1 /* rsa_pss.c */
2 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3  * project 2005.
4  */
5 /* ====================================================================
6  * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 
59 #include <stdio.h>
60 #include "cryptlib.h"
61 #include <openssl/bn.h>
62 #include <openssl/rsa.h>
63 #include <openssl/evp.h>
64 #include <openssl/rand.h>
65 #include <openssl/sha.h>
66 
67 const static unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
68 
RSA_verify_PKCS1_PSS(RSA * rsa,const unsigned char * mHash,const EVP_MD * Hash,const unsigned char * EM,int sLen)69 int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
70 			const EVP_MD *Hash, const unsigned char *EM, int sLen)
71 	{
72 	int i;
73 	int ret = 0;
74 	int hLen, maskedDBLen, MSBits, emLen;
75 	const unsigned char *H;
76 	unsigned char *DB = NULL;
77 	EVP_MD_CTX ctx;
78 	unsigned char H_[EVP_MAX_MD_SIZE];
79 
80 	hLen = EVP_MD_size(Hash);
81 	/*
82 	 * Negative sLen has special meanings:
83 	 *	-1	sLen == hLen
84 	 *	-2	salt length is autorecovered from signature
85 	 *	-N	reserved
86 	 */
87 	if      (sLen == -1)	sLen = hLen;
88 	else if (sLen == -2)	sLen = -2;
89 	else if (sLen < -2)
90 		{
91 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
92 		goto err;
93 		}
94 
95 	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
96 	emLen = RSA_size(rsa);
97 	if (EM[0] & (0xFF << MSBits))
98 		{
99 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID);
100 		goto err;
101 		}
102 	if (MSBits == 0)
103 		{
104 		EM++;
105 		emLen--;
106 		}
107 	if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
108 		{
109 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE);
110 		goto err;
111 		}
112 	if (EM[emLen - 1] != 0xbc)
113 		{
114 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID);
115 		goto err;
116 		}
117 	maskedDBLen = emLen - hLen - 1;
118 	H = EM + maskedDBLen;
119 	DB = OPENSSL_malloc(maskedDBLen);
120 	if (!DB)
121 		{
122 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE);
123 		goto err;
124 		}
125 	PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash);
126 	for (i = 0; i < maskedDBLen; i++)
127 		DB[i] ^= EM[i];
128 	if (MSBits)
129 		DB[0] &= 0xFF >> (8 - MSBits);
130 	for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
131 	if (DB[i++] != 0x1)
132 		{
133 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED);
134 		goto err;
135 		}
136 	if (sLen >= 0 && (maskedDBLen - i) != sLen)
137 		{
138 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
139 		goto err;
140 		}
141 	EVP_MD_CTX_init(&ctx);
142 	EVP_DigestInit_ex(&ctx, Hash, NULL);
143 	EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
144 	EVP_DigestUpdate(&ctx, mHash, hLen);
145 	if (maskedDBLen - i)
146 		EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i);
147 	EVP_DigestFinal(&ctx, H_, NULL);
148 	EVP_MD_CTX_cleanup(&ctx);
149 	if (memcmp(H_, H, hLen))
150 		{
151 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE);
152 		ret = 0;
153 		}
154 	else
155 		ret = 1;
156 
157 	err:
158 	if (DB)
159 		OPENSSL_free(DB);
160 
161 	return ret;
162 
163 	}
164 
RSA_padding_add_PKCS1_PSS(RSA * rsa,unsigned char * EM,const unsigned char * mHash,const EVP_MD * Hash,int sLen)165 int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
166 			const unsigned char *mHash,
167 			const EVP_MD *Hash, int sLen)
168 	{
169 	int i;
170 	int ret = 0;
171 	int hLen, maskedDBLen, MSBits, emLen;
172 	unsigned char *H, *salt = NULL, *p;
173 	EVP_MD_CTX ctx;
174 
175 	hLen = EVP_MD_size(Hash);
176 	/*
177 	 * Negative sLen has special meanings:
178 	 *	-1	sLen == hLen
179 	 *	-2	salt length is maximized
180 	 *	-N	reserved
181 	 */
182 	if      (sLen == -1)	sLen = hLen;
183 	else if (sLen == -2)	sLen = -2;
184 	else if (sLen < -2)
185 		{
186 		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
187 		goto err;
188 		}
189 
190 	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
191 	emLen = RSA_size(rsa);
192 	if (MSBits == 0)
193 		{
194 		*EM++ = 0;
195 		emLen--;
196 		}
197 	if (sLen == -2)
198 		{
199 		sLen = emLen - hLen - 2;
200 		}
201 	else if (emLen < (hLen + sLen + 2))
202 		{
203 		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
204 		   RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
205 		goto err;
206 		}
207 	if (sLen > 0)
208 		{
209 		salt = OPENSSL_malloc(sLen);
210 		if (!salt)
211 			{
212 			RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
213 		   		ERR_R_MALLOC_FAILURE);
214 			goto err;
215 			}
216 		if (!RAND_bytes(salt, sLen))
217 			goto err;
218 		}
219 	maskedDBLen = emLen - hLen - 1;
220 	H = EM + maskedDBLen;
221 	EVP_MD_CTX_init(&ctx);
222 	EVP_DigestInit_ex(&ctx, Hash, NULL);
223 	EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
224 	EVP_DigestUpdate(&ctx, mHash, hLen);
225 	if (sLen)
226 		EVP_DigestUpdate(&ctx, salt, sLen);
227 	EVP_DigestFinal(&ctx, H, NULL);
228 	EVP_MD_CTX_cleanup(&ctx);
229 
230 	/* Generate dbMask in place then perform XOR on it */
231 	PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash);
232 
233 	p = EM;
234 
235 	/* Initial PS XORs with all zeroes which is a NOP so just update
236 	 * pointer. Note from a test above this value is guaranteed to
237 	 * be non-negative.
238 	 */
239 	p += emLen - sLen - hLen - 2;
240 	*p++ ^= 0x1;
241 	if (sLen > 0)
242 		{
243 		for (i = 0; i < sLen; i++)
244 			*p++ ^= salt[i];
245 		}
246 	if (MSBits)
247 		EM[0] &= 0xFF >> (8 - MSBits);
248 
249 	/* H is already in place so just set final 0xbc */
250 
251 	EM[emLen - 1] = 0xbc;
252 
253 	ret = 1;
254 
255 	err:
256 	if (salt)
257 		OPENSSL_free(salt);
258 
259 	return ret;
260 
261 	}
262