]>
Commit | Line | Data |
---|---|---|
2039c421 | 1 | /* |
3c2bdd7d | 2 | * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. |
d02b48c6 | 3 | * |
2a7b6f39 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
2039c421 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
d02b48c6 RE |
8 | */ |
9 | ||
c5f87134 P |
10 | /* |
11 | * RSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
d02b48c6 | 16 | #include <stdio.h> |
b39fc560 | 17 | #include "internal/cryptlib.h" |
ec577822 BM |
18 | #include <openssl/bn.h> |
19 | #include <openssl/rsa.h> | |
20 | #include <openssl/objects.h> | |
21 | #include <openssl/x509.h> | |
25f2138b | 22 | #include "crypto/x509.h" |
169e422e SL |
23 | #ifndef OPENSSL_NO_MD2 |
24 | # include <openssl/md2.h> /* uses MD2_DIGEST_LENGTH */ | |
25 | #endif | |
6f4b7663 RL |
26 | #ifndef OPENSSL_NO_MD4 |
27 | # include <openssl/md4.h> /* uses MD4_DIGEST_LENGTH */ | |
28 | #endif | |
169e422e SL |
29 | #ifndef OPENSSL_NO_MD5 |
30 | # include <openssl/md5.h> /* uses MD5_DIGEST_LENGTH */ | |
31 | #endif | |
32 | #ifndef OPENSSL_NO_MDC2 | |
33 | # include <openssl/mdc2.h> /* uses MDC2_DIGEST_LENGTH */ | |
34 | #endif | |
6f4b7663 RL |
35 | #ifndef OPENSSL_NO_RMD160 |
36 | # include <openssl/ripemd.h> /* uses RIPEMD160_DIGEST_LENGTH */ | |
37 | #endif | |
169e422e | 38 | #include <openssl/sha.h> /* uses SHA???_DIGEST_LENGTH */ |
6f4b7663 | 39 | #include "crypto/rsa.h" |
706457b7 | 40 | #include "rsa_local.h" |
d02b48c6 | 41 | |
169e422e SL |
42 | /* |
43 | * The general purpose ASN1 code is not available inside the FIPS provider. | |
44 | * To remove the dependency RSASSA-PKCS1-v1_5 DigestInfo encodings can be | |
45 | * treated as a special case by pregenerating the required ASN1 encoding. | |
46 | * This encoding will also be shared by the default provider. | |
47 | * | |
48 | * The EMSA-PKCS1-v1_5 encoding method includes an ASN.1 value of type | |
49 | * DigestInfo, where the type DigestInfo has the syntax | |
50 | * | |
51 | * DigestInfo ::= SEQUENCE { | |
52 | * digestAlgorithm DigestAlgorithm, | |
53 | * digest OCTET STRING | |
54 | * } | |
55 | * | |
56 | * DigestAlgorithm ::= AlgorithmIdentifier { | |
57 | * {PKCS1-v1-5DigestAlgorithms} | |
58 | * } | |
59 | * | |
60 | * The AlgorithmIdentifier is a sequence containing the digest OID and | |
61 | * parameters (a value of type NULL). | |
62 | * | |
63 | * The ENCODE_DIGESTINFO_SHA() and ENCODE_DIGESTINFO_MD() macros define an | |
64 | * initialized array containing the DER encoded DigestInfo for the specified | |
65 | * SHA or MD digest. The content of the OCTET STRING is not included. | |
66 | * |name| is the digest name. | |
67 | * |n| is last byte in the encoded OID for the digest. | |
68 | * |sz| is the digest length in bytes. It must not be greater than 110. | |
69 | */ | |
70 | ||
71 | #define ASN1_SEQUENCE 0x30 | |
72 | #define ASN1_OCTET_STRING 0x04 | |
73 | #define ASN1_NULL 0x05 | |
74 | #define ASN1_OID 0x06 | |
75 | ||
76 | /* SHA OIDs are of the form: (2 16 840 1 101 3 4 2 |n|) */ | |
