1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2 * project 2005.
3 */
4 /* ====================================================================
5 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23 *
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * licensing@OpenSSL.org.
28 *
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
32 *
33 * 6. Redistributions of any form whatsoever must retain the following
34 * acknowledgment:
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
51 *
52 * This product includes cryptographic software written by Eric Young
53 * (eay@cryptsoft.com). This product includes software written by Tim
54 * Hudson (tjh@cryptsoft.com). */
55
56 #include <openssl/rsa.h>
57
58 #include <assert.h>
59 #include <string.h>
60
61 #include <openssl/digest.h>
62 #include <openssl/err.h>
63 #include <openssl/mem.h>
64 #include <openssl/rand.h>
65 #include <openssl/sha.h>
66
67 #include "internal.h"
68
69 /* TODO(fork): don't the check functions have to be constant time? */
70
RSA_padding_add_PKCS1_type_1(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen)71 int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned tlen,
72 const uint8_t *from, unsigned flen) {
73 unsigned j;
74 uint8_t *p;
75
76 if (tlen < RSA_PKCS1_PADDING_SIZE) {
77 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_1,
78 RSA_R_KEY_SIZE_TOO_SMALL);
79 return 0;
80 }
81
82 if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {
83 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_1,
84 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
85 return 0;
86 }
87
88 p = (uint8_t *)to;
89
90 *(p++) = 0;
91 *(p++) = 1; /* Private Key BT (Block Type) */
92
93 /* pad out with 0xff data */
94 j = tlen - 3 - flen;
95 memset(p, 0xff, j);
96 p += j;
97 *(p++) = 0;
98 memcpy(p, from, (unsigned int)flen);
99 return 1;
100 }
101
RSA_padding_check_PKCS1_type_1(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen)102 int RSA_padding_check_PKCS1_type_1(uint8_t *to, unsigned tlen,
103 const uint8_t *from, unsigned flen) {
104 unsigned i, j;
105 const uint8_t *p;
106
107 if (flen < 2) {
108 OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,
109 RSA_R_DATA_TOO_SMALL);
110 return -1;
111 }
112
113 p = from;
114 if ((*(p++) != 0) || (*(p++) != 1)) {
115 OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,
116 RSA_R_BLOCK_TYPE_IS_NOT_01);
117 return -1;
118 }
119
120 /* scan over padding data */
121 j = flen - 2; /* one for leading 00, one for type. */
122 for (i = 0; i < j; i++) {
123 /* should decrypt to 0xff */
124 if (*p != 0xff) {
125 if (*p == 0) {
126 p++;
127 break;
128 } else {
129 OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,
130 RSA_R_BAD_FIXED_HEADER_DECRYPT);
131 return -1;
132 }
133 }
134 p++;
135 }
136
137 if (i == j) {
138 OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,
139 RSA_R_NULL_BEFORE_BLOCK_MISSING);
140 return -1;
141 }
142
143 if (i < 8) {
144 OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,
145 RSA_R_BAD_PAD_BYTE_COUNT);
146 return -1;
147 }
148 i++; /* Skip over the '\0' */
149 j -= i;
150 if (j > tlen) {
151 OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,
152 RSA_R_DATA_TOO_LARGE);
153 return -1;
154 }
155 memcpy(to, p, j);
156
157 return j;
158 }
159
RSA_padding_add_PKCS1_type_2(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen)160 int RSA_padding_add_PKCS1_type_2(uint8_t *to, unsigned tlen,
161 const uint8_t *from, unsigned flen) {
162 unsigned i, j;
163 uint8_t *p;
164
165 if (tlen < RSA_PKCS1_PADDING_SIZE) {
166 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_2,
167 RSA_R_KEY_SIZE_TOO_SMALL);
168 return 0;
169 }
170
171 if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {
172 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_2,
173 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
174 return 0;
175 }
176
177 p = (unsigned char *)to;
178
179 *(p++) = 0;
180 *(p++) = 2; /* Public Key BT (Block Type) */
181
182 /* pad out with non-zero random data */
183 j = tlen - 3 - flen;
184
185 if (!RAND_bytes(p, j)) {
186 return 0;
187 }
188
189 for (i = 0; i < j; i++) {
190 while (*p == 0) {
191 if (!RAND_bytes(p, 1)) {
192 return 0;
193 }
194 }
195 p++;
196 }
197
198 *(p++) = 0;
199
200 memcpy(p, from, (unsigned int)flen);
201 return 1;
202 }
203
204 /* constant_time_byte_eq returns 1 if |x| == |y| and 0 otherwise. */
constant_time_byte_eq(unsigned char a,unsigned char b)205 static int constant_time_byte_eq(unsigned char a, unsigned char b) {
206 unsigned char z = ~(a ^ b);
207 z &= z >> 4;
208 z &= z >> 2;
209 z &= z >> 1;
210
211 return z;
212 }
213
214 /* constant_time_select returns |x| if |v| is 1 and |y| if |v| is 0.
