/src/libressl/crypto/rsa/rsa_sign.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: rsa_sign.c,v 1.34 2022/01/07 11:13:55 tb Exp $ */ |
2 | | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | | * All rights reserved. |
4 | | * |
5 | | * This package is an SSL implementation written |
6 | | * by Eric Young (eay@cryptsoft.com). |
7 | | * The implementation was written so as to conform with Netscapes SSL. |
8 | | * |
9 | | * This library is free for commercial and non-commercial use as long as |
10 | | * the following conditions are aheared to. The following conditions |
11 | | * apply to all code found in this distribution, be it the RC4, RSA, |
12 | | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 | | * included with this distribution is covered by the same copyright terms |
14 | | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 | | * |
16 | | * Copyright remains Eric Young's, and as such any Copyright notices in |
17 | | * the code are not to be removed. |
18 | | * If this package is used in a product, Eric Young should be given attribution |
19 | | * as the author of the parts of the library used. |
20 | | * This can be in the form of a textual message at program startup or |
21 | | * in documentation (online or textual) provided with the package. |
22 | | * |
23 | | * Redistribution and use in source and binary forms, with or without |
24 | | * modification, are permitted provided that the following conditions |
25 | | * are met: |
26 | | * 1. Redistributions of source code must retain the copyright |
27 | | * notice, this list of conditions and the following disclaimer. |
28 | | * 2. Redistributions in binary form must reproduce the above copyright |
29 | | * notice, this list of conditions and the following disclaimer in the |
30 | | * documentation and/or other materials provided with the distribution. |
31 | | * 3. All advertising materials mentioning features or use of this software |
32 | | * must display the following acknowledgement: |
33 | | * "This product includes cryptographic software written by |
34 | | * Eric Young (eay@cryptsoft.com)" |
35 | | * The word 'cryptographic' can be left out if the rouines from the library |
36 | | * being used are not cryptographic related :-). |
37 | | * 4. If you include any Windows specific code (or a derivative thereof) from |
38 | | * the apps directory (application code) you must include an acknowledgement: |
39 | | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 | | * |
41 | | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 | | * SUCH DAMAGE. |
52 | | * |
53 | | * The licence and distribution terms for any publically available version or |
54 | | * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 | | * copied and put under another distribution licence |
56 | | * [including the GNU Public Licence.] |
57 | | */ |
58 | | |
59 | | #include <stdio.h> |
60 | | #include <string.h> |
61 | | |
62 | | #include <openssl/bn.h> |
63 | | #include <openssl/err.h> |
64 | | #include <openssl/objects.h> |
65 | | #include <openssl/rsa.h> |
66 | | #include <openssl/x509.h> |
67 | | |
68 | | #include "asn1_locl.h" |
69 | | #include "rsa_locl.h" |
70 | | #include "x509_lcl.h" |
71 | | |
72 | | /* Size of an SSL signature: MD5+SHA1 */ |
73 | 3 | #define SSL_SIG_LENGTH 36 |
74 | | |
75 | | static int encode_pkcs1(unsigned char **, int *, int , const unsigned char *, |
76 | | unsigned int); |
77 | | |
78 | | /* |
79 | | * encode_pkcs1 encodes a DigestInfo prefix of hash `type' and digest `m', as |
80 | | * described in EMSA-PKCS-v1_5-ENCODE, RFC 8017 section 9. step 2. This |
