/src/openssl/crypto/rsa/rsa_sign.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | /* |
11 | | * RSA low level APIs are deprecated for public use, but still ok for |
12 | | * internal use. |
13 | | */ |
14 | | #include "internal/deprecated.h" |
15 | | |
16 | | #include <stdio.h> |
17 | | #include "internal/cryptlib.h" |
18 | | #include <openssl/bn.h> |
19 | | #include <openssl/rsa.h> |
20 | | #include <openssl/objects.h> |
21 | | #ifndef FIPS_MODULE |
22 | | # ifndef OPENSSL_NO_MD2 |
23 | | # include <openssl/md2.h> /* uses MD2_DIGEST_LENGTH */ |
24 | | # endif |
25 | | # ifndef OPENSSL_NO_MD4 |
26 | | # include <openssl/md4.h> /* uses MD4_DIGEST_LENGTH */ |
27 | | # endif |
28 | | # ifndef OPENSSL_NO_MD5 |
29 | | # include <openssl/md5.h> /* uses MD5_DIGEST_LENGTH */ |
30 | | # endif |
31 | | # ifndef OPENSSL_NO_MDC2 |
32 | | # include <openssl/mdc2.h> /* uses MDC2_DIGEST_LENGTH */ |
33 | | # endif |
34 | | # ifndef OPENSSL_NO_RMD160 |
35 | | # include <openssl/ripemd.h> /* uses RIPEMD160_DIGEST_LENGTH */ |
36 | | # endif |
37 | | # ifndef OPENSSL_NO_SM3 |
38 | | # include "internal/sm3.h" /* uses SM3_DIGEST_LENGTH */ |
39 | | # endif |
40 | | #endif |
41 | | #include <openssl/sha.h> /* uses SHA???_DIGEST_LENGTH */ |
42 | | #include "crypto/rsa.h" |
43 | | #include "rsa_local.h" |
44 | | |
45 | | /* |
46 | | * The general purpose ASN1 code is not available inside the FIPS provider. |
47 | | * To remove the dependency RSASSA-PKCS1-v1_5 DigestInfo encodings can be |
48 | | * treated as a special case by pregenerating the required ASN1 encoding. |
49 | | * This encoding will also be shared by the default provider. |
50 | | * |
51 | | * The EMSA-PKCS1-v1_5 encoding method includes an ASN.1 value of type |
52 | | * DigestInfo, where the type DigestInfo has the syntax |
53 | | * |
54 | | * DigestInfo ::= SEQUENCE { |
55 | | * digestAlgorithm DigestAlgorithm, |
56 | | * digest OCTET STRING |
57 | | * } |
58 | | * |
59 | | * DigestAlgorithm ::= AlgorithmIdentifier { |
60 | | * {PKCS1-v1-5DigestAlgorithms} |
61 | | * } |
62 | | * |
63 | | * The AlgorithmIdentifier is a sequence containing the digest OID and |
64 | | * parameters (a value of type NULL). |
65 | | * |
66 | | * The ENCODE_DIGESTINFO_SHA() and ENCODE_DIGESTINFO_MD() macros define an |
67 | | * initialized array containing the DER encoded DigestInfo for the specified |
68 | | * SHA or MD digest. The content of the OCTET STRING is not included. |
69 | | * |name| is the digest name. |
70 | | * |n| is last byte in the encoded OID for the digest. |
71 | | * |sz| is the digest length in bytes. It must not be greater than 110. |
72 | | */ |
73 | | |
74 | | #define ASN1_SEQUENCE 0x30 |
75 | | #define ASN1_OCTET_STRING 0x04 |
76 | | #define ASN1_NULL 0x05 |
77 | | #define ASN1_OID 0x06 |
78 | | |
79 | | /* SHA OIDs are of the form: (2 16 840 1 101 3 4 2 |n|) */ |
