2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/bn.h>
13 #include <openssl/rsa.h>
14 #include <openssl/objects.h>
15 #include <openssl/x509.h>
16 #include "internal/x509_int.h"
19 /* Size in bytes of the digest signed for an SSL signature: MD5 (16 bytes) plus SHA-1 (20 bytes) */
20 #define SSL_SIG_LENGTH 36
/*
 * RSA_sign: sign the digest m[0..m_len) with PKCS#1 v1.5 padding
 * (RSA_PKCS1_PADDING) and write the result to sigret.
 *
 * type   - NID of the digest algorithm that produced m. NID_md5_sha1 is the
 *          SSL special case: m must be exactly SSL_SIG_LENGTH bytes and no
 *          DigestInfo is encoded for it in the lines shown.
 * sigret - output buffer. Its capacity is not passed in; the caller
 *          presumably has to provide RSA_size(rsa) bytes - TODO confirm.
 * siglen - presumably receives the signature length; the assignment is on a
 *          line this listing omits.
 *
 * NOTE(review): this listing is lossy. The leading numbers are the original
 * file's line numbers; wherever they skip, lines are missing (braces,
 * several declarations, the returns, the assignment of j). The comments
 * below describe only what is visible.
 */
22 int RSA_sign(int type
, const unsigned char *m
, unsigned int m_len
,
23 unsigned char *sigret
, unsigned int *siglen
, RSA
*rsa
)
28 unsigned char *p
, *tmps
= NULL
;
29 const unsigned char *s
= NULL
;
31 ASN1_OCTET_STRING digest
;
/*
 * A method-supplied rsa_sign hook takes over completely: the call returns
 * its result directly, so none of the length or encoding checks below are
 * applied on that path.
 */
32 if (rsa
->meth
->rsa_sign
) {
33 return rsa
->meth
->rsa_sign(type
, m
, m_len
, sigret
, siglen
, rsa
);
35 /* Special case: SSL signature, just check the length */
36 if (type
== NID_md5_sha1
) {
37 if (m_len
!= SSL_SIG_LENGTH
) {
38 RSAerr(RSA_F_RSA_SIGN
, RSA_R_INVALID_MESSAGE_LENGTH
);
/* Other digests: build a DigestInfo whose algorithm OID comes from type. */
45 sig
.algor
->algorithm
= OBJ_nid2obj(type
);
46 if (sig
.algor
->algorithm
== NULL
) {
47 RSAerr(RSA_F_RSA_SIGN
, RSA_R_UNKNOWN_ALGORITHM_TYPE
);
/* A NID without a registered OID encoding cannot be placed in a DigestInfo. */
50 if (OBJ_length(sig
.algor
->algorithm
) == 0) {
51 RSAerr(RSA_F_RSA_SIGN
,
52 RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD
);
/* The algorithm parameters are set to an explicit ASN.1 NULL. */
55 parameter
.type
= V_ASN1_NULL
;
56 parameter
.value
.ptr
= NULL
;
/*
 * NOTE(review): the right-hand side below is garbled in this listing; it
 * looks like "&parameter" (address of the variable initialised just above)
 * with "&para" turned into a pilcrow by an HTML-entity decode.
 */
57 sig
.algor
->parameter
= ¶meter
;
/* The digest is referenced, not copied; the cast only removes const from m. */
60 sig
.digest
->data
= (unsigned char *)m
; /* TMP UGLY CAST */
61 sig
.digest
->length
= m_len
;
/* First pass with a NULL output pointer: only computes the DER length. */
63 i
= i2d_X509_SIG(&sig
, NULL
);
/*
 * The data to sign must leave room for the PKCS#1 padding. j is assigned on
 * a line not shown - presumably RSA_size(rsa), TODO confirm.
 */
66 if (i
> (j
- RSA_PKCS1_PADDING_SIZE
)) {
67 RSAerr(RSA_F_RSA_SIGN
, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
);
/* Only the DigestInfo path needs a scratch buffer for the DER encoding. */
70 if (type
!= NID_md5_sha1
) {
71 tmps
= OPENSSL_malloc((unsigned int)j
+ 1);
73 RSAerr(RSA_F_RSA_SIGN
, ERR_R_MALLOC_FAILURE
);
/*
 * Second pass writes the encoding through p (presumably pointing at tmps).