81 | | * encodes the DigestInfo (T and tLen) but does not add the padding. |
82 | | * |
83 | | * On success, it returns one and sets `*out' to a newly allocated buffer |
84 | | * containing the result and `*out_len' to its length. Freeing `*out' is |
85 | | * the caller's responsibility. Failure is indicated by zero. |
86 | | */ |
87 | | static int |
88 | | encode_pkcs1(unsigned char **out, int *out_len, int type, |
89 | | const unsigned char *m, unsigned int m_len) |
90 | 1 | { |
91 | 1 | X509_SIG sig; |
92 | 1 | X509_ALGOR algor; |
93 | 1 | ASN1_TYPE parameter; |
94 | 1 | ASN1_OCTET_STRING digest; |
95 | 1 | uint8_t *der = NULL; |
96 | 1 | int len; |
97 | | |
98 | 1 | sig.algor = &algor; |
99 | 1 | if ((sig.algor->algorithm = OBJ_nid2obj(type)) == NULL) { |
100 | 0 | RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE); |
101 | 0 | return 0; |
102 | 0 | } |
103 | 1 | if (sig.algor->algorithm->length == 0) { |
104 | 0 | RSAerror( |
105 | 0 | RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD); |
106 | 0 | return 0; |
107 | 0 | } |
108 | 1 | parameter.type = V_ASN1_NULL; |
109 | 1 | parameter.value.ptr = NULL; |
110 | 1 | sig.algor->parameter = ¶meter; |
111 | | |
112 | 1 | sig.digest = &digest; |
113 | 1 | sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */ |
114 | 1 | sig.digest->length = m_len; |
115 | | |
116 | 1 | if ((len = i2d_X509_SIG(&sig, &der)) < 0) |
117 | 0 | return 0; |
118 | | |
119 | 1 | *out = der; |
120 | 1 | *out_len = len; |
121 | | |
122 | 1 | return 1; |
123 | 1 | } |
124 | | |
125 | | int |
126 | | RSA_sign(int type, const unsigned char *m, unsigned int m_len, |
127 | | unsigned char *sigret, unsigned int *siglen, RSA *rsa) |
128 | 0 | { |
129 | 0 | const unsigned char *encoded = NULL; |
130 | 0 | unsigned char *tmps = NULL; |
131 | 0 | int encrypt_len, encoded_len = 0, ret = 0; |
132 | |
|
133 | 0 | if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign != NULL) |
134 | 0 | return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); |
135 | | |
136 | | /* Compute the encoded digest. */ |
137 | 0 | if (type == NID_md5_sha1) { |
138 | | /* |
139 | | * NID_md5_sha1 corresponds to the MD5/SHA1 combination in |
140 | | * TLS 1.1 and earlier. It has no DigestInfo wrapper but |
141 | | * otherwise is RSASSA-PKCS-v1.5. |
142 | | */ |
143 | 0 | if (m_len != SSL_SIG_LENGTH) { |
144 | 0 | RSAerror(RSA_R_INVALID_DIGEST_LENGTH); |
145 | 0 | return 0; |
146 | 0 | } |
147 | 0 | encoded_len = SSL_SIG_LENGTH; |
148 | 0 | encoded = m; |
149 | 0 | } else { |
150 | 0 | if (!encode_pkcs1(&tmps, &encoded_len, type, m, m_len)) |
151 | 0 | goto err; |
152 | 0 | encoded = tmps; |
153 | 0 | } |
154 | 0 | if (encoded_len > RSA_size(rsa) - RSA_PKCS1_PADDING_SIZE) { |
155 | 0 | RSAerror(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); |
156 | 0 | goto err; |
157 | 0 | } |
158 | 0 | if ((encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret, |
159 | 0 | rsa, RSA_PKCS1_PADDING)) <= 0) |
160 | 0 | goto err; |
161 | | |
162 | 0 | *siglen = encrypt_len; |
163 | 0 | ret = 1; |
164 | |
|
165 | 0 | err: |
166 | 0 | freezero(tmps, (size_t)encoded_len); |
167 | 0 | return (ret); |
168 | 0 | } |
169 | | |
170 | | /* |
171 | | * int_rsa_verify verifies an RSA signature in `sigbuf' using `rsa'. It may be |
172 | | * called in two modes. If `rm' is NULL, it verifies the signature for the |
173 | | * digest `m'. Otherwise, it recovers the digest from the signature, writing the |
174 | | * digest to `rm' and the length to `*prm_len'. `type' is the NID of the digest |
175 | | * algorithm to use. It returns one on successful verification and zero |
