2 * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/bn.h>
13 #include <openssl/rsa.h>
14 #include <openssl/evp.h>
15 #include <openssl/rand.h>
16 #include <openssl/sha.h>
19 static const unsigned char zeroes
[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
21 #if defined(_MSC_VER) && defined(_ARM_)
22 # pragma optimize("g", off)
25 int RSA_verify_PKCS1_PSS(RSA
*rsa
, const unsigned char *mHash
,
26 const EVP_MD
*Hash
, const unsigned char *EM
,
29 return RSA_verify_PKCS1_PSS_mgf1(rsa
, mHash
, Hash
, NULL
, EM
, sLen
);
32 int RSA_verify_PKCS1_PSS_mgf1(RSA
*rsa
, const unsigned char *mHash
,
33 const EVP_MD
*Hash
, const EVP_MD
*mgf1Hash
,
34 const unsigned char *EM
, int sLen
)
38 int hLen
, maskedDBLen
, MSBits
, emLen
;
39 const unsigned char *H
;
40 unsigned char *DB
= NULL
;
41 EVP_MD_CTX
*ctx
= EVP_MD_CTX_new();
42 unsigned char H_
[EVP_MAX_MD_SIZE
];
51 hLen
= EVP_MD_size(Hash
);
55 * Negative sLen has special meanings:
57 * -2 salt length is autorecovered from signature
65 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_SLEN_CHECK_FAILED
);
69 MSBits
= (BN_num_bits(rsa
->n
) - 1) & 0x7;
70 emLen
= RSA_size(rsa
);
71 if (EM
[0] & (0xFF << MSBits
)) {
72 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_FIRST_OCTET_INVALID
);
79 if (emLen
< hLen
+ 2) {
80 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_DATA_TOO_LARGE
);
83 if (sLen
> emLen
- hLen
- 2) { /* sLen can be small negative */
84 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_DATA_TOO_LARGE
);
87 if (EM
[emLen
- 1] != 0xbc) {
88 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_LAST_OCTET_INVALID
);
91 maskedDBLen
= emLen
- hLen
- 1;
93 DB
= OPENSSL_malloc(maskedDBLen
);
95 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, ERR_R_MALLOC_FAILURE
);
98 if (PKCS1_MGF1(DB
, maskedDBLen
, H
, hLen
, mgf1Hash
) < 0)
100 for (i
= 0; i
< maskedDBLen
; i
++)
103 DB
[0] &= 0xFF >> (8 - MSBits
);
104 for (i
= 0; DB
[i
] == 0 && i
< (maskedDBLen
- 1); i
++) ;
105 if (DB
[i
++] != 0x1) {
106 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_SLEN_RECOVERY_FAILED
);
109 if (sLen
>= 0 && (maskedDBLen
- i
) != sLen
) {
110 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_SLEN_CHECK_FAILED
);
113 if (!EVP_DigestInit_ex(ctx
, Hash
, NULL
)
114 || !EVP_DigestUpdate(ctx
, zeroes
, sizeof(zeroes
))
115 || !EVP_DigestUpdate(ctx
, mHash
, hLen
))
117 if (maskedDBLen
- i
) {
118 if (!EVP_DigestUpdate(ctx
, DB
+ i
, maskedDBLen
- i
))
121 if (!EVP_DigestFinal_ex(ctx
, H_
, NULL
))
123 if (memcmp(H_
, H
, hLen
)) {
124 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1
, RSA_R_BAD_SIGNATURE
);
131 EVP_MD_CTX_free(ctx
);
137 int RSA_padding_add_PKCS1_PSS(RSA
*rsa
, unsigned char *EM
,
138 const unsigned char *mHash
,
139 const EVP_MD
*Hash
, int sLen
)
141 return RSA_padding_add_PKCS1_PSS_mgf1(rsa
, EM
, mHash
, Hash
, NULL
, sLen
);
144 int RSA_padding_add_PKCS1_PSS_mgf1(RSA
*rsa
, unsigned char *EM
,
145 const unsigned char *mHash
,
146 const EVP_MD
*Hash
, const EVP_MD
*mgf1Hash
,
151 int hLen
, maskedDBLen
, MSBits
, emLen
;
152 unsigned char *H
, *salt
= NULL
, *p
;
153 EVP_MD_CTX
*ctx
= NULL
;
155 if (mgf1Hash
== NULL
)
158 hLen
= EVP_MD_size(Hash
);
162 * Negative sLen has special meanings:
164 * -2 salt length is maximized
171 else if (sLen
< -2) {
172 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1
, RSA_R_SLEN_CHECK_FAILED
);
176 MSBits
= (BN_num_bits(rsa
->n
) - 1) & 0x7;
177 emLen
= RSA_size(rsa
);
182 if (emLen
< hLen
+ 2) {
183 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1
,
184 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
);
188 sLen
= emLen
- hLen
- 2;
189 } else if (sLen
> emLen
- hLen
- 2) {
190 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1
,
191 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
);
195 salt
= OPENSSL_malloc(sLen
);
197 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1
,
198 ERR_R_MALLOC_FAILURE
);
201 if (RAND_bytes(salt
, sLen
) <= 0)
204 maskedDBLen
= emLen
- hLen
- 1;
205 H
= EM
+ maskedDBLen
;
206 ctx
= EVP_MD_CTX_new();
209 if (!EVP_DigestInit_ex(ctx
, Hash
, NULL
)
210 || !EVP_DigestUpdate(ctx
, zeroes
, sizeof(zeroes
))
211 || !EVP_DigestUpdate(ctx
, mHash
, hLen
))
213 if (sLen
&& !EVP_DigestUpdate(ctx
, salt
, sLen
))
215 if (!EVP_DigestFinal_ex(ctx
, H
, NULL
))
218 /* Generate dbMask in place then perform XOR on it */
219 if (PKCS1_MGF1(EM
, maskedDBLen
, H
, hLen
, mgf1Hash
))
225 * Initial PS XORs with all zeroes which is a NOP so just update pointer.
226 * Note from a test above this value is guaranteed to be non-negative.
228 p
+= emLen
- sLen
- hLen
- 2;
231 for (i
= 0; i
< sLen
; i
++)
235 EM
[0] &= 0xFF >> (8 - MSBits
);
237 /* H is already in place so just set final 0xbc */
239 EM
[emLen
- 1] = 0xbc;
244 EVP_MD_CTX_free(ctx
);
245 OPENSSL_clear_free(salt
, sLen
);
251 #if defined(_MSC_VER)
252 # pragma optimize("",on)