 * The return value is not used here; the length i was bounded above.
 */
77 i2d_X509_SIG(&sig
, &p
);
/* i is reused: length of the data to sign in, RSA_private_encrypt result out. */
80 i
= RSA_private_encrypt(i
, s
, sigret
, rsa
, RSA_PKCS1_PADDING
);
/* The scratch copy of the DigestInfo is wiped before it is released. */
86 if (type
!= NID_md5_sha1
)
87 OPENSSL_clear_free(tmps
, (unsigned int)j
+ 1);
92 * Check DigestInfo structure does not contain extraneous data by reencoding
93 * using DER and checking encoding against original.
/*
 * rsa_check_digestinfo: re-encode the parsed DigestInfo (sig) as DER and
 * compare it byte for byte with the buffer it was parsed from (dinfo).
 * A difference in length or content means the recovered bytes were not the
 * DER encoding of what the parser accepted. The temporary encoding is
 * released with OPENSSL_clear_free.
 *
 * NOTE(review): the third parameter (used below as dinfolen), the
 * declaration of derlen, the result variable and the return statements are
 * on lines this listing omits.
 */
95 static int rsa_check_digestinfo(X509_SIG
*sig
, const unsigned char *dinfo
,
98 unsigned char *der
= NULL
;
/* der is NULL on entry, so i2d_X509_SIG allocates the output buffer itself. */
101 derlen
= i2d_X509_SIG(sig
, &der
);
/* Both the length and every byte must match for the check to pass. */
104 if (derlen
== dinfolen
&& !memcmp(dinfo
, der
, derlen
))
106 OPENSSL_clear_free(der
, derlen
);
/*
 * int_rsa_verify: built-in PKCS#1 v1.5 (RSA_PKCS1_PADDING) signature check
 * with an optional digest-recovery mode.
 *
 * dtype          - NID of the digest algorithm the caller expects.
 * m              - expected digest; compared with the recovered one when rm
 *                  is NULL. Its length m_len is declared on an omitted line.
 * rm, prm_len    - when rm is non-NULL the recovered digest is copied out
 *                  (and its length stored in *prm_len) instead of compared.
 * sigbuf, siglen - the signature; siglen must equal RSA_size(rsa).
 *
 * ret starts at 0, so a path that never sets it presumably reports failure;
 * the assignments of 1 and the return are on lines this listing omits.
 *
 * NOTE(review): this listing is lossy. The leading numbers are the original
 * file's line numbers; wherever they skip, lines are missing. The comments
 * below describe only what is visible.
 */
110 int int_rsa_verify(int dtype
, const unsigned char *m
,
112 unsigned char *rm
, size_t *prm_len
,
113 const unsigned char *sigbuf
, size_t siglen
, RSA
*rsa
)
115 int i
, ret
= 0, sigtype
;
117 X509_SIG
*sig
= NULL
;
/* The signature must be exactly as long as the modulus, checked before any decryption. */
119 if (siglen
!= (unsigned int)RSA_size(rsa
)) {
120 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_WRONG_SIGNATURE_LENGTH
);
/*
 * Recovery mode for the SSL MD5+SHA1 case: the unpadded result is written
 * straight into rm. rm's capacity is not visible here - presumably the
 * caller sizes it for the modulus, TODO confirm.
 */
124 if ((dtype
== NID_md5_sha1
) && rm
) {
125 i
= RSA_public_decrypt((int)siglen
,
126 sigbuf
, rm
, rsa
, RSA_PKCS1_PADDING
);
/* s receives the recovered, unpadded encoding for all remaining paths. */
133 s
= OPENSSL_malloc((unsigned int)siglen
);
135 RSAerr(RSA_F_INT_RSA_VERIFY
, ERR_R_MALLOC_FAILURE
);
/* The expected digest length is validated before the public-key operation. */
138 if ((dtype
== NID_md5_sha1
) && (m_len
!= SSL_SIG_LENGTH
)) {
139 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_INVALID_MESSAGE_LENGTH
);
142 i
= RSA_public_decrypt((int)siglen
, sigbuf
, s
, rsa
, RSA_PKCS1_PADDING
);
/*
 * MDC2 exception: an 18-byte bare OCTET STRING (tag 0x04, length 0x10) is
 * accepted in place of a full DigestInfo. NOTE(review): the 16-byte copy
 * and compare below do not consult m_len in the visible lines - confirm
 * callers always pass a 16-byte digest for NID_mdc2.
