1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2 * project 2005.
3 */
4 /* ====================================================================
5 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23 *
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * licensing@OpenSSL.org.
28 *
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
32 *
33 * 6. Redistributions of any form whatsoever must retain the following
34 * acknowledgment:
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
51 *
52 * This product includes cryptographic software written by Eric Young
53 * (eay@cryptsoft.com). This product includes software written by Tim
54 * Hudson (tjh@cryptsoft.com). */
55
56 #include <openssl/rsa.h>
57
58 #include <assert.h>
59 #include <limits.h>
60 #include <string.h>
61
62 #include <openssl/bn.h>
63 #include <openssl/digest.h>
64 #include <openssl/err.h>
65 #include <openssl/mem.h>
66 #include <openssl/rand.h>
67 #include <openssl/sha.h>
68
69 #include "internal.h"
70 #include "../service_indicator/internal.h"
71 #include "../../internal.h"
72
73
74 #define RSA_PKCS1_PADDING_SIZE 11
75
RSA_padding_add_PKCS1_type_1(uint8_t * to,size_t to_len,const uint8_t * from,size_t from_len)76 int RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len,
77 const uint8_t *from, size_t from_len) {
78 // See RFC 8017, section 9.2.
79 if (to_len < RSA_PKCS1_PADDING_SIZE) {
80 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
81 return 0;
82 }
83
84 if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {
85 OPENSSL_PUT_ERROR(RSA, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
86 return 0;
87 }
88
89 to[0] = 0;
90 to[1] = 1;
91 OPENSSL_memset(to + 2, 0xff, to_len - 3 - from_len);
92 to[to_len - from_len - 1] = 0;
93 OPENSSL_memcpy(to + to_len - from_len, from, from_len);
94 return 1;
95 }
96
RSA_padding_check_PKCS1_type_1(uint8_t * out,size_t * out_len,size_t max_out,const uint8_t * from,size_t from_len)97 int RSA_padding_check_PKCS1_type_1(uint8_t *out, size_t *out_len,
98 size_t max_out, const uint8_t *from,
99 size_t from_len) {
100 // See RFC 8017, section 9.2. This is part of signature verification and thus
101 // does not need to run in constant-time.
102 if (from_len < 2) {
103 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);
104 return 0;
105 }
106
107 // Check the header.
108 if (from[0] != 0 || from[1] != 1) {
109 OPENSSL_PUT_ERROR(RSA, RSA_R_BLOCK_TYPE_IS_NOT_01);
110 return 0;
111 }
112
113 // Scan over padded data, looking for the 00.
114 size_t pad;
115 for (pad = 2 /* header */; pad < from_len; pad++) {
116 if (from[pad] == 0x00) {
117 break;
118 }
119
120 if (from[pad] != 0xff) {
121 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT);
122 return 0;
123 }
124 }
125
126 if (pad == from_len) {
127 OPENSSL_PUT_ERROR(RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING);
128 return 0;
129 }
130
131 if (pad < 2 /* header */ + 8) {
132 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_PAD_BYTE_COUNT);
133 return 0;
134 }
135
136 // Skip over the 00.
137 pad++;
138
139 if (from_len - pad > max_out) {
140 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
141 return 0;
142 }
143
144 OPENSSL_memcpy(out, from + pad, from_len - pad);
145 *out_len = from_len - pad;
146 return 1;
147 }
148
rand_nonzero(uint8_t * out,size_t len)149 static void rand_nonzero(uint8_t *out, size_t len) {
150 FIPS_service_indicator_lock_state();
151 RAND_bytes(out, len);
152
153 for (size_t i = 0; i < len; i++) {
154 while (out[i] == 0) {
155 RAND_bytes(out + i, 1);
156 }
157 }
158
159 FIPS_service_indicator_unlock_state();
160 }
161
RSA_padding_add_PKCS1_type_2(uint8_t * to,size_t to_len,const uint8_t * from,size_t from_len)162 int RSA_padding_add_PKCS1_type_2(uint8_t *to, size_t to_len,
163 const uint8_t *from, size_t from_len) {
164 // See RFC 8017, section 7.2.1.
