Coverage Report

Created: 2024-11-21 07:03

/src/boringssl/crypto/fipsmodule/rsa/padding.c.inc
Line
Count
Source (jump to first uncovered line)
1
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2
 * project 2005.
3
 */
4
/* ====================================================================
5
 * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 *
11
 * 1. Redistributions of source code must retain the above copyright
12
 *    notice, this list of conditions and the following disclaimer.
13
 *
14
 * 2. Redistributions in binary form must reproduce the above copyright
15
 *    notice, this list of conditions and the following disclaimer in
16
 *    the documentation and/or other materials provided with the
17
 *    distribution.
18
 *
19
 * 3. All advertising materials mentioning features or use of this
20
 *    software must display the following acknowledgment:
21
 *    "This product includes software developed by the OpenSSL Project
22
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23
 *
24
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25
 *    endorse or promote products derived from this software without
26
 *    prior written permission. For written permission, please contact
27
 *    licensing@OpenSSL.org.
28
 *
29
 * 5. Products derived from this software may not be called "OpenSSL"
30
 *    nor may "OpenSSL" appear in their names without prior written
31
 *    permission of the OpenSSL Project.
32
 *
33
 * 6. Redistributions of any form whatsoever must retain the following
34
 *    acknowledgment:
35
 *    "This product includes software developed by the OpenSSL Project
36
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37
 *
38
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
42
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49
 * OF THE POSSIBILITY OF SUCH DAMAGE.
50
 * ====================================================================
51
 *
52
 * This product includes cryptographic software written by Eric Young
53
 * (eay@cryptsoft.com).  This product includes software written by Tim
54
 * Hudson (tjh@cryptsoft.com). */
55
56
#include <openssl/rsa.h>
57
58
#include <assert.h>
59
#include <limits.h>
60
#include <string.h>
61
62
#include <openssl/bn.h>
63
#include <openssl/digest.h>
64
#include <openssl/err.h>
65
#include <openssl/mem.h>
66
67
#include "internal.h"
68
#include "../service_indicator/internal.h"
69
#include "../bcm_interface.h"
70
#include "../../internal.h"
71
72
73
int RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len,
74
0
                                 const uint8_t *from, size_t from_len) {
75
  // See RFC 8017, section 9.2.
76
0
  if (to_len < RSA_PKCS1_PADDING_SIZE) {
77
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
78
0
    return 0;
79
0
  }
80
81
0
  if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {
82
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
83
0
    return 0;
84
0
  }
85
86
0
  to[0] = 0;
87
0
  to[1] = 1;
88
0
  OPENSSL_memset(to + 2, 0xff, to_len - 3 - from_len);
89
0
  to[to_len - from_len - 1] = 0;
90
0
  OPENSSL_memcpy(to + to_len - from_len, from, from_len);
91
0
  return 1;
92
0
}
93
94
int RSA_padding_check_PKCS1_type_1(uint8_t *out, size_t *out_len,
95
                                   size_t max_out, const uint8_t *from,
96
0
                                   size_t from_len) {
97
  // See RFC 8017, section 9.2. This is part of signature verification and thus
98
  // does not need to run in constant-time.
99
0
  if (from_len < 2) {
100
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);
101
0
    return 0;
102
0
  }
103
104
  // Check the header.
105
0
  if (from[0] != 0 || from[1] != 1) {
106
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_BLOCK_TYPE_IS_NOT_01);
107
0
    return 0;
108
0
  }
109
110
  // Scan over padded data, looking for the 00.
111
0
  size_t pad;
112
0
  for (pad = 2 /* header */; pad < from_len; pad++) {
113
0
    if (from[pad] == 0x00) {
114
0
      break;
115
0
    }
116
117
0
    if (from[pad] != 0xff) {
118
0
      OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT);
119
0
      return 0;
120
0
    }
121
0
  }
122
123
0
  if (pad == from_len) {
124
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING);
125
0
    return 0;
126
0
  }
127
128
0
  if (pad < 2 /* header */ + 8) {
129
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_PAD_BYTE_COUNT);
130
0
    return 0;
131
0
  }
132
133
  // Skip over the 00.