77 | #define ENCODE_DIGESTINFO_SHA(name, n, sz) \ | |
78 | static const unsigned char digestinfo_##name##_der[] = { \ | |
79 | ASN1_SEQUENCE, 0x11 + sz, \ | |
80 | ASN1_SEQUENCE, 0x0d, \ | |
81 | ASN1_OID, 0x09, 2 * 40 + 16, 0x86, 0x48, 1, 101, 3, 4, 2, n, \ | |
82 | ASN1_NULL, 0x00, \ | |
83 | ASN1_OCTET_STRING, sz \ | |
84 | }; | |
85 | ||
6f4b7663 | 86 | /* MD2, MD4 and MD5 OIDs are of the form: (1 2 840 113549 2 |n|) */ |
169e422e SL |
87 | #define ENCODE_DIGESTINFO_MD(name, n, sz) \ |
88 | static const unsigned char digestinfo_##name##_der[] = { \ | |
89 | ASN1_SEQUENCE, 0x10 + sz, \ | |
90 | ASN1_SEQUENCE, 0x0c, \ | |
91 | ASN1_OID, 0x08, 1 * 40 + 2, 0x86, 0x48, 0x86, 0xf7, 0x0d, 2, n, \ | |
92 | ASN1_NULL, 0x00, \ | |
93 | ASN1_OCTET_STRING, sz \ | |
94 | }; | |
95 | ||
f844f9eb | 96 | #ifndef FIPS_MODULE |
169e422e SL |
97 | # ifndef OPENSSL_NO_MD2 |
98 | ENCODE_DIGESTINFO_MD(md2, 0x02, MD2_DIGEST_LENGTH) | |
99 | # endif | |
6f4b7663 RL |
100 | # ifndef OPENSSL_NO_MD4 |
101 | ENCODE_DIGESTINFO_MD(md4, 0x03, MD4_DIGEST_LENGTH) | |
102 | # endif | |
169e422e SL |
103 | # ifndef OPENSSL_NO_MD5 |
104 | ENCODE_DIGESTINFO_MD(md5, 0x05, MD5_DIGEST_LENGTH) | |
105 | # endif | |
106 | # ifndef OPENSSL_NO_MDC2 | |
107 | /* MDC-2 (2 5 8 3 101) */ | |
108 | static const unsigned char digestinfo_mdc2_der[] = { | |
109 | ASN1_SEQUENCE, 0x0c + MDC2_DIGEST_LENGTH, | |
110 | ASN1_SEQUENCE, 0x08, | |
111 | ASN1_OID, 0x04, 2 * 40 + 5, 8, 3, 101, | |
112 | ASN1_NULL, 0x00, | |
113 | ASN1_OCTET_STRING, MDC2_DIGEST_LENGTH | |
114 | }; | |
115 | # endif | |
6f4b7663 | 116 | # ifndef OPENSSL_NO_RMD160 |
172daa7f | 117 | /* RIPEMD160 (1 3 36 3 2 1) */ |
6f4b7663 | 118 | static const unsigned char digestinfo_ripemd160_der[] = { |
172daa7f RL |
119 | ASN1_SEQUENCE, 0x0d + RIPEMD160_DIGEST_LENGTH, |
120 | ASN1_SEQUENCE, 0x09, | |
121 | ASN1_OID, 0x05, 1 * 40 + 3, 36, 3, 2, 1, | |
6f4b7663 RL |
122 | ASN1_NULL, 0x00, |
123 | ASN1_OCTET_STRING, RIPEMD160_DIGEST_LENGTH | |
124 | }; | |
125 | # endif | |
f844f9eb | 126 | #endif /* FIPS_MODULE */ |
6f4b7663 | 127 | |
169e422e SL |
128 | /* SHA-1 (1 3 14 3 2 26) */ |
129 | static const unsigned char digestinfo_sha1_der[] = { | |
130 | ASN1_SEQUENCE, 0x0d + SHA_DIGEST_LENGTH, | |
131 | ASN1_SEQUENCE, 0x09, | |
132 | ASN1_OID, 0x05, 1 * 40 + 3, 14, 3, 2, 26, | |
133 | ASN1_NULL, 0x00, | |
134 | ASN1_OCTET_STRING, SHA_DIGEST_LENGTH | |
135 | }; | |
136 | ||
169e422e SL |
137 | ENCODE_DIGESTINFO_SHA(sha256, 0x01, SHA256_DIGEST_LENGTH) |
138 | ENCODE_DIGESTINFO_SHA(sha384, 0x02, SHA384_DIGEST_LENGTH) | |
139 | ENCODE_DIGESTINFO_SHA(sha512, 0x03, SHA512_DIGEST_LENGTH) | |
140 | ENCODE_DIGESTINFO_SHA(sha224, 0x04, SHA224_DIGEST_LENGTH) | |
141 | ENCODE_DIGESTINFO_SHA(sha512_224, 0x05, SHA224_DIGEST_LENGTH) | |
142 | ENCODE_DIGESTINFO_SHA(sha512_256, 0x06, SHA256_DIGEST_LENGTH) | |
143 | ENCODE_DIGESTINFO_SHA(sha3_224, 0x07, SHA224_DIGEST_LENGTH) | |
144 | ENCODE_DIGESTINFO_SHA(sha3_256, 0x08, SHA256_DIGEST_LENGTH) | |
145 | ENCODE_DIGESTINFO_SHA(sha3_384, 0x09, SHA384_DIGEST_LENGTH) | |
