2 * Copyright 2005-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/bn.h>
13 #include <openssl/rsa.h>
14 #include <openssl/evp.h>
15 #include <openssl/rand.h>
16 #include <openssl/sha.h>
19 static const unsigned char zeroes
[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
21 #if defined(_MSC_VER) && defined(_ARM_)
22 # pragma optimize("g", off)
25 int RSA_verify_PKCS1_PSS(RSA
*rsa
, const unsigned char *mHash
,
26 const EVP_MD
*Hash
, const unsigned char *EM
,
29 return RSA_verify_PKCS1_PSS_mgf1(rsa
, mHash
, Hash
, NULL
, EM
, sLen
);
32 int RSA_verify_PKCS1_PSS_mgf1(RSA
*rsa
, const unsigned char *mHash
,
33 const EVP_MD
*Hash
, const EVP_MD
*mgf1Hash
,
34 const unsigned char *EM
, int sLen
)
38 int hLen
, maskedDBLen
, MSBits
, emLen
;
39 const unsigned char *H
;
40 unsigned char *DB
= NULL
;
41 EVP_MD_CTX
*ctx
= EVP_MD_CTX_new();
42 unsigned char H_
[EVP_MAX_MD_SIZE
];
50 hLen
= EVP_MD_size(Hash
);
54 * Negative sLen has special meanings:
56 * -2 salt length is autorecovered from signature
57 * -3 salt length is maximized
60 if (sLen
== RSA_PSS_SALTLEN_DIGEST
) {
62 } else if (sLen
< RSA_PSS_SALTLEN_MAX
) {
63 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_SLEN_CHECK_FAILED
);
67 MSBits
= (BN_num_bits(rsa
->n
) - 1) & 0x7;
68 emLen
= RSA_size(rsa
);
69 if (EM
[0] & (0xFF << MSBits
)) {
70 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_FIRST_OCTET_INVALID
);
77 if (emLen
< hLen
+ 2) {
78 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_DATA_TOO_LARGE
);
81 if (sLen
== RSA_PSS_SALTLEN_MAX
) {
82 sLen
= emLen
- hLen
- 2;
83 } else if (sLen
> emLen
- hLen
- 2) { /* sLen can be small negative */
84 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_DATA_TOO_LARGE
);
87 if (EM
[emLen
- 1] != 0xbc) {
88 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_LAST_OCTET_INVALID
);
91 maskedDBLen
= emLen
- hLen
- 1;
93 DB
= OPENSSL_malloc(maskedDBLen
);
95 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, ERR_R_MALLOC_FAILURE
);
98 if (PKCS1_MGF1(DB
, maskedDBLen
, H
, hLen
, mgf1Hash
) < 0)
100 for (i
= 0; i
< maskedDBLen
; i
++)
103 DB
[0] &= 0xFF >> (8 - MSBits
);
104 for (i
= 0; DB
[i
] == 0 && i
< (maskedDBLen
- 1); i
++) ;
105 if (DB
[i
++] != 0x1) {
106 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_SLEN_RECOVERY_FAILED
);
109 if (sLen
!= RSA_PSS_SALTLEN_AUTO
&& (maskedDBLen
- i
) != sLen
) {
110 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_SLEN_CHECK_FAILED
);
113 if (!EVP_DigestInit_ex(ctx
, Hash
, NULL
)
114 || !EVP_DigestUpdate(ctx
, zeroes
, sizeof(zeroes
))
115 || !EVP_DigestUpdate(ctx
, mHash
, hLen
))
117 if (maskedDBLen
- i
) {
118 if (!EVP_DigestUpdate(ctx
, DB
+ i
, maskedDBLen
- i
))
121 if (!EVP_DigestFinal_ex(ctx
, H_
, NULL
))
123 if (memcmp(H_
, H
, hLen
)) {
124 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_BAD_SIGNATURE
);
132 EVP_MD_CTX_free(ctx
);
138 int RSA_padding_add_PKCS1_PSS(RSA
*rsa
, unsigned char *EM
,
139 const unsigned char *mHash
,
140 const EVP_MD
*Hash
, int sLen
)
142 return RSA_padding_add_PKCS1_PSS_mgf1(rsa
, EM
, mHash
, Hash
, NULL
, sLen
);
145 int RSA_padding_add_PKCS1_PSS_mgf1(RSA
*rsa
, unsigned char *EM
,
146 const unsigned char *mHash
,
147 const EVP_MD
*Hash
, const EVP_MD
*mgf1Hash
,
152 int hLen
, maskedDBLen
, MSBits
, emLen
;
153 unsigned char *H
, *salt
= NULL
, *p
;
154 EVP_MD_CTX
*ctx
= NULL
;
156 if (mgf1Hash
== NULL
)
159 hLen
= EVP_MD_size(Hash
);
163 * Negative sLen has special meanings:
165 * -2 salt length is maximized
166 * -3 same as above (on signing)
169 if (sLen
== RSA_PSS_SALTLEN_DIGEST
) {
171 } else if (sLen
== RSA_PSS_SALTLEN_MAX_SIGN
) {
172 sLen
= RSA_PSS_SALTLEN_MAX
;
173 } else if (sLen
< RSA_PSS_SALTLEN_MAX
) {
174 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1
, RSA_R_SLEN_CHECK_FAILED
);
178 MSBits
= (BN_num_bits(rsa
->n
) - 1) & 0x7;
179 emLen
= RSA_size(rsa
);
184 if (emLen
< hLen
+ 2) {
185 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1
,
186 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
);
189 if (sLen
== RSA_PSS_SALTLEN_MAX
) {
190 sLen
= emLen
- hLen
- 2;
191 } else if (sLen
> emLen
- hLen
- 2) {
192 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1
,
193 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
);
197 salt
= OPENSSL_malloc(sLen
);
199 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1
,
200 ERR_R_MALLOC_FAILURE
);
203 if (RAND_bytes(salt
, sLen
) <= 0)
206 maskedDBLen
= emLen
- hLen
- 1;
207 H
= EM
+ maskedDBLen
;
208 ctx
= EVP_MD_CTX_new();
211 if (!EVP_DigestInit_ex(ctx
, Hash
, NULL
)
212 || !EVP_DigestUpdate(ctx
, zeroes
, sizeof(zeroes
))
213 || !EVP_DigestUpdate(ctx
, mHash
, hLen
))
215 if (sLen
&& !EVP_DigestUpdate(ctx
, salt
, sLen
))
217 if (!EVP_DigestFinal_ex(ctx
, H
, NULL
))
220 /* Generate dbMask in place then perform XOR on it */
221 if (PKCS1_MGF1(EM
, maskedDBLen
, H
, hLen
, mgf1Hash
))
227 * Initial PS XORs with all zeroes which is a NOP so just update pointer.
228 * Note from a test above this value is guaranteed to be non-negative.
230 p
+= emLen
- sLen
- hLen
- 2;
233 for (i
= 0; i
< sLen
; i
++)
237 EM
[0] &= 0xFF >> (8 - MSBits
);
239 /* H is already in place so just set final 0xbc */
241 EM
[emLen
- 1] = 0xbc;
246 EVP_MD_CTX_free(ctx
);
253 #if defined(_MSC_VER)
254 # pragma optimize("",on)