kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1217 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 9f33fc63c6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9f33fc63c6'
${ noResults }
boringssl/crypto/rsa/padding.c

781 lines
21 KiB
Raw Blame History 

  1. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

  2.  * project 2005.

  3.  */

  4. /* ====================================================================

  5.  * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.

  6.  *

  7.  * Redistribution and use in source and binary forms, with or without

  8.  * modification, are permitted provided that the following conditions

  9.  * are met:

  10.  *

  11.  * 1. Redistributions of source code must retain the above copyright

  12.  *    notice, this list of conditions and the following disclaimer.

  13.  *

  14.  * 2. Redistributions in binary form must reproduce the above copyright

  15.  *    notice, this list of conditions and the following disclaimer in

  16.  *    the documentation and/or other materials provided with the

  17.  *    distribution.

  18.  *

  19.  * 3. All advertising materials mentioning features or use of this

  20.  *    software must display the following acknowledgment:

  21.  *    "This product includes software developed by the OpenSSL Project

  22.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  23.  *

  24.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  25.  *    endorse or promote products derived from this software without

  26.  *    prior written permission. For written permission, please contact

  27.  *    licensing@OpenSSL.org.

  28.  *

  29.  * 5. Products derived from this software may not be called "OpenSSL"

  30.  *    nor may "OpenSSL" appear in their names without prior written

  31.  *    permission of the OpenSSL Project.

  32.  *

  33.  * 6. Redistributions of any form whatsoever must retain the following

  34.  *    acknowledgment:

  35.  *    "This product includes software developed by the OpenSSL Project

  36.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  37.  *

  38.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  39.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  40.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  41.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  42.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  43.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  44.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  45.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  46.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  47.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  48.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  49.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  50.  * ====================================================================

  51.  *

  52.  * This product includes cryptographic software written by Eric Young

  53.  * (eay@cryptsoft.com).  This product includes software written by Tim

  54.  * Hudson (tjh@cryptsoft.com). */

  55. 

  56. #include <openssl/rsa.h>

  57. 

  58. #include <assert.h>

  59. #include <string.h>

  60. 

  61. #include <openssl/digest.h>

  62. #include <openssl/err.h>

  63. #include <openssl/mem.h>

  64. #include <openssl/rand.h>

  65. #include <openssl/sha.h>

  66. 

  67. #include "internal.h"

  68. 

  69. /* TODO(fork): don't the check functions have to be constant time? */

  70. 

  71. int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned tlen,

  72.                                  const uint8_t *from, unsigned flen) {

  73.   unsigned j;

  74.   uint8_t *p;

  75. 

  76.   if (tlen < RSA_PKCS1_PADDING_SIZE) {

  77.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_1,

  78.                       RSA_R_KEY_SIZE_TOO_SMALL);

  79.     return 0;

  80.   }

  81. 

  82.   if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {

  83.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_1,

  84.                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  85.     return 0;

  86.   }

  87. 

  88.   p = (uint8_t *)to;

  89. 

  90.   *(p++) = 0;

  91.   *(p++) = 1; /* Private Key BT (Block Type) */

  92. 

  93.   /* pad out with 0xff data */

  94.   j = tlen - 3 - flen;

  95.   memset(p, 0xff, j);

  96.   p += j;

  97.   *(p++) = 0;

  98.   memcpy(p, from, (unsigned int)flen);

  99.   return 1;

  100. }

  101. 

  102. int RSA_padding_check_PKCS1_type_1(uint8_t *to, unsigned tlen,

  103.                                    const uint8_t *from, unsigned flen) {

  104.   unsigned i, j;

  105.   const uint8_t *p;

  106. 

  107.   if (flen < 2) {

  108.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,

  109.                       RSA_R_DATA_TOO_SMALL);

  110.     return -1;

  111.   }

  112. 

  113.   p = from;

  114.   if ((*(p++) != 0) || (*(p++) != 1)) {

  115.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,

  116.                       RSA_R_BLOCK_TYPE_IS_NOT_01);

  117.     return -1;

  118.   }

  119. 

