rsa_pss.c 7.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256
  1. /* rsa_pss.c */
  2. /*
  3. * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
  4. * 2005.
  5. */
  6. /* ====================================================================
  7. * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
  8. *
  9. * Redistribution and use in source and binary forms, with or without
  10. * modification, are permitted provided that the following conditions
  11. * are met:
  12. *
  13. * 1. Redistributions of source code must retain the above copyright
  14. * notice, this list of conditions and the following disclaimer.
  15. *
  16. * 2. Redistributions in binary form must reproduce the above copyright
  17. * notice, this list of conditions and the following disclaimer in
  18. * the documentation and/or other materials provided with the
  19. * distribution.
  20. *
  21. * 3. All advertising materials mentioning features or use of this
  22. * software must display the following acknowledgment:
  23. * "This product includes software developed by the OpenSSL Project
  24. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  25. *
  26. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  27. * endorse or promote products derived from this software without
  28. * prior written permission. For written permission, please contact
  29. * licensing@OpenSSL.org.
  30. *
  31. * 5. Products derived from this software may not be called "OpenSSL"
  32. * nor may "OpenSSL" appear in their names without prior written
  33. * permission of the OpenSSL Project.
  34. *
  35. * 6. Redistributions of any form whatsoever must retain the following
  36. * acknowledgment:
  37. * "This product includes software developed by the OpenSSL Project
  38. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  39. *
  40. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  41. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  43. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  44. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  45. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  46. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  47. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  49. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  50. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  51. * OF THE POSSIBILITY OF SUCH DAMAGE.
  52. * ====================================================================
  53. *
  54. * This product includes cryptographic software written by Eric Young
  55. * (eay@cryptsoft.com). This product includes software written by Tim
  56. * Hudson (tjh@cryptsoft.com).
  57. *
  58. */
  59. #include <stdio.h>
  60. #include "cryptlib.h"
  61. #include <openssl/bn.h>
  62. #include <openssl/rsa.h>
  63. #include <openssl/evp.h>
  64. #include <openssl/rand.h>
  65. #include <openssl/sha.h>
  66. static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
  67. #if defined(_MSC_VER) && defined(_ARM_)
  68. # pragma optimize("g", off)
  69. #endif
  70. int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
  71. const EVP_MD *Hash, const unsigned char *EM,
  72. int sLen)
  73. {
  74. int i;
  75. int ret = 0;
  76. int hLen, maskedDBLen, MSBits, emLen;
  77. const unsigned char *H;
  78. unsigned char *DB = NULL;
  79. EVP_MD_CTX ctx;
  80. unsigned char H_[EVP_MAX_MD_SIZE];
  81. hLen = M_EVP_MD_size(Hash);
  82. /*-
  83. * Negative sLen has special meanings:
  84. * -1 sLen == hLen
  85. * -2 salt length is autorecovered from signature
  86. * -N reserved
  87. */
  88. if (sLen == -1)
  89. sLen = hLen;
  90. else if (sLen == -2)
  91. sLen = -2;
  92. else if (sLen < -2) {
  93. RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
  94. goto err;
  95. }
  96. MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
  97. emLen = RSA_size(rsa);
  98. if (EM[0] & (0xFF << MSBits)) {
  99. RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID);
  100. goto err;
  101. }
  102. if (MSBits == 0) {
  103. EM++;
  104. emLen--;
  105. }