165 if (to_len < RSA_PKCS1_PADDING_SIZE) {
166 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
167 return 0;
168 }
169
170 if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {
171 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
172 return 0;
173 }
174
175 to[0] = 0;
176 to[1] = 2;
177
178 size_t padding_len = to_len - 3 - from_len;
179 rand_nonzero(to + 2, padding_len);
180 to[2 + padding_len] = 0;
181 OPENSSL_memcpy(to + to_len - from_len, from, from_len);
182 return 1;
183 }
184
RSA_padding_check_PKCS1_type_2(uint8_t * out,size_t * out_len,size_t max_out,const uint8_t * from,size_t from_len)185 int RSA_padding_check_PKCS1_type_2(uint8_t *out, size_t *out_len,
186 size_t max_out, const uint8_t *from,
187 size_t from_len) {
188 if (from_len == 0) {
189 OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);
190 return 0;
191 }
192
193 // PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
194 // Standard", section 7.2.2.
195 if (from_len < RSA_PKCS1_PADDING_SIZE) {
196 // |from| is zero-padded to the size of the RSA modulus, a public value, so
197 // this can be rejected in non-constant time.
198 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
199 return 0;
200 }
201
202 crypto_word_t first_byte_is_zero = constant_time_eq_w(from[0], 0);
203 crypto_word_t second_byte_is_two = constant_time_eq_w(from[1], 2);
204
205 crypto_word_t zero_index = 0, looking_for_index = CONSTTIME_TRUE_W;
206 for (size_t i = 2; i < from_len; i++) {
207 crypto_word_t equals0 = constant_time_is_zero_w(from[i]);
208 zero_index =
209 constant_time_select_w(looking_for_index & equals0, i, zero_index);
210 looking_for_index = constant_time_select_w(equals0, 0, looking_for_index);
211 }
212
213 // The input must begin with 00 02.
214 crypto_word_t valid_index = first_byte_is_zero;
215 valid_index &= second_byte_is_two;
216
217 // We must have found the end of PS.
218 valid_index &= ~looking_for_index;
219
220 // PS must be at least 8 bytes long, and it starts two bytes into |from|.
221 valid_index &= constant_time_ge_w(zero_index, 2 + 8);
222
223 // Skip the zero byte.
224 zero_index++;
225
226 // NOTE: Although this logic attempts to be constant time, the API contracts
227 // of this function and |RSA_decrypt| with |RSA_PKCS1_PADDING| make it
228 // impossible to completely avoid Bleichenbacher's attack. Consumers should
229 // use |RSA_PADDING_NONE| and perform the padding check in constant-time
230 // combined with a swap to a random session key or other mitigation.
231 CONSTTIME_DECLASSIFY(&valid_index, sizeof(valid_index));
232 CONSTTIME_DECLASSIFY(&zero_index, sizeof(zero_index));
233
234 if (!valid_index) {
235 OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);
236 return 0;
237 }
238
239 const size_t msg_len = from_len - zero_index;
240 if (msg_len > max_out) {
241 // This shouldn't happen because this function is always called with
242 // |max_out| as the key size and |from_len| is bounded by the key size.
243 OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);
244 return 0;
245 }
246
247 OPENSSL_memcpy(out, &from[zero_index], msg_len);
248 *out_len = msg_len;
249 return 1;
250 }
251
RSA_padding_add_none(uint8_t * to,size_t to_len,const uint8_t * from,size_t from_len)252 int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from,
253 size_t from_len) {
254 if (from_len > to_len) {
255 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
256 return 0;
257 }
258
259 if (from_len < to_len) {
260 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);
261 return 0;
262 }
263
264 OPENSSL_memcpy(to, from, from_len);
265 return 1;
266 }
267
PKCS1_MGF1(uint8_t * out,size_t len,const uint8_t * seed,size_t seed_len,const EVP_MD * md)268 static int PKCS1_MGF1(uint8_t *out, size_t len, const uint8_t *seed,
269 size_t seed_len, const EVP_MD *md) {
270 int ret = 0;
271 EVP_MD_CTX ctx;
272 EVP_MD_CTX_init(&ctx);
273 FIPS_service_indicator_lock_state();