  120.   /* scan over padding data */

  121.   j = flen - 2; /* one for leading 00, one for type. */

  122.   for (i = 0; i < j; i++) {

  123.     /* should decrypt to 0xff */

  124.     if (*p != 0xff) {

  125.       if (*p == 0) {

  126.         p++;

  127.         break;

  128.       } else {

  129.         OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,

  130.                           RSA_R_BAD_FIXED_HEADER_DECRYPT);

  131.         return -1;

  132.       }

  133.     }

  134.     p++;

  135.   }

  136. 

  137.   if (i == j) {

  138.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,

  139.                       RSA_R_NULL_BEFORE_BLOCK_MISSING);

  140.     return -1;

  141.   }

  142. 

  143.   if (i < 8) {

  144.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,

  145.                       RSA_R_BAD_PAD_BYTE_COUNT);

  146.     return -1;

  147.   }

  148.   i++; /* Skip over the '\0' */

  149.   j -= i;

  150.   if (j > tlen) {

  151.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,

  152.                       RSA_R_DATA_TOO_LARGE);

  153.     return -1;

  154.   }

  155.   memcpy(to, p, j);

  156. 

  157.   return j;

  158. }

  159. 

  160. int RSA_padding_add_PKCS1_type_2(uint8_t *to, unsigned tlen,

  161.                                  const uint8_t *from, unsigned flen) {

  162.   unsigned i, j;

  163.   uint8_t *p;

  164. 

  165.   if (tlen < RSA_PKCS1_PADDING_SIZE) {

  166.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_2,

  167.                       RSA_R_KEY_SIZE_TOO_SMALL);

  168.     return 0;

  169.   }

  170. 

  171.   if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {

  172.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_2,

  173.                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  174.     return 0;

  175.   }

  176. 

  177.   p = (unsigned char *)to;

  178. 

  179.   *(p++) = 0;

  180.   *(p++) = 2; /* Public Key BT (Block Type) */

  181. 

  182.   /* pad out with non-zero random data */

  183.   j = tlen - 3 - flen;

  184. 

  185.   if (!RAND_bytes(p, j)) {

  186.     return 0;

  187.   }

  188. 

  189.   for (i = 0; i < j; i++) {

  190.     while (*p == 0) {

  191.       if (!RAND_bytes(p, 1)) {

  192.         return 0;

  193.       }

  194.     }

  195.     p++;

  196.   }

  197. 

  198.   *(p++) = 0;

  199. 

  200.   memcpy(p, from, (unsigned int)flen);

  201.   return 1;

  202. }

  203. 

  204. /* constant_time_byte_eq returns 1 if |x| == |y| and 0 otherwise. */

  205. static int constant_time_byte_eq(unsigned char a, unsigned char b) {

  206.   unsigned char z = ~(a ^ b);

  207.   z &= z >> 4;

  208.   z &= z >> 2;

  209.   z &= z >> 1;

  210. 

  211.   return z;

  212. }

  213. 

  214. /* constant_time_select returns |x| if |v| is 1 and |y| if |v| is 0.

  215.  * Its behavior is undefined if |v| takes any other value. */

  216. static int constant_time_select(int v, int x, int y) {

  217.   return ((~(v - 1)) & x) | ((v - 1) & y);

  218. }

  219. 

  220. /* constant_time_le returns 1 if |x| <= |y| and 0 otherwise.

  221.  * |x| and |y| must be positive. */

  222. static int constant_time_le(int x, int y) {

  223.   return ((x - y - 1) >> (sizeof(int) * 8 - 1)) & 1;

  224. }

  225. 

  226. int RSA_message_index_PKCS1_type_2(const uint8_t *from, size_t from_len,

  227.                                    size_t *out_index) {

  228.   size_t i;

  229.   int first_byte_is_zero, second_byte_is_two, looking_for_index;

  230.   int valid_index, zero_index = 0;

  231. 