176 | | * otherwise. |
177 | | */ |
178 | | int |
179 | | int_rsa_verify(int type, const unsigned char *m, unsigned int m_len, |
180 | | unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf, |
181 | | size_t siglen, RSA *rsa) |
182 | 19 | { |
183 | 19 | unsigned char *decrypt_buf, *encoded = NULL; |
184 | 19 | int decrypt_len, encoded_len = 0, ret = 0; |
185 | | |
186 | 19 | if (siglen != (size_t)RSA_size(rsa)) { |
187 | 6 | RSAerror(RSA_R_WRONG_SIGNATURE_LENGTH); |
188 | 6 | return 0; |
189 | 6 | } |
190 | | |
191 | | /* Recover the encoded digest. */ |
192 | 13 | if ((decrypt_buf = malloc(siglen)) == NULL) { |
193 | 0 | RSAerror(ERR_R_MALLOC_FAILURE); |
194 | 0 | goto err; |
195 | 0 | } |
196 | 13 | if ((decrypt_len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf, |
197 | 13 | rsa, RSA_PKCS1_PADDING)) <= 0) |
198 | 11 | goto err; |
199 | | |
200 | 2 | if (type == NID_md5_sha1) { |
201 | | /* |
202 | | * NID_md5_sha1 corresponds to the MD5/SHA1 combination in |
203 | | * TLS 1.1 and earlier. It has no DigestInfo wrapper but |
204 | | * otherwise is RSASSA-PKCS1-v1_5. |
205 | | */ |
206 | 1 | if (decrypt_len != SSL_SIG_LENGTH) { |
207 | 0 | RSAerror(RSA_R_INVALID_DIGEST_LENGTH); |
208 | 0 | goto err; |
209 | 0 | } |
210 | | |
211 | 1 | if (rm != NULL) { |
212 | 0 | memcpy(rm, decrypt_buf, SSL_SIG_LENGTH); |
213 | 0 | *prm_len = SSL_SIG_LENGTH; |
214 | 1 | } else { |
215 | 1 | if (m_len != SSL_SIG_LENGTH) { |
216 | 0 | RSAerror(RSA_R_INVALID_MESSAGE_LENGTH); |
217 | 0 | goto err; |
218 | 0 | } |
219 | 1 | if (timingsafe_bcmp(decrypt_buf, |
220 | 1 | m, SSL_SIG_LENGTH) != 0) { |
221 | 1 | RSAerror(RSA_R_BAD_SIGNATURE); |
222 | 1 | goto err; |
223 | 1 | } |
224 | 1 | } |
225 | 1 | } else { |
226 | | /* |
227 | | * If recovering the digest, extract a digest-sized output from |
228 | | * the end of `decrypt_buf' for `encode_pkcs1', then compare the |
229 | | * decryption output as in a standard verification. |
230 | | */ |
231 | 1 | if (rm != NULL) { |
232 | 0 | const EVP_MD *md; |
233 | |
|
234 | 0 | if ((md = EVP_get_digestbynid(type)) == NULL) { |
235 | 0 | RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE); |
236 | 0 | goto err; |
237 | 0 | } |
238 | 0 | if ((m_len = EVP_MD_size(md)) > (size_t)decrypt_len) { |
239 | 0 | RSAerror(RSA_R_INVALID_DIGEST_LENGTH); |
240 | 0 | goto err; |
241 | 0 | } |
242 | 0 | m = decrypt_buf + decrypt_len - m_len; |
243 | 0 | } |
244 | | |
245 | | /* Construct the encoded digest and ensure it matches */ |
246 | 1 | if (!encode_pkcs1(&encoded, &encoded_len, type, m, m_len)) |
247 | 0 | goto err; |
248 | | |
249 | 1 | if (encoded_len != decrypt_len || |
250 | 1 | timingsafe_bcmp(encoded, decrypt_buf, encoded_len) != 0) { |
251 | 1 | RSAerror(RSA_R_BAD_SIGNATURE); |
252 | 1 | goto err; |
253 | 1 | } |
254 | | |
255 | | /* Output the recovered digest. */ |
256 | 0 | if (rm != NULL) { |
257 | 0 | memcpy(rm, m, m_len); |
258 | 0 | *prm_len = m_len; |
259 | 0 | } |
260 | 0 | } |
261 | | |
262 | 0 | ret = 1; |
263 | 13 | err: |
264 | 13 | freezero(encoded, (size_t)encoded_len); |
265 | 13 | freezero(decrypt_buf, siglen); |
266 | 13 | return ret; |
267 | 0 | } |
268 | | |
269 | | int |
270 | | RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, |
271 | | const unsigned char *sigbuf, unsigned int siglen, RSA *rsa) |
272 | 19 | { |
273 | 19 | if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) |
274 | 0 | return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, |
275 | 0 | rsa); |
276 | | |
277 | 19 | return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa); |
278 | 19 | } |