/src/openssl/crypto/rsa/rsa_pss.c

Source (jump to first uncovered line)
/*
 * Copyright 2005-2017 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_locl.h"

static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };

#if defined(_MSC_VER) && defined(_ARM_)
# pragma optimize("g", off)
#endif

int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
                         const EVP_MD *Hash, const unsigned char *EM,
                         int sLen)
{
    return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
}

int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
                              const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                              const unsigned char *EM, int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    const unsigned char *H;
    unsigned char *DB = NULL;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    unsigned char H_[EVP_MAX_MD_SIZE];

    if (ctx == NULL)
        goto err;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is autorecovered from signature
     *      -3      salt length is maximized
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen < RSA_PSS_SALTLEN_MAX) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (EM[0] & (0xFF << MSBits)) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
        goto err;
    }
    if (MSBits == 0) {
        EM++;
        emLen--;
    }
    if (emLen < hLen + 2) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (EM[emLen - 1] != 0xbc) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
        goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    DB = OPENSSL_malloc(maskedDBLen);
    if (DB == NULL) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
        goto err;
    for (i = 0; i < maskedDBLen; i++)
        DB[i] ^= EM[i];
    if (MSBits)
        DB[0] &= 0xFF >> (8 - MSBits);
    for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
    if (DB[i++] != 0x1) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
        goto err;
    }
    if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (maskedDBLen - i) {
        if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
            goto err;
    }
    if (!EVP_DigestFinal_ex(ctx, H_, NULL))
        goto err;
    if (memcmp(H_, H, hLen)) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
        ret = 0;
    } else {
        ret = 1;
    }

 err:
    OPENSSL_free(DB);
    EVP_MD_CTX_free(ctx);

    return ret;

}

int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
                              const unsigned char *mHash,
                              const EVP_MD *Hash, int sLen)
{
    return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
}

int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
                                   const unsigned char *mHash,
                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                                   int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    unsigned char *H, *salt = NULL, *p;
    EVP_MD_CTX *ctx = NULL;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is maximized
     *      -3      same as above (on signing)
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
        sLen = RSA_PSS_SALTLEN_MAX;
    } else if (sLen < RSA_PSS_SALTLEN_MAX) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (MSBits == 0) {
        *EM++ = 0;
        emLen--;
    }
    if (emLen < hLen + 2) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen > 0) {
        salt = OPENSSL_malloc(sLen);
        if (salt == NULL) {
            RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
                   ERR_R_MALLOC_FAILURE);
            goto err;
        }
        if (RAND_bytes(salt, sLen) <= 0)
            goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    ctx = EVP_MD_CTX_new();
    if (ctx == NULL)
        goto err;
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
        goto err;
    if (!EVP_DigestFinal_ex(ctx, H, NULL))
        goto err;

    /* Generate dbMask in place then perform XOR on it */
    if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
        goto err;

    p = EM;

    /*
     * Initial PS XORs with all zeroes which is a NOP so just update pointer.
     * Note from a test above this value is guaranteed to be non-negative.
     */
    p += emLen - sLen - hLen - 2;
    *p++ ^= 0x1;
    if (sLen > 0) {
        for (i = 0; i < sLen; i++)
            *p++ ^= salt[i];
    }
    if (MSBits)
        EM[0] &= 0xFF >> (8 - MSBits);

    /* H is already in place so just set final 0xbc */

    EM[emLen - 1] = 0xbc;

    ret = 1;

 err:
    EVP_MD_CTX_free(ctx);
    OPENSSL_free(salt);

    return ret;