146 | ENCODE_DIGESTINFO_SHA(sha3_512, 0x0a, SHA512_DIGEST_LENGTH) | |
147 | ||
148 | #define MD_CASE(name) \ | |
149 | case NID_##name: \ | |
150 | *len = sizeof(digestinfo_##name##_der); \ | |
151 | return digestinfo_##name##_der; | |
152 | ||
23b2fc0b | 153 | const unsigned char *ossl_rsa_digestinfo_encoding(int md_nid, size_t *len) |
169e422e | 154 | { |
6f4b7663 | 155 | switch (md_nid) { |
f844f9eb | 156 | #ifndef FIPS_MODULE |
169e422e SL |
157 | # ifndef OPENSSL_NO_MDC2 |
158 | MD_CASE(mdc2) | |
159 | # endif | |
160 | # ifndef OPENSSL_NO_MD2 | |
161 | MD_CASE(md2) | |
162 | # endif | |
6f4b7663 RL |
163 | # ifndef OPENSSL_NO_MD4 |
164 | MD_CASE(md4) | |
165 | # endif | |
169e422e SL |
166 | # ifndef OPENSSL_NO_MD5 |
167 | MD_CASE(md5) | |
168 | # endif | |
6f4b7663 RL |
169 | # ifndef OPENSSL_NO_RMD160 |
170 | MD_CASE(ripemd160) | |
171 | # endif | |
f844f9eb | 172 | #endif /* FIPS_MODULE */ |
6f4b7663 | 173 | MD_CASE(sha1) |
169e422e SL |
174 | MD_CASE(sha224) |
175 | MD_CASE(sha256) | |
176 | MD_CASE(sha384) | |
177 | MD_CASE(sha512) | |
178 | MD_CASE(sha512_224) | |
179 | MD_CASE(sha512_256) | |
180 | MD_CASE(sha3_224) | |
181 | MD_CASE(sha3_256) | |
182 | MD_CASE(sha3_384) | |
183 | MD_CASE(sha3_512) | |
184 | default: | |
185 | return NULL; | |
186 | } | |
187 | } | |
188 | ||
d16d0b71 SL |
189 | #define MD_NID_CASE(name, sz) \ |
190 | case NID_##name: \ | |
191 | return sz; | |
192 | ||
193 | static int digest_sz_from_nid(int nid) | |
194 | { | |
195 | switch (nid) { | |
f844f9eb | 196 | #ifndef FIPS_MODULE |
d16d0b71 SL |
197 | # ifndef OPENSSL_NO_MDC2 |
198 | MD_NID_CASE(mdc2, MDC2_DIGEST_LENGTH) | |
199 | # endif | |
200 | # ifndef OPENSSL_NO_MD2 | |
201 | MD_NID_CASE(md2, MD2_DIGEST_LENGTH) | |
202 | # endif | |
203 | # ifndef OPENSSL_NO_MD4 | |
204 | MD_NID_CASE(md4, MD4_DIGEST_LENGTH) | |
205 | # endif | |
206 | # ifndef OPENSSL_NO_MD5 | |
207 | MD_NID_CASE(md5, MD5_DIGEST_LENGTH) | |
208 | # endif | |
209 | # ifndef OPENSSL_NO_RMD160 | |
210 | MD_NID_CASE(ripemd160, RIPEMD160_DIGEST_LENGTH) | |
211 | # endif | |
f844f9eb | 212 | #endif /* FIPS_MODULE */ |
d16d0b71 SL |
213 | MD_NID_CASE(sha1, SHA_DIGEST_LENGTH) |
214 | MD_NID_CASE(sha224, SHA224_DIGEST_LENGTH) | |
215 | MD_NID_CASE(sha256, SHA256_DIGEST_LENGTH) | |
216 | MD_NID_CASE(sha384, SHA384_DIGEST_LENGTH) | |
217 | MD_NID_CASE(sha512, SHA512_DIGEST_LENGTH) | |
218 | MD_NID_CASE(sha512_224, SHA224_DIGEST_LENGTH) | |
219 | MD_NID_CASE(sha512_256, SHA256_DIGEST_LENGTH) | |
220 | MD_NID_CASE(sha3_224, SHA224_DIGEST_LENGTH) | |
221 | MD_NID_CASE(sha3_256, SHA256_DIGEST_LENGTH) | |
222 | MD_NID_CASE(sha3_384, SHA384_DIGEST_LENGTH) | |
223 | MD_NID_CASE(sha3_512, SHA512_DIGEST_LENGTH) | |
224 | default: | |
225 | return 0; | |
226 | } | |
227 | } | |
228 | ||
229 | ||
1c80019a | 230 | /* Size of an SSL signature: MD5+SHA1 */ |
0f113f3e | 231 | #define SSL_SIG_LENGTH 36 |
1c80019a | 232 | |
608a0264 | 233 | /* |
169e422e | 234 | * Encodes a DigestInfo prefix of hash |type| and digest |m|, as |
