[thirdparty/openssl.git] / crypto / rsa / rsa_pss.c

/*
 * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_local.h"

static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };

#if defined(_MSC_VER) && defined(_ARM_)
# pragma optimize("g", off)
#endif

int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
                         const EVP_MD *Hash, const unsigned char *EM,
                         int sLen)
{
    return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
}

int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
                              const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                              const unsigned char *EM, int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    const unsigned char *H;
    unsigned char *DB = NULL;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    unsigned char H_[EVP_MAX_MD_SIZE];

    if (ctx == NULL)
        goto err;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is autorecovered from signature
     *      -3      salt length is maximized
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen < RSA_PSS_SALTLEN_MAX) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (EM[0] & (0xFF << MSBits)) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
        goto err;
    }
    if (MSBits == 0) {
        EM++;
        emLen--;
    }
    if (emLen < hLen + 2) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (EM[emLen - 1] != 0xbc) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
        goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    DB = OPENSSL_malloc(maskedDBLen);
    if (DB == NULL) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
        goto err;
    for (i = 0; i < maskedDBLen; i++)
        DB[i] ^= EM[i];
    if (MSBits)
        DB[0] &= 0xFF >> (8 - MSBits);
    for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
    if (DB[i++] != 0x1) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
        goto err;
    }
    if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (maskedDBLen - i) {
        if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
            goto err;
    }
    if (!EVP_DigestFinal_ex(ctx, H_, NULL))
        goto err;
    if (memcmp(H_, H, hLen)) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
        ret = 0;
    } else {
        ret = 1;
    }

 err:
    OPENSSL_free(DB);
    EVP_MD_CTX_free(ctx);

    return ret;

}

int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
                              const unsigned char *mHash,
                              const EVP_MD *Hash, int sLen)
{
    return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
}

int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
                                   const unsigned char *mHash,
                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                                   int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    unsigned char *H, *salt = NULL, *p;
    EVP_MD_CTX *ctx = NULL;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is maximized
     *      -3      same as above (on signing)
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
        sLen = RSA_PSS_SALTLEN_MAX;
    } else if (sLen < RSA_PSS_SALTLEN_MAX) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (MSBits == 0) {
        *EM++ = 0;
        emLen--;
    }
    if (emLen < hLen + 2) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen > 0) {
        salt = OPENSSL_malloc(sLen);
        if (salt == NULL) {
            RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
                   ERR_R_MALLOC_FAILURE);
            goto err;
        }
        if (RAND_bytes(salt, sLen) <= 0)
            goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    ctx = EVP_MD_CTX_new();
    if (ctx == NULL)
        goto err;
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
        goto err;
    if (!EVP_DigestFinal_ex(ctx, H, NULL))
        goto err;

    /* Generate dbMask in place then perform XOR on it */
    if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
        goto err;

    p = EM;

    /*
     * Initial PS XORs with all zeroes which is a NOP so just update pointer.
     * Note from a test above this value is guaranteed to be non-negative.
     */
    p += emLen - sLen - hLen - 2;
    *p++ ^= 0x1;
    if (sLen > 0) {
        for (i = 0; i < sLen; i++)
            *p++ ^= salt[i];
    }
    if (MSBits)
        EM[0] &= 0xFF >> (8 - MSBits);

    /* H is already in place so just set final 0xbc */

    EM[emLen - 1] = 0xbc;

    ret = 1;

 err:
    EVP_MD_CTX_free(ctx);
    OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */

    return ret;