215 * Its behavior is undefined if |v| takes any other value. */
constant_time_select(int v,int x,int y)216 static int constant_time_select(int v, int x, int y) {
217 return ((~(v - 1)) & x) | ((v - 1) & y);
218 }
219
220 /* constant_time_le returns 1 if |x| <= |y| and 0 otherwise.
221 * |x| and |y| must be positive. */
constant_time_le(int x,int y)222 static int constant_time_le(int x, int y) {
223 return ((x - y - 1) >> (sizeof(int) * 8 - 1)) & 1;
224 }
225
RSA_message_index_PKCS1_type_2(const uint8_t * from,size_t from_len,size_t * out_index)226 int RSA_message_index_PKCS1_type_2(const uint8_t *from, size_t from_len,
227 size_t *out_index) {
228 size_t i;
229 int first_byte_is_zero, second_byte_is_two, looking_for_index;
230 int valid_index, zero_index = 0;
231
232 /* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
233 * Standard", section 7.2.2. */
234 if (from_len < RSA_PKCS1_PADDING_SIZE) {
235 /* |from| is zero-padded to the size of the RSA modulus, a public value, so
236 * this can be rejected in non-constant time. */
237 *out_index = 0;
238 return 0;
239 }
240
241 first_byte_is_zero = constant_time_byte_eq(from[0], 0);
242 second_byte_is_two = constant_time_byte_eq(from[1], 2);
243
244 looking_for_index = 1;
245 for (i = 2; i < from_len; i++) {
246 int equals0 = constant_time_byte_eq(from[i], 0);
247 zero_index =
248 constant_time_select(looking_for_index & equals0, i, zero_index);
249 looking_for_index = constant_time_select(equals0, 0, looking_for_index);
250 }
251
252 /* The input must begin with 00 02. */
253 valid_index = first_byte_is_zero;
254 valid_index &= second_byte_is_two;
255
256 /* We must have found the end of PS. */
257 valid_index &= ~looking_for_index;
258
259 /* PS must be at least 8 bytes long, and it starts two bytes into |from|. */
260 valid_index &= constant_time_le(2 + 8, zero_index);
261
262 /* Skip the zero byte. */
263 zero_index++;
264
265 *out_index = constant_time_select(valid_index, zero_index, 0);
266 return valid_index;
267 }
268
RSA_padding_check_PKCS1_type_2(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen)269 int RSA_padding_check_PKCS1_type_2(uint8_t *to, unsigned tlen,
270 const uint8_t *from, unsigned flen) {
271 size_t msg_index, msg_len;
272
273 if (flen == 0) {
274 OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_2,
275 RSA_R_EMPTY_PUBLIC_KEY);
276 return -1;
277 }
278
279 /* NOTE: Although |RSA_message_index_PKCS1_type_2| itself is constant time,
280 * the API contracts of this function and |RSA_decrypt| with
281 * |RSA_PKCS1_PADDING| make it impossible to completely avoid Bleichenbacher's
282 * attack. */
283 if (!RSA_message_index_PKCS1_type_2(from, flen, &msg_index)) {
284 OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_2,
285 RSA_R_PKCS_DECODING_ERROR);
286 return -1;
287 }
288
289 msg_len = flen - msg_index;
290 if (msg_len > tlen) {
291 /* This shouldn't happen because this function is always called with |tlen|
292 * the key size and |flen| is bounded by the key size. */
293 OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_2,
294 RSA_R_PKCS_DECODING_ERROR);
295 return -1;
296 }
297 memcpy(to, &from[msg_index], msg_len);
298 return msg_len;
299 }
300