608a0264 DB |
235 | * described in EMSA-PKCS1-v1_5-ENCODE, RFC 3447 section 9.2 step 2. This |
236 | * encodes the DigestInfo (T and tLen) but does not add the padding. | |
237 | * | |
238 | * On success, it returns one and sets |*out| to a newly allocated buffer | |
239 | * containing the result and |*out_len| to its length. The caller must free | |
169e422e | 240 | * |*out| with OPENSSL_free(). Otherwise, it returns zero. |
608a0264 | 241 | */ |
169e422e SL |
242 | static int encode_pkcs1(unsigned char **out, size_t *out_len, int type, |
243 | const unsigned char *m, size_t m_len) | |
0f113f3e | 244 | { |
169e422e SL |
245 | size_t di_prefix_len, dig_info_len; |
246 | const unsigned char *di_prefix; | |
247 | unsigned char *dig_info; | |
248 | ||
249 | if (type == NID_undef) { | |
9311d0c4 | 250 | ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE); |
608a0264 DB |
251 | return 0; |
252 | } | |
23b2fc0b | 253 | di_prefix = ossl_rsa_digestinfo_encoding(type, &di_prefix_len); |
169e422e | 254 | if (di_prefix == NULL) { |
9311d0c4 RL |
255 | ERR_raise(ERR_LIB_RSA, |
256 | RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD); | |
608a0264 DB |
257 | return 0; |
258 | } | |
169e422e SL |
259 | dig_info_len = di_prefix_len + m_len; |
260 | dig_info = OPENSSL_malloc(dig_info_len); | |
261 | if (dig_info == NULL) { | |
9311d0c4 | 262 | ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); |
608a0264 | 263 | return 0; |
169e422e SL |
264 | } |
265 | memcpy(dig_info, di_prefix, di_prefix_len); | |
266 | memcpy(dig_info + di_prefix_len, m, m_len); | |
608a0264 | 267 | |
169e422e SL |
268 | *out = dig_info; |
269 | *out_len = dig_info_len; | |
608a0264 DB |
270 | return 1; |
271 | } | |
272 | ||
273 | int RSA_sign(int type, const unsigned char *m, unsigned int m_len, | |
274 | unsigned char *sigret, unsigned int *siglen, RSA *rsa) | |
275 | { | |
169e422e SL |
276 | int encrypt_len, ret = 0; |
277 | size_t encoded_len = 0; | |
608a0264 DB |
278 | unsigned char *tmps = NULL; |
279 | const unsigned char *encoded = NULL; | |
280 | ||
f844f9eb | 281 | #ifndef FIPS_MODULE |
169e422e | 282 | if (rsa->meth->rsa_sign != NULL) |
0f113f3e | 283 | return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); |
f844f9eb | 284 | #endif /* FIPS_MODULE */ |
608a0264 DB |
285 | |
286 | /* Compute the encoded digest. */ | |
0f113f3e | 287 | if (type == NID_md5_sha1) { |
608a0264 DB |
288 | /* |
289 | * NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and | |
290 | * earlier. It has no DigestInfo wrapper but otherwise is | |
291 | * RSASSA-PKCS1-v1_5. | |
292 | */ | |
0f113f3e | 293 | if (m_len != SSL_SIG_LENGTH) { |
9311d0c4 | 294 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
608a0264 | 295 | return 0; |
0f113f3e | 296 | } |
608a0264 DB |
297 | encoded_len = SSL_SIG_LENGTH; |
298 | encoded = m; | |
0f113f3e | 299 | } else { |
608a0264 DB |
300 | if (!encode_pkcs1(&tmps, &encoded_len, type, m, m_len)) |
301 | goto err; | |
302 | encoded = tmps; | |
0f113f3e | 303 | } |
608a0264 | 304 | |
