xref: /dragonfly/crypto/libressl/crypto/rsa/rsa_pss.c (revision 961e30ea7dc61d1112b778ea4981eac68129fb86)
1 /* $OpenBSD: rsa_pss.c,v 1.15 2022/01/07 09:55:32 tb Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3  * project 2005.
4  */
5 /* ====================================================================
6  * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 
59 #include <stdio.h>
60 #include <stdlib.h>
61 #include <string.h>
62 
63 #include <openssl/bn.h>
64 #include <openssl/err.h>
65 #include <openssl/evp.h>
66 #include <openssl/rsa.h>
67 #include <openssl/sha.h>
68 
69 #include "evp_locl.h"
70 #include "rsa_locl.h"
71 
72 static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
73 
74 int
RSA_verify_PKCS1_PSS(RSA * rsa,const unsigned char * mHash,const EVP_MD * Hash,const unsigned char * EM,int sLen)75 RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, const EVP_MD *Hash,
76     const unsigned char *EM, int sLen)
77 {
78           return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
79 }
80 
81 int
RSA_verify_PKCS1_PSS_mgf1(RSA * rsa,const unsigned char * mHash,const EVP_MD * Hash,const EVP_MD * mgf1Hash,const unsigned char * EM,int sLen)82 RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
83     const EVP_MD *Hash, const EVP_MD *mgf1Hash, const unsigned char *EM,
84     int sLen)
85 {
86           int i;
87           int ret = 0;
88           int hLen, maskedDBLen, MSBits, emLen;
89           const unsigned char *H;
90           unsigned char *DB = NULL;
91           EVP_MD_CTX ctx;
92           unsigned char H_[EVP_MAX_MD_SIZE];
93 
94           EVP_MD_CTX_init(&ctx);
95 
96           if (mgf1Hash == NULL)
97                     mgf1Hash = Hash;
98 
99           hLen = EVP_MD_size(Hash);
100           if (hLen < 0)
101                     goto err;
102           /*
103            * Negative sLen has special meanings:
104            *        -1        sLen == hLen
105            *        -2        salt length is autorecovered from signature
106            *        -N        reserved
107            */
108           if (sLen == -1)
109                     sLen = hLen;
110           else if (sLen == -2)
111                     sLen = -2;
112           else if (sLen < -2) {
113                     RSAerror(RSA_R_SLEN_CHECK_FAILED);
114                     goto err;
115           }
116 
117           MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
118           emLen = RSA_size(rsa);
119           if (EM[0] & (0xFF << MSBits)) {
120                     RSAerror(RSA_R_FIRST_OCTET_INVALID);
121                     goto err;
122           }
123           if (MSBits == 0) {
124                     EM++;
125                     emLen--;
126           }
127           if (emLen < (hLen + sLen + 2)) {
128                     /* sLen can be small negative */
129                     RSAerror(RSA_R_DATA_TOO_LARGE);
130                     goto err;
131           }
132           if (EM[emLen - 1] != 0xbc) {
133                     RSAerror(RSA_R_LAST_OCTET_INVALID);
134                     goto err;
135           }
136           maskedDBLen = emLen - hLen - 1;
137           H = EM + maskedDBLen;
138           DB = malloc(maskedDBLen);
139           if (!DB) {
140                     RSAerror(ERR_R_MALLOC_FAILURE);
141                     goto err;
142           }
143           if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
144                     goto err;
145           for (i = 0; i < maskedDBLen; i++)
146                     DB[i] ^= EM[i];
147           if (MSBits)
148                     DB[0] &= 0xFF >> (8 - MSBits);
149           for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
150                     ;
151           if (DB[i++] != 0x1) {
152                     RSAerror(RSA_R_SLEN_RECOVERY_FAILED);
153                     goto err;
154           }
155           if (sLen >= 0 && (maskedDBLen - i) != sLen) {
156                     RSAerror(RSA_R_SLEN_CHECK_FAILED);
157                     goto err;
158           }
159           if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
160               !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
161               !EVP_DigestUpdate(&ctx, mHash, hLen))
162                     goto err;
163           if (maskedDBLen - i) {
164                     if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