}

#if defined(_MSC_VER)
# pragma optimize("",on)
#endif

Coverage Report

Created: 2018-08-29 13:53

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2005-2017 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the OpenSSL license (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <stdio.h>
11		#include "internal/cryptlib.h"
12		#include <openssl/bn.h>
13		#include <openssl/rsa.h>
14		#include <openssl/evp.h>
15		#include <openssl/rand.h>
16		#include <openssl/sha.h>
17		#include "rsa_locl.h"
18
19		static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
20
21		#if defined(_MSC_VER) && defined(_ARM_)
22		# pragma optimize("g", off)
23		#endif
24
25		int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,
26		const EVP_MD Hash, const unsigned char EM,
27		int sLen)
28	0	{
29	0	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
30	0	}
31
32		int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
33		const EVP_MD Hash, const EVP_MD mgf1Hash,
34		const unsigned char *EM, int sLen)
35	0	{
36	0	int i;
37	0	int ret = 0;
38	0	int hLen, maskedDBLen, MSBits, emLen;
39	0	const unsigned char *H;
40	0	unsigned char *DB = NULL;
41	0	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
42	0	unsigned char H_[EVP_MAX_MD_SIZE];
43	0
44	0	if (ctx == NULL)
45	0	goto err;
46	0
47	0	if (mgf1Hash == NULL)
48	0	mgf1Hash = Hash;
49	0
50	0	hLen = EVP_MD_size(Hash);
51	0	if (hLen < 0)
52	0	goto err;
53	0	/*-
54	0	* Negative sLen has special meanings:
55	0	* -1 sLen == hLen
56	0	* -2 salt length is autorecovered from signature
57	0	* -3 salt length is maximized
58	0	* -N reserved
59	0	*/
60	0	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
61	0	sLen = hLen;
62	0	} else if (sLen < RSA_PSS_SALTLEN_MAX) {
63	0	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
64	0	goto err;
65	0	}
66	0
67	0	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
68	0	emLen = RSA_size(rsa);
69	0	if (EM[0] & (0xFF << MSBits)) {
70	0	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
71	0	goto err;
72	0	}
73	0	if (MSBits == 0) {
74	0	EM++;
75	0	emLen--;
76	0	}
77	0	if (emLen < hLen + 2) {
78	0	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
79	0	goto err;
80	0	}
81	0	if (sLen == RSA_PSS_SALTLEN_MAX) {
82	0	sLen = emLen - hLen - 2;
83	0	} else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
84	0	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
85	0	goto err;
86	0	}
87	0	if (EM[emLen - 1] != 0xbc) {
88	0	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
89	0	goto err;
90	0	}
91	0	maskedDBLen = emLen - hLen - 1;
92	0	H = EM + maskedDBLen;
93	0	DB = OPENSSL_malloc(maskedDBLen);
94	0	if (DB == NULL) {
95	0	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
96	0	goto err;
97	0	}
98	0	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
99	0	goto err;
100	0	for (i = 0; i < maskedDBLen; i++)
101	0	DB[i] ^= EM[i];
102	0	if (MSBits)
103	0	DB[0] &= 0xFF >> (8 - MSBits);
104	0	for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
105	0	if (DB[i++] != 0x1) {
106	0	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
107	0	goto err;
108	0	}
109	0	if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
110	0	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
111	0	goto err;
112	0	}
113	0	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
114	0	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
115	0	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
116	0	goto err;
117	0	if (maskedDBLen - i) {
118	0	if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
119	0	goto err;
120	0	}
121	0	if (!EVP_DigestFinal_ex(ctx, H_, NULL))
122	0	goto err;
123	0	if (memcmp(H_, H, hLen)) {
124	0	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
125	0	ret = 0;
126	0	} else {
127	0	ret = 1;
128	0	}
129	0
130	0	err:
131	0	OPENSSL_free(DB);
132	0	EVP_MD_CTX_free(ctx);
133	0
134	0	return ret;
135	0
136	0	}
137
138		int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
139		const unsigned char *mHash,
140		const EVP_MD *Hash, int sLen)
141	0	{
142	0	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
143	0	}
144
145		int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
146		const unsigned char *mHash,
147		const EVP_MD Hash, const EVP_MD mgf1Hash,
148		int sLen)
149	0	{
150	0	int i;
151	0	int ret = 0;
152	0	int hLen, maskedDBLen, MSBits, emLen;
153	0	unsigned char H, salt = NULL, *p;
154	0	EVP_MD_CTX *ctx = NULL;
155	0
156	0	if (mgf1Hash == NULL)
157	0	mgf1Hash = Hash;
158	0
159	0	hLen = EVP_MD_size(Hash);
160	0	if (hLen < 0)
161	0	goto err;
162	0	/*-
163	0	* Negative sLen has special meanings:
164	0	* -1 sLen == hLen
165	0	* -2 salt length is maximized
166	0	* -3 same as above (on signing)
167	0	* -N reserved
168	0	*/
169	0	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
170	0	sLen = hLen;
171	0	} else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
172	0	sLen = RSA_PSS_SALTLEN_MAX;
173	0	} else if (sLen < RSA_PSS_SALTLEN_MAX) {
174	0	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
175	0	goto err;
176	0	}
177	0
178	0	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
179	0	emLen = RSA_size(rsa);
180	0	if (MSBits == 0) {
181	0	*EM++ = 0;
182	0	emLen--;
183	0	}
184	0	if (emLen < hLen + 2) {
185	0	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
186	0	RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
187	0	goto err;
188	0	}
189	0	if (sLen == RSA_PSS_SALTLEN_MAX) {
190	0	sLen = emLen - hLen - 2;
191	0	} else if (sLen > emLen - hLen - 2) {
192	0	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
193	0	RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
194	0	goto err;
195	0	}
196	0	if (sLen > 0) {
197	0	salt = OPENSSL_malloc(sLen);
198	0	if (salt == NULL) {
199	0	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
200	0	ERR_R_MALLOC_FAILURE);
201	0	goto err;
202	0	}
203	0	if (RAND_bytes(salt, sLen) <= 0)
204	0	goto err;
205	0	}
206	0	maskedDBLen = emLen - hLen - 1;
207	0	H = EM + maskedDBLen;
208	0	ctx = EVP_MD_CTX_new();
209	0	if (ctx == NULL)
210	0	goto err;
211	0	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
212	0	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
213	0	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
214	0	goto err;
215	0	if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
216	0	goto err;
217	0	if (!EVP_DigestFinal_ex(ctx, H, NULL))
218	0	goto err;
219	0
220	0	/* Generate dbMask in place then perform XOR on it */
221	0	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
222	0	goto err;
223	0
224	0	p = EM;
225	0
226	0	/*
227	0	* Initial PS XORs with all zeroes which is a NOP so just update pointer.
228	0	* Note from a test above this value is guaranteed to be non-negative.
229	0	*/
230	0	p += emLen - sLen - hLen - 2;
231	0	*p++ ^= 0x1;
232	0	if (sLen > 0) {
233	0	for (i = 0; i < sLen; i++)
234	0	*p++ ^= salt[i];
235	0	}
236	0	if (MSBits)
237	0	EM[0] &= 0xFF >> (8 - MSBits);
238	0
239	0	/* H is already in place so just set final 0xbc */
240	0
241	0	EM[emLen - 1] = 0xbc;
242	0
243	0	ret = 1;
244	0
245	0	err:
246	0	EVP_MD_CTX_free(ctx);
247	0	OPENSSL_free(salt);
248	0
249	0	return ret;
250	0
251	0	}
252
253		#if defined(_MSC_VER)
254		# pragma optimize("",on)
255		#endif