crypto/rsa/rsa_pss.c

   1 /*
   2  * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 /*
  11  * RSA low level APIs are deprecated for public use, but still ok for
  12  * internal use.
  13  */
  14 #include "internal/deprecated.h"
  15
  16 #include <stdio.h>
  17 #include "internal/cryptlib.h"
  18 #include <openssl/bn.h>
  19 #include <openssl/rsa.h>
  20 #include <openssl/evp.h>
  21 #include <openssl/rand.h>
  22 #include <openssl/sha.h>
  23 #include "rsa_local.h"
  24
  25 static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
  26
  27 #if defined(_MSC_VER) && defined(_ARM_)
  28 # pragma optimize("g", off)
  29 #endif
  30
  31 int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
  32                          const EVP_MD *Hash, const unsigned char *EM,
  33                          int sLen)
  34 {
  35     return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
  36 }
  37
  38 int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
  39                               const EVP_MD *Hash, const EVP_MD *mgf1Hash,
  40                               const unsigned char *EM, int sLen)
  41 {
  42     int i;
  43     int ret = 0;
  44     int hLen, maskedDBLen, MSBits, emLen;
  45     const unsigned char *H;
  46     unsigned char *DB = NULL;
  47     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
  48     unsigned char H_[EVP_MAX_MD_SIZE];
  49
  50     if (ctx == NULL)
  51         goto err;
  52
  53     if (mgf1Hash == NULL)
  54         mgf1Hash = Hash;
  55
  56     hLen = EVP_MD_get_size(Hash);
  57     if (hLen < 0)
  58         goto err;
  59     /*-
  60      * Negative sLen has special meanings:
  61      *      -1      sLen == hLen
  62      *      -2      salt length is autorecovered from signature
  63      *      -3      salt length is maximized
  64      *      -4      salt length is autorecovered from signature
  65      *      -N      reserved
  66      */
  67     if (sLen == RSA_PSS_SALTLEN_DIGEST) {
  68         sLen = hLen;
  69     } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
  70         ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
  71         goto err;
  72     }
  73
  74     MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
  75     emLen = RSA_size(rsa);
  76     if (EM[0] & (0xFF << MSBits)) {
  77         ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
  78         goto err;
  79     }
  80     if (MSBits == 0) {
  81         EM++;
  82         emLen--;
  83     }
  84     if (emLen < hLen + 2) {
  85         ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
  86         goto err;
  87     }
  88     if (sLen == RSA_PSS_SALTLEN_MAX) {
  89         sLen = emLen - hLen - 2;
  90     } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
  91         ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
  92         goto err;
  93     }
  94     if (EM[emLen - 1] != 0xbc) {
  95         ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
  96         goto err;
  97     }
  98     maskedDBLen = emLen - hLen - 1;
  99     H = EM + maskedDBLen;
 100     DB = OPENSSL_malloc(maskedDBLen);
 101     if (DB == NULL)
 102         goto err;
 103     if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
 104         goto err;
 105     for (i = 0; i < maskedDBLen; i++)
 106         DB[i] ^= EM[i];
 107     if (MSBits)
 108         DB[0] &= 0xFF >> (8 - MSBits);
 109     for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
 110     if (DB[i++] != 0x1) {
 111         ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
 112         goto err;
 113     }
 114     if (sLen != RSA_PSS_SALTLEN_AUTO
 115             && sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
 116             && (maskedDBLen - i) != sLen) {
 117         ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
 118                        "expected: %d retrieved: %d", sLen,
 119                        maskedDBLen - i);
 120         goto err;
 121     }
 122     if (!EVP_DigestInit_ex(ctx, Hash, NULL)
 123         || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
 124         || !EVP_DigestUpdate(ctx, mHash, hLen))
 125         goto err;
 126     if (maskedDBLen - i) {
 127         if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