RSA_padding_add_none(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen)301 int RSA_padding_add_none(uint8_t *to, unsigned tlen, const uint8_t *from, unsigned flen) {
302 if (flen > tlen) {
303 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_none,
304 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
305 return 0;
306 }
307
308 if (flen < tlen) {
309 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_none,
310 RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
311 return 0;
312 }
313
314 memcpy(to, from, (unsigned int)flen);
315 return 1;
316 }
317
RSA_padding_check_none(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen)318 int RSA_padding_check_none(uint8_t *to, unsigned tlen, const uint8_t *from,
319 unsigned flen) {
320 if (flen > tlen) {
321 OPENSSL_PUT_ERROR(RSA, RSA_padding_check_none, RSA_R_DATA_TOO_LARGE);
322 return -1;
323 }
324
325 memcpy(to, from, flen);
326 return flen;
327 }
328
PKCS1_MGF1(uint8_t * mask,unsigned len,const uint8_t * seed,unsigned seedlen,const EVP_MD * dgst)329 int PKCS1_MGF1(uint8_t *mask, unsigned len, const uint8_t *seed,
330 unsigned seedlen, const EVP_MD *dgst) {
331 unsigned outlen = 0;
332 uint32_t i;
333 uint8_t cnt[4];
334 EVP_MD_CTX c;
335 uint8_t md[EVP_MAX_MD_SIZE];
336 unsigned mdlen;
337 int ret = -1;
338
339 EVP_MD_CTX_init(&c);
340 mdlen = EVP_MD_size(dgst);
341
342 for (i = 0; outlen < len; i++) {
343 cnt[0] = (uint8_t)((i >> 24) & 255);
344 cnt[1] = (uint8_t)((i >> 16) & 255);
345 cnt[2] = (uint8_t)((i >> 8)) & 255;
346 cnt[3] = (uint8_t)(i & 255);
347 if (!EVP_DigestInit_ex(&c, dgst, NULL) ||
348 !EVP_DigestUpdate(&c, seed, seedlen) || !EVP_DigestUpdate(&c, cnt, 4)) {
349 goto err;
350 }
351
352 if (outlen + mdlen <= len) {
353 if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL)) {
354 goto err;
355 }
356 outlen += mdlen;
357 } else {
358 if (!EVP_DigestFinal_ex(&c, md, NULL)) {
359 goto err;
360 }
361 memcpy(mask + outlen, md, len - outlen);
362 outlen = len;
363 }
364 }
365 ret = 0;
366
367 err:
368 EVP_MD_CTX_cleanup(&c);
369 return ret;
370 }
371
RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen,const uint8_t * param,unsigned plen,const EVP_MD * md,const EVP_MD * mgf1md)372 int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, unsigned tlen,
373 const uint8_t *from, unsigned flen,
374 const uint8_t *param, unsigned plen,
375 const EVP_MD *md, const EVP_MD *mgf1md) {
376 unsigned i, emlen, mdlen;
377 uint8_t *db, *seed;
378 uint8_t *dbmask = NULL, seedmask[EVP_MAX_MD_SIZE];
379 int ret = 0;
380
381 if (md == NULL) {
382 md = EVP_sha1();
383 }
384 if (mgf1md == NULL) {
385 mgf1md = md;
386 }
387
388 mdlen = EVP_MD_size(md);
389
390 if (tlen < 2 * mdlen + 2) {
391 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,
392 RSA_R_KEY_SIZE_TOO_SMALL);
393 return 0;
394 }
395
396 emlen = tlen - 1;
397 if (flen > emlen - 2 * mdlen - 1) {
398 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,
399 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
400 return 0;
401 }
402
403 if (emlen < 2 * mdlen + 1) {
404 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,
405 RSA_R_KEY_SIZE_TOO_SMALL);
406 return 0;
407 }
408
409 to[0] = 0;
410 seed = to + 1;
411 db = to + mdlen + 1;
412