80 | | #define ENCODE_DIGESTINFO_SHA(name, n, sz) \ |
81 | | static const unsigned char digestinfo_##name##_der[] = { \ |
82 | | ASN1_SEQUENCE, 0x11 + sz, \ |
83 | | ASN1_SEQUENCE, 0x0d, \ |
84 | | ASN1_OID, 0x09, 2 * 40 + 16, 0x86, 0x48, 1, 101, 3, 4, 2, n, \ |
85 | | ASN1_NULL, 0x00, \ |
86 | | ASN1_OCTET_STRING, sz \ |
87 | | }; |
88 | | |
89 | | /* MD2, MD4 and MD5 OIDs are of the form: (1 2 840 113549 2 |n|) */ |
90 | | #define ENCODE_DIGESTINFO_MD(name, n, sz) \ |
91 | | static const unsigned char digestinfo_##name##_der[] = { \ |
92 | | ASN1_SEQUENCE, 0x10 + sz, \ |
93 | | ASN1_SEQUENCE, 0x0c, \ |
94 | | ASN1_OID, 0x08, 1 * 40 + 2, 0x86, 0x48, 0x86, 0xf7, 0x0d, 2, n, \ |
95 | | ASN1_NULL, 0x00, \ |
96 | | ASN1_OCTET_STRING, sz \ |
97 | | }; |
98 | | |
99 | | #ifndef FIPS_MODULE |
100 | | # ifndef OPENSSL_NO_MD2 |
101 | | ENCODE_DIGESTINFO_MD(md2, 0x02, MD2_DIGEST_LENGTH) |
102 | | # endif |
103 | | # ifndef OPENSSL_NO_MD4 |
104 | | ENCODE_DIGESTINFO_MD(md4, 0x03, MD4_DIGEST_LENGTH) |
105 | | # endif |
106 | | # ifndef OPENSSL_NO_MD5 |
107 | | ENCODE_DIGESTINFO_MD(md5, 0x05, MD5_DIGEST_LENGTH) |
108 | | # endif |
109 | | # ifndef OPENSSL_NO_MDC2 |
110 | | /* MDC-2 (2 5 8 3 101) */ |
111 | | static const unsigned char digestinfo_mdc2_der[] = { |
112 | | ASN1_SEQUENCE, 0x0c + MDC2_DIGEST_LENGTH, |
113 | | ASN1_SEQUENCE, 0x08, |
114 | | ASN1_OID, 0x04, 2 * 40 + 5, 8, 3, 101, |
115 | | ASN1_NULL, 0x00, |
116 | | ASN1_OCTET_STRING, MDC2_DIGEST_LENGTH |
117 | | }; |
118 | | # endif |
119 | | # ifndef OPENSSL_NO_RMD160 |
120 | | /* RIPEMD160 (1 3 36 3 2 1) */ |
121 | | static const unsigned char digestinfo_ripemd160_der[] = { |
122 | | ASN1_SEQUENCE, 0x0d + RIPEMD160_DIGEST_LENGTH, |
123 | | ASN1_SEQUENCE, 0x09, |
124 | | ASN1_OID, 0x05, 1 * 40 + 3, 36, 3, 2, 1, |
125 | | ASN1_NULL, 0x00, |
126 | | ASN1_OCTET_STRING, RIPEMD160_DIGEST_LENGTH |
127 | | }; |
128 | | # endif |
129 | | # ifndef OPENSSL_NO_SM3 |
130 | | /* SM3 (1 2 156 10197 1 401) */ |
131 | | static const unsigned char digestinfo_sm3_der[] = { |
132 | | ASN1_SEQUENCE, 0x10 + SM3_DIGEST_LENGTH, |
133 | | ASN1_SEQUENCE, 0x0c, |
134 | | ASN1_OID, 0x08, 1 * 40 + 2, 0x81, 0x1c, 0xcf, 0x55, 1, 0x83, 0x78, |
135 | | ASN1_NULL, 0x00, |
136 | | ASN1_OCTET_STRING, SM3_DIGEST_LENGTH |
137 | | }; |
138 | | # endif |
139 | | #endif /* FIPS_MODULE */ |
140 | | |
141 | | /* SHA-1 (1 3 14 3 2 26) */ |
142 | | static const unsigned char digestinfo_sha1_der[] = { |
143 | | ASN1_SEQUENCE, 0x0d + SHA_DIGEST_LENGTH, |
144 | | ASN1_SEQUENCE, 0x09, |
145 | | ASN1_OID, 0x05, 1 * 40 + 3, 14, 3, 2, 26, |
146 | | ASN1_NULL, 0x00, |
147 | | ASN1_OCTET_STRING, SHA_DIGEST_LENGTH |
148 | | }; |
149 | | |
150 | | ENCODE_DIGESTINFO_SHA(sha256, 0x01, SHA256_DIGEST_LENGTH) |
151 | | ENCODE_DIGESTINFO_SHA(sha384, 0x02, SHA384_DIGEST_LENGTH) |
152 | | ENCODE_DIGESTINFO_SHA(sha512, 0x03, SHA512_DIGEST_LENGTH) |