169e422e | 305 | if (encoded_len + RSA_PKCS1_PADDING_SIZE > (size_t)RSA_size(rsa)) { |
9311d0c4 | 306 | ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); |
608a0264 | 307 | goto err; |
0f113f3e | 308 | } |
169e422e | 309 | encrypt_len = RSA_private_encrypt((int)encoded_len, encoded, sigret, rsa, |
608a0264 DB |
310 | RSA_PKCS1_PADDING); |
311 | if (encrypt_len <= 0) | |
312 | goto err; | |
d02b48c6 | 313 | |
608a0264 DB |
314 | *siglen = encrypt_len; |
315 | ret = 1; | |
316 | ||
317 | err: | |
169e422e | 318 | OPENSSL_clear_free(tmps, encoded_len); |
0f113f3e MC |
319 | return ret; |
320 | } | |
1cfd255c | 321 | |
608a0264 | 322 | /* |
169e422e SL |
323 | * Verify an RSA signature in |sigbuf| using |rsa|. |
324 | * |type| is the NID of the digest algorithm to use. | |
325 | * If |rm| is NULL, it verifies the signature for digest |m|, otherwise | |
326 | * it recovers the digest from the signature, writing the digest to |rm| and | |
327 | * the length to |*prm_len|. | |
328 | * | |
329 | * It returns one on successful verification or zero otherwise. | |
608a0264 | 330 | */ |
4158b0dc SL |
331 | int ossl_rsa_verify(int type, const unsigned char *m, unsigned int m_len, |
332 | unsigned char *rm, size_t *prm_len, | |
333 | const unsigned char *sigbuf, size_t siglen, RSA *rsa) | |
0f113f3e | 334 | { |
169e422e SL |
335 | int len, ret = 0; |
336 | size_t decrypt_len, encoded_len = 0; | |
608a0264 | 337 | unsigned char *decrypt_buf = NULL, *encoded = NULL; |
d02b48c6 | 338 | |
608a0264 | 339 | if (siglen != (size_t)RSA_size(rsa)) { |
9311d0c4 | 340 | ERR_raise(ERR_LIB_RSA, RSA_R_WRONG_SIGNATURE_LENGTH); |
608a0264 | 341 | return 0; |
0f113f3e | 342 | } |
d02b48c6 | 343 | |
608a0264 DB |
344 | /* Recover the encoded digest. */ |
345 | decrypt_buf = OPENSSL_malloc(siglen); | |
346 | if (decrypt_buf == NULL) { | |
9311d0c4 | 347 | ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
348 | goto err; |
349 | } | |
d02b48c6 | 350 | |
169e422e SL |
351 | len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf, rsa, |
352 | RSA_PKCS1_PADDING); | |
353 | if (len <= 0) | |
0f113f3e | 354 | goto err; |
169e422e | 355 | decrypt_len = len; |
608a0264 | 356 | |
f844f9eb | 357 | #ifndef FIPS_MODULE |
608a0264 DB |
358 | if (type == NID_md5_sha1) { |
359 | /* | |
360 | * NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and | |
361 | * earlier. It has no DigestInfo wrapper but otherwise is | |
362 | * RSASSA-PKCS1-v1_5. | |
363 | */ | |
364 | if (decrypt_len != SSL_SIG_LENGTH) { | |
9311d0c4 | 365 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); |
608a0264 | 366 | goto err; |
dffe5109 | 367 | } |
b79aa05e | 368 | |
608a0264 DB |
369 | if (rm != NULL) { |
370 | memcpy(rm, decrypt_buf, SSL_SIG_LENGTH); | |
371 | *prm_len = SSL_SIG_LENGTH; | |
372 | } else { | |
373 | if (m_len != SSL_SIG_LENGTH) { | |
9311d0c4 | 374 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
608a0264 DB |
375 | goto err; |
376 | } | |
b79aa05e | 377 | |
608a0264 | 378 | if (memcmp(decrypt_buf, m, SSL_SIG_LENGTH) != 0) { |