413 if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL)) {
414 return 0;
415 }
416 memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);
417 db[emlen - flen - mdlen - 1] = 0x01;
418 memcpy(db + emlen - flen - mdlen, from, flen);
419 if (!RAND_bytes(seed, mdlen)) {
420 return 0;
421 }
422
423 dbmask = OPENSSL_malloc(emlen - mdlen);
424 if (dbmask == NULL) {
425 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,
426 ERR_R_MALLOC_FAILURE);
427 return 0;
428 }
429
430 if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0) {
431 goto out;
432 }
433 for (i = 0; i < emlen - mdlen; i++) {
434 db[i] ^= dbmask[i];
435 }
436
437 if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0) {
438 goto out;
439 }
440 for (i = 0; i < mdlen; i++) {
441 seed[i] ^= seedmask[i];
442 }
443 ret = 1;
444
445 out:
446 OPENSSL_free(dbmask);
447 return ret;
448 }
449
RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen,const uint8_t * param,unsigned plen,const EVP_MD * md,const EVP_MD * mgf1md)450 int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *to, unsigned tlen,
451 const uint8_t *from, unsigned flen,
452 const uint8_t *param, unsigned plen,
453 const EVP_MD *md, const EVP_MD *mgf1md) {
454 unsigned i, dblen, mlen = -1, mdlen;
455 const uint8_t *maskeddb, *maskedseed;
456 uint8_t *db = NULL, seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE];
457 int bad, looking_for_one_byte, one_index = 0;
458
459 if (md == NULL) {
460 md = EVP_sha1();
461 }
462 if (mgf1md == NULL) {
463 mgf1md = md;
464 }
465
466 mdlen = EVP_MD_size(md);
467
468 /* The encoded message is one byte smaller than the modulus to ensure that it
469 * doesn't end up greater than the modulus. Thus there's an extra "+1" here
470 * compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2. */
471 if (flen < 1 + 2*mdlen + 1) {
472 /* 'flen' is the length of the modulus, i.e. does not depend on the
473 * particular ciphertext. */
474 goto decoding_err;
475 }
476
477 dblen = flen - mdlen - 1;
478 db = OPENSSL_malloc(dblen);
479 if (db == NULL) {
480 OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,
481 ERR_R_MALLOC_FAILURE);
482 goto err;
483 }
484
485 maskedseed = from + 1;
486 maskeddb = from + 1 + mdlen;
487
488 if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {
489 goto err;
490 }
491 for (i = 0; i < mdlen; i++) {
492 seed[i] ^= maskedseed[i];
493 }
494
495 if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {
496 goto err;
497 }
498 for (i = 0; i < dblen; i++) {
499 db[i] ^= maskeddb[i];
500 }
501
502 if (!EVP_Digest((void *)param, plen, phash, NULL, md, NULL)) {
503 goto err;
504 }
505
506 bad = CRYPTO_memcmp(db, phash, mdlen);
507 bad |= from[0];
508
509 looking_for_one_byte = 1;
510 for (i = mdlen; i < dblen; i++) {
511 int equals1 = constant_time_byte_eq(db[i], 1);
512 int equals0 = constant_time_byte_eq(db[i], 0);
513 one_index =
514 constant_time_select(looking_for_one_byte & equals1, i, one_index);
515 looking_for_one_byte =
516 constant_time_select(equals1, 0, looking_for_one_byte);
517 bad |= looking_for_one_byte & ~equals0;
518 }
519
520 bad |= looking_for_one_byte;
521
522 if (bad) {
523 goto decoding_err;
524 }
525
526 one_index++;
527 mlen = dblen - one_index;
528 if (tlen < mlen) {