153 | | ENCODE_DIGESTINFO_SHA(sha224, 0x04, SHA224_DIGEST_LENGTH) |
154 | | ENCODE_DIGESTINFO_SHA(sha512_224, 0x05, SHA224_DIGEST_LENGTH) |
155 | | ENCODE_DIGESTINFO_SHA(sha512_256, 0x06, SHA256_DIGEST_LENGTH) |
156 | | ENCODE_DIGESTINFO_SHA(sha3_224, 0x07, SHA224_DIGEST_LENGTH) |
157 | | ENCODE_DIGESTINFO_SHA(sha3_256, 0x08, SHA256_DIGEST_LENGTH) |
158 | | ENCODE_DIGESTINFO_SHA(sha3_384, 0x09, SHA384_DIGEST_LENGTH) |
159 | | ENCODE_DIGESTINFO_SHA(sha3_512, 0x0a, SHA512_DIGEST_LENGTH) |
160 | | |
161 | | #define MD_CASE(name) \ |
162 | 0 | case NID_##name: \ |
163 | 0 | *len = sizeof(digestinfo_##name##_der); \ |
164 | 0 | return digestinfo_##name##_der; |
165 | | |
166 | | const unsigned char *ossl_rsa_digestinfo_encoding(int md_nid, size_t *len) |
167 | 0 | { |
168 | 0 | switch (md_nid) { |
169 | 0 | #ifndef FIPS_MODULE |
170 | 0 | # ifndef OPENSSL_NO_MDC2 |
171 | 0 | MD_CASE(mdc2) |
172 | 0 | # endif |
173 | 0 | # ifndef OPENSSL_NO_MD2 |
174 | 0 | MD_CASE(md2) |
175 | 0 | # endif |
176 | 0 | # ifndef OPENSSL_NO_MD4 |
177 | 0 | MD_CASE(md4) |
178 | 0 | # endif |
179 | 0 | # ifndef OPENSSL_NO_MD5 |
180 | 0 | MD_CASE(md5) |
181 | 0 | # endif |
182 | 0 | # ifndef OPENSSL_NO_RMD160 |
183 | 0 | MD_CASE(ripemd160) |
184 | 0 | # endif |
185 | 0 | # ifndef OPENSSL_NO_SM3 |
186 | 0 | MD_CASE(sm3) |
187 | 0 | # endif |
188 | 0 | #endif /* FIPS_MODULE */ |
189 | 0 | MD_CASE(sha1) |
190 | 0 | MD_CASE(sha224) |
191 | 0 | MD_CASE(sha256) |
192 | 0 | MD_CASE(sha384) |
193 | 0 | MD_CASE(sha512) |
194 | 0 | MD_CASE(sha512_224) |
195 | 0 | MD_CASE(sha512_256) |
196 | 0 | MD_CASE(sha3_224) |
197 | 0 | MD_CASE(sha3_256) |
198 | 0 | MD_CASE(sha3_384) |
199 | 0 | MD_CASE(sha3_512) |
200 | 0 | default: |
201 | 0 | return NULL; |
202 | 0 | } |
203 | 0 | } |
204 | | |
205 | | #define MD_NID_CASE(name, sz) \ |
206 | 0 | case NID_##name: \ |
207 | 0 | return sz; |
208 | | |
209 | | static int digest_sz_from_nid(int nid) |
210 | 0 | { |
211 | 0 | switch (nid) { |
212 | 0 | #ifndef FIPS_MODULE |
213 | 0 | # ifndef OPENSSL_NO_MDC2 |
214 | 0 | MD_NID_CASE(mdc2, MDC2_DIGEST_LENGTH) |
215 | 0 | # endif |
216 | 0 | # ifndef OPENSSL_NO_MD2 |
217 | 0 | MD_NID_CASE(md2, MD2_DIGEST_LENGTH) |
218 | 0 | # endif |
219 | 0 | # ifndef OPENSSL_NO_MD4 |
220 | 0 | MD_NID_CASE(md4, MD4_DIGEST_LENGTH) |
221 | 0 | # endif |
222 | 0 | # ifndef OPENSSL_NO_MD5 |
223 | 0 | MD_NID_CASE(md5, MD5_DIGEST_LENGTH) |
224 | 0 | # endif |
225 | 0 | # ifndef OPENSSL_NO_RMD160 |
226 | 0 | MD_NID_CASE(ripemd160, RIPEMD160_DIGEST_LENGTH) |
227 | 0 | # endif |
228 | 0 | #endif /* FIPS_MODULE */ |
229 | 0 | MD_NID_CASE(sha1, SHA_DIGEST_LENGTH) |
230 | 0 | MD_NID_CASE(sha224, SHA224_DIGEST_LENGTH) |
231 | 0 | MD_NID_CASE(sha256, SHA256_DIGEST_LENGTH) |
232 | 0 | MD_NID_CASE(sha384, SHA384_DIGEST_LENGTH) |
233 | 0 | MD_NID_CASE(sha512, SHA512_DIGEST_LENGTH) |