  106. if (emLen < (hLen + sLen + 2)) { /* sLen can be small negative */
  107. RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE);
  108. goto err;
  109. }
  110. if (EM[emLen - 1] != 0xbc) {
  111. RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID);
  112. goto err;
  113. }
  114. maskedDBLen = emLen - hLen - 1;
  115. H = EM + maskedDBLen;
  116. DB = OPENSSL_malloc(maskedDBLen);
  117. if (!DB) {
  118. RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE);
  119. goto err;
  120. }
  121. PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash);
  122. for (i = 0; i < maskedDBLen; i++)
  123. DB[i] ^= EM[i];
  124. if (MSBits)
  125. DB[0] &= 0xFF >> (8 - MSBits);
  126. for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
  127. if (DB[i++] != 0x1) {
  128. RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED);
  129. goto err;
  130. }
  131. if (sLen >= 0 && (maskedDBLen - i) != sLen) {
  132. RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
  133. goto err;
  134. }
  135. EVP_MD_CTX_init(&ctx);
  136. EVP_DigestInit_ex(&ctx, Hash, NULL);
  137. EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
  138. EVP_DigestUpdate(&ctx, mHash, hLen);
  139. if (maskedDBLen - i)
  140. EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i);
  141. EVP_DigestFinal(&ctx, H_, NULL);
  142. EVP_MD_CTX_cleanup(&ctx);
  143. if (memcmp(H_, H, hLen)) {
  144. RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE);
  145. ret = 0;
  146. } else
  147. ret = 1;
  148. err:
  149. if (DB)
  150. OPENSSL_free(DB);
  151. return ret;
  152. }
  153. int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
  154. const unsigned char *mHash,
  155. const EVP_MD *Hash, int sLen)
  156. {
  157. int i;
  158. int ret = 0;
  159. int hLen, maskedDBLen, MSBits, emLen;
  160. unsigned char *H, *salt = NULL, *p;
  161. EVP_MD_CTX ctx;
  162. hLen = M_EVP_MD_size(Hash);
  163. /*-
  164. * Negative sLen has special meanings:
  165. * -1 sLen == hLen
  166. * -2 salt length is maximized
  167. * -N reserved
  168. */
  169. if (sLen == -1)
  170. sLen = hLen;
  171. else if (sLen == -2)
  172. sLen = -2;
  173. else if (sLen < -2) {
  174. RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
  175. goto err;
  176. }
  177. MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
  178. emLen = RSA_size(rsa);
  179. if (MSBits == 0) {
  180. *EM++ = 0;
  181. emLen--;
  182. }
  183. if (sLen == -2) {
  184. sLen = emLen - hLen - 2;
  185. } else if (emLen < (hLen + sLen + 2)) {
  186. RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
  187. RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
  188. goto err;
  189. }
  190. if (sLen > 0) {
  191. salt = OPENSSL_malloc(sLen);
  192. if (!salt) {
  193. RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, ERR_R_MALLOC_FAILURE);
  194. goto err;
  195. }
  196. if (RAND_bytes(salt, sLen) <= 0)
  197. goto err;
  198. }
  199. maskedDBLen = emLen - hLen - 1;
  200. H = EM + maskedDBLen;
  201. EVP_MD_CTX_init(&ctx);
  202. EVP_DigestInit_ex(&ctx, Hash, NULL);
  203. EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
  204. EVP_DigestUpdate(&ctx, mHash, hLen);
  205. if (sLen)
  206. EVP_DigestUpdate(&ctx, salt, sLen);
  207. EVP_DigestFinal(&ctx, H, NULL);
  208. EVP_MD_CTX_cleanup(&ctx);
  209. /* Generate dbMask in place then perform XOR on it */
  210. PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash);
  211. p = EM;
  212. /*
  213. * Initial PS XORs with all zeroes which is a NOP so just update pointer.
  214. * Note from a test above this value is guaranteed to be non-negative.
  215. */
  216. p += emLen - sLen - hLen - 2;
  217. *p++ ^= 0x1;
  218. if (sLen > 0) {
  219. for (i = 0; i < sLen; i++)
  220. *p++ ^= salt[i];
  221. }
  222. if (MSBits)
  223. EM[0] &= 0xFF >> (8 - MSBits);
  224. /* H is already in place so just set final 0xbc */
  225. EM[emLen - 1] = 0xbc;
  226. ret = 1;
  227. err:
  228. if (salt)
  229. OPENSSL_free(salt);
  230. return ret;
  231. }
  232. #if defined(_MSC_VER)
  233. # pragma optimize("",on)
  234. #endif