1/* rsa_pss.c */ 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2005. 4 */ 5/* ==================================================================== 6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59#include <stdio.h> 60#include "cryptlib.h" 61#include <openssl/bn.h> 62#include <openssl/rsa.h> 63#include <openssl/evp.h> 64#include <openssl/rand.h> 65#include <openssl/sha.h> 66 67static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0}; 68 69#if defined(_MSC_VER) && defined(_ARM_) 70#pragma optimize("g", off) 71#endif 72 73int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, 74 const EVP_MD *Hash, const unsigned char *EM, int sLen) 75 { 76 int i; 77 int ret = 0; 78 int hLen, maskedDBLen, MSBits, emLen; 79 const unsigned char *H; 80 unsigned char *DB = NULL; 81 EVP_MD_CTX ctx; 82 unsigned char H_[EVP_MAX_MD_SIZE]; 83 84 hLen = EVP_MD_size(Hash); 85 if (hLen < 0) 86 goto err; 87 /* 88 * Negative sLen has special meanings: 89 * -1 sLen == hLen 90 * -2 salt length is autorecovered from signature 91 * -N reserved 92 */ 93 if (sLen == -1) sLen = hLen; 94 else if (sLen == -2) sLen = -2; 95 else if (sLen < -2) 96 { 97 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); 98 goto err; 99 } 100 101 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 102 emLen = RSA_size(rsa); 103 if (EM[0] & (0xFF << MSBits)) 104 { 105 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID); 106 goto err; 107 } 108 if (MSBits == 0) 109 { 110 EM++; 111 emLen--; 112 } 113 if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */ 114 { 115 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE); 116 goto err; 117 } 118 if (EM[emLen - 1] != 0xbc) 119 { 120 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID); 121 goto err; 122 } 123 maskedDBLen = emLen - hLen - 1; 124 H = EM + maskedDBLen; 125 DB = OPENSSL_malloc(maskedDBLen); 126 if (!DB) 127 { 128 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE); 129 goto err; 130 } 131 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash) < 0) 132 goto err; 133 for (i = 0; i < maskedDBLen; i++) 134 DB[i] ^= EM[i]; 135 if (MSBits) 136 DB[0] &= 0xFF >> (8 - MSBits); 137 for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ; 138 if (DB[i++] != 0x1) 139 { 140 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED); 141 goto err; 142 } 143 if (sLen >= 0 && (maskedDBLen - i) != sLen) 144 { 145 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); 146 goto err; 147 } 148 EVP_MD_CTX_init(&ctx); 149 EVP_DigestInit_ex(&ctx, Hash, NULL); 150 EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); 151 EVP_DigestUpdate(&ctx, mHash, hLen); 152 if (maskedDBLen - i) 153 EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i); 154 EVP_DigestFinal(&ctx, H_, NULL); 155 EVP_MD_CTX_cleanup(&ctx); 156 if (memcmp(H_, H, hLen)) 157 { 158 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE); 159 ret = 0; 160 } 161 else 162 ret = 1; 163 164 err: 165 if (DB) 166 OPENSSL_free(DB); 167 168 return ret; 169 170 } 171 172int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, 173 const unsigned char *mHash, 174 const EVP_MD *Hash, int sLen) 175 { 176 int i; 177 int ret = 0; 178 int hLen, maskedDBLen, MSBits, emLen; 179 unsigned char *H, *salt = NULL, *p; 180 EVP_MD_CTX ctx; 181 182 hLen = EVP_MD_size(Hash); 183 if (hLen < 0) 184 goto err; 185 /* 186 * Negative sLen has special meanings: 187 * -1 sLen == hLen 188 * -2 salt length is maximized 189 * -N reserved 190 */ 191 if (sLen == -1) sLen = hLen; 192 else if (sLen == -2) sLen = -2; 193 else if (sLen < -2) 194 { 195 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); 196 goto err; 197 } 198 199 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 200 emLen = RSA_size(rsa); 201 if (MSBits == 0) 202 { 203 *EM++ = 0; 204 emLen--; 205 } 206 if (sLen == -2) 207 { 208 sLen = emLen - hLen - 2; 209 } 210 else if (emLen < (hLen + sLen + 2)) 211 { 212 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, 213 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 214 goto err; 215 } 216 if (sLen > 0) 217 { 218 salt = OPENSSL_malloc(sLen); 219 if (!salt) 220 { 221 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, 222 ERR_R_MALLOC_FAILURE); 223 goto err; 224 } 225 if (RAND_bytes(salt, sLen) <= 0) 226 goto err; 227 } 228 maskedDBLen = emLen - hLen - 1; 229 H = EM + maskedDBLen; 230 EVP_MD_CTX_init(&ctx); 231 EVP_DigestInit_ex(&ctx, Hash, NULL); 232 EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); 233 EVP_DigestUpdate(&ctx, mHash, hLen); 234 if (sLen) 235 EVP_DigestUpdate(&ctx, salt, sLen); 236 EVP_DigestFinal(&ctx, H, NULL); 237 EVP_MD_CTX_cleanup(&ctx); 238 239 /* Generate dbMask in place then perform XOR on it */ 240 if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash)) 241 goto err; 242 243 p = EM; 244 245 /* Initial PS XORs with all zeroes which is a NOP so just update 246 * pointer. Note from a test above this value is guaranteed to 247 * be non-negative. 248 */ 249 p += emLen - sLen - hLen - 2; 250 *p++ ^= 0x1; 251 if (sLen > 0) 252 { 253 for (i = 0; i < sLen; i++) 254 *p++ ^= salt[i]; 255 } 256 if (MSBits) 257 EM[0] &= 0xFF >> (8 - MSBits); 258 259 /* H is already in place so just set final 0xbc */ 260 261 EM[emLen - 1] = 0xbc; 262 263 ret = 1; 264 265 err: 266 if (salt) 267 OPENSSL_free(salt); 268 269 return ret; 270 271 } 272 273#if defined(_MSC_VER) 274#pragma optimize("",on) 275#endif 276