1 /* 2 * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include "internal/cryptlib.h" 12 #include <openssl/bn.h> 13 #include <openssl/rsa.h> 14 #include <openssl/evp.h> 15 #include <openssl/rand.h> 16 #include <openssl/sha.h> 17 #include "rsa_locl.h" 18 19 static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; 20 21 #if defined(_MSC_VER) && defined(_ARM_) 22 # pragma optimize("g", off) 23 #endif 24 25 int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, 26 const EVP_MD *Hash, const unsigned char *EM, 27 int sLen) 28 { 29 return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen); 30 } 31 32 int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, 33 const EVP_MD *Hash, const EVP_MD *mgf1Hash, 34 const unsigned char *EM, int sLen) 35 { 36 int i; 37 int ret = 0; 38 int hLen, maskedDBLen, MSBits, emLen; 39 const unsigned char *H; 40 unsigned char *DB = NULL; 41 EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 42 unsigned char H_[EVP_MAX_MD_SIZE]; 43 44 if (ctx == NULL) 45 goto err; 46 47 if (mgf1Hash == NULL) 48 mgf1Hash = Hash; 49 50 hLen = EVP_MD_size(Hash); 51 if (hLen < 0) 52 goto err; 53 /*- 54 * Negative sLen has special meanings: 55 * -1 sLen == hLen 56 * -2 salt length is autorecovered from signature 57 * -3 salt length is maximized 58 * -N reserved 59 */ 60 if (sLen == RSA_PSS_SALTLEN_DIGEST) { 61 sLen = hLen; 62 } else if (sLen < RSA_PSS_SALTLEN_MAX) { 63 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); 64 goto err; 65 } 66 67 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 68 emLen = RSA_size(rsa); 69 if (EM[0] & (0xFF << MSBits)) { 70 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID); 71 goto err; 72 } 73 if (MSBits == 0) { 74 EM++; 75 emLen--; 76 } 77 if (emLen < hLen + 2) { 78 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE); 79 goto err; 80 } 81 if (sLen == RSA_PSS_SALTLEN_MAX) { 82 sLen = emLen - hLen - 2; 83 } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */ 84 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE); 85 goto err; 86 } 87 if (EM[emLen - 1] != 0xbc) { 88 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID); 89 goto err; 90 } 91 maskedDBLen = emLen - hLen - 1; 92 H = EM + maskedDBLen; 93 DB = OPENSSL_malloc(maskedDBLen); 94 if (DB == NULL) { 95 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE); 96 goto err; 97 } 98 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) 99 goto err; 100 for (i = 0; i < maskedDBLen; i++) 101 DB[i] ^= EM[i]; 102 if (MSBits) 103 DB[0] &= 0xFF >> (8 - MSBits); 104 for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ; 105 if (DB[i++] != 0x1) { 106 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED); 107 goto err; 108 } 109 if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) { 110 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); 111 goto err; 112 } 113 if (!EVP_DigestInit_ex(ctx, Hash, NULL) 114 || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes)) 115 || !EVP_DigestUpdate(ctx, mHash, hLen)) 116 goto err; 117 if (maskedDBLen - i) { 118 if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i)) 119 goto err; 120 } 121 if (!EVP_DigestFinal_ex(ctx, H_, NULL)) 122 goto err; 123 if (memcmp(H_, H, hLen)) { 124 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE); 125 ret = 0; 126 } else { 127 ret = 1; 128 } 129 130 err: 131 OPENSSL_free(DB); 132 EVP_MD_CTX_free(ctx); 133 134 return ret; 135 136 } 137 138 int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, 139 const unsigned char *mHash, 140 const EVP_MD *Hash, int sLen) 141 { 142 return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen); 143 } 144 145 int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, 146 const unsigned char *mHash, 147 const EVP_MD *Hash, const EVP_MD *mgf1Hash, 148 int sLen) 149 { 150 int i; 151 int ret = 0; 152 int hLen, maskedDBLen, MSBits, emLen; 153 unsigned char *H, *salt = NULL, *p; 154 EVP_MD_CTX *ctx = NULL; 155 156 if (mgf1Hash == NULL) 157 mgf1Hash = Hash; 158 159 hLen = EVP_MD_size(Hash); 160 if (hLen < 0) 161 goto err; 162 /*- 163 * Negative sLen has special meanings: 164 * -1 sLen == hLen 165 * -2 salt length is maximized 166 * -3 same as above (on signing) 167 * -N reserved 168 */ 169 if (sLen == RSA_PSS_SALTLEN_DIGEST) { 170 sLen = hLen; 171 } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) { 172 sLen = RSA_PSS_SALTLEN_MAX; 173 } else if (sLen < RSA_PSS_SALTLEN_MAX) { 174 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); 175 goto err; 176 } 177 178 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 179 emLen = RSA_size(rsa); 180 if (MSBits == 0) { 181 *EM++ = 0; 182 emLen--; 183 } 184 if (emLen < hLen + 2) { 185 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, 186 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 187 goto err; 188 } 189 if (sLen == RSA_PSS_SALTLEN_MAX) { 190 sLen = emLen - hLen - 2; 191 } else if (sLen > emLen - hLen - 2) { 192 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, 193 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 194 goto err; 195 } 196 if (sLen > 0) { 197 salt = OPENSSL_malloc(sLen); 198 if (salt == NULL) { 199 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, 200 ERR_R_MALLOC_FAILURE); 201 goto err; 202 } 203 if (RAND_bytes(salt, sLen) <= 0) 204 goto err; 205 } 206 maskedDBLen = emLen - hLen - 1; 207 H = EM + maskedDBLen; 208 ctx = EVP_MD_CTX_new(); 209 if (ctx == NULL) 210 goto err; 211 if (!EVP_DigestInit_ex(ctx, Hash, NULL) 212 || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes)) 213 || !EVP_DigestUpdate(ctx, mHash, hLen)) 214 goto err; 215 if (sLen && !EVP_DigestUpdate(ctx, salt, sLen)) 216 goto err; 217 if (!EVP_DigestFinal_ex(ctx, H, NULL)) 218 goto err; 219 220 /* Generate dbMask in place then perform XOR on it */ 221 if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) 222 goto err; 223 224 p = EM; 225 226 /* 227 * Initial PS XORs with all zeroes which is a NOP so just update pointer. 228 * Note from a test above this value is guaranteed to be non-negative. 229 */ 230 p += emLen - sLen - hLen - 2; 231 *p++ ^= 0x1; 232 if (sLen > 0) { 233 for (i = 0; i < sLen; i++) 234 *p++ ^= salt[i]; 235 } 236 if (MSBits) 237 EM[0] &= 0xFF >> (8 - MSBits); 238 239 /* H is already in place so just set final 0xbc */ 240 241 EM[emLen - 1] = 0xbc; 242 243 ret = 1; 244 245 err: 246 EVP_MD_CTX_free(ctx); 247 OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */ 248 249 return ret; 250 251 } 252 253 #if defined(_MSC_VER) 254 # pragma optimize("",on) 255 #endif 256