/src/openssl31/crypto/rsa/rsa_pss.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | /* |
11 | | * RSA low level APIs are deprecated for public use, but still ok for |
12 | | * internal use. |
13 | | */ |
14 | | #include "internal/deprecated.h" |
15 | | |
16 | | #include <stdio.h> |
17 | | #include "internal/cryptlib.h" |
18 | | #include <openssl/bn.h> |
19 | | #include <openssl/rsa.h> |
20 | | #include <openssl/evp.h> |
21 | | #include <openssl/rand.h> |
22 | | #include <openssl/sha.h> |
23 | | #include "rsa_local.h" |
24 | | |
25 | | static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; |
26 | | |
27 | | #if defined(_MSC_VER) && defined(_ARM_) |
28 | | # pragma optimize("g", off) |
29 | | #endif |
30 | | |
31 | | int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, |
32 | | const EVP_MD *Hash, const unsigned char *EM, |
33 | | int sLen) |
34 | 0 | { |
35 | 0 | return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen); |
36 | 0 | } |
37 | | |
38 | | int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, |
39 | | const EVP_MD *Hash, const EVP_MD *mgf1Hash, |
40 | | const unsigned char *EM, int sLen) |
41 | 4.60k | { |
42 | 4.60k | int i; |
43 | 4.60k | int ret = 0; |
44 | 4.60k | int hLen, maskedDBLen, MSBits, emLen; |
45 | 4.60k | const unsigned char *H; |
46 | 4.60k | unsigned char *DB = NULL; |
47 | 4.60k | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
48 | 4.60k | unsigned char H_[EVP_MAX_MD_SIZE]; |
49 | | |
50 | 4.60k | if (ctx == NULL) |
51 | 0 | goto err; |
52 | | |
53 | 4.60k | if (mgf1Hash == NULL) |
54 | 0 | mgf1Hash = Hash; |
55 | | |
56 | 4.60k | hLen = EVP_MD_get_size(Hash); |
57 | 4.60k | if (hLen < 0) |
58 | 0 | goto err; |
59 | | /*- |
60 | | * Negative sLen has special meanings: |
61 | | * -1 sLen == hLen |
62 | | * -2 salt length is autorecovered from signature |
63 | | * -3 salt length is maximized |
64 | | * -4 salt length is autorecovered from signature |
65 | | * -N reserved |
66 | | */ |
67 | 4.60k | if (sLen == RSA_PSS_SALTLEN_DIGEST) { |
68 | 2.82k | sLen = hLen; |
69 | 2.82k | } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { |
70 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED); |
71 | 0 | goto err; |
72 | 0 | } |
73 | | |
74 | 4.60k | MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; |
75 | 4.60k | emLen = RSA_size(rsa); |
76 | 4.60k | if (EM[0] & (0xFF << MSBits)) { |
77 | 1.21k | ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID); |
78 | 1.21k | goto err; |
79 | 1.21k | } |
80 | 3.39k | if (MSBits == 0) { |
81 | 822 | EM++; |
82 | 822 | emLen--; |
83 | 822 | } |
84 | 3.39k | if (emLen < hLen + 2) { |
85 | 38 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE); |
86 | 38 | goto err; |
87 | 38 | } |
88 | 3.35k | if (sLen == RSA_PSS_SALTLEN_MAX) { |
89 | 0 | sLen = emLen - hLen - 2; |
90 | 3.35k | } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */ |
91 | 21 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE); |
92 | 21 | goto err; |
93 | 21 | } |
94 | 3.33k | if (EM[emLen - 1] != 0xbc) { |
95 | 3.13k | ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID); |
96 | 3.13k | goto err; |
97 | 3.13k | } |
98 | 194 | maskedDBLen = emLen - hLen - 1; |
99 | 194 | H = EM + maskedDBLen; |
100 | 194 | DB = OPENSSL_malloc(maskedDBLen); |
101 | 194 | if (DB == NULL) { |
102 | 0 | ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); |
103 | 0 | goto err; |
104 | 0 | } |
105 | 194 | if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) |
106 | 0 | goto err; |
107 | 39.4k | for (i = 0; i < maskedDBLen; i++) |
108 | 39.2k | DB[i] ^= EM[i]; |
109 | 194 | if (MSBits) |
110 | 162 | DB[0] &= 0xFF >> (8 - MSBits); |
