary cruft out of a</span>
<span class="cm"> * general purpose ASN.1 implementation, we hand code the very small</span>
<span class="cm"> * number of data types we need.  At some point this will probably</span>
<span class="cm"> * become impractical, at which point we might want to look into using</span>
<span class="cm"> * something like the asn1c compiler.</span>
<span class="cm"> *</span>
<span class="cm"> * Authors: Rob Austein</span>
<span class="cm"> * Copyright (c) 2015, NORDUnet A/S</span>
<span class="cm"> * All rights reserved.</span>
<span class="cm"> *</span>
<span class="cm"> * Redistribution and use in source and binary forms, with or without</span>
<span class="cm"> * modification, are permitted provided that the following conditions are</span>
<span class="cm"> * met:</span>
<span class="cm"> * - Redistributions of source code must retain the above copyright notice,</span>
<span class="cm"> *   this list of conditions and the following disclaimer.</span>
<span class="cm"> *</span>
<span class="cm"> * - Redistributions in binary form must reproduce the above copyright</span>
<span class="cm"> *   notice, this list of conditions and the following disclaimer in the</span>
<span class="cm"> *   documentation and/or other materials provided with the distribution.</span>
<span class="cm"> *</span>
<span class="cm"> * - Neither the name of the NORDUnet nor the names of its contributors may</span>
<span class="cm"> *   be used to endorse or promote products derived from this software</span>
<span class="cm"> *   without specific prior written permission.</span>
<span class="cm"> *</span>
<span class="cm"> * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &quot;AS</span>
<span class="cm"> * IS&quot; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED</span>
<span class="cm"> * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A</span>
<span class="cm"> * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT</span>
<span class="cm"> * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,</span>
<span class="cm"> * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED</span>
<span class="cm"> * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR</span>
<span class="cm"> * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF</span>
<span class="cm"> * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING</span>
<span class="cm"> * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS</span>
<span class="cm"> * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</span>
<span class="cm"> */</span>

<span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdint.h&gt;</span>
<span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;assert.h&gt;</span>

<span class="cp">#include</span><span class="w"> </span><span class="cpf">&quot;hal.h&quot;</span>

<span class="cp">#include</span><span class="w"> </span><span class="cpf">&quot;asn1_internal.h&quot;</span>

<span class="cm">/*</span>
<span class="cm"> * Encode tag and length fields of an ASN.1 object.</span>
<span class="cm"> *</span>
<span class="cm"> * Sets *der_len to the size of of the ASN.1 header (tag and length</span>
<span class="cm"> * fields); caller supplied length of value field, so presumably</span>
<span class="cm"> * already knows it.</span>
<span class="cm"> *</span>
<span class="cm"> * If der is NULL, just return the size of the header that would be</span>
<span class="cm"> * encoded and returns HAL_OK.</span>
<span class="cm"> *</span>
<span class="cm"> * If der isn&#39;t NULL, returns HAL_ERROR_RESULT_TOO_LONG unless full</span>
<span class="cm"> * header plus value will fit; this is a bit weird, but is useful when</span>
<span class="cm"> * using this to construct encoders for complte ASN.1 objects.</span>
<span class="cm"> */</span>

<span class="n">hal_error_t</span><span class="w"> </span><span class="nf">hal_asn1_encode_header</span><span class="p">(</span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="n">tag</span><span class="p">,</span>
<span class="w">				   </span><span class="k">const</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">value_len</span><span class="p">,</span>
<span class="w">				   </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">*</span><span class="n">der</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="o">*</span><span class="n">der_len</span><span class="p">,</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">der_max</span><span class="p">)</span>
<span class="p">{</span>
<span class="w">  </span><span class="kt">size_t</span><span class="w"> </span><span class="n">header_len</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">2</span><span class="p">;</span><span class="w">	</span><span class="cm">/* Shortest encoding is one octet each for tag and length */</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">value_len</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="mi">128</span><span class="p">)</span><span class="w">		</span><span class="cm">/* Add octets for longer length encoding as needed */</span>
<span class="w">    </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kt">size_t</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">value_len</span><span class="p">;</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="o">&gt;&gt;=</span><span class="w"> </span><span class="mi">8</span><span class="p">)</span>
<span class="w">      </span><span class="o">++</span><span class="n">header_len</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">der_len</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span>
<span class="w">    </span><span class="o">*</span><span class="n">der_len</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">header_len</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">der</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span><span class="w">		</span><span class="cm">/* If caller just wanted the length, we&#39;re done */</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">;</span>