134
0
  pad++;
135
136
0
  if (from_len - pad > max_out) {
137
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
138
0
    return 0;
139
0
  }
140
141
0
  OPENSSL_memcpy(out, from + pad, from_len - pad);
142
0
  *out_len = from_len - pad;
143
0
  return 1;
144
0
}
145
146
int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from,
147
0
                         size_t from_len) {
148
0
  if (from_len > to_len) {
149
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
150
0
    return 0;
151
0
  }
152
153
0
  if (from_len < to_len) {
154
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);
155
0
    return 0;
156
0
  }
157
158
0
  OPENSSL_memcpy(to, from, from_len);
159
0
  return 1;
160
0
}
161
162
int PKCS1_MGF1(uint8_t *out, size_t len, const uint8_t *seed, size_t seed_len,
163
0
               const EVP_MD *md) {
164
0
  int ret = 0;
165
0
  EVP_MD_CTX ctx;
166
0
  EVP_MD_CTX_init(&ctx);
167
0
  FIPS_service_indicator_lock_state();
168
169
0
  size_t md_len = EVP_MD_size(md);
170
171
0
  for (uint32_t i = 0; len > 0; i++) {
172
0
    uint8_t counter[4];
173
0
    counter[0] = (uint8_t)(i >> 24);
174
0
    counter[1] = (uint8_t)(i >> 16);
175
0
    counter[2] = (uint8_t)(i >> 8);
176
0
    counter[3] = (uint8_t)i;
177
0
    if (!EVP_DigestInit_ex(&ctx, md, NULL) ||
178
0
        !EVP_DigestUpdate(&ctx, seed, seed_len) ||
179
0
        !EVP_DigestUpdate(&ctx, counter, sizeof(counter))) {
180
0
      goto err;
181
0
    }
182
183
0
    if (md_len <= len) {
184
0
      if (!EVP_DigestFinal_ex(&ctx, out, NULL)) {
185
0
        goto err;
186
0
      }
187
0
      out += md_len;
188
0
      len -= md_len;
189
0
    } else {
190
0
      uint8_t digest[EVP_MAX_MD_SIZE];
191
0
      if (!EVP_DigestFinal_ex(&ctx, digest, NULL)) {
192
0
        goto err;
193
0
      }
194
0
      OPENSSL_memcpy(out, digest, len);
195
0
      len = 0;
196
0
    }
197
0
  }
198
199
0
  ret = 1;
200
201
0
err:
202
0
  EVP_MD_CTX_cleanup(&ctx);
203
0
  FIPS_service_indicator_unlock_state();
204
0
  return ret;
205
0
}
206
207
static const uint8_t kPSSZeroes[] = {0, 0, 0, 0, 0, 0, 0, 0};
208
209
int RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa, const uint8_t *mHash,
210
                              const EVP_MD *Hash, const EVP_MD *mgf1Hash,
211
0
                              const uint8_t *EM, int sLen) {
212
0
  if (mgf1Hash == NULL) {
213
0
    mgf1Hash = Hash;
214
0
  }
215
216
0
  int ret = 0;
217
0
  uint8_t *DB = NULL;
218
0
  EVP_MD_CTX ctx;
219
0
  EVP_MD_CTX_init(&ctx);
220
0
  FIPS_service_indicator_lock_state();
221
222
  // Negative sLen has special meanings:
223
  //   -1      sLen == hLen
224
  //   -2      salt length is autorecovered from signature
225
  //   -N      reserved
226
0
  size_t hLen = EVP_MD_size(Hash);
227
0
  if (sLen == -1) {
228
0
    sLen = (int)hLen;
229
0
  } else if (sLen == -2) {
230
0
    sLen = -2;
231
0
  } else if (sLen < -2) {
232
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
233
0
    goto err;
234
0
  }
235
236
0
  unsigned MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
237
0
  size_t emLen = RSA_size(rsa);
238
0
  if (EM[0] & (0xFF << MSBits)) {
239
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_FIRST_OCTET_INVALID);
240
0
    goto err;
241
0
  }
242
0
  if (MSBits == 0) {
243
0
    EM++;
244
0
    emLen--;
245
0
  }
246
  // |sLen| may be -2 for the non-standard salt length recovery mode.
247
0
  if (emLen < hLen + 2 ||
248
0
      (sLen >= 0 && emLen < hLen + (size_t)sLen + 2)) {
249
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
250
0
    goto err;
251
0
  }
252
0
  if (EM[emLen - 1] != 0xbc) {
253
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_LAST_OCTET_INVALID);
254
0
    goto err;
255
0
  }
256
0
  size_t maskedDBLen = emLen - hLen - 1;
257
0
  const uint8_t *H = EM + maskedDBLen;
258
0
  DB = OPENSSL_malloc(maskedDBLen);
259
0
  if (!DB) {
260
0
    goto err;
261
0
  }
262
0
  if (!PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash)) {
263
0
    goto err;
264
0
  }
265
0
  for (size_t i = 0; i < maskedDBLen; i++) {
266
0
    DB[i] ^= EM[i];
267
0
  }
268
0
  if (MSBits) {
269
0
    DB[0] &= 0xFF >> (8 - MSBits);
270
0
  }
271
  // This step differs slightly from EMSA-PSS-VERIFY (RFC 8017) step 10 because
272
  // it accepts a non-standard salt recovery flow. DB should be some number of
273
  // zeros, a one, then the salt.
274
0
  size_t salt_start;
275
0
  for (salt_start = 0; DB[salt_start] == 0 && salt_start < maskedDBLen - 1;
276
0
       salt_start++) {
277
0
    ;
278
0
  }
279
0
  if (DB[salt_start] != 0x1) {
280
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_RECOVERY_FAILED);
281
0
    goto err;
282
0
  }
283
0
  salt_start++;
284
  // If a salt length was specified, check it matches.
