/src/openssl/crypto/rsa/rsa_pss.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2005-2024 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | /* |
11 | | * RSA low level APIs are deprecated for public use, but still ok for |
12 | | * internal use. |
13 | | */ |
14 | | #include "internal/deprecated.h" |
15 | | |
16 | | #include <stdio.h> |
17 | | #include "internal/cryptlib.h" |
18 | | #include <openssl/bn.h> |
19 | | #include <openssl/rsa.h> |
20 | | #include <openssl/evp.h> |
21 | | #include <openssl/rand.h> |
22 | | #include <openssl/sha.h> |
23 | | #include "rsa_local.h" |
24 | | |
25 | | static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; |
26 | | |
27 | | #if defined(_MSC_VER) && defined(_ARM_) |
28 | | # pragma optimize("g", off) |
29 | | #endif |
30 | | |
31 | | int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, |
32 | | const EVP_MD *Hash, const unsigned char *EM, |
33 | | int sLen) |
34 | 0 | { |
35 | 0 | return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen); |
36 | 0 | } |
37 | | |
38 | | int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, |
39 | | const EVP_MD *Hash, const EVP_MD *mgf1Hash, |
40 | | const unsigned char *EM, int sLen) |
41 | 0 | { |
42 | 0 | return ossl_rsa_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, mgf1Hash, EM, &sLen); |
43 | 0 | } |
44 | | |
45 | | int ossl_rsa_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, |
46 | | const EVP_MD *Hash, const EVP_MD *mgf1Hash, |
47 | | const unsigned char *EM, int *sLenOut) |
48 | 0 | { |
49 | 0 | int i; |
50 | 0 | int ret = 0; |
51 | 0 | int sLen = *sLenOut; |
52 | 0 | int hLen, maskedDBLen, MSBits, emLen; |
53 | 0 | const unsigned char *H; |
54 | 0 | unsigned char *DB = NULL; |
55 | 0 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
56 | 0 | unsigned char H_[EVP_MAX_MD_SIZE]; |
57 | |
|
58 | 0 | if (ctx == NULL) |
59 | 0 | goto err; |
60 | | |
61 | 0 | if (mgf1Hash == NULL) |
62 | 0 | mgf1Hash = Hash; |
63 | |
|
64 | 0 | hLen = EVP_MD_get_size(Hash); |
65 | 0 | if (hLen <= 0) |
66 | 0 | goto err; |
67 | | /*- |
68 | | * Negative sLen has special meanings: |
69 | | * -1 sLen == hLen |
70 | | * -2 salt length is autorecovered from signature |
71 | | * -3 salt length is maximized |
72 | | * -4 salt length is autorecovered from signature |
73 | | * -N reserved |
74 | | */ |
75 | 0 | if (sLen == RSA_PSS_SALTLEN_DIGEST) { |
76 | 0 | sLen = hLen; |
77 | 0 | } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { |
78 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED); |
79 | 0 | goto err; |
80 | 0 | } |
81 | | |
82 | 0 | MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; |
83 | 0 | emLen = RSA_size(rsa); |
84 | 0 | if (EM[0] & (0xFF << MSBits)) { |
85 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID); |
86 | 0 | goto err; |
87 | 0 | } |
88 | 0 | if (MSBits == 0) { |
89 | 0 | EM++; |
90 | 0 | emLen--; |
91 | 0 | } |
92 | 0 | if (emLen < hLen + 2) { |
93 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE); |
94 | 0 | goto err; |
95 | 0 | } |
96 | 0 | if (sLen == RSA_PSS_SALTLEN_MAX) { |
97 | 0 | sLen = emLen - hLen - 2; |
98 | 0 | } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */ |
99 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE); |
100 | 0 | goto err; |
101 | 0 | } |
102 | 0 | if (EM[emLen - 1] != 0xbc) { |
103 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID); |
104 | 0 | goto err; |
105 | 0 | } |
106 | 0 | maskedDBLen = emLen - hLen - 1; |
107 | 0 | H = EM + maskedDBLen; |
108 | 0 | DB = OPENSSL_malloc(maskedDBLen); |
109 | 0 | if (DB == NULL) |
110 | 0 | goto err; |
111 | 0 | if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) |