<span class="w">  </span><span class="cm">/*</span>
<span class="cm">   * Make sure there&#39;s enough room for header + value, then encode.</span>
<span class="cm">   */</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">value_len</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">header_len</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">der_max</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_RESULT_TOO_LONG</span><span class="p">;</span>

<span class="w">  </span><span class="o">*</span><span class="n">der</span><span class="o">++</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">tag</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">value_len</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">128</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w">    </span><span class="o">*</span><span class="n">der</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)</span><span class="w"> </span><span class="n">value_len</span><span class="p">;</span>
<span class="w">  </span><span class="p">}</span>

<span class="w">  </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w">    </span><span class="o">*</span><span class="n">der</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mh">0x80</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="n">header_len</span><span class="w"> </span><span class="o">-=</span><span class="w"> </span><span class="mi">2</span><span class="p">);</span>
<span class="w">    </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kt">size_t</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">value_len</span><span class="p">;</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="n">header_len</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="o">&gt;&gt;=</span><span class="w"> </span><span class="mi">8</span><span class="p">)</span>
<span class="w">      </span><span class="n">der</span><span class="p">[</span><span class="n">header_len</span><span class="o">--</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="n">n</span><span class="w"> </span><span class="o">&amp;</span><span class="w"> </span><span class="mh">0xFF</span><span class="p">);</span>
<span class="w">  </span><span class="p">}</span>

<span class="w">  </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">;</span>
<span class="p">}</span>

<span class="cm">/*</span>
<span class="cm"> * Encode an unsigned ASN.1 INTEGER from a libtfm bignum.  If der is</span>
<span class="cm"> * NULL, just return the length of what we would have encoded.</span>
<span class="cm"> */</span>

<span class="n">hal_error_t</span><span class="w"> </span><span class="nf">hal_asn1_encode_integer</span><span class="p">(</span><span class="k">const</span><span class="w"> </span><span class="n">fp_int</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="n">bn</span><span class="p">,</span>
<span class="w">				    </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">*</span><span class="n">der</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="o">*</span><span class="n">der_len</span><span class="p">,</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">der_max</span><span class="p">)</span>
<span class="p">{</span>
<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">bn</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_BAD_ARGUMENTS</span><span class="p">;</span>

<span class="w">  </span><span class="cm">/*</span>
<span class="cm">   * We only handle unsigned INTEGERs, so we need to pad data with a</span>
<span class="cm">   * leading zero if the most significant bit is set, to avoid</span>
<span class="cm">   * flipping the ASN.1 sign bit.  Conveniently, this also handles the</span>
<span class="cm">   * difference between libtfm&#39;s and ASN.1&#39;s encoding of zero.</span>
<span class="cm">   */</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">fp_cmp_d</span><span class="p">(</span><span class="n">unconst_fp_int</span><span class="p">(</span><span class="n">bn</span><span class="p">),</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">FP_LT</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_BAD_ARGUMENTS</span><span class="p">;</span>

<span class="w">  </span><span class="k">const</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">leading_zero</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">fp_iszero</span><span class="p">(</span><span class="n">bn</span><span class="p">)</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="p">(</span><span class="n">fp_count_bits</span><span class="p">(</span><span class="n">unconst_fp_int</span><span class="p">(</span><span class="n">bn</span><span class="p">))</span><span class="w"> </span><span class="o">&amp;</span><span class="w"> </span><span class="mi">7</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="w">  </span><span class="k">const</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">vlen</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">fp_unsigned_bin_size</span><span class="p">(</span><span class="n">unconst_fp_int</span><span class="p">(</span><span class="n">bn</span><span class="p">))</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">leading_zero</span><span class="p">;</span>
<span class="w">  </span><span class="n">hal_error_t</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>
<span class="w">  </span><span class="kt">size_t</span><span class="w"> </span><span class="n">hlen</span><span class="p">;</span>