  232.   /* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography

  233.    * Standard", section 7.2.2. */

  234.   if (from_len < RSA_PKCS1_PADDING_SIZE) {

  235.     /* |from| is zero-padded to the size of the RSA modulus, a public value, so

  236.      * this can be rejected in non-constant time. */

  237.     *out_index = 0;

  238.     return 0;

  239.   }

  240. 

  241.   first_byte_is_zero = constant_time_byte_eq(from[0], 0);

  242.   second_byte_is_two = constant_time_byte_eq(from[1], 2);

  243. 

  244.   looking_for_index = 1;

  245.   for (i = 2; i < from_len; i++) {

  246.     int equals0 = constant_time_byte_eq(from[i], 0);

  247.     zero_index =

  248.         constant_time_select(looking_for_index & equals0, i, zero_index);

  249.     looking_for_index = constant_time_select(equals0, 0, looking_for_index);

  250.   }

  251. 

  252.   /* The input must begin with 00 02. */

  253.   valid_index = first_byte_is_zero;

  254.   valid_index &= second_byte_is_two;

  255. 

  256.   /* We must have found the end of PS. */

  257.   valid_index &= ~looking_for_index;

  258. 

  259.   /* PS must be at least 8 bytes long, and it starts two bytes into |from|. */

  260.   valid_index &= constant_time_le(2 + 8, zero_index);

  261. 

  262.   /* Skip the zero byte. */

  263.   zero_index++;

  264. 

  265.   *out_index = constant_time_select(valid_index, zero_index, 0);

  266.   return valid_index;

  267. }

  268. 

  269. int RSA_padding_check_PKCS1_type_2(uint8_t *to, unsigned tlen,

  270.                                    const uint8_t *from, unsigned flen) {

  271.   size_t msg_index, msg_len;

  272. 

  273.   if (flen == 0) {

  274.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_2,

  275.                       RSA_R_EMPTY_PUBLIC_KEY);

  276.     return -1;

  277.   }

  278. 

  279.   /* NOTE: Although |RSA_message_index_PKCS1_type_2| itself is constant time,

  280.    * the API contracts of this function and |RSA_decrypt| with

  281.    * |RSA_PKCS1_PADDING| make it impossible to completely avoid Bleichenbacher's

  282.    * attack. */

  283.   if (!RSA_message_index_PKCS1_type_2(from, flen, &msg_index)) {

  284.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_2,

  285.                       RSA_R_PKCS_DECODING_ERROR);

  286.     return -1;

  287.   }

  288. 

  289.   msg_len = flen - msg_index;

  290.   if (msg_len > tlen) {

  291.     /* This shouldn't happen because this function is always called with |tlen|

  292.      * the key size and |flen| is bounded by the key size. */

  293.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_2,

  294.                       RSA_R_PKCS_DECODING_ERROR);

  295.     return -1;

  296.   }

  297.   memcpy(to, &from[msg_index], msg_len);

  298.   return msg_len;

  299. }

  300. 

  301. int RSA_padding_add_none(uint8_t *to, unsigned tlen, const uint8_t *from, unsigned flen) {

  302.   if (flen > tlen) {

  303.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_none,

  304.                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  305.     return 0;

  306.   }

  307. 

  308.   if (flen < tlen) {

  309.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_none,

  310.                       RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);

  311.     return 0;

  312.   }

  313. 

  314.   memcpy(to, from, (unsigned int)flen);

  315.   return 1;

  316. }

  317. 

  318. int RSA_padding_check_none(uint8_t *to, unsigned tlen, const uint8_t *from,

  319.                            unsigned flen) {

  320.   if (flen > tlen) {

  321.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_none, RSA_R_DATA_TOO_LARGE);

  322.     return -1;

  323.   }

  324. 

  325.   memcpy(to, from, flen);

  326.   return flen;

  327. }

  328. 

