2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/bn.h>
13 #include <openssl/rsa.h>
14 #include <openssl/objects.h>
15 #include <openssl/x509.h>
16 #include "internal/x509_int.h"
19 /* Size of an SSL signature: MD5+SHA1 */
20 #define SSL_SIG_LENGTH 36
23 * encode_pkcs1 encodes a DigestInfo prefix of hash |type| and digest |m|, as
24 * described in EMSA-PKCS1-v1_5-ENCODE, RFC 3447 section 9.2 step 2. This
25 * encodes the DigestInfo (T and tLen) but does not add the padding.
27 * On success, it returns one and sets |*out| to a newly allocated buffer
28 * containing the result and |*out_len| to its length. The caller must free
29 * |*out| with |OPENSSL_free|. Otherwise, it returns zero.
31 static int encode_pkcs1(unsigned char **out
, int *out_len
, int type
,
32 const unsigned char *m
, unsigned int m_len
)
37 ASN1_OCTET_STRING digest
;
42 sig
.algor
->algorithm
= OBJ_nid2obj(type
);
43 if (sig
.algor
->algorithm
== NULL
) {
44 RSAerr(RSA_F_ENCODE_PKCS1
, RSA_R_UNKNOWN_ALGORITHM_TYPE
);
47 if (OBJ_length(sig
.algor
->algorithm
) == 0) {
48 RSAerr(RSA_F_ENCODE_PKCS1
,
49 RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD
);
52 parameter
.type
= V_ASN1_NULL
;
53 parameter
.value
.ptr
= NULL
;
54 sig
.algor
->parameter
= ¶meter
;
57 sig
.digest
->data
= (unsigned char *)m
;
58 sig
.digest
->length
= m_len
;
60 len
= i2d_X509_SIG(&sig
, &der
);
69 int RSA_sign(int type
, const unsigned char *m
, unsigned int m_len
,
70 unsigned char *sigret
, unsigned int *siglen
, RSA
*rsa
)
72 int encrypt_len
, encoded_len
= 0, ret
= 0;
73 unsigned char *tmps
= NULL
;
74 const unsigned char *encoded
= NULL
;
76 if (rsa
->meth
->rsa_sign
) {
77 return rsa
->meth
->rsa_sign(type
, m
, m_len
, sigret
, siglen
, rsa
);
80 /* Compute the encoded digest. */
81 if (type
== NID_md5_sha1
) {
83 * NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and
84 * earlier. It has no DigestInfo wrapper but otherwise is
87 if (m_len
!= SSL_SIG_LENGTH
) {
88 RSAerr(RSA_F_RSA_SIGN
, RSA_R_INVALID_MESSAGE_LENGTH
);
91 encoded_len
= SSL_SIG_LENGTH
;
94 if (!encode_pkcs1(&tmps
, &encoded_len
, type
, m
, m_len
))
99 if (encoded_len
> RSA_size(rsa
) - RSA_PKCS1_PADDING_SIZE
) {
100 RSAerr(RSA_F_RSA_SIGN
, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
);
103 encrypt_len
= RSA_private_encrypt(encoded_len
, encoded
, sigret
, rsa
,
105 if (encrypt_len
<= 0)
108 *siglen
= encrypt_len
;
112 OPENSSL_clear_free(tmps
, (size_t)encoded_len
);
117 * int_rsa_verify verifies an RSA signature in |sigbuf| using |rsa|. It may be
118 * called in two modes. If |rm| is NULL, it verifies the signature for digest
119 * |m|. Otherwise, it recovers the digest from the signature, writing the digest
120 * to |rm| and the length to |*prm_len|. |type| is the NID of the digest
121 * algorithm to use. It returns one on successful verification and zero
124 int int_rsa_verify(int type
, const unsigned char *m
, unsigned int m_len
,
125 unsigned char *rm
, size_t *prm_len
,
126 const unsigned char *sigbuf
, size_t siglen
, RSA
*rsa
)
128 int decrypt_len
, ret
= 0, encoded_len
= 0;
129 unsigned char *decrypt_buf
= NULL
, *encoded
= NULL
;
131 if (siglen
!= (size_t)RSA_size(rsa
)) {
132 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_WRONG_SIGNATURE_LENGTH
);
136 /* Recover the encoded digest. */
137 decrypt_buf
= OPENSSL_malloc(siglen
);
138 if (decrypt_buf
== NULL
) {
139 RSAerr(RSA_F_INT_RSA_VERIFY
, ERR_R_MALLOC_FAILURE
);
143 decrypt_len
= RSA_public_decrypt((int)siglen
, sigbuf
, decrypt_buf
, rsa
,
145 if (decrypt_len
<= 0)
148 if (type
== NID_md5_sha1
) {
150 * NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and
151 * earlier. It has no DigestInfo wrapper but otherwise is
154 if (decrypt_len
!= SSL_SIG_LENGTH
) {
155 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_BAD_SIGNATURE
);
160 memcpy(rm
, decrypt_buf
, SSL_SIG_LENGTH
);
161 *prm_len
= SSL_SIG_LENGTH
;
163 if (m_len
!= SSL_SIG_LENGTH
) {
164 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_INVALID_MESSAGE_LENGTH
);
168 if (memcmp(decrypt_buf
, m
, SSL_SIG_LENGTH
) != 0) {
169 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_BAD_SIGNATURE
);
173 } else if (type
== NID_mdc2
&& decrypt_len
== 2 + 16
174 && decrypt_buf
[0] == 0x04 && decrypt_buf
[1] == 0x10) {
176 * Oddball MDC2 case: signature can be OCTET STRING. check for correct
177 * tag and length octets.
180 memcpy(rm
, decrypt_buf
+ 2, 16);
184 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_INVALID_MESSAGE_LENGTH
);
188 if (memcmp(m
, decrypt_buf
+ 2, 16) != 0) {
189 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_BAD_SIGNATURE
);
195 * If recovering the digest, extract a digest-sized output from the end
196 * of |decrypt_buf| for |encode_pkcs1|, then compare the decryption
197 * output as in a standard verification.
200 const EVP_MD
*md
= EVP_get_digestbynid(type
);
202 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_UNKNOWN_ALGORITHM_TYPE
);
206 m_len
= EVP_MD_size(md
);
207 if (m_len
> (size_t)decrypt_len
) {
208 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_INVALID_DIGEST_LENGTH
);
211 m
= decrypt_buf
+ decrypt_len
- m_len
;
214 /* Construct the encoded digest and ensure it matches. */
215 if (!encode_pkcs1(&encoded
, &encoded_len
, type
, m
, m_len
))
218 if (encoded_len
!= decrypt_len
219 || memcmp(encoded
, decrypt_buf
, encoded_len
) != 0) {
220 RSAerr(RSA_F_INT_RSA_VERIFY
, RSA_R_BAD_SIGNATURE
);
224 /* Output the recovered digest. */
226 memcpy(rm
, m
, m_len
);
234 OPENSSL_clear_free(encoded
, (size_t)encoded_len
);
235 OPENSSL_clear_free(decrypt_buf
, siglen
);
239 int RSA_verify(int type
, const unsigned char *m
, unsigned int m_len
,
240 const unsigned char *sigbuf
, unsigned int siglen
, RSA
*rsa
)
243 if (rsa
->meth
->rsa_verify
) {
244 return rsa
->meth
->rsa_verify(type
, m
, m_len
, sigbuf
, siglen
, rsa
);
247 return int_rsa_verify(type
, m
, m_len
, NULL
, NULL
, sigbuf
, siglen
, rsa
);