<span class="w">  </span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_encode_header</span><span class="p">(</span><span class="n">ASN1_INTEGER</span><span class="p">,</span><span class="w"> </span><span class="n">vlen</span><span class="p">,</span><span class="w"> </span><span class="n">der</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="n">der_max</span><span class="p">);</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">der_len</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span>
<span class="w">    </span><span class="o">*</span><span class="n">der_len</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hlen</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">vlen</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">der</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>

<span class="w">  </span><span class="n">assert</span><span class="p">(</span><span class="n">hlen</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">vlen</span><span class="w"> </span><span class="o">&lt;=</span><span class="w"> </span><span class="n">der_max</span><span class="p">);</span>

<span class="w">  </span><span class="n">der</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">hlen</span><span class="p">;</span>
<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">leading_zero</span><span class="p">)</span>
<span class="w">    </span><span class="o">*</span><span class="n">der</span><span class="o">++</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mh">0x00</span><span class="p">;</span>
<span class="w">  </span><span class="n">fp_to_unsigned_bin</span><span class="p">(</span><span class="n">unconst_fp_int</span><span class="p">(</span><span class="n">bn</span><span class="p">),</span><span class="w"> </span><span class="n">der</span><span class="p">);</span>

<span class="w">  </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">;</span>
<span class="p">}</span>

<span class="cm">/*</span>
<span class="cm"> * Encode a public key into an RFC 5280 SubjectPublicKeyInfo.</span>
<span class="cm"> */</span>

<span class="n">hal_error_t</span><span class="w"> </span><span class="nf">hal_asn1_encode_spki</span><span class="p">(</span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="n">alg_oid</span><span class="p">,</span><span class="w">   </span><span class="k">const</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">alg_oid_len</span><span class="p">,</span>
<span class="w">                                 </span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="n">curve_oid</span><span class="p">,</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">curve_oid_len</span><span class="p">,</span>
<span class="w">                                 </span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="n">pubkey</span><span class="p">,</span><span class="w">    </span><span class="k">const</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">pubkey_len</span><span class="p">,</span>
<span class="w">                                 </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">*</span><span class="n">der</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="o">*</span><span class="n">der_len</span><span class="p">,</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">der_max</span><span class="p">)</span>
<span class="p">{</span>
<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">alg_oid</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">alg_oid_len</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">pubkey_len</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">||</span>
<span class="w">      </span><span class="p">(</span><span class="n">der</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="n">pubkey</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="p">(</span><span class="n">curve_oid</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="n">curve_oid_len</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mi">0</span><span class="p">))</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_BAD_ARGUMENTS</span><span class="p">;</span>

<span class="w">  </span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="n">curve_oid_tag</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">curve_oid</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="n">ASN1_NULL</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">ASN1_OBJECT_IDENTIFIER</span><span class="p">;</span>

<span class="w">  </span><span class="n">hal_error_t</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>

<span class="w">  </span><span class="kt">size_t</span><span class="w"> </span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="n">hlen_spki</span><span class="p">,</span><span class="w"> </span><span class="n">hlen_algid</span><span class="p">,</span><span class="w"> </span><span class="n">hlen_alg</span><span class="p">,</span><span class="w"> </span><span class="n">hlen_curve</span><span class="p">,</span><span class="w"> </span><span class="n">hlen_bit</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_encode_header</span><span class="p">(</span><span class="n">ASN1_OBJECT_IDENTIFIER</span><span class="p">,</span><span class="w"> </span><span class="n">alg_oid_len</span><span class="p">,</span><span class="w">    </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen_alg</span><span class="p">,</span><span class="w">   </span><span class="mi">0</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="w"> </span><span class="o">||</span>
<span class="w">      </span><span class="p">(</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_encode_header</span><span class="p">(</span><span class="n">curve_oid_tag</span><span class="p">,</span><span class="w">          </span><span class="n">curve_oid_len</span><span class="p">,</span><span class="w">  </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen_curve</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="w"> </span><span class="o">||</span>
<span class="w">      </span><span class="p">(</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_encode_header</span><span class="p">(</span><span class="n">ASN1_BIT_STRING</span><span class="p">,</span><span class="w">        </span><span class="mi">1</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">pubkey_len</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen_bit</span><span class="p">,</span><span class="w">   </span><span class="mi">0</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>