111 | 4.85k | for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ; |
112 | 194 | if (DB[i++] != 0x1) { |
113 | 141 | ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED); |
114 | 141 | goto err; |
115 | 141 | } |
116 | 53 | if (sLen != RSA_PSS_SALTLEN_AUTO |
117 | 53 | && sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX |
118 | 53 | && (maskedDBLen - i) != sLen) { |
119 | 24 | ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED, |
120 | 24 | "expected: %d retrieved: %d", sLen, |
121 | 24 | maskedDBLen - i); |
122 | 24 | goto err; |
123 | 24 | } |
124 | 29 | if (!EVP_DigestInit_ex(ctx, Hash, NULL) |
125 | 29 | || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes)) |
126 | 29 | || !EVP_DigestUpdate(ctx, mHash, hLen)) |
127 | 0 | goto err; |
128 | 29 | if (maskedDBLen - i) { |
129 | 29 | if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i)) |
130 | 0 | goto err; |
131 | 29 | } |
132 | 29 | if (!EVP_DigestFinal_ex(ctx, H_, NULL)) |
133 | 0 | goto err; |
134 | 29 | if (memcmp(H_, H, hLen)) { |
135 | 25 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); |
136 | 25 | ret = 0; |
137 | 25 | } else { |
138 | 4 | ret = 1; |
139 | 4 | } |
140 | | |
141 | 4.60k | err: |
142 | 4.60k | OPENSSL_free(DB); |
143 | 4.60k | EVP_MD_CTX_free(ctx); |
144 | | |
145 | 4.60k | return ret; |
146 | | |
147 | 29 | } |
148 | | |
149 | | int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, |
150 | | const unsigned char *mHash, |
151 | | const EVP_MD *Hash, int sLen) |
152 | 0 | { |
153 | 0 | return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen); |
154 | 0 | } |
155 | | |
156 | | int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, |
157 | | const unsigned char *mHash, |
158 | | const EVP_MD *Hash, const EVP_MD *mgf1Hash, |
159 | | int sLen) |
160 | 223 | { |
161 | 223 | int i; |
162 | 223 | int ret = 0; |
163 | 223 | int hLen, maskedDBLen, MSBits, emLen; |
164 | 223 | unsigned char *H, *salt = NULL, *p; |
165 | 223 | EVP_MD_CTX *ctx = NULL; |
166 | 223 | int sLenMax = -1; |
167 | | |
168 | 223 | if (mgf1Hash == NULL) |
169 | 0 | mgf1Hash = Hash; |
170 | | |
171 | 223 | hLen = EVP_MD_get_size(Hash); |
172 | 223 | if (hLen < 0) |
173 | 0 | goto err; |
174 | | /*- |
175 | | * Negative sLen has special meanings: |
176 | | * -1 sLen == hLen |
177 | | * -2 salt length is maximized |
178 | | * -3 same as above (on signing) |
179 | | * -4 salt length is min(hLen, maximum salt length) |
180 | | * -N reserved |
181 | | */ |
182 | | /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection |
183 | | * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the |
184 | | * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of |
185 | | * the hash function output block (in bytes)." |
186 | | * |
187 | | * Provide a way to use at most the digest length, so that the default does |
188 | | * not violate FIPS 186-4. */ |
189 | 223 | if (sLen == RSA_PSS_SALTLEN_DIGEST) { |
190 | 223 | sLen = hLen; |
191 | 223 | } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN |
192 | 0 | || sLen == RSA_PSS_SALTLEN_AUTO) { |
193 | 0 | sLen = RSA_PSS_SALTLEN_MAX; |
194 | 0 | } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { |
195 | 0 | sLen = RSA_PSS_SALTLEN_MAX; |
196 | 0 | sLenMax = hLen; |
197 | 0 | } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { |
198 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED); |
199 | 0 | goto err; |
200 | 0 | } |
201 | | |
202 | 223 | MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; |
203 | 223 | emLen = RSA_size(rsa); |
204 | 223 | if (MSBits == 0) { |
205 | 0 | *EM++ = 0; |
206 | 0 | emLen--; |
207 | 0 | } |
208 | 223 | if (emLen < hLen + 2) { |