274
275 size_t md_len = EVP_MD_size(md);
276
277 for (uint32_t i = 0; len > 0; i++) {
278 uint8_t counter[4];
279 counter[0] = (uint8_t)(i >> 24);
280 counter[1] = (uint8_t)(i >> 16);
281 counter[2] = (uint8_t)(i >> 8);
282 counter[3] = (uint8_t)i;
283 if (!EVP_DigestInit_ex(&ctx, md, NULL) ||
284 !EVP_DigestUpdate(&ctx, seed, seed_len) ||
285 !EVP_DigestUpdate(&ctx, counter, sizeof(counter))) {
286 goto err;
287 }
288
289 if (md_len <= len) {
290 if (!EVP_DigestFinal_ex(&ctx, out, NULL)) {
291 goto err;
292 }
293 out += md_len;
294 len -= md_len;
295 } else {
296 uint8_t digest[EVP_MAX_MD_SIZE];
297 if (!EVP_DigestFinal_ex(&ctx, digest, NULL)) {
298 goto err;
299 }
300 OPENSSL_memcpy(out, digest, len);
301 len = 0;
302 }
303 }
304
305 ret = 1;
306
307 err:
308 EVP_MD_CTX_cleanup(&ctx);
309 FIPS_service_indicator_unlock_state();
310 return ret;
311 }
312
RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t * to,size_t to_len,const uint8_t * from,size_t from_len,const uint8_t * param,size_t param_len,const EVP_MD * md,const EVP_MD * mgf1md)313 int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, size_t to_len,
314 const uint8_t *from, size_t from_len,
315 const uint8_t *param, size_t param_len,
316 const EVP_MD *md, const EVP_MD *mgf1md) {
317 if (md == NULL) {
318 md = EVP_sha1();
319 }
320 if (mgf1md == NULL) {
321 mgf1md = md;
322 }
323
324 size_t mdlen = EVP_MD_size(md);
325
326 if (to_len < 2 * mdlen + 2) {
327 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
328 return 0;
329 }
330
331 size_t emlen = to_len - 1;
332 if (from_len > emlen - 2 * mdlen - 1) {
333 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
334 return 0;
335 }
336
337 if (emlen < 2 * mdlen + 1) {
338 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
339 return 0;
340 }
341
342 to[0] = 0;
343 uint8_t *seed = to + 1;
344 uint8_t *db = to + mdlen + 1;
345
346 uint8_t *dbmask = NULL;
347 int ret = 0;
348 FIPS_service_indicator_lock_state();
349 if (!EVP_Digest(param, param_len, db, NULL, md, NULL)) {
350 goto out;
351 }
352 OPENSSL_memset(db + mdlen, 0, emlen - from_len - 2 * mdlen - 1);
353 db[emlen - from_len - mdlen - 1] = 0x01;
354 OPENSSL_memcpy(db + emlen - from_len - mdlen, from, from_len);
355 if (!RAND_bytes(seed, mdlen)) {
356 goto out;
357 }
358
359 dbmask = OPENSSL_malloc(emlen - mdlen);
360 if (dbmask == NULL) {
361 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
362 goto out;
363 }
364
365 if (!PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md)) {
366 goto out;
367 }
368 for (size_t i = 0; i < emlen - mdlen; i++) {
369 db[i] ^= dbmask[i];
370 }
371
372 uint8_t seedmask[EVP_MAX_MD_SIZE];
373 if (!PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md)) {
374 goto out;
375 }
376 for (size_t i = 0; i < mdlen; i++) {
377 seed[i] ^= seedmask[i];
378 }
379 ret = 1;
380
381 out:
382 OPENSSL_free(dbmask);
383 FIPS_service_indicator_unlock_state();
384 return ret;
385 }
386
RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t * out,size_t * out_len,size_t max_out,const uint8_t * from,size_t from_len,const uint8_t * param,size_t param_len,const EVP_MD * md,const EVP_MD * mgf1md)387 int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *out, size_t *out_len,
388 size_t max_out, const uint8_t *from,
389 size_t from_len, const uint8_t *param,
390 size_t param_len, const EVP_MD *md,
391 const EVP_MD *mgf1md) {
392 uint8_t *db = NULL;
393
394 if (md == NULL) {
395 md = EVP_sha1();
396 }
397 if (mgf1md == NULL) {
398 mgf1md = md;
399 }
400
401 size_t mdlen = EVP_MD_size(md);
402
403 // The encoded message is one byte smaller than the modulus to ensure that it
404 // doesn't end up greater than the modulus. Thus there's an extra "+1" here
405 // compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2.
406 if (from_len < 1 + 2*mdlen + 1) {
407 // 'from_len' is the length of the modulus, i.e. does not depend on the
408 // particular ciphertext.
