1/* rsa_pss.c */ 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2005. 4 */ 5/* ==================================================================== 6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59#include <stdio.h> 60#include "cryptlib.h" 61#include <openssl/bn.h> 62#include <openssl/rsa.h> 63#include <openssl/evp.h> 64#include <openssl/rand.h> 65#include <openssl/sha.h> 66 67static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0}; 68 69#if defined(_MSC_VER) && defined(_ARM_) 70#pragma optimize("g", off) 71#endif 72 73int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, 74 const EVP_MD *Hash, const unsigned char *EM, int sLen) 75 { 76 int i; 77 int ret = 0; 78 int hLen, maskedDBLen, MSBits, emLen; 79 const unsigned char *H; 80 unsigned char *DB = NULL; 81 EVP_MD_CTX ctx; 82 unsigned char H_[EVP_MAX_MD_SIZE]; 83 84 hLen = M_EVP_MD_size(Hash); 85 /* 86 * Negative sLen has special meanings: 87 * -1 sLen == hLen 88 * -2 salt length is autorecovered from signature 89 * -N reserved 90 */ 91 if (sLen == -1) sLen = hLen; 92 else if (sLen == -2) sLen = -2; 93 else if (sLen < -2) 94 { 95 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); 96 goto err; 97 } 98 99 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 100 emLen = RSA_size(rsa); 101 if (EM[0] & (0xFF << MSBits)) 102 { 103 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID); 104 goto err; 105 } 106 if (MSBits == 0) 107 { 108 EM++; 109 emLen--; 110 } 111 if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */ 112 { 113 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE); 114 goto err; 115 } 116 if (EM[emLen - 1] != 0xbc) 117 { 118 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID); 119 goto err; 120 } 121 maskedDBLen = emLen - hLen - 1; 122 H = EM + maskedDBLen; 123 DB = OPENSSL_malloc(maskedDBLen); 124 if (!DB) 125 { 126 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE); 127 goto err; 128 } 129 PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash); 130 for (i = 0; i < maskedDBLen; i++) 131 DB[i] ^= EM[i]; 132 if (MSBits) 133 DB[0] &= 0xFF >> (8 - MSBits); 134 for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ; 135 if (DB[i++] != 0x1) 136 { 137 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED); 138 goto err; 139 } 140 if (sLen >= 0 && (maskedDBLen - i) != sLen) 141 { 142 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); 143 goto err; 144 } 145 EVP_MD_CTX_init(&ctx); 146 EVP_DigestInit_ex(&ctx, Hash, NULL); 147 EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); 148 EVP_DigestUpdate(&ctx, mHash, hLen); 149 if (maskedDBLen - i) 150 EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i); 151 EVP_DigestFinal(&ctx, H_, NULL); 152 EVP_MD_CTX_cleanup(&ctx); 153 if (memcmp(H_, H, hLen)) 154 { 155 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE); 156 ret = 0; 157 } 158 else 159 ret = 1; 160 161 err: 162 if (DB) 163 OPENSSL_free(DB); 164 165 return ret; 166 167 } 168 169int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, 170 const unsigned char *mHash, 171 const EVP_MD *Hash, int sLen) 172 { 173 int i; 174 int ret = 0; 175 int hLen, maskedDBLen, MSBits, emLen; 176 unsigned char *H, *salt = NULL, *p; 177 EVP_MD_CTX ctx; 178 179 hLen = M_EVP_MD_size(Hash); 180 /* 181 * Negative sLen has special meanings: 182 * -1 sLen == hLen 183 * -2 salt length is maximized 184 * -N reserved 185 */ 186 if (sLen == -1) sLen = hLen; 187 else if (sLen == -2) sLen = -2; 188 else if (sLen < -2) 189 { 190 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); 191 goto err; 192 } 193 194 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 195 emLen = RSA_size(rsa); 196 if (MSBits == 0) 197 { 198 *EM++ = 0; 199 emLen--; 200 } 201 if (sLen == -2) 202 { 203 sLen = emLen - hLen - 2; 204 } 205 else if (emLen < (hLen + sLen + 2)) 206 { 207 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, 208 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 209 goto err; 210 } 211 if (sLen > 0) 212 { 213 salt = OPENSSL_malloc(sLen); 214 if (!salt) 215 { 216 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, 217 ERR_R_MALLOC_FAILURE); 218 goto err; 219 } 220 if (RAND_bytes(salt, sLen) <= 0) 221 goto err; 222 } 223 maskedDBLen = emLen - hLen - 1; 224 H = EM + maskedDBLen; 225 EVP_MD_CTX_init(&ctx); 226 EVP_DigestInit_ex(&ctx, Hash, NULL); 227 EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); 228 EVP_DigestUpdate(&ctx, mHash, hLen); 229 if (sLen) 230 EVP_DigestUpdate(&ctx, salt, sLen); 231 EVP_DigestFinal(&ctx, H, NULL); 232 EVP_MD_CTX_cleanup(&ctx); 233 234 /* Generate dbMask in place then perform XOR on it */ 235 PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash); 236 237 p = EM; 238 239 /* Initial PS XORs with all zeroes which is a NOP so just update 240 * pointer. Note from a test above this value is guaranteed to 241 * be non-negative. 242 */ 243 p += emLen - sLen - hLen - 2; 244 *p++ ^= 0x1; 245 if (sLen > 0) 246 { 247 for (i = 0; i < sLen; i++) 248 *p++ ^= salt[i]; 249 } 250 if (MSBits) 251 EM[0] &= 0xFF >> (8 - MSBits); 252 253 /* H is already in place so just set final 0xbc */ 254 255 EM[emLen - 1] = 0xbc; 256 257 ret = 1; 258 259 err: 260 if (salt) 261 OPENSSL_free(salt); 262 263 return ret; 264 265 } 266 267#if defined(_MSC_VER) 268#pragma optimize("",on) 269#endif 270