285
0
  if (sLen >= 0 && maskedDBLen - salt_start != (size_t)sLen) {
286
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
287
0
    goto err;
288
0
  }
289
0
  uint8_t H_[EVP_MAX_MD_SIZE];
290
0
  if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
291
0
      !EVP_DigestUpdate(&ctx, kPSSZeroes, sizeof(kPSSZeroes)) ||
292
0
      !EVP_DigestUpdate(&ctx, mHash, hLen) ||
293
0
      !EVP_DigestUpdate(&ctx, DB + salt_start, maskedDBLen - salt_start) ||
294
0
      !EVP_DigestFinal_ex(&ctx, H_, NULL)) {
295
0
    goto err;
296
0
  }
297
0
  if (OPENSSL_memcmp(H_, H, hLen) != 0) {
298
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
299
0
    goto err;
300
0
  }
301
302
0
  ret = 1;
303
304
0
err:
305
0
  OPENSSL_free(DB);
306
0
  EVP_MD_CTX_cleanup(&ctx);
307
0
  FIPS_service_indicator_unlock_state();
308
0
  return ret;
309
0
}
310
311
int RSA_padding_add_PKCS1_PSS_mgf1(const RSA *rsa, unsigned char *EM,
312
                                   const unsigned char *mHash,
313
                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
314
0
                                   int sLenRequested) {
315
0
  int ret = 0;
316
0
  size_t maskedDBLen, MSBits, emLen;
317
0
  size_t hLen;
318
0
  unsigned char *H, *salt = NULL, *p;
319
320
0
  if (mgf1Hash == NULL) {
321
0
    mgf1Hash = Hash;
322
0
  }
323
324
0
  FIPS_service_indicator_lock_state();
325
0
  hLen = EVP_MD_size(Hash);
326
327
0
  if (BN_is_zero(rsa->n)) {
328
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);
329
0
    goto err;
330
0
  }
331
332
0
  MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
333
0
  emLen = RSA_size(rsa);
334
0
  if (MSBits == 0) {
335
0
    assert(emLen >= 1);
336
0
    *EM++ = 0;
337
0
    emLen--;
338
0
  }
339
340
0
  if (emLen < hLen + 2) {
341
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
342
0
    goto err;
343
0
  }
344
345
  // Negative sLenRequested has special meanings:
346
  //   -1  sLen == hLen
347
  //   -2  salt length is maximized
348
  //   -N  reserved
349
0
  size_t sLen;
350
0
  if (sLenRequested == -1) {
351
0
    sLen = hLen;
352
0
  } else if (sLenRequested == -2) {
353
0
    sLen = emLen - hLen - 2;
354
0
  } else if (sLenRequested < 0) {
355
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
356
0
    goto err;
357
0
  } else {
358
0
    sLen = (size_t)sLenRequested;
359
0
  }
360
361
0
  if (emLen - hLen - 2 < sLen) {
362
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
363
0
    goto err;
364
0
  }
365
366
0
  if (sLen > 0) {
367
0
    salt = OPENSSL_malloc(sLen);
368
0
    if (!salt) {
369
0
      goto err;
370
0
    }
371
0
    BCM_rand_bytes(salt, sLen);
372
0
  }
373
0
  maskedDBLen = emLen - hLen - 1;
374
0
  H = EM + maskedDBLen;
375
376
0
  EVP_MD_CTX ctx;
377
0
  EVP_MD_CTX_init(&ctx);
378
0
  int digest_ok = EVP_DigestInit_ex(&ctx, Hash, NULL) &&
379
0
                  EVP_DigestUpdate(&ctx, kPSSZeroes, sizeof(kPSSZeroes)) &&
380
0
                  EVP_DigestUpdate(&ctx, mHash, hLen) &&
381
0
                  EVP_DigestUpdate(&ctx, salt, sLen) &&
382
0
                  EVP_DigestFinal_ex(&ctx, H, NULL);
383
0
  EVP_MD_CTX_cleanup(&ctx);
384
0
  if (!digest_ok) {
385
0
    goto err;
386
0
  }
387
388
  // Generate dbMask in place then perform XOR on it
389
0
  if (!PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {
390
0
    goto err;
391
0
  }
392
393
0
  p = EM;
394
  // Initial PS XORs with all zeroes which is a NOP so just update
395
  // pointer. Note from a test above this value is guaranteed to
396
  // be non-negative.
397
0
  p += emLen - sLen - hLen - 2;
398
0
  *p++ ^= 0x1;
399
0
  if (sLen > 0) {
400
0
    for (size_t i = 0; i < sLen; i++) {
401
0
      *p++ ^= salt[i];
402
0
    }
403
0
  }
404
0
  if (MSBits) {
405
0
    EM[0] &= 0xFF >> (8 - MSBits);
406
0
  }
407
408
  // H is already in place so just set final 0xbc
409
410
0
  EM[emLen - 1] = 0xbc;
411
412
0
  ret = 1;
413
414
0
err:
415
0
  OPENSSL_free(salt);
416
0
  FIPS_service_indicator_unlock_state();
417
418
0
  return ret;
419
0
}