9311d0c4 | 379 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); |
608a0264 DB |
380 | goto err; |
381 | } | |
0f113f3e | 382 | } |
608a0264 DB |
383 | } else if (type == NID_mdc2 && decrypt_len == 2 + 16 |
384 | && decrypt_buf[0] == 0x04 && decrypt_buf[1] == 0x10) { | |
385 | /* | |
386 | * Oddball MDC2 case: signature can be OCTET STRING. check for correct | |
387 | * tag and length octets. | |
388 | */ | |
389 | if (rm != NULL) { | |
390 | memcpy(rm, decrypt_buf + 2, 16); | |
391 | *prm_len = 16; | |
392 | } else { | |
393 | if (m_len != 16) { | |
9311d0c4 | 394 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
608a0264 DB |
395 | goto err; |
396 | } | |
b79aa05e | 397 | |
608a0264 | 398 | if (memcmp(m, decrypt_buf + 2, 16) != 0) { |
9311d0c4 | 399 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); |
608a0264 DB |
400 | goto err; |
401 | } | |
402 | } | |
d16d0b71 | 403 | } else |
f844f9eb | 404 | #endif /* FIPS_MODULE */ |
d16d0b71 | 405 | { |
0f113f3e | 406 | /* |
608a0264 DB |
407 | * If recovering the digest, extract a digest-sized output from the end |
408 | * of |decrypt_buf| for |encode_pkcs1|, then compare the decryption | |
409 | * output as in a standard verification. | |
0f113f3e | 410 | */ |
608a0264 | 411 | if (rm != NULL) { |
d16d0b71 | 412 | len = digest_sz_from_nid(type); |
608a0264 | 413 | |
169e422e SL |
414 | if (len <= 0) |
415 | goto err; | |
416 | m_len = (unsigned int)len; | |
417 | if (m_len > decrypt_len) { | |
9311d0c4 | 418 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH); |
608a0264 DB |
419 | goto err; |
420 | } | |
421 | m = decrypt_buf + decrypt_len - m_len; | |
0f113f3e | 422 | } |
d02b48c6 | 423 | |
608a0264 DB |
424 | /* Construct the encoded digest and ensure it matches. */ |
425 | if (!encode_pkcs1(&encoded, &encoded_len, type, m, m_len)) | |
426 | goto err; | |
dfeab068 | 427 | |
608a0264 | 428 | if (encoded_len != decrypt_len |
169e422e | 429 | || memcmp(encoded, decrypt_buf, encoded_len) != 0) { |
9311d0c4 | 430 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); |
3d0cf918 | 431 | goto err; |
0f113f3e | 432 | } |
608a0264 DB |
433 | |
434 | /* Output the recovered digest. */ | |
435 | if (rm != NULL) { | |
436 | memcpy(rm, m, m_len); | |
437 | *prm_len = m_len; | |
438 | } | |
0f113f3e | 439 | } |
608a0264 DB |
440 | |
441 | ret = 1; | |
442 | ||
443 | err: | |
169e422e | 444 | OPENSSL_clear_free(encoded, encoded_len); |
608a0264 DB |
445 | OPENSSL_clear_free(decrypt_buf, siglen); |
446 | return ret; | |
0f113f3e | 447 | } |
d02b48c6 | 448 | |
608a0264 | 449 | int RSA_verify(int type, const unsigned char *m, unsigned int m_len, |
0f113f3e MC |
450 | const unsigned char *sigbuf, unsigned int siglen, RSA *rsa) |
451 | { | |
b2a97be7 | 452 | |
169e422e | 453 | if (rsa->meth->rsa_verify != NULL) |
608a0264 | 454 | return rsa->meth->rsa_verify(type, m, m_len, sigbuf, siglen, rsa); |
b2a97be7 | 455 | |
4158b0dc | 456 | return ossl_rsa_verify(type, m, m_len, NULL, NULL, sigbuf, siglen, rsa); |
0f113f3e | 457 | } |