}

#if defined(_MSC_VER)
# pragma optimize("",on)
#endif
Commit	Line	Data
0f113f3e	1	/*
82eba370	2	* Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
429168e7	3	*
2a7b6f39	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
2039c421 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
429168e7 DSH	8	*/
	9
	10	#include <stdio.h>
b39fc560	11	#include "internal/cryptlib.h"
429168e7 DSH	12	#include <openssl/bn.h>
	13	#include <openssl/rsa.h>
	14	#include <openssl/evp.h>
	15	#include <openssl/rand.h>
	16	#include <openssl/sha.h>
706457b7	17	#include "rsa_local.h"
429168e7	18
0f113f3e	19	static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
429168e7	20
0491e058	21	#if defined(_MSC_VER) && defined(_ARM_)
0f113f3e	22	# pragma optimize("g", off)
0491e058 AP	23	#endif
0491e058 AP	24
429168e7	25	int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,
0f113f3e MC	26	const EVP_MD Hash, const unsigned char EM,
	27	int sLen)
	28	{
	29	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
	30	}
e8254d40 DSH	31
e8254d40 DSH	32	int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
0f113f3e MC	33	const EVP_MD Hash, const EVP_MD mgf1Hash,
	34	const unsigned char *EM, int sLen)
	35	{
	36	int i;
	37	int ret = 0;
	38	int hLen, maskedDBLen, MSBits, emLen;
	39	const unsigned char *H;
	40	unsigned char *DB = NULL;
bfb0641f	41	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
0f113f3e	42	unsigned char H_[EVP_MAX_MD_SIZE];
6e59a892	43
6e59a892 RL	44	if (ctx == NULL)
6e59a892 RL	45	goto err;
d51204f1	46
0f113f3e MC	47	if (mgf1Hash == NULL)
0f113f3e MC	48	mgf1Hash = Hash;
e8254d40	49
6e59a892	50	hLen = EVP_MD_size(Hash);
0f113f3e MC	51	if (hLen < 0)
0f113f3e MC	52	goto err;
50e735f9 MC	53	/*-
	54	* Negative sLen has special meanings:
	55	* -1 sLen == hLen
	56	* -2 salt length is autorecovered from signature
108909d3	57	* -3 salt length is maximized
50e735f9 MC	58	* -N reserved
50e735f9 MC	59	*/
90862ab4	60	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
0f113f3e	61	sLen = hLen;
90862ab4	62	} else if (sLen < RSA_PSS_SALTLEN_MAX) {
0f113f3e MC	63	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
	64	goto err;
	65	}
d51204f1	66
0f113f3e MC	67	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
	68	emLen = RSA_size(rsa);
	69	if (EM[0] & (0xFF << MSBits)) {
	70	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
	71	goto err;
	72	}
	73	if (MSBits == 0) {
	74	EM++;
	75	emLen--;
	76	}
108909d3 BE	77	if (emLen < hLen + 2) {
	78	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
	79	goto err;
	80	}
137096a7 DSH	81	if (sLen == RSA_PSS_SALTLEN_MAX) {
137096a7 DSH	82	sLen = emLen - hLen - 2;
108909d3	83	} else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
0f113f3e MC	84	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
	85	goto err;
	86	}
	87	if (EM[emLen - 1] != 0xbc) {
	88	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
	89	goto err;
	90	}
	91	maskedDBLen = emLen - hLen - 1;
	92	H = EM + maskedDBLen;
	93	DB = OPENSSL_malloc(maskedDBLen);
90945fa3	94	if (DB == NULL) {
0f113f3e MC	95	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
	96	goto err;
	97	}
	98	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
	99	goto err;
	100	for (i = 0; i < maskedDBLen; i++)
	101	DB[i] ^= EM[i];
	102	if (MSBits)
	103	DB[0] &= 0xFF >> (8 - MSBits);
	104	for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
	105	if (DB[i++] != 0x1) {
	106	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
	107	goto err;
	108	}
137096a7	109	if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
0f113f3e MC	110	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
	111	goto err;
	112	}
6e59a892	113	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
cbe29648	114	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
6e59a892	115	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
0f113f3e MC	116	goto err;
0f113f3e MC	117	if (maskedDBLen - i) {
6e59a892	118	if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
0f113f3e MC	119	goto err;
0f113f3e MC	120	}
6e59a892	121	if (!EVP_DigestFinal_ex(ctx, H_, NULL))
0f113f3e MC	122	goto err;
	123	if (memcmp(H_, H, hLen)) {