 */
147 * Oddball MDC2 case: signature can be OCTET STRING. check for correct
148 * tag and length octets.
150 if (dtype
== NID_mdc2
&& i
== 18 && s
[0] == 0x04 && s
[1] == 0x10) {
152 memcpy(rm
, s
+ 2, 16);
155 } else if (memcmp(m
, s
+ 2, 16)) {
156 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_BAD_SIGNATURE
);
160 } else if (dtype
== NID_md5_sha1
) {
161 /* Special case: SSL signature */
/* No DigestInfo here: the recovered bytes must be exactly SSL_SIG_LENGTH long and equal to m. */
162 if ((i
!= SSL_SIG_LENGTH
) || memcmp(s
, m
, SSL_SIG_LENGTH
))
163 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_BAD_SIGNATURE
);
/* General case: parse the recovered bytes as a DigestInfo; d2i advances p past what it consumed. */
167 const unsigned char *p
= s
;
168 sig
= d2i_X509_SIG(NULL
, &p
, (long)i
);
173 /* Excess data can be used to create forgeries */
/*
 * Two separate strictness checks: the parser must have consumed every
 * recovered byte (p == s + i), and re-encoding the parsed structure must
 * reproduce the input exactly.
 */
174 if (p
!= s
+ i
|| !rsa_check_digestinfo(sig
, s
, i
)) {
175 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_BAD_SIGNATURE
);
/* Only an absent parameter or an ASN.1 NULL is accepted. */
180 * Parameters to the signature algorithm can also be used to create
183 if (sig
->algor
->parameter
184 && ASN1_TYPE_get(sig
->algor
->parameter
) != V_ASN1_NULL
) {
185 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_BAD_SIGNATURE
);
/* The OID carried inside the signature must map to the NID the caller asked for. */
189 sigtype
= OBJ_obj2nid(sig
->algor
->algorithm
);
191 if (sigtype
!= dtype
) {
192 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_ALGORITHM_MISMATCH
);
/*
 * Recovery mode: the embedded digest length is checked against EVP_MD_size
 * only when dtype resolves to a known digest; with md == NULL this test
 * does not fail. NOTE(review): rm's capacity is not visible here - confirm
 * callers size it for the largest digest they can receive.
 */
197 md
= EVP_get_digestbynid(dtype
);
198 if (md
&& (EVP_MD_size(md
) != sig
->digest
->length
))
199 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_INVALID_DIGEST_LENGTH
);
201 memcpy(rm
, sig
->digest
->data
, sig
->digest
->length
);
202 *prm_len
= sig
->digest
->length
;
/* Compare mode: the length is tested first, so memcmp never reads past the embedded digest. */
205 } else if (((unsigned int)sig
->digest
->length
!= m_len
) ||
206 (memcmp(m
, sig
->digest
->data
, m_len
) != 0)) {
207 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_BAD_SIGNATURE
);
/* s held the recovered encoding; it is wiped before being freed. */
213 OPENSSL_clear_free(s
, (unsigned int)siglen
);
/*
 * RSA_verify: check the signature sigbuf[0..siglen) against the digest
 * m[0..m_len) for digest type dtype.
 *
 * If the key's method table supplies its own rsa_verify hook, that hook
 * decides the result and the built-in checks are not run. Otherwise the
 * call is forwarded to int_rsa_verify() with rm and prm_len set to NULL.
 *
 * Returns whatever the selected verifier returns.
 */
int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
               const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
{
    /* No method override: use the built-in verifier. */
    if (rsa->meth->rsa_verify == NULL)
        return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen,
                              rsa);

    return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
}