409 goto decoding_err;
410 }
411
412 size_t dblen = from_len - mdlen - 1;
413 FIPS_service_indicator_lock_state();
414 db = OPENSSL_malloc(dblen);
415 if (db == NULL) {
416 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
417 goto err;
418 }
419
420 const uint8_t *maskedseed = from + 1;
421 const uint8_t *maskeddb = from + 1 + mdlen;
422
423 uint8_t seed[EVP_MAX_MD_SIZE];
424 if (!PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {
425 goto err;
426 }
427 for (size_t i = 0; i < mdlen; i++) {
428 seed[i] ^= maskedseed[i];
429 }
430
431 if (!PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {
432 goto err;
433 }
434 for (size_t i = 0; i < dblen; i++) {
435 db[i] ^= maskeddb[i];
436 }
437
438 uint8_t phash[EVP_MAX_MD_SIZE];
439 if (!EVP_Digest(param, param_len, phash, NULL, md, NULL)) {
440 goto err;
441 }
442
443 crypto_word_t bad = ~constant_time_is_zero_w(CRYPTO_memcmp(db, phash, mdlen));
444 bad |= ~constant_time_is_zero_w(from[0]);
445
446 crypto_word_t looking_for_one_byte = CONSTTIME_TRUE_W;
447 size_t one_index = 0;
448 for (size_t i = mdlen; i < dblen; i++) {
449 crypto_word_t equals1 = constant_time_eq_w(db[i], 1);
450 crypto_word_t equals0 = constant_time_eq_w(db[i], 0);
451 one_index =
452 constant_time_select_w(looking_for_one_byte & equals1, i, one_index);
453 looking_for_one_byte =
454 constant_time_select_w(equals1, 0, looking_for_one_byte);
455 bad |= looking_for_one_byte & ~equals0;
456 }
457
458 bad |= looking_for_one_byte;
459
460 if (bad) {
461 goto decoding_err;
462 }
463
464 one_index++;
465 size_t mlen = dblen - one_index;
466 if (max_out < mlen) {
467 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
468 goto err;
469 }
470
471 OPENSSL_memcpy(out, db + one_index, mlen);
472 *out_len = mlen;
473 OPENSSL_free(db);
474 FIPS_service_indicator_unlock_state();
475 return 1;
476
477 decoding_err:
478 // to avoid chosen ciphertext attacks, the error message should not reveal
479 // which kind of decoding error happened
480 OPENSSL_PUT_ERROR(RSA, RSA_R_OAEP_DECODING_ERROR);
481 err:
482 OPENSSL_free(db);
483 FIPS_service_indicator_unlock_state();
484 return 0;
485 }
486
487 static const uint8_t kPSSZeroes[] = {0, 0, 0, 0, 0, 0, 0, 0};
488
RSA_verify_PKCS1_PSS_mgf1(const RSA * rsa,const uint8_t * mHash,const EVP_MD * Hash,const EVP_MD * mgf1Hash,const uint8_t * EM,int sLen)489 int RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa, const uint8_t *mHash,
490 const EVP_MD *Hash, const EVP_MD *mgf1Hash,
491 const uint8_t *EM, int sLen) {
492 int i;
493 int ret = 0;
494 int maskedDBLen, MSBits, emLen;
495 size_t hLen;
496 const uint8_t *H;
497 uint8_t *DB = NULL;
498 EVP_MD_CTX ctx;
499 uint8_t H_[EVP_MAX_MD_SIZE];
500 EVP_MD_CTX_init(&ctx);
501
502 if (mgf1Hash == NULL) {
503 mgf1Hash = Hash;
504 }
505
506 hLen = EVP_MD_size(Hash);
507 FIPS_service_indicator_lock_state();
508
509 // Negative sLen has special meanings:
510 // -1 sLen == hLen
511 // -2 salt length is autorecovered from signature
512 // -N reserved
513 if (sLen == -1) {
514 sLen = hLen;
515 } else if (sLen == -2) {
516 sLen = -2;
517 } else if (sLen < -2) {
518 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
519 goto err;
520 }
521
522 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
523 emLen = RSA_size(rsa);
524 if (EM[0] & (0xFF << MSBits)) {
525 OPENSSL_PUT_ERROR(RSA, RSA_R_FIRST_OCTET_INVALID);
526 goto err;
527 }
528 if (MSBits == 0) {
529 EM++;
530 emLen--;
531 }
532 if (emLen < (int)hLen + 2 || emLen < ((int)hLen + sLen + 2)) {
533 // sLen can be small negative
534 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
535 goto err;
536 }
537 if (EM[emLen - 1] != 0xbc) {
538 OPENSSL_PUT_ERROR(RSA, RSA_R_LAST_OCTET_INVALID);
539 goto err;
540 }
541 maskedDBLen = emLen - hLen - 1;
542 H = EM + maskedDBLen;
543 DB = OPENSSL_malloc(maskedDBLen);
544 if (!DB) {
545 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
546 goto err;
547 }
548 if (!PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash)) {