	124	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
	125	ret = 0;
90862ab4	126	} else {
0f113f3e	127	ret = 1;
90862ab4	128	}
429168e7	129
0f113f3e	130	err:
b548a1f1	131	OPENSSL_free(DB);
bfb0641f	132	EVP_MD_CTX_free(ctx);
429168e7	133
0f113f3e	134	return ret;
429168e7	135
0f113f3e	136	}
429168e7 DSH	137
429168e7 DSH	138	int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
0f113f3e MC	139	const unsigned char *mHash,
	140	const EVP_MD *Hash, int sLen)
	141	{
	142	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
	143	}
e8254d40 DSH	144
e8254d40 DSH	145	int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
0f113f3e MC	146	const unsigned char *mHash,
	147	const EVP_MD Hash, const EVP_MD mgf1Hash,
	148	int sLen)
	149	{
	150	int i;
	151	int ret = 0;
	152	int hLen, maskedDBLen, MSBits, emLen;
	153	unsigned char H, salt = NULL, *p;
6e59a892	154	EVP_MD_CTX *ctx = NULL;
d51204f1	155
0f113f3e MC	156	if (mgf1Hash == NULL)
0f113f3e MC	157	mgf1Hash = Hash;
e8254d40	158
6e59a892	159	hLen = EVP_MD_size(Hash);
0f113f3e MC	160	if (hLen < 0)
0f113f3e MC	161	goto err;
50e735f9 MC	162	/*-
	163	* Negative sLen has special meanings:
	164	* -1 sLen == hLen
	165	* -2 salt length is maximized
108909d3	166	* -3 same as above (on signing)
50e735f9 MC	167	* -N reserved
50e735f9 MC	168	*/
90862ab4	169	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
0f113f3e	170	sLen = hLen;
90862ab4	171	} else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
137096a7	172	sLen = RSA_PSS_SALTLEN_MAX;
90862ab4	173	} else if (sLen < RSA_PSS_SALTLEN_MAX) {
0f113f3e MC	174	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
	175	goto err;
	176	}
d51204f1	177
0f113f3e MC	178	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
	179	emLen = RSA_size(rsa);
	180	if (MSBits == 0) {
	181	*EM++ = 0;
	182	emLen--;
	183	}
108909d3 BE	184	if (emLen < hLen + 2) {
	185	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
	186	RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
	187	goto err;
	188	}
137096a7	189	if (sLen == RSA_PSS_SALTLEN_MAX) {
0f113f3e	190	sLen = emLen - hLen - 2;
108909d3	191	} else if (sLen > emLen - hLen - 2) {
0f113f3e MC	192	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
	193	RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
	194	goto err;
	195	}
	196	if (sLen > 0) {
	197	salt = OPENSSL_malloc(sLen);
90945fa3	198	if (salt == NULL) {
0f113f3e MC	199	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
	200	ERR_R_MALLOC_FAILURE);
	201	goto err;
	202	}
	203	if (RAND_bytes(salt, sLen) <= 0)
	204	goto err;
	205	}
	206	maskedDBLen = emLen - hLen - 1;
	207	H = EM + maskedDBLen;
bfb0641f	208	ctx = EVP_MD_CTX_new();
6e59a892 RL	209	if (ctx == NULL)
	210	goto err;
	211	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
cbe29648	212	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
6e59a892	213	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
0f113f3e	214	goto err;
6e59a892	215	if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
0f113f3e	216	goto err;
6e59a892	217	if (!EVP_DigestFinal_ex(ctx, H, NULL))
0f113f3e	218	goto err;
429168e7	219
0f113f3e MC	220	/* Generate dbMask in place then perform XOR on it */
	221	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
	222	goto err;
429168e7	223
0f113f3e	224	p = EM;
429168e7	225
0f113f3e MC	226	/*
	227	* Initial PS XORs with all zeroes which is a NOP so just update pointer.
	228	* Note from a test above this value is guaranteed to be non-negative.
	229	*/
	230	p += emLen - sLen - hLen - 2;
	231	*p++ ^= 0x1;
	232	if (sLen > 0) {
	233	for (i = 0; i < sLen; i++)
	234	*p++ ^= salt[i];
	235	}
	236	if (MSBits)
	237	EM[0] &= 0xFF >> (8 - MSBits);
429168e7	238
0f113f3e	239	/* H is already in place so just set final 0xbc */
429168e7	240
0f113f3e	241	EM[emLen - 1] = 0xbc;
429168e7	242
0f113f3e	243	ret = 1;
429168e7	244
0f113f3e	245	err:
bfb0641f	246	EVP_MD_CTX_free(ctx);
427e91d9	247	OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */
429168e7	248
0f113f3e	249	return ret;
429168e7	250
0f113f3e	251	}
0491e058 AP	252
0491e058 AP	253	#if defined(_MSC_VER)
0f113f3e	254	# pragma optimize("",on)
0491e058	255	#endif