<span class="w">  </span><span class="k">const</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">algid_len</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hlen_alg</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">alg_oid_len</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">hlen_curve</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">curve_oid_len</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_encode_header</span><span class="p">(</span><span class="n">ASN1_SEQUENCE</span><span class="p">,</span><span class="w">          </span><span class="n">algid_len</span><span class="p">,</span><span class="w">     </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen_algid</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>

<span class="w">  </span><span class="k">const</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">vlen</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hlen_algid</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">hlen_alg</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">alg_oid_len</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">hlen_curve</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">curve_oid_len</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">hlen_bit</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">pubkey_len</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_encode_header</span><span class="p">(</span><span class="n">ASN1_SEQUENCE</span><span class="p">,</span><span class="w">          </span><span class="n">vlen</span><span class="p">,</span><span class="w">          </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen_spki</span><span class="p">,</span><span class="w">  </span><span class="mi">0</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>

<span class="w">  </span><span class="cm">/*</span>
<span class="cm">   * Handle pubkey early, in case it was staged into our output buffer.</span>
<span class="cm">   */</span>
<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">der</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="n">hlen_spki</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">vlen</span><span class="w"> </span><span class="o">&lt;=</span><span class="w"> </span><span class="n">der_max</span><span class="p">)</span>
<span class="w">    </span><span class="n">memmove</span><span class="p">(</span><span class="n">der</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">hlen_spki</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">vlen</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">pubkey_len</span><span class="p">,</span><span class="w"> </span><span class="n">pubkey</span><span class="p">,</span><span class="w"> </span><span class="n">pubkey_len</span><span class="p">);</span>

<span class="w">  </span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_encode_header</span><span class="p">(</span><span class="n">ASN1_SEQUENCE</span><span class="p">,</span><span class="w"> </span><span class="n">vlen</span><span class="p">,</span><span class="w"> </span><span class="n">der</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="n">der_max</span><span class="p">);</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">der_len</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span>
<span class="w">    </span><span class="o">*</span><span class="n">der_len</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hlen</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">vlen</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">der</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>

<span class="w">  </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">*</span><span class="n">d</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">der</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">hlen</span><span class="p">;</span>
<span class="w">  </span><span class="n">memset</span><span class="p">(</span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">vlen</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">pubkey_len</span><span class="p">);</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_encode_header</span><span class="p">(</span><span class="n">ASN1_SEQUENCE</span><span class="p">,</span><span class="w"> </span><span class="n">algid_len</span><span class="p">,</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="n">der</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">der_max</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">d</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>
<span class="w">  </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">hlen</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_encode_header</span><span class="p">(</span><span class="n">ASN1_OBJECT_IDENTIFIER</span><span class="p">,</span><span class="w"> </span><span class="n">alg_oid_len</span><span class="p">,</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="n">der</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">der_max</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">d</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>
<span class="w">  </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">hlen</span><span class="p">;</span>
<span class="w">  </span><span class="n">memcpy</span><span class="p">(</span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="n">alg_oid</span><span class="p">,</span><span class="w"> </span><span class="n">alg_oid_len</span><span class="p">);</span>
<span class="w">  </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">alg_oid_len</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_encode_header</span><span class="p">(</span><span class="n">curve_oid_tag</span><span class="p">,</span><span class="w"> </span><span class="n">curve_oid_len</span><span class="p">,</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="n">der</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">der_max</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">d</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>
<span class="w">  </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">hlen</span><span class="p">;</span>
<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">curve_oid</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span>
<span class="w">    </span><span class="n">memcpy</span><span class="p">(</span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="n">curve_oid</span><span class="p">,</span><span class="w"> </span><span class="n">curve_oid_len</span><span class="p">);</span>
<span class="w">  </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">curve_oid_len</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_encode_header</span><span class="p">(</span><span class="n">ASN1_BIT_STRING</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">pubkey_len</span><span class="p">,</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="n">der</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">der_max</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">d</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>
<span class="w">  </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">hlen</span><span class="p">;</span>
<span class="w">  </span><span class="o">*</span><span class="n">d</span><span class="o">++</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mh">0x00</span><span class="p">;</span>

