libcrypto/rsa/rsa_pss.c

*c4bb5f42Sjoshua/* $OpenBSD: rsa_pss.c,v 1.19 2024/03/26 05:26:27 joshua Exp $ */
82a8dcafSdjm/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
0dd13104Sdjm * project 2005.
0dd13104Sdjm */
0dd13104Sdjm/* ====================================================================
0dd13104Sdjm * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
0dd13104Sdjm *
0dd13104Sdjm * Redistribution and use in source and binary forms, with or without
0dd13104Sdjm * modification, are permitted provided that the following conditions
0dd13104Sdjm * are met:
0dd13104Sdjm *
0dd13104Sdjm * 1. Redistributions of source code must retain the above copyright
0dd13104Sdjm *    notice, this list of conditions and the following disclaimer.
0dd13104Sdjm *
0dd13104Sdjm * 2. Redistributions in binary form must reproduce the above copyright
0dd13104Sdjm *    notice, this list of conditions and the following disclaimer in
0dd13104Sdjm *    the documentation and/or other materials provided with the
0dd13104Sdjm *    distribution.
0dd13104Sdjm *
0dd13104Sdjm * 3. All advertising materials mentioning features or use of this
0dd13104Sdjm *    software must display the following acknowledgment:
0dd13104Sdjm *    "This product includes software developed by the OpenSSL Project
0dd13104Sdjm *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
0dd13104Sdjm *
0dd13104Sdjm * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
0dd13104Sdjm *    endorse or promote products derived from this software without
0dd13104Sdjm *    prior written permission. For written permission, please contact
0dd13104Sdjm *    licensing@OpenSSL.org.
0dd13104Sdjm *
0dd13104Sdjm * 5. Products derived from this software may not be called "OpenSSL"
0dd13104Sdjm *    nor may "OpenSSL" appear in their names without prior written
0dd13104Sdjm *    permission of the OpenSSL Project.
0dd13104Sdjm *
0dd13104Sdjm * 6. Redistributions of any form whatsoever must retain the following
0dd13104Sdjm *    acknowledgment:
0dd13104Sdjm *    "This product includes software developed by the OpenSSL Project
0dd13104Sdjm *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
0dd13104Sdjm *
0dd13104Sdjm * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
0dd13104Sdjm * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
0dd13104Sdjm * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
0dd13104Sdjm * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
0dd13104Sdjm * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
0dd13104Sdjm * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
0dd13104Sdjm * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
0dd13104Sdjm * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
0dd13104Sdjm * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
0dd13104Sdjm * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
0dd13104Sdjm * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
0dd13104Sdjm * OF THE POSSIBILITY OF SUCH DAMAGE.
0dd13104Sdjm * ====================================================================
0dd13104Sdjm *
0dd13104Sdjm * This product includes cryptographic software written by Eric Young
0dd13104Sdjm * (eay@cryptsoft.com).  This product includes software written by Tim
0dd13104Sdjm * Hudson (tjh@cryptsoft.com).
0dd13104Sdjm *
0dd13104Sdjm */
0dd13104Sdjm
0dd13104Sdjm#include <stdio.h>
ef624301Sjsing#include <stdlib.h>
a8913c44Sjsing#include <string.h>
a8913c44Sjsing
0dd13104Sdjm#include <openssl/bn.h>
b6ab114eSjsing#include <openssl/err.h>
0dd13104Sdjm#include <openssl/evp.h>
b6ab114eSjsing#include <openssl/rsa.h>
0dd13104Sdjm#include <openssl/sha.h>
0dd13104Sdjm
c9675a23Stb#include "evp_local.h"
c9675a23Stb#include "rsa_local.h"
bc366ef8Stb
5650a0e1Sdjmstatic const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
5650a0e1Sdjm
87203b09Smiodint
87203b09SmiodRSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, const EVP_MD *Hash,