234 | 0 | MD_NID_CASE(sha512_224, SHA224_DIGEST_LENGTH) |
235 | 0 | MD_NID_CASE(sha512_256, SHA256_DIGEST_LENGTH) |
236 | 0 | MD_NID_CASE(sha3_224, SHA224_DIGEST_LENGTH) |
237 | 0 | MD_NID_CASE(sha3_256, SHA256_DIGEST_LENGTH) |
238 | 0 | MD_NID_CASE(sha3_384, SHA384_DIGEST_LENGTH) |
239 | 0 | MD_NID_CASE(sha3_512, SHA512_DIGEST_LENGTH) |
240 | 0 | default: |
241 | 0 | return 0; |
242 | 0 | } |
243 | 0 | } |
244 | | |
245 | | |
246 | | /* Size of an SSL signature: MD5+SHA1 */ |
247 | 0 | #define SSL_SIG_LENGTH 36 |
248 | | |
249 | | /* |
250 | | * Encodes a DigestInfo prefix of hash |type| and digest |m|, as |
251 | | * described in EMSA-PKCS1-v1_5-ENCODE, RFC 3447 section 9.2 step 2. This |
252 | | * encodes the DigestInfo (T and tLen) but does not add the padding. |
253 | | * |
254 | | * On success, it returns one and sets |*out| to a newly allocated buffer |
255 | | * containing the result and |*out_len| to its length. The caller must free |
256 | | * |*out| with OPENSSL_free(). Otherwise, it returns zero. |
257 | | */ |
258 | | static int encode_pkcs1(unsigned char **out, size_t *out_len, int type, |
259 | | const unsigned char *m, size_t m_len) |
260 | 0 | { |
261 | 0 | size_t di_prefix_len, dig_info_len; |
262 | 0 | const unsigned char *di_prefix; |
263 | 0 | unsigned char *dig_info; |
264 | |
|
265 | 0 | if (type == NID_undef) { |
266 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE); |
267 | 0 | return 0; |
268 | 0 | } |
269 | 0 | di_prefix = ossl_rsa_digestinfo_encoding(type, &di_prefix_len); |
270 | 0 | if (di_prefix == NULL) { |
271 | 0 | ERR_raise(ERR_LIB_RSA, |
272 | 0 | RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD); |
273 | 0 | return 0; |
274 | 0 | } |
275 | 0 | dig_info_len = di_prefix_len + m_len; |
276 | 0 | dig_info = OPENSSL_malloc(dig_info_len); |
277 | 0 | if (dig_info == NULL) |
278 | 0 | return 0; |
279 | 0 | memcpy(dig_info, di_prefix, di_prefix_len); |
280 | 0 | memcpy(dig_info + di_prefix_len, m, m_len); |
281 | |
|
282 | 0 | *out = dig_info; |
283 | 0 | *out_len = dig_info_len; |
284 | 0 | return 1; |
285 | 0 | } |
286 | | |
287 | | int RSA_sign(int type, const unsigned char *m, unsigned int m_len, |
288 | | unsigned char *sigret, unsigned int *siglen, RSA *rsa) |
289 | 0 | { |
290 | 0 | int encrypt_len, ret = 0; |
291 | 0 | size_t encoded_len = 0; |
292 | 0 | unsigned char *tmps = NULL; |
293 | 0 | const unsigned char *encoded = NULL; |
294 | |
|
295 | 0 | #ifndef FIPS_MODULE |
296 | 0 | if (rsa->meth->rsa_sign != NULL) |
297 | 0 | return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa) > 0; |
298 | 0 | #endif /* FIPS_MODULE */ |
299 | | |
300 | | /* Compute the encoded digest. */ |
301 | 0 | if (type == NID_md5_sha1) { |
302 | | /* |
303 | | * NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and |
304 | | * earlier. It has no DigestInfo wrapper but otherwise is |