 128             goto err;
 129     }
 130     if (!EVP_DigestFinal_ex(ctx, H_, NULL))
 131         goto err;
 132     if (memcmp(H_, H, hLen)) {
 133         ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
 134         ret = 0;
 135     } else {
 136         ret = 1;
 137     }
 138
 139  err:
 140     OPENSSL_free(DB);
 141     EVP_MD_CTX_free(ctx);
 142
 143     return ret;
 144
 145 }
 146
 147 int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
 148                               const unsigned char *mHash,
 149                               const EVP_MD *Hash, int sLen)
 150 {
 151     return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
 152 }
 153
 154 int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
 155                                    const unsigned char *mHash,
 156                                    const EVP_MD *Hash, const EVP_MD *mgf1Hash,
 157                                    int sLen)
 158 {
 159     int i;
 160     int ret = 0;
 161     int hLen, maskedDBLen, MSBits, emLen;
 162     unsigned char *H, *salt = NULL, *p;
 163     EVP_MD_CTX *ctx = NULL;
 164     int sLenMax = -1;
 165
 166     if (mgf1Hash == NULL)
 167         mgf1Hash = Hash;
 168
 169     hLen = EVP_MD_get_size(Hash);
 170     if (hLen < 0)
 171         goto err;
 172     /*-
 173      * Negative sLen has special meanings:
 174      *      -1      sLen == hLen
 175      *      -2      salt length is maximized
 176      *      -3      same as above (on signing)
 177      *      -4      salt length is min(hLen, maximum salt length)
 178      *      -N      reserved
 179      */
 180     /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
 181      * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
 182      * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
 183      * the hash function output block (in bytes)."
 184      *
 185      * Provide a way to use at most the digest length, so that the default does
 186      * not violate FIPS 186-4. */
 187     if (sLen == RSA_PSS_SALTLEN_DIGEST) {
 188         sLen = hLen;
 189     } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
 190             || sLen == RSA_PSS_SALTLEN_AUTO) {
 191         sLen = RSA_PSS_SALTLEN_MAX;
 192     } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
 193         sLen = RSA_PSS_SALTLEN_MAX;
 194         sLenMax = hLen;
 195     } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
 196         ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
 197         goto err;
 198     }
 199
 200     MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
 201     emLen = RSA_size(rsa);
 202     if (MSBits == 0) {
 203         *EM++ = 0;
 204         emLen--;
 205     }
 206     if (emLen < hLen + 2) {
 207         ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
 208         goto err;
 209     }
 210     if (sLen == RSA_PSS_SALTLEN_MAX) {
 211         sLen = emLen - hLen - 2;
 212         if (sLenMax >= 0 && sLen > sLenMax)
 213             sLen = sLenMax;
 214     } else if (sLen > emLen - hLen - 2) {
 215         ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
 216         goto err;
 217     }
 218     if (sLen > 0) {
 219         salt = OPENSSL_malloc(sLen);
 220         if (salt == NULL)
 221             goto err;
 222         if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
 223             goto err;
 224     }
 225     maskedDBLen = emLen - hLen - 1;
 226     H = EM + maskedDBLen;
 227     ctx = EVP_MD_CTX_new();
 228     if (ctx == NULL)
 229         goto err;
 230     if (!EVP_DigestInit_ex(ctx, Hash, NULL)
 231         || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
 232         || !EVP_DigestUpdate(ctx, mHash, hLen))
 233         goto err;
 234     if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
 235         goto err;
 236     if (!EVP_DigestFinal_ex(ctx, H, NULL))
 237         goto err;
 238
 239     /* Generate dbMask in place then perform XOR on it */
 240     if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
 241         goto err;
 242
 243     p = EM;
 244
 245     /*
 246      * Initial PS XORs with all zeroes which is a NOP so just update pointer.
 247      * Note from a test above this value is guaranteed to be non-negative.