165                               goto err;
166           }
167           if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
168                     goto err;
169           if (timingsafe_bcmp(H_, H, hLen)) {
170                     RSAerror(RSA_R_BAD_SIGNATURE);
171                     ret = 0;
172           } else
173                     ret = 1;
174 
175 err:
176           free(DB);
177           EVP_MD_CTX_cleanup(&ctx);
178 
179           return ret;
180 }
181 
182 int
RSA_padding_add_PKCS1_PSS(RSA * rsa,unsigned char * EM,const unsigned char * mHash,const EVP_MD * Hash,int sLen)183 RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
184     const unsigned char *mHash, const EVP_MD *Hash, int sLen)
185 {
186           return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
187 }
188 
189 int
RSA_padding_add_PKCS1_PSS_mgf1(RSA * rsa,unsigned char * EM,const unsigned char * mHash,const EVP_MD * Hash,const EVP_MD * mgf1Hash,int sLen)190 RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
191     const unsigned char *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash,
192     int sLen)
193 {
194           int i;
195           int ret = 0;
196           int hLen, maskedDBLen, MSBits, emLen;
197           unsigned char *H, *salt = NULL, *p;
198           EVP_MD_CTX ctx;
199 
200           EVP_MD_CTX_init(&ctx);
201 
202           if (mgf1Hash == NULL)
203                     mgf1Hash = Hash;
204 
205           hLen = EVP_MD_size(Hash);
206           if (hLen < 0)
207                     goto err;
208           /*
209            * Negative sLen has special meanings:
210            *        -1        sLen == hLen
211            *        -2        salt length is maximized
212            *        -N        reserved
213            */
214           if (sLen == -1)
215                     sLen = hLen;
216           else if (sLen == -2)
217                     sLen = -2;
218           else if (sLen < -2) {
219                     RSAerror(RSA_R_SLEN_CHECK_FAILED);
220                     goto err;
221           }
222 
223           MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
224           emLen = RSA_size(rsa);
225           if (MSBits == 0) {
226                     *EM++ = 0;
227                     emLen--;
228           }
229           if (sLen == -2)
230                     sLen = emLen - hLen - 2;
231           else if (emLen < (hLen + sLen + 2)) {
232                     RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
233                     goto err;
234           }
235           if (sLen > 0) {
236                     salt = malloc(sLen);
237                     if (!salt) {
238                               RSAerror(ERR_R_MALLOC_FAILURE);
239                               goto err;
240                     }
241                     arc4random_buf(salt, sLen);
242           }
243           maskedDBLen = emLen - hLen - 1;
244           H = EM + maskedDBLen;
245           if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
246               !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
247               !EVP_DigestUpdate(&ctx, mHash, hLen))
248                     goto err;
249           if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
250                     goto err;
251           if (!EVP_DigestFinal_ex(&ctx, H, NULL))
252                     goto err;
253 
254           /* Generate dbMask in place then perform XOR on it */
255           if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
256                     goto err;
257 
258           p = EM;
259 
260           /*
261            * Initial PS XORs with all zeroes which is a NOP so just update
262            * pointer. Note from a test above this value is guaranteed to
263            * be non-negative.
264            */
265           p += emLen - sLen - hLen - 2;
266           *p++ ^= 0x1;
267           if (sLen > 0) {
268                     for (i = 0; i < sLen; i++)
269                               *p++ ^= salt[i];
270           }
271           if (MSBits)
272                     EM[0] &= 0xFF >> (8 - MSBits);
273 
274           /* H is already in place so just set final 0xbc */
275           EM[emLen - 1] = 0xbc;
276 
277           ret = 1;
278 
279 err:
280           free(salt);
281           EVP_MD_CTX_cleanup(&ctx);
282 
283           return ret;
284 }
285