<span class="w">  </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">pubkey_len</span><span class="p">;</span><span class="w">              </span><span class="cm">/* pubkey handled early, above. */</span>

<span class="w">  </span><span class="n">assert</span><span class="p">(</span><span class="n">d</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">der</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">hlen_spki</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">vlen</span><span class="p">);</span>
<span class="w">  </span><span class="n">assert</span><span class="p">(</span><span class="n">d</span><span class="w"> </span><span class="o">&lt;=</span><span class="w"> </span><span class="n">der</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">der_max</span><span class="p">);</span>

<span class="w">  </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">;</span>
<span class="p">}</span>

<span class="cm">/*</span>
<span class="cm"> * Parse tag and length of an ASN.1 object.  Tag must match value</span>
<span class="cm"> * specified by the caller.  On success, sets hlen and vlen to lengths</span>
<span class="cm"> * of header and value, respectively.</span>
<span class="cm"> */</span>

<span class="n">hal_error_t</span><span class="w"> </span><span class="nf">hal_asn1_decode_header</span><span class="p">(</span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="n">tag</span><span class="p">,</span>
<span class="w">				   </span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="n">der</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">der_max</span><span class="p">,</span>
<span class="w">				   </span><span class="kt">size_t</span><span class="w"> </span><span class="o">*</span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="o">*</span><span class="n">vlen</span><span class="p">)</span>
<span class="p">{</span>
<span class="w">  </span><span class="n">assert</span><span class="p">(</span><span class="n">der</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="n">hlen</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="n">vlen</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">der_max</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">der</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">tag</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_ASN1_PARSE_FAILED</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">der</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="w"> </span><span class="o">&amp;</span><span class="w"> </span><span class="mh">0x80</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w">    </span><span class="o">*</span><span class="n">hlen</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">2</span><span class="p">;</span>
<span class="w">    </span><span class="o">*</span><span class="n">vlen</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">der</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span>
<span class="w">  </span><span class="p">}</span>

<span class="w">  </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w">    </span><span class="o">*</span><span class="n">hlen</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="p">(</span><span class="n">der</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="w"> </span><span class="o">&amp;</span><span class="w"> </span><span class="mh">0x7F</span><span class="p">);</span>
<span class="w">    </span><span class="o">*</span><span class="n">vlen</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>

<span class="w">    </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="n">hlen</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">der_max</span><span class="p">)</span>
<span class="w">      </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_ASN1_PARSE_FAILED</span><span class="p">;</span>

<span class="w">    </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kt">size_t</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">2</span><span class="p">;</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="o">*</span><span class="n">hlen</span><span class="p">;</span><span class="w"> </span><span class="n">i</span><span class="o">++</span><span class="p">)</span>
<span class="w">      </span><span class="o">*</span><span class="n">vlen</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="n">vlen</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="mi">8</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">der</span><span class="p">[</span><span class="n">i</span><span class="p">];</span>
<span class="w">  </span><span class="p">}</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="n">hlen</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="o">*</span><span class="n">vlen</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">der_max</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_ASN1_PARSE_FAILED</span><span class="p">;</span>

<span class="w">  </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">;</span>
<span class="p">}</span>

<span class="cm">/*</span>
<span class="cm"> * Decode an ASN.1 INTEGER into a libtfm bignum.  Since we only</span>
<span class="cm"> * support (or need to support, or expect to see) unsigned integers,</span>
<span class="cm"> * we return failure if the sign bit is set in the ASN.1 INTEGER.</span>
<span class="cm"> */</span>

<span class="n">hal_error_t</span><span class="w"> </span><span class="nf">hal_asn1_decode_integer</span><span class="p">(</span><span class="n">fp_int</span><span class="w"> </span><span class="o">*</span><span class="n">bn</span><span class="p">,</span>
<span class="w">				    </span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="n">der</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="o">*</span><span class="n">der_len</span><span class="p">,</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">der_max</span><span class="p">)</span>
<span class="p">{</span>
<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">bn</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">der</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_BAD_ARGUMENTS</span><span class="p">;</span>

