1 /* $OpenBSD: rsa_pss.c,v 1.12 2017/01/29 17:49:23 beck Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5 /* ====================================================================
6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
63 #include <openssl/bn.h>
64 #include <openssl/err.h>
65 #include <openssl/evp.h>
66 #include <openssl/rsa.h>
67 #include <openssl/sha.h>
69 static const unsigned char zeroes
[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
72 RSA_verify_PKCS1_PSS(RSA
*rsa
, const unsigned char *mHash
, const EVP_MD
*Hash
,
73 const unsigned char *EM
, int sLen
)
75 return RSA_verify_PKCS1_PSS_mgf1(rsa
, mHash
, Hash
, NULL
, EM
, sLen
);
79 RSA_verify_PKCS1_PSS_mgf1(RSA
*rsa
, const unsigned char *mHash
,
80 const EVP_MD
*Hash
, const EVP_MD
*mgf1Hash
, const unsigned char *EM
,
85 int hLen
, maskedDBLen
, MSBits
, emLen
;
86 const unsigned char *H
;
87 unsigned char *DB
= NULL
;
89 unsigned char H_
[EVP_MAX_MD_SIZE
];
91 EVP_MD_CTX_init(&ctx
);
96 hLen
= EVP_MD_size(Hash
);
100 * Negative sLen has special meanings:
102 * -2 salt length is autorecovered from signature
109 else if (sLen
< -2) {
110 RSAerror(RSA_R_SLEN_CHECK_FAILED
);
114 MSBits
= (BN_num_bits(rsa
->n
) - 1) & 0x7;
115 emLen
= RSA_size(rsa
);
116 if (EM
[0] & (0xFF << MSBits
)) {
117 RSAerror(RSA_R_FIRST_OCTET_INVALID
);
124 if (emLen
< (hLen
+ sLen
+ 2)) {
125 /* sLen can be small negative */
126 RSAerror(RSA_R_DATA_TOO_LARGE
);
129 if (EM
[emLen
- 1] != 0xbc) {
130 RSAerror(RSA_R_LAST_OCTET_INVALID
);
133 maskedDBLen
= emLen
- hLen
- 1;
134 H
= EM
+ maskedDBLen
;
135 DB
= malloc(maskedDBLen
);
137 RSAerror(ERR_R_MALLOC_FAILURE
);
140 if (PKCS1_MGF1(DB
, maskedDBLen
, H
, hLen
, mgf1Hash
) < 0)
142 for (i
= 0; i
< maskedDBLen
; i
++)
145 DB
[0] &= 0xFF >> (8 - MSBits
);
146 for (i
= 0; DB
[i
] == 0 && i
< (maskedDBLen
- 1); i
++)
148 if (DB
[i
++] != 0x1) {
149 RSAerror(RSA_R_SLEN_RECOVERY_FAILED
);
152 if (sLen
>= 0 && (maskedDBLen
- i
) != sLen
) {
153 RSAerror(RSA_R_SLEN_CHECK_FAILED
);
156 if (!EVP_DigestInit_ex(&ctx
, Hash
, NULL
) ||
157 !EVP_DigestUpdate(&ctx
, zeroes
, sizeof zeroes
) ||
158 !EVP_DigestUpdate(&ctx
, mHash
, hLen
))
160 if (maskedDBLen
- i
) {
161 if (!EVP_DigestUpdate(&ctx
, DB
+ i
, maskedDBLen
- i
))
164 if (!EVP_DigestFinal_ex(&ctx
, H_
, NULL
))
166 if (memcmp(H_
, H
, hLen
)) {
167 RSAerror(RSA_R_BAD_SIGNATURE
);
174 EVP_MD_CTX_cleanup(&ctx
);
180 RSA_padding_add_PKCS1_PSS(RSA
*rsa
, unsigned char *EM
,
181 const unsigned char *mHash
, const EVP_MD
*Hash
, int sLen
)
183 return RSA_padding_add_PKCS1_PSS_mgf1(rsa
, EM
, mHash
, Hash
, NULL
, sLen
);
187 RSA_padding_add_PKCS1_PSS_mgf1(RSA
*rsa
, unsigned char *EM
,
188 const unsigned char *mHash
, const EVP_MD
*Hash
, const EVP_MD
*mgf1Hash
,
193 int hLen
, maskedDBLen
, MSBits
, emLen
;
194 unsigned char *H
, *salt
= NULL
, *p
;
197 EVP_MD_CTX_init(&ctx
);
199 if (mgf1Hash
== NULL
)
202 hLen
= EVP_MD_size(Hash
);
206 * Negative sLen has special meanings:
208 * -2 salt length is maximized
215 else if (sLen
< -2) {
216 RSAerror(RSA_R_SLEN_CHECK_FAILED
);
220 MSBits
= (BN_num_bits(rsa
->n
) - 1) & 0x7;
221 emLen
= RSA_size(rsa
);
227 sLen
= emLen
- hLen
- 2;
228 else if (emLen
< (hLen
+ sLen
+ 2)) {
229 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
);
235 RSAerror(ERR_R_MALLOC_FAILURE
);
238 arc4random_buf(salt
, sLen
);
240 maskedDBLen
= emLen
- hLen
- 1;
241 H
= EM
+ maskedDBLen
;
242 if (!EVP_DigestInit_ex(&ctx
, Hash
, NULL
) ||
243 !EVP_DigestUpdate(&ctx
, zeroes
, sizeof zeroes
) ||
244 !EVP_DigestUpdate(&ctx
, mHash
, hLen
))
246 if (sLen
&& !EVP_DigestUpdate(&ctx
, salt
, sLen
))
248 if (!EVP_DigestFinal_ex(&ctx
, H
, NULL
))
251 /* Generate dbMask in place then perform XOR on it */
252 if (PKCS1_MGF1(EM
, maskedDBLen
, H
, hLen
, mgf1Hash
))
258 * Initial PS XORs with all zeroes which is a NOP so just update
259 * pointer. Note from a test above this value is guaranteed to
262 p
+= emLen
- sLen
- hLen
- 2;
265 for (i
= 0; i
< sLen
; i
++)
269 EM
[0] &= 0xFF >> (8 - MSBits
);
271 /* H is already in place so just set final 0xbc */
272 EM
[emLen
- 1] = 0xbc;
278 EVP_MD_CTX_cleanup(&ctx
);