 248      */
 249     p += emLen - sLen - hLen - 2;
 250     *p++ ^= 0x1;
 251     if (sLen > 0) {
 252         for (i = 0; i < sLen; i++)
 253             *p++ ^= salt[i];
 254     }
 255     if (MSBits)
 256         EM[0] &= 0xFF >> (8 - MSBits);
 257
 258     /* H is already in place so just set final 0xbc */
 259
 260     EM[emLen - 1] = 0xbc;
 261
 262     ret = 1;
 263
 264  err:
 265     EVP_MD_CTX_free(ctx);
 266     OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */
 267
 268     return ret;
 269
 270 }
 271
 272 /*
 273  * The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
 274  * (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
 275  *
 276  * If the default values of the hashAlgorithm, maskGenAlgorithm, and
 277  * trailerField fields of RSASSA-PSS-params are used, then the algorithm
 278  * identifier will have the following value:
 279  *
 280  *     rSASSA-PSS-Default-Identifier    RSASSA-AlgorithmIdentifier ::= {
 281  *         algorithm   id-RSASSA-PSS,
 282  *         parameters  RSASSA-PSS-params : {
 283  *             hashAlgorithm       sha1,
 284  *             maskGenAlgorithm    mgf1SHA1,
 285  *             saltLength          20,
 286  *             trailerField        trailerFieldBC
 287  *         }
 288  *     }
 289  *
 290  *     RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
 291  *         {PKCS1Algorithms}
 292  *     }
 293  */
 294 static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
 295     NID_sha1,                    /* default hashAlgorithm */
 296     {
 297         NID_mgf1,                /* default maskGenAlgorithm */
 298         NID_sha1                 /* default MGF1 hash */
 299     },
 300     20,                          /* default saltLength */
 301     1                            /* default trailerField (0xBC) */
 302 };
 303
 304 int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
 305 {
 306     if (rsa_pss_params == NULL)
 307         return 0;
 308     *rsa_pss_params = default_RSASSA_PSS_params;
 309     return 1;
 310 }
 311
 312 int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
 313 {
 314     static RSA_PSS_PARAMS_30 pss_params_cmp = { 0, };
 315
 316     return rsa_pss_params == NULL
 317         || memcmp(rsa_pss_params, &pss_params_cmp,
 318                   sizeof(*rsa_pss_params)) == 0;
 319 }
 320
 321 int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
 322                                 const RSA_PSS_PARAMS_30 *from)
 323 {
 324     memcpy(to, from, sizeof(*to));
 325     return 1;
 326 }
 327
 328 int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
 329                                        int hashalg_nid)
 330 {
 331     if (rsa_pss_params == NULL)
 332         return 0;
 333     rsa_pss_params->hash_algorithm_nid = hashalg_nid;
 334     return 1;
 335 }
 336
 337 int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
 338                                               int maskgenhashalg_nid)
 339 {
 340     if (rsa_pss_params == NULL)
 341         return 0;
 342     rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
 343     return 1;
 344 }
 345
 346 int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
 347                                        int saltlen)
 348 {
 349     if (rsa_pss_params == NULL)
 350         return 0;
 351     rsa_pss_params->salt_len = saltlen;
 352     return 1;
 353 }
 354
 355 int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
 356                                             int trailerfield)
 357 {
 358     if (rsa_pss_params == NULL)
 359         return 0;
 360     rsa_pss_params->trailer_field = trailerfield;
 361     return 1;
 362 }
 363
 364 int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
 365 {
 366     if (rsa_pss_params == NULL)
 367         return default_RSASSA_PSS_params.hash_algorithm_nid;
 368     return rsa_pss_params->hash_algorithm_nid;
 369 }
 370
 371 int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
 372 {
 373     if (rsa_pss_params == NULL)
 374         return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
 375     return rsa_pss_params->mask_gen.algorithm_nid;
 376 }
 377
 378 int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
 379 {
 380     if (rsa_pss_params == NULL)
 381         return default_RSASSA_PSS_params.hash_algorithm_nid;
 382     return rsa_pss_params->mask_gen.hash_algorithm_nid;
 383 }
 384
 385 int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
 386 {
 387     if (rsa_pss_params == NULL)
 388         return default_RSASSA_PSS_params.salt_len;
 389     return rsa_pss_params->salt_len;
 390 }
 391
 392 int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
 393 {
 394     if (rsa_pss_params == NULL)
 395         return default_RSASSA_PSS_params.trailer_field;
 396     return rsa_pss_params->trailer_field;
 397 }
 398
 399 #if defined(_MSC_VER)
 400 # pragma optimize("",on)
 401 #endif