305 | | * RSASSA-PKCS1-v1_5. |
306 | | */ |
307 | 0 | if (m_len != SSL_SIG_LENGTH) { |
308 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
309 | 0 | return 0; |
310 | 0 | } |
311 | 0 | encoded_len = SSL_SIG_LENGTH; |
312 | 0 | encoded = m; |
313 | 0 | } else { |
314 | 0 | if (!encode_pkcs1(&tmps, &encoded_len, type, m, m_len)) |
315 | 0 | goto err; |
316 | 0 | encoded = tmps; |
317 | 0 | } |
318 | | |
319 | 0 | if (encoded_len + RSA_PKCS1_PADDING_SIZE > (size_t)RSA_size(rsa)) { |
320 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); |
321 | 0 | goto err; |
322 | 0 | } |
323 | 0 | encrypt_len = RSA_private_encrypt((int)encoded_len, encoded, sigret, rsa, |
324 | 0 | RSA_PKCS1_PADDING); |
325 | 0 | if (encrypt_len <= 0) |
326 | 0 | goto err; |
327 | | |
328 | 0 | *siglen = encrypt_len; |
329 | 0 | ret = 1; |
330 | |
|
331 | 0 | err: |
332 | 0 | OPENSSL_clear_free(tmps, encoded_len); |
333 | 0 | return ret; |
334 | 0 | } |
335 | | |
336 | | /* |
337 | | * Verify an RSA signature in |sigbuf| using |rsa|. |
338 | | * |type| is the NID of the digest algorithm to use. |
339 | | * If |rm| is NULL, it verifies the signature for digest |m|, otherwise |
340 | | * it recovers the digest from the signature, writing the digest to |rm| and |
341 | | * the length to |*prm_len|. |
342 | | * |
343 | | * It returns one on successful verification or zero otherwise. |
344 | | */ |
345 | | int ossl_rsa_verify(int type, const unsigned char *m, unsigned int m_len, |
346 | | unsigned char *rm, size_t *prm_len, |
347 | | const unsigned char *sigbuf, size_t siglen, RSA *rsa) |
348 | 0 | { |
349 | 0 | int len, ret = 0; |
350 | 0 | size_t decrypt_len, encoded_len = 0; |
351 | 0 | unsigned char *decrypt_buf = NULL, *encoded = NULL; |
352 | |
|
353 | 0 | if (siglen != (size_t)RSA_size(rsa)) { |
354 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_WRONG_SIGNATURE_LENGTH); |
355 | 0 | return 0; |
356 | 0 | } |
357 | | |
358 | | /* Recover the encoded digest. */ |
359 | 0 | decrypt_buf = OPENSSL_malloc(siglen); |
360 | 0 | if (decrypt_buf == NULL) |
361 | 0 | goto err; |
362 | | |
363 | 0 | len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf, rsa, |
364 | 0 | RSA_PKCS1_PADDING); |
365 | 0 | if (len <= 0) |
366 | 0 | goto err; |
367 | 0 | decrypt_len = len; |
368 | |
|
369 | 0 | #ifndef FIPS_MODULE |
370 | 0 | if (type == NID_md5_sha1) { |
371 | | /* |
372 | | * NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and |
373 | | * earlier. It has no DigestInfo wrapper but otherwise is |
374 | | * RSASSA-PKCS1-v1_5. |
375 | | */ |
376 | 0 | if (decrypt_len != SSL_SIG_LENGTH) { |
377 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); |
378 | 0 | goto err; |
379 | 0 | } |
380 | | |
381 | 0 | if (rm != NULL) { |
382 | 0 | memcpy(rm, decrypt_buf, SSL_SIG_LENGTH); |
383 | 0 | *prm_len = SSL_SIG_LENGTH; |
384 | 0 | } else { |