549 goto err;
550 }
551 for (i = 0; i < maskedDBLen; i++) {
552 DB[i] ^= EM[i];
553 }
554 if (MSBits) {
555 DB[0] &= 0xFF >> (8 - MSBits);
556 }
557 for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) {
558 ;
559 }
560 if (DB[i++] != 0x1) {
561 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_RECOVERY_FAILED);
562 goto err;
563 }
564 if (sLen >= 0 && (maskedDBLen - i) != sLen) {
565 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
566 goto err;
567 }
568 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
569 !EVP_DigestUpdate(&ctx, kPSSZeroes, sizeof(kPSSZeroes)) ||
570 !EVP_DigestUpdate(&ctx, mHash, hLen) ||
571 !EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i) ||
572 !EVP_DigestFinal_ex(&ctx, H_, NULL)) {
573 goto err;
574 }
575 if (OPENSSL_memcmp(H_, H, hLen)) {
576 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
577 ret = 0;
578 } else {
579 ret = 1;
580 }
581
582 err:
583 OPENSSL_free(DB);
584 EVP_MD_CTX_cleanup(&ctx);
585 FIPS_service_indicator_unlock_state();
586
587 return ret;
588 }
589
RSA_padding_add_PKCS1_PSS_mgf1(const RSA * rsa,unsigned char * EM,const unsigned char * mHash,const EVP_MD * Hash,const EVP_MD * mgf1Hash,int sLenRequested)590 int RSA_padding_add_PKCS1_PSS_mgf1(const RSA *rsa, unsigned char *EM,
591 const unsigned char *mHash,
592 const EVP_MD *Hash, const EVP_MD *mgf1Hash,
593 int sLenRequested) {
594 int ret = 0;
595 size_t maskedDBLen, MSBits, emLen;
596 size_t hLen;
597 unsigned char *H, *salt = NULL, *p;
598
599 if (mgf1Hash == NULL) {
600 mgf1Hash = Hash;
601 }
602
603 FIPS_service_indicator_lock_state();
604 hLen = EVP_MD_size(Hash);
605
606 if (BN_is_zero(rsa->n)) {
607 OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);
608 goto err;
609 }
610
611 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
612 emLen = RSA_size(rsa);
613 if (MSBits == 0) {
614 assert(emLen >= 1);
615 *EM++ = 0;
616 emLen--;
617 }
618
619 if (emLen < hLen + 2) {
620 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
621 goto err;
622 }
623
624 // Negative sLenRequested has special meanings:
625 // -1 sLen == hLen
626 // -2 salt length is maximized
627 // -N reserved
628 size_t sLen;
629 if (sLenRequested == -1) {
630 sLen = hLen;
631 } else if (sLenRequested == -2) {
632 sLen = emLen - hLen - 2;
633 } else if (sLenRequested < 0) {
634 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
635 goto err;
636 } else {
637 sLen = (size_t)sLenRequested;
638 }
639
640 if (emLen - hLen - 2 < sLen) {
641 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
642 goto err;
643 }
644
645 if (sLen > 0) {
646 salt = OPENSSL_malloc(sLen);
647 if (!salt) {
648 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
649 goto err;
650 }
651 if (!RAND_bytes(salt, sLen)) {
652 goto err;
653 }
654 }
655 maskedDBLen = emLen - hLen - 1;
656 H = EM + maskedDBLen;
657
658 EVP_MD_CTX ctx;
659 EVP_MD_CTX_init(&ctx);
660 int digest_ok = EVP_DigestInit_ex(&ctx, Hash, NULL) &&
661 EVP_DigestUpdate(&ctx, kPSSZeroes, sizeof(kPSSZeroes)) &&
662 EVP_DigestUpdate(&ctx, mHash, hLen) &&
663 EVP_DigestUpdate(&ctx, salt, sLen) &&
664 EVP_DigestFinal_ex(&ctx, H, NULL);
665 EVP_MD_CTX_cleanup(&ctx);
666 if (!digest_ok) {
667 goto err;
668 }
669
670 // Generate dbMask in place then perform XOR on it
671 if (!PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {
672 goto err;
673 }
674
675 p = EM;
676
677 // Initial PS XORs with all zeroes which is a NOP so just update
678 // pointer. Note from a test above this value is guaranteed to
679 // be non-negative.
680 p += emLen - sLen - hLen - 2;
681 *p++ ^= 0x1;
682 if (sLen > 0) {
683 for (size_t i = 0; i < sLen; i++) {
684 *p++ ^= salt[i];
685 }
686 }
687 if (MSBits) {
688 EM[0] &= 0xFF >> (8 - MSBits);
689 }
690
691 // H is already in place so just set final 0xbc
692
693 EM[emLen - 1] = 0xbc;
694
695 ret = 1;
696
697 err:
698 OPENSSL_free(salt);
699 FIPS_service_indicator_unlock_state();
700
701 return ret;
702 }
703