crypto/rsa/rsa_sign.c

   1 /*
   2  * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the OpenSSL license (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <stdio.h>
  11 #include "internal/cryptlib.h"
  12 #include <openssl/bn.h>
  13 #include <openssl/rsa.h>
  14 #include <openssl/objects.h>
  15 #include <openssl/x509.h>
  16 #include "internal/x509_int.h"
  17 #include "rsa_locl.h"
  18
  19 /* Size of an SSL signature: MD5+SHA1 */
  20 #define SSL_SIG_LENGTH  36
  21
  22 int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
  23              unsigned char *sigret, unsigned int *siglen, RSA *rsa)
  24 {
  25     X509_SIG sig;
  26     ASN1_TYPE parameter;
  27     int i, j, ret = 1;
  28     unsigned char *p, *tmps = NULL;
  29     const unsigned char *s = NULL;
  30     X509_ALGOR algor;
  31     ASN1_OCTET_STRING digest;
  32     if (rsa->meth->rsa_sign) {
  33         return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
  34     }
  35     /* Special case: SSL signature, just check the length */
  36     if (type == NID_md5_sha1) {
  37         if (m_len != SSL_SIG_LENGTH) {
  38             RSAerr(RSA_F_RSA_SIGN, RSA_R_INVALID_MESSAGE_LENGTH);
  39             return (0);
  40         }
  41         i = SSL_SIG_LENGTH;
  42         s = m;
  43     } else {
  44         sig.algor = &algor;
  45         sig.algor->algorithm = OBJ_nid2obj(type);
  46         if (sig.algor->algorithm == NULL) {
  47             RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE);
  48             return (0);
  49         }
  50         if (OBJ_length(sig.algor->algorithm) == 0) {
  51             RSAerr(RSA_F_RSA_SIGN,
  52                    RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
  53             return (0);
  54         }
  55         parameter.type = V_ASN1_NULL;
  56         parameter.value.ptr = NULL;
  57         sig.algor->parameter = &parameter;
  58
  59         sig.digest = &digest;
  60         sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */
  61         sig.digest->length = m_len;
  62
  63         i = i2d_X509_SIG(&sig, NULL);
  64     }
  65     j = RSA_size(rsa);
  66     if (i > (j - RSA_PKCS1_PADDING_SIZE)) {
  67         RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
  68         return (0);
  69     }
  70     if (type != NID_md5_sha1) {
  71         tmps = OPENSSL_malloc((unsigned int)j + 1);
  72         if (tmps == NULL) {
  73             RSAerr(RSA_F_RSA_SIGN, ERR_R_MALLOC_FAILURE);
  74             return (0);
  75         }
  76         p = tmps;
  77         i2d_X509_SIG(&sig, &p);
  78         s = tmps;
  79     }
  80     i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
  81     if (i <= 0)
  82         ret = 0;
  83     else
  84         *siglen = i;
  85
  86     if (type != NID_md5_sha1)
  87         OPENSSL_clear_free(tmps, (unsigned int)j + 1);
  88     return (ret);
  89 }
  90
  91 /*
  92  * Check DigestInfo structure does not contain extraneous data by reencoding
  93  * using DER and checking encoding against original.
  94  */
  95 static int rsa_check_digestinfo(X509_SIG *sig, const unsigned char *dinfo,
  96                                 int dinfolen)
  97 {
  98     unsigned char *der = NULL;
  99     int derlen;
 100     int ret = 0;
 101     derlen = i2d_X509_SIG(sig, &der);
 102     if (derlen <= 0)
 103         return 0;
 104     if (derlen == dinfolen && !memcmp(dinfo, der, derlen))
 105         ret = 1;
 106     OPENSSL_clear_free(der, derlen);
 107     return ret;
 108 }
 109
 110 int int_rsa_verify(int dtype, const unsigned char *m,
 111                    unsigned int m_len,
 112                    unsigned char *rm, size_t *prm_len,
 113                    const unsigned char *sigbuf, size_t siglen, RSA *rsa)
 114 {
 115     int i, ret = 0, sigtype;
 116     unsigned char *s;
 117     X509_SIG *sig = NULL;
 118
 119     if (siglen != (unsigned int)RSA_size(rsa)) {
 120         RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_WRONG_SIGNATURE_LENGTH);
 121         return (0);
 122     }
 123
 124     if ((dtype == NID_md5_sha1) && rm) {
 125         i = RSA_public_decrypt((int)siglen,
 126                                sigbuf, rm, rsa, RSA_PKCS1_PADDING);
 127         if (i <= 0)
 128             return 0;
 129         *prm_len = i;
 130         return 1;
 131     }
 132
 133     s = OPENSSL_malloc((unsigned int)siglen);
 134     if (s == NULL) {
 135         RSAerr(RSA_F_INT_RSA_VERIFY, ERR_R_MALLOC_FAILURE);
 136         goto err;
 137     }
 138     if ((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH)) {
 139         RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH);
 140         goto err;
 141     }
 142     i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
 143
 144     if (i <= 0)
 145         goto err;
 146     /*
 147      * Oddball MDC2 case: signature can be OCTET STRING. check for correct
 148      * tag and length octets.
 149      */
 150     if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10) {
 151         if (rm) {
 152             memcpy(rm, s + 2, 16);
 153             *prm_len = 16;
 154             ret = 1;
 155         } else if (memcmp(m, s + 2, 16)) {
 156             RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
 157         } else {
 158             ret = 1;
 159         }
 160     } else if (dtype == NID_md5_sha1) {
 161         /* Special case: SSL signature */
 162         if ((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH))
 163             RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
 164         else
 165             ret = 1;
 166     } else {
 167         const unsigned char *p = s;
 168         sig = d2i_X509_SIG(NULL, &p, (long)i);
 169
 170         if (sig == NULL)
 171             goto err;
 172
 173         /* Excess data can be used to create forgeries */
 174         if (p != s + i || !rsa_check_digestinfo(sig, s, i)) {
 175             RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
 176             goto err;
 177         }
 178
 179         /*
 180          * Parameters to the signature algorithm can also be used to create
 181          * forgeries
 182          */
 183         if (sig->algor->parameter
 184             && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) {
 185             RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
 186             goto err;
 187         }
 188
 189         sigtype = OBJ_obj2nid(sig->algor->algorithm);
 190
 191         if (sigtype != dtype) {
 192             RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_ALGORITHM_MISMATCH);
 193             goto err;
 194         }
 195         if (rm) {
 196             const EVP_MD *md;
 197             md = EVP_get_digestbynid(dtype);
 198             if (md && (EVP_MD_size(md) != sig->digest->length))
 199                 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
 200             else {
 201                 memcpy(rm, sig->digest->data, sig->digest->length);
 202                 *prm_len = sig->digest->length;
 203                 ret = 1;
 204             }
 205         } else if (((unsigned int)sig->digest->length != m_len) ||
 206                    (memcmp(m, sig->digest->data, m_len) != 0)) {
 207             RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
 208         } else
 209             ret = 1;
 210     }
 211  err:
 212     X509_SIG_free(sig);
 213     OPENSSL_clear_free(s, (unsigned int)siglen);
 214     return (ret);
 215 }
 216
 217 int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
 218                const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
 219 {
 220
 221     if (rsa->meth->rsa_verify) {
 222         return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
 223     }
 224
 225     return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
 226 }