/src/openssl111/crypto/rsa/rsa_pss.c

Source (jump to first uncovered line)
/*
 * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_local.h"

static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };

#if defined(_MSC_VER) && defined(_ARM_)
# pragma optimize("g", off)
#endif

int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
                         const EVP_MD *Hash, const unsigned char *EM,
                         int sLen)
{
    return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
}

int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
                              const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                              const unsigned char *EM, int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    const unsigned char *H;
    unsigned char *DB = NULL;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    unsigned char H_[EVP_MAX_MD_SIZE];

    if (ctx == NULL)
        goto err;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is autorecovered from signature
     *      -3      salt length is maximized
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen < RSA_PSS_SALTLEN_MAX) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (EM[0] & (0xFF << MSBits)) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
        goto err;
    }
    if (MSBits == 0) {
        EM++;
        emLen--;
    }
    if (emLen < hLen + 2) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (EM[emLen - 1] != 0xbc) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
        goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    DB = OPENSSL_malloc(maskedDBLen);
    if (DB == NULL) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
        goto err;
    for (i = 0; i < maskedDBLen; i++)
        DB[i] ^= EM[i];
    if (MSBits)
        DB[0] &= 0xFF >> (8 - MSBits);
    for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
    if (DB[i++] != 0x1) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
        goto err;
    }
    if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (maskedDBLen - i) {
        if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
            goto err;
    }
    if (!EVP_DigestFinal_ex(ctx, H_, NULL))
        goto err;
    if (memcmp(H_, H, hLen)) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
        ret = 0;
    } else {
        ret = 1;
    }

 err:
    OPENSSL_free(DB);
    EVP_MD_CTX_free(ctx);

    return ret;

}

int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
                              const unsigned char *mHash,
                              const EVP_MD *Hash, int sLen)
{
    return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
}

int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
                                   const unsigned char *mHash,
                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                                   int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    unsigned char *H, *salt = NULL, *p;
    EVP_MD_CTX *ctx = NULL;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is maximized
     *      -3      same as above (on signing)
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
        sLen = RSA_PSS_SALTLEN_MAX;
    } else if (sLen < RSA_PSS_SALTLEN_MAX) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (MSBits == 0) {
        *EM++ = 0;
        emLen--;
    }
    if (emLen < hLen + 2) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen > 0) {
        salt = OPENSSL_malloc(sLen);
        if (salt == NULL) {
            RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
                   ERR_R_MALLOC_FAILURE);
            goto err;
        }
        if (RAND_bytes(salt, sLen) <= 0)
            goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    ctx = EVP_MD_CTX_new();
    if (ctx == NULL)
        goto err;
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
        goto err;
    if (!EVP_DigestFinal_ex(ctx, H, NULL))
        goto err;

    /* Generate dbMask in place then perform XOR on it */
    if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
        goto err;

    p = EM;

    /*
     * Initial PS XORs with all zeroes which is a NOP so just update pointer.
     * Note from a test above this value is guaranteed to be non-negative.
     */
    p += emLen - sLen - hLen - 2;
    *p++ ^= 0x1;
    if (sLen > 0) {
        for (i = 0; i < sLen; i++)
            *p++ ^= salt[i];
    }
    if (MSBits)
        EM[0] &= 0xFF >> (8 - MSBits);

    /* H is already in place so just set final 0xbc */

    EM[emLen - 1] = 0xbc;

    ret = 1;

 err:
    EVP_MD_CTX_free(ctx);
    OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */

    return ret;