529 OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,
530 RSA_R_DATA_TOO_LARGE);
531 mlen = -1;
532 } else {
533 memcpy(to, db + one_index, mlen);
534 }
535
536 OPENSSL_free(db);
537 return mlen;
538
539 decoding_err:
540 /* to avoid chosen ciphertext attacks, the error message should not reveal
541 * which kind of decoding error happened */
542 OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,
543 RSA_R_OAEP_DECODING_ERROR);
544 err:
545 OPENSSL_free(db);
546 return -1;
547 }
548
549 static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
550
RSA_verify_PKCS1_PSS_mgf1(RSA * rsa,const uint8_t * mHash,const EVP_MD * Hash,const EVP_MD * mgf1Hash,const uint8_t * EM,int sLen)551 int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
552 const EVP_MD *Hash, const EVP_MD *mgf1Hash,
553 const uint8_t *EM, int sLen) {
554 int i;
555 int ret = 0;
556 int maskedDBLen, MSBits, emLen;
557 size_t hLen;
558 const uint8_t *H;
559 uint8_t *DB = NULL;
560 EVP_MD_CTX ctx;
561 uint8_t H_[EVP_MAX_MD_SIZE];
562 EVP_MD_CTX_init(&ctx);
563
564 if (mgf1Hash == NULL) {
565 mgf1Hash = Hash;
566 }
567
568 hLen = EVP_MD_size(Hash);
569
570 /* Negative sLen has special meanings:
571 * -1 sLen == hLen
572 * -2 salt length is autorecovered from signature
573 * -N reserved */
574 if (sLen == -1) {
575 sLen = hLen;
576 } else if (sLen == -2) {
577 sLen = -2;
578 } else if (sLen < -2) {
579 OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_SLEN_CHECK_FAILED);
580 goto err;
581 }
582
583 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
584 emLen = RSA_size(rsa);
585 if (EM[0] & (0xFF << MSBits)) {
586 OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1,
587 RSA_R_FIRST_OCTET_INVALID);
588 goto err;
589 }
590 if (MSBits == 0) {
591 EM++;
592 emLen--;
593 }
594 if (emLen < ((int)hLen + sLen + 2)) {
595 /* sLen can be small negative */
596 OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_DATA_TOO_LARGE);
597 goto err;
598 }
599 if (EM[emLen - 1] != 0xbc) {
600 OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_LAST_OCTET_INVALID);
601 goto err;
602 }
603 maskedDBLen = emLen - hLen - 1;
604 H = EM + maskedDBLen;
605 DB = OPENSSL_malloc(maskedDBLen);
606 if (!DB) {
607 OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, ERR_R_MALLOC_FAILURE);
608 goto err;
609 }
610 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) {
611 goto err;
612 }
613 for (i = 0; i < maskedDBLen; i++) {
614 DB[i] ^= EM[i];
615 }
616 if (MSBits) {
617 DB[0] &= 0xFF >> (8 - MSBits);
618 }
619 for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) {
620 ;
621 }
622 if (DB[i++] != 0x1) {
623 OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1,
624 RSA_R_SLEN_RECOVERY_FAILED);
625 goto err;
626 }
627 if (sLen >= 0 && (maskedDBLen - i) != sLen) {
628 OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_SLEN_CHECK_FAILED);
629 goto err;
630 }
631 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
632 !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
633 !EVP_DigestUpdate(&ctx, mHash, hLen)) {
634 goto err;
635 }
636 if (maskedDBLen - i) {
637 if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i)) {
638 goto err;
639 }
640 }
641 if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) {