385 | 0 | if (m_len != SSL_SIG_LENGTH) { |
386 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
387 | 0 | goto err; |
388 | 0 | } |
389 | | |
390 | 0 | if (memcmp(decrypt_buf, m, SSL_SIG_LENGTH) != 0) { |
391 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); |
392 | 0 | goto err; |
393 | 0 | } |
394 | 0 | } |
395 | 0 | } else if (type == NID_mdc2 && decrypt_len == 2 + 16 |
396 | 0 | && decrypt_buf[0] == 0x04 && decrypt_buf[1] == 0x10) { |
397 | | /* |
398 | | * Oddball MDC2 case: signature can be OCTET STRING. check for correct |
399 | | * tag and length octets. |
400 | | */ |
401 | 0 | if (rm != NULL) { |
402 | 0 | memcpy(rm, decrypt_buf + 2, 16); |
403 | 0 | *prm_len = 16; |
404 | 0 | } else { |
405 | 0 | if (m_len != 16) { |
406 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
407 | 0 | goto err; |
408 | 0 | } |
409 | | |
410 | 0 | if (memcmp(m, decrypt_buf + 2, 16) != 0) { |
411 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); |
412 | 0 | goto err; |
413 | 0 | } |
414 | 0 | } |
415 | 0 | } else |
416 | 0 | #endif /* FIPS_MODULE */ |
417 | 0 | { |
418 | | /* |
419 | | * If recovering the digest, extract a digest-sized output from the end |
420 | | * of |decrypt_buf| for |encode_pkcs1|, then compare the decryption |
421 | | * output as in a standard verification. |
422 | | */ |
423 | 0 | if (rm != NULL) { |
424 | 0 | len = digest_sz_from_nid(type); |
425 | |
|
426 | 0 | if (len <= 0) |
427 | 0 | goto err; |
428 | 0 | m_len = (unsigned int)len; |
429 | 0 | if (m_len > decrypt_len) { |
430 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH); |
431 | 0 | goto err; |
432 | 0 | } |
433 | 0 | m = decrypt_buf + decrypt_len - m_len; |
434 | 0 | } |
435 | | |
436 | | /* Construct the encoded digest and ensure it matches. */ |
437 | 0 | if (!encode_pkcs1(&encoded, &encoded_len, type, m, m_len)) |
438 | 0 | goto err; |
439 | | |
440 | 0 | if (encoded_len != decrypt_len |
441 | 0 | || memcmp(encoded, decrypt_buf, encoded_len) != 0) { |
442 | 0 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); |
443 | 0 | goto err; |
444 | 0 | } |
445 | | |
446 | | /* Output the recovered digest. */ |
447 | 0 | if (rm != NULL) { |
448 | 0 | memcpy(rm, m, m_len); |
449 | 0 | *prm_len = m_len; |
450 | 0 | } |
451 | 0 | } |
452 | | |
453 | 0 | ret = 1; |
454 | |
|
455 | 0 | err: |
456 | 0 | OPENSSL_clear_free(encoded, encoded_len); |
457 | 0 | OPENSSL_clear_free(decrypt_buf, siglen); |
458 | 0 | return ret; |
459 | 0 | } |
460 | | |
461 | | int RSA_verify(int type, const unsigned char *m, unsigned int m_len, |
462 | | const unsigned char *sigbuf, unsigned int siglen, RSA *rsa) |
463 | 0 | { |
464 | |
|
465 | 0 | if (rsa->meth->rsa_verify != NULL) |
466 | 0 | return rsa->meth->rsa_verify(type, m, m_len, sigbuf, siglen, rsa); |
467 | | |
468 | 0 | return ossl_rsa_verify(type, m, m_len, NULL, NULL, sigbuf, siglen, rsa); |
469 | 0 | } |