}

#if defined(_MSC_VER)
# pragma optimize("",on)
#endif

Coverage Report

Created: 2023-09-25 06:45

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the OpenSSL license (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <stdio.h>
11		#include "internal/cryptlib.h"
12		#include <openssl/bn.h>
13		#include <openssl/rsa.h>
14		#include <openssl/evp.h>
15		#include <openssl/rand.h>
16		#include <openssl/sha.h>
17		#include "rsa_local.h"
18
19		static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
20
21		#if defined(_MSC_VER) && defined(_ARM_)
22		# pragma optimize("g", off)
23		#endif
24
25		int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,
26		const EVP_MD Hash, const unsigned char EM,
27		int sLen)
28	0	{
29	0	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
30	0	}
31
32		int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
33		const EVP_MD Hash, const EVP_MD mgf1Hash,
34		const unsigned char *EM, int sLen)
35	564	{
36	564	int i;
37	564	int ret = 0;
38	564	int hLen, maskedDBLen, MSBits, emLen;
39	564	const unsigned char *H;
40	564	unsigned char *DB = NULL;
41	564	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
42	564	unsigned char H_[EVP_MAX_MD_SIZE];
43
44	564	if (ctx == NULL)
45	0	goto err;
46
47	564	if (mgf1Hash == NULL)
48	37	mgf1Hash = Hash;
49
50	564	hLen = EVP_MD_size(Hash);
51	564	if (hLen < 0)
52	0	goto err;
53		/*-
54		* Negative sLen has special meanings:
55		* -1 sLen == hLen
56		* -2 salt length is autorecovered from signature
57		* -3 salt length is maximized
58		* -N reserved
59		*/
60	564	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
61	148	sLen = hLen;
62	416	} else if (sLen < RSA_PSS_SALTLEN_MAX) {
63	0	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
64	0	goto err;
65	0	}
66
67	564	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
68	564	emLen = RSA_size(rsa);
69	564	if (EM[0] & (0xFF << MSBits)) {
70	66	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
71	66	goto err;
72	66	}
73	498	if (MSBits == 0) {
74	14	EM++;
75	14	emLen--;
76	14	}
77	498	if (emLen < hLen + 2) {
78	0	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
79	0	goto err;
80	0	}
81	498	if (sLen == RSA_PSS_SALTLEN_MAX) {
82	0	sLen = emLen - hLen - 2;
83	498	} else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
84	5	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
85	5	goto err;
86	5	}
87	493	if (EM[emLen - 1] != 0xbc) {
88	427	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
89	427	goto err;
90	427	}
91	66	maskedDBLen = emLen - hLen - 1;
92	66	H = EM + maskedDBLen;
93	66	DB = OPENSSL_malloc(maskedDBLen);
94	66	if (DB == NULL) {
95	0	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
96	0	goto err;
97	0	}
98	66	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
99	0	goto err;
100	11.2k	for (i = 0; i < maskedDBLen; i++)
101	11.1k	DB[i] ^= EM[i];
102	66	if (MSBits)
103	62	DB[0] &= 0xFF >> (8 - MSBits);
104	2.98k	for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
105	66	if (DB[i++] != 0x1) {
106	33	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
107	33	goto err;
108	33	}
109	33	if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
110	10	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
111	10	goto err;
112	10	}
113	23	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
114	23	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
115	23	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
116	0	goto err;
117	23	if (maskedDBLen - i) {
118	23	if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
119	0	goto err;
120	23	}
121	23	if (!EVP_DigestFinal_ex(ctx, H_, NULL))
122	0	goto err;
123	23	if (memcmp(H_, H, hLen)) {
124	18	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
125	18	ret = 0;
126	18	} else {
127	5	ret = 1;
128	5	}
129
130	564	err:
131	564	OPENSSL_free(DB);
132	564	EVP_MD_CTX_free(ctx);
133
134	564	return ret;
135
136	23	}
137
138		int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
139		const unsigned char *mHash,
140		const EVP_MD *Hash, int sLen)
141	0	{
142	0	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
143	0	}
144
145		int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
146		const unsigned char *mHash,
147		const EVP_MD Hash, const EVP_MD mgf1Hash,
148		int sLen)
149	384	{
150	384	int i;
151	384	int ret = 0;
152	384	int hLen, maskedDBLen, MSBits, emLen;
153	384	unsigned char H, salt = NULL, *p;
154	384	EVP_MD_CTX *ctx = NULL;
155
156	384	if (mgf1Hash == NULL)
157	216	mgf1Hash = Hash;
158
159	384	hLen = EVP_MD_size(Hash);
160	384	if (hLen < 0)
161	0	goto err;
162		/*-
163		* Negative sLen has special meanings:
164		* -1 sLen == hLen
165		* -2 salt length is maximized
166		* -3 same as above (on signing)
167		* -N reserved
168		*/
169	384	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
170	384	sLen = hLen;
171	384	} else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
172	0	sLen = RSA_PSS_SALTLEN_MAX;
173	0	} else if (sLen < RSA_PSS_SALTLEN_MAX) {
174	0	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
175	0	goto err;
176	0	}
177
178	384	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
179	384	emLen = RSA_size(rsa);
180	384	if (MSBits == 0) {
181	0	*EM++ = 0;
182	0	emLen--;
183	0	}
184	384	if (emLen < hLen + 2) {
185	0	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
186	0	RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
187	0	goto err;
188	0	}
189	384	if (sLen == RSA_PSS_SALTLEN_MAX) {
190	0	sLen = emLen - hLen - 2;
191	384	} else if (sLen > emLen - hLen - 2) {
192	0	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
193	0	RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
194	0	goto err;
195	0	}
196	384	if (sLen > 0) {
197	384	salt = OPENSSL_malloc(sLen);
198	384	if (salt == NULL) {
199	0	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
200	0	ERR_R_MALLOC_FAILURE);
201	0	goto err;
202	0	}
203	384	if (RAND_bytes(salt, sLen) <= 0)
204	0	goto err;
205	384	}
206	384	maskedDBLen = emLen - hLen - 1;
207	384	H = EM + maskedDBLen;
208	384	ctx = EVP_MD_CTX_new();
209	384	if (ctx == NULL)
210	0	goto err;
211	384	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
212	384	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
213	384	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
214	0	goto err;
215	384	if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
216	0	goto err;
217	384	if (!EVP_DigestFinal_ex(ctx, H, NULL))
218	0	goto err;
219
220		/* Generate dbMask in place then perform XOR on it */
221	384	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
222	0	goto err;
223
224	384	p = EM;
225
226		/*
227		* Initial PS XORs with all zeroes which is a NOP so just update pointer.
228		* Note from a test above this value is guaranteed to be non-negative.
229		*/
230	384	p += emLen - sLen - hLen - 2;
231	384	*p++ ^= 0x1;
232	384	if (sLen > 0) {
233	14.9k	for (i = 0; i < sLen; i++)
234	14.6k	*p++ ^= salt[i];
235	384	}
236	384	if (MSBits)
237	384	EM[0] &= 0xFF >> (8 - MSBits);
238
239		/* H is already in place so just set final 0xbc */
240
241	384	EM[emLen - 1] = 0xbc;
242
243	384	ret = 1;
244
245	384	err:
246	384	EVP_MD_CTX_free(ctx);
247	384	OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */
248
249	384	return ret;
250
251	384	}
252
253		#if defined(_MSC_VER)
254		# pragma optimize("",on)
255		#endif