  329. int PKCS1_MGF1(uint8_t *mask, unsigned len, const uint8_t *seed,

  330.                unsigned seedlen, const EVP_MD *dgst) {

  331.   unsigned outlen = 0;

  332.   uint32_t i;

  333.   uint8_t cnt[4];

  334.   EVP_MD_CTX c;

  335.   uint8_t md[EVP_MAX_MD_SIZE];

  336.   unsigned mdlen;

  337.   int ret = -1;

  338. 

  339.   EVP_MD_CTX_init(&c);

  340.   mdlen = EVP_MD_size(dgst);

  341. 

  342.   for (i = 0; outlen < len; i++) {

  343.     cnt[0] = (uint8_t)((i >> 24) & 255);

  344.     cnt[1] = (uint8_t)((i >> 16) & 255);

  345.     cnt[2] = (uint8_t)((i >> 8)) & 255;

  346.     cnt[3] = (uint8_t)(i & 255);

  347.     if (!EVP_DigestInit_ex(&c, dgst, NULL) ||

  348.         !EVP_DigestUpdate(&c, seed, seedlen) || !EVP_DigestUpdate(&c, cnt, 4)) {

  349.       goto err;

  350.     }

  351. 

  352.     if (outlen + mdlen <= len) {

  353.       if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL)) {

  354.         goto err;

  355.       }

  356.       outlen += mdlen;

  357.     } else {

  358.       if (!EVP_DigestFinal_ex(&c, md, NULL)) {

  359.         goto err;

  360.       }

  361.       memcpy(mask + outlen, md, len - outlen);

  362.       outlen = len;

  363.     }

  364.   }

  365.   ret = 0;

  366. 

  367. err:

  368.   EVP_MD_CTX_cleanup(&c);

  369.   return ret;

  370. }

  371. 

  372. int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, unsigned tlen,

  373.                                     const uint8_t *from, unsigned flen,

  374.                                     const uint8_t *param, unsigned plen,

  375.                                     const EVP_MD *md, const EVP_MD *mgf1md) {

  376.   unsigned i, emlen, mdlen;

  377.   uint8_t *db, *seed;

  378.   uint8_t *dbmask = NULL, seedmask[EVP_MAX_MD_SIZE];

  379.   int ret = 0;

  380. 

  381.   if (md == NULL) {

  382.     md = EVP_sha1();

  383.   }

  384.   if (mgf1md == NULL) {

  385.     mgf1md = md;

  386.   }

  387. 

  388.   mdlen = EVP_MD_size(md);

  389. 

  390.   if (tlen < 2 * mdlen + 2) {

  391.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,

  392.                       RSA_R_KEY_SIZE_TOO_SMALL);

  393.     return 0;

  394.   }

  395. 

  396.   emlen = tlen - 1;

  397.   if (flen > emlen - 2 * mdlen - 1) {

  398.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,

  399.                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  400.     return 0;

  401.   }

  402. 

  403.   if (emlen < 2 * mdlen + 1) {

  404.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,

  405.                       RSA_R_KEY_SIZE_TOO_SMALL);

  406.     return 0;

  407.   }

  408. 

  409.   to[0] = 0;

  410.   seed = to + 1;

  411.   db = to + mdlen + 1;

  412. 

  413.   if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL)) {

  414.     return 0;

  415.   }

  416.   memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);

  417.   db[emlen - flen - mdlen - 1] = 0x01;

  418.   memcpy(db + emlen - flen - mdlen, from, flen);

  419.   if (!RAND_bytes(seed, mdlen)) {

  420.     return 0;

  421.   }

  422. 

  423.   dbmask = OPENSSL_malloc(emlen - mdlen);

  424.   if (dbmask == NULL) {

  425.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,

  426.                       ERR_R_MALLOC_FAILURE);

  427.     return 0;

  428.   }

  429. 

  430.   if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0) {

  431.     goto out;

  432.   }

  433.   for (i = 0; i < emlen - mdlen; i++) {

  434.     db[i] ^= dbmask[i];

  435.   }

  436. 