209 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); |
210 | 0 | goto err; |
211 | 0 | } |
212 | 223 | if (sLen == RSA_PSS_SALTLEN_MAX) { |
213 | 0 | sLen = emLen - hLen - 2; |
214 | 0 | if (sLenMax >= 0 && sLen > sLenMax) |
215 | 0 | sLen = sLenMax; |
216 | 223 | } else if (sLen > emLen - hLen - 2) { |
217 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); |
218 | 0 | goto err; |
219 | 0 | } |
220 | 223 | if (sLen > 0) { |
221 | 223 | salt = OPENSSL_malloc(sLen); |
222 | 223 | if (salt == NULL) { |
223 | 0 | ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); |
224 | 0 | goto err; |
225 | 0 | } |
226 | 223 | if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0) |
227 | 0 | goto err; |
228 | 223 | } |
229 | 223 | maskedDBLen = emLen - hLen - 1; |
230 | 223 | H = EM + maskedDBLen; |
231 | 223 | ctx = EVP_MD_CTX_new(); |
232 | 223 | if (ctx == NULL) |
233 | 0 | goto err; |
234 | 223 | if (!EVP_DigestInit_ex(ctx, Hash, NULL) |
235 | 223 | || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes)) |
236 | 223 | || !EVP_DigestUpdate(ctx, mHash, hLen)) |
237 | 0 | goto err; |
238 | 223 | if (sLen && !EVP_DigestUpdate(ctx, salt, sLen)) |
239 | 0 | goto err; |
240 | 223 | if (!EVP_DigestFinal_ex(ctx, H, NULL)) |
241 | 0 | goto err; |
242 | | |
243 | | /* Generate dbMask in place then perform XOR on it */ |
244 | 223 | if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) |
245 | 0 | goto err; |
246 | | |
247 | 223 | p = EM; |
248 | | |
249 | | /* |
250 | | * Initial PS XORs with all zeroes which is a NOP so just update pointer. |
251 | | * Note from a test above this value is guaranteed to be non-negative. |
252 | | */ |
253 | 223 | p += emLen - sLen - hLen - 2; |
254 | 223 | *p++ ^= 0x1; |
255 | 223 | if (sLen > 0) { |
256 | 9.23k | for (i = 0; i < sLen; i++) |
257 | 9.00k | *p++ ^= salt[i]; |
258 | 223 | } |
259 | 223 | if (MSBits) |
260 | 223 | EM[0] &= 0xFF >> (8 - MSBits); |
261 | | |
262 | | /* H is already in place so just set final 0xbc */ |
263 | | |
264 | 223 | EM[emLen - 1] = 0xbc; |
265 | | |
266 | 223 | ret = 1; |
267 | | |
268 | 223 | err: |
269 | 223 | EVP_MD_CTX_free(ctx); |
270 | 223 | OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */ |
271 | | |
272 | 223 | return ret; |
273 | | |
274 | 223 | } |
275 | | |
276 | | /* |
277 | | * The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS |
278 | | * (https://tools.ietf.org/html/rfc8017#appendix-A.2.3): |
279 | | * |
280 | | * If the default values of the hashAlgorithm, maskGenAlgorithm, and |
281 | | * trailerField fields of RSASSA-PSS-params are used, then the algorithm |
282 | | * identifier will have the following value: |
283 | | * |
284 | | * rSASSA-PSS-Default-Identifier RSASSA-AlgorithmIdentifier ::= { |
285 | | * algorithm id-RSASSA-PSS, |
286 | | * parameters RSASSA-PSS-params : { |
287 | | * hashAlgorithm sha1, |
288 | | * maskGenAlgorithm mgf1SHA1, |
289 | | * saltLength 20, |
290 | | * trailerField trailerFieldBC |
291 | | * } |
292 | | * } |
293 | | * |
294 | | * RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier { |
295 | | * {PKCS1Algorithms} |
296 | | * } |
297 | | */ |
298 | | static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = { |
299 | | NID_sha1, /* default hashAlgorithm */ |
300 | | { |
301 | | NID_mgf1, /* default maskGenAlgorithm */ |
302 | | NID_sha1 /* default MGF1 hash */ |
303 | | }, |
304 | | 20, /* default saltLength */ |
305 | | 1 /* default trailerField (0xBC) */ |
306 | | }; |
307 | | |
308 | | int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params) |
309 | 51.0k | { |
310 | 51.0k | if (rsa_pss_params == NULL) |
311 | 0 | return 0; |
312 | 51.0k | *rsa_pss_params = default_RSASSA_PSS_params; |