<span class="w">  </span><span class="n">hal_error_t</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>
<span class="w">  </span><span class="kt">size_t</span><span class="w"> </span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="n">vlen</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_decode_header</span><span class="p">(</span><span class="n">ASN1_INTEGER</span><span class="p">,</span><span class="w"> </span><span class="n">der</span><span class="p">,</span><span class="w"> </span><span class="n">der_max</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">vlen</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">der_len</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span>
<span class="w">    </span><span class="o">*</span><span class="n">der_len</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hlen</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">vlen</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">vlen</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="p">(</span><span class="n">der</span><span class="p">[</span><span class="n">hlen</span><span class="p">]</span><span class="w"> </span><span class="o">&amp;</span><span class="w"> </span><span class="mh">0x80</span><span class="p">)</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mh">0x00</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_ASN1_PARSE_FAILED</span><span class="p">;</span>

<span class="w">  </span><span class="n">fp_init</span><span class="p">(</span><span class="n">bn</span><span class="p">);</span>
<span class="w">  </span><span class="n">fp_read_unsigned_bin</span><span class="p">(</span><span class="n">bn</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="n">der</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="n">vlen</span><span class="p">);</span>
<span class="w">  </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">;</span>
<span class="p">}</span>

<span class="cm">/*</span>
<span class="cm"> * Decode a public key from an RFC 5280 SubjectPublicKeyInfo.</span>
<span class="cm"> */</span>

<span class="n">hal_error_t</span><span class="w"> </span><span class="nf">hal_asn1_decode_spki</span><span class="p">(</span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">**</span><span class="n">alg_oid</span><span class="p">,</span><span class="w">   </span><span class="kt">size_t</span><span class="w"> </span><span class="o">*</span><span class="n">alg_oid_len</span><span class="p">,</span>
<span class="w">                                 </span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">**</span><span class="n">curve_oid</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="o">*</span><span class="n">curve_oid_len</span><span class="p">,</span>
<span class="w">                                 </span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">**</span><span class="n">pubkey</span><span class="p">,</span><span class="w">    </span><span class="kt">size_t</span><span class="w"> </span><span class="o">*</span><span class="n">pubkey_len</span><span class="p">,</span>
<span class="w">                                 </span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">*</span><span class="k">const</span><span class="w"> </span><span class="n">der</span><span class="p">,</span><span class="w">  </span><span class="k">const</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">der_len</span><span class="p">)</span>
<span class="p">{</span>
<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">alg_oid</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">alg_oid_len</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">curve_oid</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">curve_oid_len</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">||</span>
<span class="w">      </span><span class="n">pubkey</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">pubkey_len</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">der</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_BAD_ARGUMENTS</span><span class="p">;</span>

<span class="w">  </span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="n">der_end</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">der</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">der_len</span><span class="p">;</span>
<span class="w">  </span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">*</span><span class="n">d</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">der</span><span class="p">;</span>

<span class="w">  </span><span class="kt">size_t</span><span class="w"> </span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="n">vlen</span><span class="p">;</span>
<span class="w">  </span><span class="n">hal_error_t</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_decode_header</span><span class="p">(</span><span class="n">ASN1_SEQUENCE</span><span class="p">,</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="n">der_end</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">vlen</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>
<span class="w">  </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">hlen</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_decode_header</span><span class="p">(</span><span class="n">ASN1_SEQUENCE</span><span class="p">,</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="n">der_end</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">vlen</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>
<span class="w">  </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">hlen</span><span class="p">;</span>

<span class="w">  </span><span class="k">const</span><span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="n">algid_end</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">d</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">vlen</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_decode_header</span><span class="p">(</span><span class="n">ASN1_OBJECT_IDENTIFIER</span><span class="p">,</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="n">algid_end</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">vlen</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>
<span class="w">  </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">hlen</span><span class="p">;</span>
<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">vlen</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">algid_end</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">d</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_ASN1_PARSE_FAILED</span><span class="p">;</span>
<span class="w">  </span><span class="o">*</span><span class="n">alg_oid</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">d</span><span class="p">;</span>
<span class="w">  </span><span class="o">*</span><span class="n">alg_oid_len</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">vlen</span><span class="p">;</span>
<span class="w">  </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">vlen</span><span class="p">;</span>