  437.   if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0) {

  438.     goto out;

  439.   }

  440.   for (i = 0; i < mdlen; i++) {

  441.     seed[i] ^= seedmask[i];

  442.   }

  443.   ret = 1;

  444. 

  445. out:

  446.   if (dbmask != NULL) {

  447.     OPENSSL_free(dbmask);

  448.   }

  449.   return ret;

  450. }

  451. 

  452. int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *to, unsigned tlen,

  453.                                       const uint8_t *from, unsigned flen,

  454.                                       const uint8_t *param, unsigned plen,

  455.                                       const EVP_MD *md, const EVP_MD *mgf1md) {

  456.   unsigned i, dblen, mlen = -1, mdlen;

  457.   const uint8_t *maskeddb, *maskedseed;

  458.   uint8_t *db = NULL, seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE];

  459.   int bad, looking_for_one_byte, one_index = 0;

  460. 

  461.   if (md == NULL) {

  462.     md = EVP_sha1();

  463.   }

  464.   if (mgf1md == NULL) {

  465.     mgf1md = md;

  466.   }

  467. 

  468.   mdlen = EVP_MD_size(md);

  469. 

  470.   /* The encoded message is one byte smaller than the modulus to ensure that it

  471.    * doesn't end up greater than the modulus. Thus there's an extra "+1" here

  472.    * compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2. */

  473.   if (flen < 1 + 2*mdlen + 1) {

  474.     /* 'flen' is the length of the modulus, i.e. does not depend on the

  475.      * particular ciphertext. */

  476.     goto decoding_err;

  477.   }

  478. 

  479.   dblen = flen - mdlen - 1;

  480.   db = OPENSSL_malloc(dblen);

  481.   if (db == NULL) {

  482.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,

  483.                       ERR_R_MALLOC_FAILURE);

  484.     goto err;

  485.   }

  486. 

  487.   maskedseed = from + 1;

  488.   maskeddb = from + 1 + mdlen;

  489. 

  490.   if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {

  491.     goto err;

  492.   }

  493.   for (i = 0; i < mdlen; i++) {

  494.     seed[i] ^= maskedseed[i];

  495.   }

  496. 

  497.   if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {

  498.     goto err;

  499.   }

  500.   for (i = 0; i < dblen; i++) {

  501.     db[i] ^= maskeddb[i];

  502.   }

  503. 

  504.   if (!EVP_Digest((void *)param, plen, phash, NULL, md, NULL)) {

  505.     goto err;

  506.   }

  507. 

  508.   bad = CRYPTO_memcmp(db, phash, mdlen);

  509.   bad |= from[0];

  510. 

  511.   looking_for_one_byte = 1;

  512.   for (i = mdlen; i < dblen; i++) {

  513.     int equals1 = constant_time_byte_eq(db[i], 1);

  514.     int equals0 = constant_time_byte_eq(db[i], 0);

  515.     one_index =

  516.         constant_time_select(looking_for_one_byte & equals1, i, one_index);

  517.     looking_for_one_byte =

  518.         constant_time_select(equals1, 0, looking_for_one_byte);

  519.     bad |= looking_for_one_byte & ~equals0;

  520.   }

  521. 

  522.   bad |= looking_for_one_byte;

  523. 

  524.   if (bad) {

  525.     goto decoding_err;

  526.   }

  527. 

  528.   one_index++;

  529.   mlen = dblen - one_index;

  530.   if (tlen < mlen) {

  531.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,

  532.                       RSA_R_DATA_TOO_LARGE);

  533.     mlen = -1;

  534.   } else {

  535.     memcpy(to, db + one_index, mlen);

  536.   }

  537. 

  538.   OPENSSL_free(db);

  539.   return mlen;

  540. 