313 | 51.0k | return 1; |
314 | 51.0k | } |
315 | | |
316 | | int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params) |
317 | 57.6k | { |
318 | 57.6k | static RSA_PSS_PARAMS_30 pss_params_cmp = { 0, }; |
319 | | |
320 | 57.6k | return rsa_pss_params == NULL |
321 | 57.6k | || memcmp(rsa_pss_params, &pss_params_cmp, |
322 | 57.6k | sizeof(*rsa_pss_params)) == 0; |
323 | 57.6k | } |
324 | | |
325 | | int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to, |
326 | | const RSA_PSS_PARAMS_30 *from) |
327 | 0 | { |
328 | 0 | memcpy(to, from, sizeof(*to)); |
329 | 0 | return 1; |
330 | 0 | } |
331 | | |
332 | | int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params, |
333 | | int hashalg_nid) |
334 | 22.9k | { |
335 | 22.9k | if (rsa_pss_params == NULL) |
336 | 0 | return 0; |
337 | 22.9k | rsa_pss_params->hash_algorithm_nid = hashalg_nid; |
338 | 22.9k | return 1; |
339 | 22.9k | } |
340 | | |
341 | | int ossl_rsa_pss_params_30_set_maskgenalg(RSA_PSS_PARAMS_30 *rsa_pss_params, |
342 | | int maskgenalg_nid) |
343 | 0 | { |
344 | 0 | if (rsa_pss_params == NULL) |
345 | 0 | return 0; |
346 | 0 | rsa_pss_params->mask_gen.algorithm_nid = maskgenalg_nid; |
347 | 0 | return 1; |
348 | 0 | } |
349 | | |
350 | | int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params, |
351 | | int maskgenhashalg_nid) |
352 | 22.9k | { |
353 | 22.9k | if (rsa_pss_params == NULL) |
354 | 0 | return 0; |
355 | 22.9k | rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid; |
356 | 22.9k | return 1; |
357 | 22.9k | } |
358 | | |
359 | | int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params, |
360 | | int saltlen) |
361 | 22.9k | { |
362 | 22.9k | if (rsa_pss_params == NULL) |
363 | 0 | return 0; |
364 | 22.9k | rsa_pss_params->salt_len = saltlen; |
365 | 22.9k | return 1; |
366 | 22.9k | } |
367 | | |
368 | | int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params, |
369 | | int trailerfield) |
370 | 22.9k | { |
371 | 22.9k | if (rsa_pss_params == NULL) |
372 | 0 | return 0; |
373 | 22.9k | rsa_pss_params->trailer_field = trailerfield; |
374 | 22.9k | return 1; |
375 | 22.9k | } |
376 | | |
377 | | int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params) |
378 | 46.3k | { |
379 | 46.3k | if (rsa_pss_params == NULL) |
380 | 22.9k | return default_RSASSA_PSS_params.hash_algorithm_nid; |
381 | 23.4k | return rsa_pss_params->hash_algorithm_nid; |
382 | 46.3k | } |
383 | | |
384 | | int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params) |
385 | 45.9k | { |
386 | 45.9k | if (rsa_pss_params == NULL) |
387 | 22.9k | return default_RSASSA_PSS_params.mask_gen.algorithm_nid; |
388 | 23.0k | return rsa_pss_params->mask_gen.algorithm_nid; |
389 | 45.9k | } |
390 | | |
391 | | int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params) |
392 | 46.3k | { |
393 | 46.3k | if (rsa_pss_params == NULL) |
394 | 22.9k | return default_RSASSA_PSS_params.hash_algorithm_nid; |
395 | 23.4k | return rsa_pss_params->mask_gen.hash_algorithm_nid; |
396 | 46.3k | } |
397 | | |
398 | | int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params) |
399 | 50.6k | { |
400 | 50.6k | if (rsa_pss_params == NULL) |
401 | 8 | return default_RSASSA_PSS_params.salt_len; |
402 | 50.6k | return rsa_pss_params->salt_len; |
403 | 50.6k | } |
404 | | |
405 | | int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params) |
406 | 27.3k | { |
407 | 27.3k | if (rsa_pss_params == NULL) |
408 | 8 | return default_RSASSA_PSS_params.trailer_field; |
409 | 27.3k | return rsa_pss_params->trailer_field; |
410 | 27.3k | } |
411 | | |
412 | | #if defined(_MSC_VER) |
413 | | # pragma optimize("",on) |
414 | | #endif |