<span class="w">  </span><span class="o">*</span><span class="n">curve_oid</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">;</span>
<span class="w">  </span><span class="o">*</span><span class="n">curve_oid_len</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">d</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="n">algid_end</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w">    </span><span class="k">switch</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="n">d</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>

<span class="w">    </span><span class="k">case</span><span class="w"> </span><span class="no">ASN1_OBJECT_IDENTIFIER</span><span class="p">:</span>
<span class="w">      </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_decode_header</span><span class="p">(</span><span class="n">ASN1_OBJECT_IDENTIFIER</span><span class="p">,</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="n">algid_end</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">vlen</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">        </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>
<span class="w">      </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">hlen</span><span class="p">;</span>
<span class="w">      </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">vlen</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">algid_end</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">d</span><span class="p">)</span>
<span class="w">        </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_ASN1_PARSE_FAILED</span><span class="p">;</span>
<span class="w">      </span><span class="o">*</span><span class="n">curve_oid</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">d</span><span class="p">;</span>
<span class="w">      </span><span class="o">*</span><span class="n">curve_oid_len</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">vlen</span><span class="p">;</span>
<span class="w">      </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">vlen</span><span class="p">;</span>
<span class="w">      </span><span class="k">break</span><span class="p">;</span>

<span class="w">    </span><span class="k">case</span><span class="w"> </span><span class="no">ASN1_NULL</span><span class="p">:</span>
<span class="w">      </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_decode_header</span><span class="p">(</span><span class="n">ASN1_NULL</span><span class="p">,</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="n">algid_end</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">vlen</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">        </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>
<span class="w">      </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">hlen</span><span class="p">;</span>
<span class="w">      </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">vlen</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span>
<span class="w">        </span><span class="k">break</span><span class="p">;</span>

<span class="w">    </span><span class="k">default</span><span class="o">:</span>
<span class="w">      </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_ASN1_PARSE_FAILED</span><span class="p">;</span>
<span class="w">    </span><span class="p">}</span>
<span class="w">  </span><span class="p">}</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">d</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">algid_end</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_ASN1_PARSE_FAILED</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">hal_asn1_decode_header</span><span class="p">(</span><span class="n">ASN1_BIT_STRING</span><span class="p">,</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="n">der_end</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">d</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hlen</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">vlen</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">err</span><span class="p">;</span>
<span class="w">  </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">hlen</span><span class="p">;</span>
<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">vlen</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="n">algid_end</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">d</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">vlen</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="o">*</span><span class="n">d</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mh">0x00</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_ASN1_PARSE_FAILED</span><span class="p">;</span>
<span class="w">  </span><span class="o">*</span><span class="n">pubkey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">++</span><span class="n">d</span><span class="p">;</span>
<span class="w">  </span><span class="o">*</span><span class="n">pubkey_len</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">--</span><span class="n">vlen</span><span class="p">;</span>
<span class="w">  </span><span class="n">d</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">vlen</span><span class="p">;</span>

<span class="w">  </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">d</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">der_end</span><span class="p">)</span>
<span class="w">    </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_ERROR_ASN1_PARSE_FAILED</span><span class="p">;</span>

<span class="w">  </span><span class="k">return</span><span class="w"> </span><span class="n">HAL_OK</span><span class="p">;</span>
<span class="p">}</span>

<span class="cm">/*</span>
<span class="cm"> * Local variables:</span>
<span class="cm"> * indent-tabs-mode: nil</span>
<span class="cm"> * End:</span>
<span class="cm"> */</span>
</pre></div>
</code></pre></td></tr></table>
</div> <!-- class=content -->
<div class='footer'>generated by <a href='https://git.zx2c4.com/cgit/about/'>cgit v1.2.3</a> (<a href='https://git-scm.com/'>git 2.25.1</a>) at 2024-10-01 13:37:39 +0000</div>
</div> <!-- id=cgit -->
</body>
</html>