  541. decoding_err:

  542.   /* to avoid chosen ciphertext attacks, the error message should not reveal

  543.    * which kind of decoding error happened */

  544.   OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,

  545.                     RSA_R_OAEP_DECODING_ERROR);

  546.  err:

  547.   if (db != NULL) {

  548.     OPENSSL_free(db);

  549.   }

  550.   return -1;

  551. }

  552. 

  553. static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};

  554. 

  555. int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,

  556.                               const EVP_MD *Hash, const EVP_MD *mgf1Hash,

  557.                               const uint8_t *EM, int sLen) {

  558.   int i;

  559.   int ret = 0;

  560.   int maskedDBLen, MSBits, emLen;

  561.   size_t hLen;

  562.   const uint8_t *H;

  563.   uint8_t *DB = NULL;

  564.   EVP_MD_CTX ctx;

  565.   uint8_t H_[EVP_MAX_MD_SIZE];

  566.   EVP_MD_CTX_init(&ctx);

  567. 

  568.   if (mgf1Hash == NULL) {

  569.     mgf1Hash = Hash;

  570.   }

  571. 

  572.   hLen = EVP_MD_size(Hash);

  573. 

  574.   /* Negative sLen has special meanings:

  575.    *	-1	sLen == hLen

  576.    *	-2	salt length is autorecovered from signature

  577.    *	-N	reserved */

  578.   if (sLen == -1) {

  579.     sLen = hLen;

  580.   } else if (sLen == -2) {

  581.     sLen = -2;

  582.   } else if (sLen < -2) {

  583.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_SLEN_CHECK_FAILED);

  584.     goto err;

  585.   }

  586. 

  587.   MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;

  588.   emLen = RSA_size(rsa);

  589.   if (EM[0] & (0xFF << MSBits)) {

  590.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1,

  591.                       RSA_R_FIRST_OCTET_INVALID);

  592.     goto err;

  593.   }

  594.   if (MSBits == 0) {

  595.     EM++;

  596.     emLen--;

  597.   }

  598.   if (emLen < ((int)hLen + sLen + 2)) {

  599.     /* sLen can be small negative */

  600.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_DATA_TOO_LARGE);

  601.     goto err;

  602.   }

  603.   if (EM[emLen - 1] != 0xbc) {

  604.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_LAST_OCTET_INVALID);

  605.     goto err;

  606.   }

  607.   maskedDBLen = emLen - hLen - 1;

  608.   H = EM + maskedDBLen;

  609.   DB = OPENSSL_malloc(maskedDBLen);

  610.   if (!DB) {

  611.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, ERR_R_MALLOC_FAILURE);

  612.     goto err;

  613.   }

  614.   if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) {

  615.     goto err;

  616.   }

  617.   for (i = 0; i < maskedDBLen; i++) {

  618.     DB[i] ^= EM[i];

  619.   }

  620.   if (MSBits) {

  621.     DB[0] &= 0xFF >> (8 - MSBits);

  622.   }

  623.   for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) {

  624.     ;

  625.   }

  626.   if (DB[i++] != 0x1) {

  627.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1,

  628.                       RSA_R_SLEN_RECOVERY_FAILED);

  629.     goto err;

  630.   }

  631.   if (sLen >= 0 && (maskedDBLen - i) != sLen) {

  632.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_SLEN_CHECK_FAILED);

  633.     goto err;

  634.   }

  635.   if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||

  636.       !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||

  637.       !EVP_DigestUpdate(&ctx, mHash, hLen)) {

  638.     goto err;

  639.   }

  640.   if (maskedDBLen - i) {

  641.     if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i)) {

  642.       goto err;

  643.     }

  644.   }

  645.   if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) {

  646.     goto err;

  647.   }

  648.   if (memcmp(H_, H, hLen)) {

  649.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_BAD_SIGNATURE);

  650.     ret = 0;

  651.   } else {

  652.     ret = 1;

  653.   }

  654. 

  655. err:

  656.   if (DB) {

  657.     OPENSSL_free(DB);

  658.   }

  659.   EVP_MD_CTX_cleanup(&ctx);

  660. 