112 | 0 | goto err; |
113 | 0 | for (i = 0; i < maskedDBLen; i++) |
114 | 0 | DB[i] ^= EM[i]; |
115 | 0 | if (MSBits) |
116 | 0 | DB[0] &= 0xFF >> (8 - MSBits); |
117 | 0 | for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ; |
118 | 0 | if (DB[i++] != 0x1) { |
119 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED); |
120 | 0 | goto err; |
121 | 0 | } |
122 | 0 | if (sLen != RSA_PSS_SALTLEN_AUTO |
123 | 0 | && sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX |
124 | 0 | && (maskedDBLen - i) != sLen) { |
125 | 0 | ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED, |
126 | 0 | "expected: %d retrieved: %d", sLen, |
127 | 0 | maskedDBLen - i); |
128 | 0 | goto err; |
129 | 0 | } else { |
130 | 0 | sLen = maskedDBLen - i; |
131 | 0 | } |
132 | 0 | if (!EVP_DigestInit_ex(ctx, Hash, NULL) |
133 | 0 | || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes)) |
134 | 0 | || !EVP_DigestUpdate(ctx, mHash, hLen)) |
135 | 0 | goto err; |
136 | 0 | if (sLen != 0) { |
137 | 0 | if (!EVP_DigestUpdate(ctx, DB + i, sLen)) |
138 | 0 | goto err; |
139 | 0 | } |
140 | 0 | if (!EVP_DigestFinal_ex(ctx, H_, NULL)) |
141 | 0 | goto err; |
142 | 0 | if (memcmp(H_, H, hLen)) { |
143 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); |
144 | 0 | ret = 0; |
145 | 0 | } else { |
146 | 0 | ret = 1; |
147 | 0 | } |
148 | |
|
149 | 0 | *sLenOut = sLen; |
150 | 0 | err: |
151 | 0 | OPENSSL_free(DB); |
152 | 0 | EVP_MD_CTX_free(ctx); |
153 | |
|
154 | 0 | return ret; |
155 | |
|
156 | 0 | } |
157 | | |
158 | | int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, |
159 | | const unsigned char *mHash, |
160 | | const EVP_MD *Hash, int sLen) |
161 | 0 | { |
162 | 0 | return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen); |
163 | 0 | } |
164 | | |
165 | | int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, |
166 | | const unsigned char *mHash, |
167 | | const EVP_MD *Hash, const EVP_MD *mgf1Hash, |
168 | | int sLen) |
169 | 0 | { |
170 | 0 | return ossl_rsa_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, mgf1Hash, &sLen); |
171 | 0 | } |
172 | | |
173 | | int ossl_rsa_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, |
174 | | const unsigned char *mHash, |
175 | | const EVP_MD *Hash, const EVP_MD *mgf1Hash, |
176 | | int *sLenOut) |
177 | 0 | { |
178 | 0 | int i; |
179 | 0 | int ret = 0; |
180 | 0 | int sLen = *sLenOut; |
181 | 0 | int hLen, maskedDBLen, MSBits, emLen; |
182 | 0 | unsigned char *H, *salt = NULL, *p; |
183 | 0 | EVP_MD_CTX *ctx = NULL; |
184 | 0 | int sLenMax = -1; |
185 | |
|
186 | 0 | if (mgf1Hash == NULL) |
187 | 0 | mgf1Hash = Hash; |
188 | |
|
189 | 0 | hLen = EVP_MD_get_size(Hash); |
190 | 0 | if (hLen <= 0) |
191 | 0 | goto err; |
192 | | /*- |
193 | | * Negative sLen has special meanings: |
194 | | * -1 sLen == hLen |
195 | | * -2 salt length is maximized |
196 | | * -3 same as above (on signing) |
197 | | * -4 salt length is min(hLen, maximum salt length) |
198 | | * -N reserved |
199 | | */ |
200 | | /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection |
201 | | * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the |
202 | | * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of |
203 | | * the hash function output block (in bytes)." |
204 | | * |
205 | | * Provide a way to use at most the digest length, so that the default does |
206 | | * not violate FIPS 186-4. */ |
207 | 0 | if (sLen == RSA_PSS_SALTLEN_DIGEST) { |
208 | 0 | sLen = hLen; |
209 | 0 | } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN |
210 | 0 | || sLen == RSA_PSS_SALTLEN_AUTO) { |
211 | 0 | sLen = RSA_PSS_SALTLEN_MAX; |