642 goto err;
643 }
644 if (memcmp(H_, H, hLen)) {
645 OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_BAD_SIGNATURE);
646 ret = 0;
647 } else {
648 ret = 1;
649 }
650
651 err:
652 OPENSSL_free(DB);
653 EVP_MD_CTX_cleanup(&ctx);
654
655 return ret;
656 }
657
RSA_padding_add_PKCS1_PSS_mgf1(RSA * rsa,unsigned char * EM,const unsigned char * mHash,const EVP_MD * Hash,const EVP_MD * mgf1Hash,int sLen)658 int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
659 const unsigned char *mHash,
660 const EVP_MD *Hash, const EVP_MD *mgf1Hash,
661 int sLen) {
662 int i;
663 int ret = 0;
664 size_t maskedDBLen, MSBits, emLen;
665 size_t hLen;
666 unsigned char *H, *salt = NULL, *p;
667 EVP_MD_CTX ctx;
668
669 if (mgf1Hash == NULL) {
670 mgf1Hash = Hash;
671 }
672
673 hLen = EVP_MD_size(Hash);
674
675 /* Negative sLen has special meanings:
676 * -1 sLen == hLen
677 * -2 salt length is maximized
678 * -N reserved */
679 if (sLen == -1) {
680 sLen = hLen;
681 } else if (sLen == -2) {
682 sLen = -2;
683 } else if (sLen < -2) {
684 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
685 RSA_R_SLEN_CHECK_FAILED);
686 goto err;
687 }
688
689 if (BN_is_zero(rsa->n)) {
690 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
691 RSA_R_EMPTY_PUBLIC_KEY);
692 goto err;
693 }
694
695 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
696 emLen = RSA_size(rsa);
697 if (MSBits == 0) {
698 assert(emLen >= 1);
699 *EM++ = 0;
700 emLen--;
701 }
702 if (sLen == -2) {
703 if (emLen < hLen + 2) {
704 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
705 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
706 goto err;
707 }
708 sLen = emLen - hLen - 2;
709 } else if (emLen < hLen + sLen + 2) {
710 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
711 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
712 goto err;
713 }
714 if (sLen > 0) {
715 salt = OPENSSL_malloc(sLen);
716 if (!salt) {
717 OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
718 ERR_R_MALLOC_FAILURE);
719 goto err;
720 }
721 if (!RAND_bytes(salt, sLen)) {
722 goto err;
723 }
724 }
725 maskedDBLen = emLen - hLen - 1;
726 H = EM + maskedDBLen;
727 EVP_MD_CTX_init(&ctx);
728 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
729 !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
730 !EVP_DigestUpdate(&ctx, mHash, hLen)) {
731 goto err;
732 }
733 if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen)) {
734 goto err;
735 }
736 if (!EVP_DigestFinal_ex(&ctx, H, NULL)) {
737 goto err;
738 }
739 EVP_MD_CTX_cleanup(&ctx);
740
741 /* Generate dbMask in place then perform XOR on it */
742 if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {
743 goto err;
744 }
745
746 p = EM;
747
748 /* Initial PS XORs with all zeroes which is a NOP so just update
749 * pointer. Note from a test above this value is guaranteed to
750 * be non-negative. */
751 p += emLen - sLen - hLen - 2;
752 *p++ ^= 0x1;
753 if (sLen > 0) {
754 for (i = 0; i < sLen; i++) {
755 *p++ ^= salt[i];
756 }
757 }
758 if (MSBits) {
759 EM[0] &= 0xFF >> (8 - MSBits);
760 }
761
762 /* H is already in place so just set final 0xbc */
763
764 EM[emLen - 1] = 0xbc;
765
766 ret = 1;
767
768 err:
769 OPENSSL_free(salt);
770
771 return ret;
772 }
773