  661.   return ret;

  662. }

  663. 

  664. int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,

  665.                                    const unsigned char *mHash,

  666.                                    const EVP_MD *Hash, const EVP_MD *mgf1Hash,

  667.                                    int sLen) {

  668.   int i;

  669.   int ret = 0;

  670.   size_t maskedDBLen, MSBits, emLen;

  671.   size_t hLen;

  672.   unsigned char *H, *salt = NULL, *p;

  673.   EVP_MD_CTX ctx;

  674. 

  675.   if (mgf1Hash == NULL) {

  676.     mgf1Hash = Hash;

  677.   }

  678. 

  679.   hLen = EVP_MD_size(Hash);

  680. 

  681.   /* Negative sLen has special meanings:

  682.    *	-1	sLen == hLen

  683.    *	-2	salt length is maximized

  684.    *	-N	reserved */

  685.   if (sLen == -1) {

  686.     sLen = hLen;

  687.   } else if (sLen == -2) {

  688.     sLen = -2;

  689.   } else if (sLen < -2) {

  690.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,

  691.                       RSA_R_SLEN_CHECK_FAILED);

  692.     goto err;

  693.   }

  694. 

  695.   if (BN_is_zero(rsa->n)) {

  696.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,

  697.                       RSA_R_EMPTY_PUBLIC_KEY);

  698.     goto err;

  699.   }

  700. 

  701.   MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;

  702.   emLen = RSA_size(rsa);

  703.   if (MSBits == 0) {

  704.     assert(emLen >= 1);

  705.     *EM++ = 0;

  706.     emLen--;

  707.   }

  708.   if (sLen == -2) {

  709.     if (emLen < hLen + 2) {

  710.       OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,

  711.                         RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  712.       goto err;

  713.     }

  714.     sLen = emLen - hLen - 2;

  715.   } else if (emLen < hLen + sLen + 2) {

  716.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,

  717.                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  718.     goto err;

  719.   }

  720.   if (sLen > 0) {

  721.     salt = OPENSSL_malloc(sLen);

  722.     if (!salt) {

  723.       OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,

  724.                         ERR_R_MALLOC_FAILURE);

  725.       goto err;

  726.     }

  727.     if (!RAND_bytes(salt, sLen)) {

  728.       goto err;

  729.     }

  730.   }

  731.   maskedDBLen = emLen - hLen - 1;

  732.   H = EM + maskedDBLen;

  733.   EVP_MD_CTX_init(&ctx);

  734.   if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||

  735.       !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||

  736.       !EVP_DigestUpdate(&ctx, mHash, hLen)) {

  737.     goto err;

  738.   }

  739.   if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen)) {

  740.     goto err;

  741.   }

  742.   if (!EVP_DigestFinal_ex(&ctx, H, NULL)) {

  743.     goto err;

  744.   }

  745.   EVP_MD_CTX_cleanup(&ctx);

  746. 

  747.   /* Generate dbMask in place then perform XOR on it */

  748.   if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {

  749.     goto err;

  750.   }

  751. 

  752.   p = EM;

  753. 

  754.   /* Initial PS XORs with all zeroes which is a NOP so just update

  755.    * pointer. Note from a test above this value is guaranteed to

  756.    * be non-negative. */

  757.   p += emLen - sLen - hLen - 2;

  758.   *p++ ^= 0x1;

  759.   if (sLen > 0) {

  760.     for (i = 0; i < sLen; i++) {

  761.       *p++ ^= salt[i];

  762.     }

  763.   }

  764.   if (MSBits) {

  765.     EM[0] &= 0xFF >> (8 - MSBits);

  766.   }

  767. 

  768.   /* H is already in place so just set final 0xbc */

  769. 

  770.   EM[emLen - 1] = 0xbc;

  771. 

  772.   ret = 1;

  773. 

  774. err:

  775.   if (salt) {

  776.     OPENSSL_free(salt);

  777.   }

  778. 

  779.   return ret;

  780. }