212 | 0 | } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { |
213 | 0 | sLen = RSA_PSS_SALTLEN_MAX; |
214 | 0 | sLenMax = hLen; |
215 | 0 | } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { |
216 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED); |
217 | 0 | goto err; |
218 | 0 | } |
219 | | |
220 | 0 | MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; |
221 | 0 | emLen = RSA_size(rsa); |
222 | 0 | if (MSBits == 0) { |
223 | 0 | *EM++ = 0; |
224 | 0 | emLen--; |
225 | 0 | } |
226 | 0 | if (emLen < hLen + 2) { |
227 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); |
228 | 0 | goto err; |
229 | 0 | } |
230 | 0 | if (sLen == RSA_PSS_SALTLEN_MAX) { |
231 | 0 | sLen = emLen - hLen - 2; |
232 | 0 | if (sLenMax >= 0 && sLen > sLenMax) |
233 | 0 | sLen = sLenMax; |
234 | 0 | } else if (sLen > emLen - hLen - 2) { |
235 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); |
236 | 0 | goto err; |
237 | 0 | } |
238 | 0 | if (sLen > 0) { |
239 | 0 | salt = OPENSSL_malloc(sLen); |
240 | 0 | if (salt == NULL) |
241 | 0 | goto err; |
242 | 0 | if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0) |
243 | 0 | goto err; |
244 | 0 | } |
245 | 0 | maskedDBLen = emLen - hLen - 1; |
246 | 0 | H = EM + maskedDBLen; |
247 | 0 | ctx = EVP_MD_CTX_new(); |
248 | 0 | if (ctx == NULL) |
249 | 0 | goto err; |
250 | 0 | if (!EVP_DigestInit_ex(ctx, Hash, NULL) |
251 | 0 | || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes)) |
252 | 0 | || !EVP_DigestUpdate(ctx, mHash, hLen)) |
253 | 0 | goto err; |
254 | 0 | if (sLen && !EVP_DigestUpdate(ctx, salt, sLen)) |
255 | 0 | goto err; |
256 | 0 | if (!EVP_DigestFinal_ex(ctx, H, NULL)) |
257 | 0 | goto err; |
258 | | |
259 | | /* Generate dbMask in place then perform XOR on it */ |
260 | 0 | if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) |
261 | 0 | goto err; |
262 | | |
263 | 0 | p = EM; |
264 | | |
265 | | /* |
266 | | * Initial PS XORs with all zeroes which is a NOP so just update pointer. |
267 | | * Note from a test above this value is guaranteed to be non-negative. |
268 | | */ |
269 | 0 | p += emLen - sLen - hLen - 2; |
270 | 0 | *p++ ^= 0x1; |
271 | 0 | if (sLen > 0) { |
272 | 0 | for (i = 0; i < sLen; i++) |
273 | 0 | *p++ ^= salt[i]; |
274 | 0 | } |
275 | 0 | if (MSBits) |
276 | 0 | EM[0] &= 0xFF >> (8 - MSBits); |
277 | | |
278 | | /* H is already in place so just set final 0xbc */ |
279 | |
|
280 | 0 | EM[emLen - 1] = 0xbc; |
281 | |
|
282 | 0 | ret = 1; |
283 | |
|
284 | 0 | *sLenOut = sLen; |
285 | 0 | err: |
286 | 0 | EVP_MD_CTX_free(ctx); |
287 | 0 | OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */ |
288 | |
|
289 | 0 | return ret; |
290 | |
|
291 | 0 | } |
292 | | |
293 | | /* |
294 | | * The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS |
295 | | * (https://tools.ietf.org/html/rfc8017#appendix-A.2.3): |
296 | | * |
297 | | * If the default values of the hashAlgorithm, maskGenAlgorithm, and |
298 | | * trailerField fields of RSASSA-PSS-params are used, then the algorithm |
299 | | * identifier will have the following value: |
300 | | * |
301 | | * rSASSA-PSS-Default-Identifier RSASSA-AlgorithmIdentifier ::= { |
302 | | * algorithm id-RSASSA-PSS, |
303 | | * parameters RSASSA-PSS-params : { |
304 | | * hashAlgorithm sha1, |
305 | | * maskGenAlgorithm mgf1SHA1, |
306 | | * saltLength 20, |
307 | | * trailerField trailerFieldBC |
308 | | * } |
309 | | * } |
310 | | * |
311 | | * RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier { |
312 | | * {PKCS1Algorithms} |
313 | | * } |
314 | | */ |
315 | | static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = { |
316 | | NID_sha1, /* default hashAlgorithm */ |
317 | | { |
318 | | NID_mgf1, /* default maskGenAlgorithm */ |
319 | | NID_sha1 /* default MGF1 hash */ |
320 | | }, |
321 | | 20, /* default saltLength */ |
322 | | 1 /* default trailerField (0xBC) */ |
323 | | }; |
324 | | |
325 | | int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params) |
326 | 0 | { |
327 | 0 | if (rsa_pss_params == NULL) |
328 | 0 | return 0; |
329 | 0 | *rsa_pss_params = default_RSASSA_PSS_params; |
330 | 0 | return 1; |
331 | 0 | } |
332 | | |
333 | | int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params) |
334 | 0 | { |
335 | 0 | static RSA_PSS_PARAMS_30 pss_params_cmp = { 0, }; |
336 | |
|
337 | 0 | return rsa_pss_params == NULL |
338 | 0 | || memcmp(rsa_pss_params, &pss_params_cmp, |
339 | 0 | sizeof(*rsa_pss_params)) == 0; |
340 | 0 | } |
341 | | |
342 | | int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to, |
343 | | const RSA_PSS_PARAMS_30 *from) |
344 | 0 | { |
345 | 0 | memcpy(to, from, sizeof(*to)); |
346 | 0 | return 1; |
347 | 0 | } |
348 | | |
349 | | int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params, |
350 | | int hashalg_nid) |
351 | 0 | { |
352 | 0 | if (rsa_pss_params == NULL) |
353 | 0 | return 0; |
354 | 0 | rsa_pss_params->hash_algorithm_nid = hashalg_nid; |
355 | 0 | return 1; |
356 | 0 | } |
357 | | |
358 | | int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params, |
359 | | int maskgenhashalg_nid) |
360 | 0 | { |
361 | 0 | if (rsa_pss_params == NULL) |
362 | 0 | return 0; |
363 | 0 | rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid; |
364 | 0 | return 1; |
365 | 0 | } |
366 | | |
367 | | int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params, |
368 | | int saltlen) |
369 | 0 | { |
370 | 0 | if (rsa_pss_params == NULL) |
371 | 0 | return 0; |
372 | 0 | rsa_pss_params->salt_len = saltlen; |
373 | 0 | return 1; |
374 | 0 | } |
375 | | |
376 | | int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params, |
377 | | int trailerfield) |
378 | 0 | { |
379 | 0 | if (rsa_pss_params == NULL) |
380 | 0 | return 0; |
381 | 0 | rsa_pss_params->trailer_field = trailerfield; |
382 | 0 | return 1; |
383 | 0 | } |
384 | | |
385 | | int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params) |
386 | 0 | { |
387 | 0 | if (rsa_pss_params == NULL) |
388 | 0 | return default_RSASSA_PSS_params.hash_algorithm_nid; |
389 | 0 | return rsa_pss_params->hash_algorithm_nid; |
390 | 0 | } |
391 | | |
392 | | int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params) |
393 | 0 | { |
394 | 0 | if (rsa_pss_params == NULL) |
395 | 0 | return default_RSASSA_PSS_params.mask_gen.algorithm_nid; |
396 | 0 | return rsa_pss_params->mask_gen.algorithm_nid; |
397 | 0 | } |
398 | | |
399 | | int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params) |
400 | 0 | { |
401 | 0 | if (rsa_pss_params == NULL) |
402 | 0 | return default_RSASSA_PSS_params.hash_algorithm_nid; |
403 | 0 | return rsa_pss_params->mask_gen.hash_algorithm_nid; |
404 | 0 | } |
405 | | |
406 | | int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params) |
407 | 0 | { |
408 | 0 | if (rsa_pss_params == NULL) |
409 | 0 | return default_RSASSA_PSS_params.salt_len; |
410 | 0 | return rsa_pss_params->salt_len; |
411 | 0 | } |
412 | | |
413 | | int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params) |
414 | 0 | { |
415 | 0 | if (rsa_pss_params == NULL) |
416 | 0 | return default_RSASSA_PSS_params.trailer_field; |
417 | 0 | return rsa_pss_params->trailer_field; |
418 | 0 | } |
419 | | |
420 | | #if defined(_MSC_VER) |
421 | | # pragma optimize("",on) |
422 | | #endif |