87203b09Smiod    const unsigned char *EM, int sLen)
0dd13104Sdjm{
ec07fdf1Sdjm	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
ec07fdf1Sdjm}
1da36015SbeckLCRYPTO_ALIAS(RSA_verify_PKCS1_PSS);
ec07fdf1Sdjm
87203b09Smiodint
87203b09SmiodRSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
87203b09Smiod    const EVP_MD *Hash, const EVP_MD *mgf1Hash, const unsigned char *EM,
87203b09Smiod    int sLen)
ec07fdf1Sdjm{
0dd13104Sdjm	int i;
0dd13104Sdjm	int ret = 0;
0dd13104Sdjm	int hLen, maskedDBLen, MSBits, emLen;
0dd13104Sdjm	const unsigned char *H;
0dd13104Sdjm	unsigned char *DB = NULL;
*c4bb5f42Sjoshua	EVP_MD_CTX *md_ctx;
0dd13104Sdjm	unsigned char H_[EVP_MAX_MD_SIZE];
87203b09Smiod
*c4bb5f42Sjoshua	if ((md_ctx = EVP_MD_CTX_new()) == NULL)
*c4bb5f42Sjoshua		goto err;
ec07fdf1Sdjm
ec07fdf1Sdjm	if (mgf1Hash == NULL)
ec07fdf1Sdjm		mgf1Hash = Hash;
0dd13104Sdjm
f1535dc8Sdjm	hLen = EVP_MD_size(Hash);
f1535dc8Sdjm	if (hLen < 0)
f1535dc8Sdjm		goto err;
0dd13104Sdjm	/*
0dd13104Sdjm	 * Negative sLen has special meanings:
0dd13104Sdjm	 *	-1	sLen == hLen
0dd13104Sdjm	 *	-2	salt length is autorecovered from signature
0dd13104Sdjm	 *	-N	reserved
0dd13104Sdjm	 */
87203b09Smiod	if (sLen == -1)
87203b09Smiod		sLen = hLen;
87203b09Smiod	else if (sLen == -2)
87203b09Smiod		sLen = -2;
87203b09Smiod	else if (sLen < -2) {
5067ae9fSbeck		RSAerror(RSA_R_SLEN_CHECK_FAILED);
0dd13104Sdjm		goto err;
0dd13104Sdjm	}
0dd13104Sdjm
0dd13104Sdjm	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
0dd13104Sdjm	emLen = RSA_size(rsa);
87203b09Smiod	if (EM[0] & (0xFF << MSBits)) {
5067ae9fSbeck		RSAerror(RSA_R_FIRST_OCTET_INVALID);
0dd13104Sdjm		goto err;
0dd13104Sdjm	}
87203b09Smiod	if (MSBits == 0) {
0dd13104Sdjm		EM++;
0dd13104Sdjm		emLen--;
0dd13104Sdjm	}
14a995a9Sjsing	if (emLen < (hLen + sLen + 2)) {
14a995a9Sjsing		/* sLen can be small negative */
5067ae9fSbeck		RSAerror(RSA_R_DATA_TOO_LARGE);
0dd13104Sdjm		goto err;
0dd13104Sdjm	}
87203b09Smiod	if (EM[emLen - 1] != 0xbc) {
5067ae9fSbeck		RSAerror(RSA_R_LAST_OCTET_INVALID);
0dd13104Sdjm		goto err;
0dd13104Sdjm	}
0dd13104Sdjm	maskedDBLen = emLen - hLen - 1;
0dd13104Sdjm	H = EM + maskedDBLen;
6f3a6cb1Sbeck	DB = malloc(maskedDBLen);
87203b09Smiod	if (!DB) {
5067ae9fSbeck		RSAerror(ERR_R_MALLOC_FAILURE);
0dd13104Sdjm		goto err;
0dd13104Sdjm	}
ec07fdf1Sdjm	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
f1535dc8Sdjm		goto err;
0dd13104Sdjm	for (i = 0; i < maskedDBLen; i++)
0dd13104Sdjm		DB[i] ^= EM[i];
0dd13104Sdjm	if (MSBits)
0dd13104Sdjm		DB[0] &= 0xFF >> (8 - MSBits);
87203b09Smiod	for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
87203b09Smiod		;
87203b09Smiod	if (DB[i++] != 0x1) {
5067ae9fSbeck		RSAerror(RSA_R_SLEN_RECOVERY_FAILED);
0dd13104Sdjm		goto err;
0dd13104Sdjm	}
87203b09Smiod	if (sLen >= 0 && (maskedDBLen - i) != sLen) {
5067ae9fSbeck		RSAerror(RSA_R_SLEN_CHECK_FAILED);
0dd13104Sdjm		goto err;
0dd13104Sdjm	}
*c4bb5f42Sjoshua	if (!EVP_DigestInit_ex(md_ctx, Hash, NULL) ||
*c4bb5f42Sjoshua	    !EVP_DigestUpdate(md_ctx, zeroes, sizeof zeroes) ||
*c4bb5f42Sjoshua	    !EVP_DigestUpdate(md_ctx, mHash, hLen))
ec07fdf1Sdjm		goto err;
87203b09Smiod	if (maskedDBLen - i) {
*c4bb5f42Sjoshua		if (!EVP_DigestUpdate(md_ctx, DB + i, maskedDBLen - i))
ec07fdf1Sdjm			goto err;
ec07fdf1Sdjm	}
*c4bb5f42Sjoshua	if (!EVP_DigestFinal_ex(md_ctx, H_, NULL))
ec07fdf1Sdjm		goto err;
2f115aa8Sdjm	if (timingsafe_bcmp(H_, H, hLen)) {
5067ae9fSbeck		RSAerror(RSA_R_BAD_SIGNATURE);
0dd13104Sdjm		ret = 0;
*c4bb5f42Sjoshua	} else {
0dd13104Sdjm		ret = 1;
*c4bb5f42Sjoshua	}
0dd13104Sdjm
0dd13104Sdjm err:
6f3a6cb1Sbeck	free(DB);
*c4bb5f42Sjoshua	EVP_MD_CTX_free(md_ctx);
0dd13104Sdjm
0dd13104Sdjm	return ret;
0dd13104Sdjm}
1da36015SbeckLCRYPTO_ALIAS(RSA_verify_PKCS1_PSS_mgf1);
0dd13104Sdjm
87203b09Smiodint
87203b09SmiodRSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
87203b09Smiod    const unsigned char *mHash, const EVP_MD *Hash, int sLen)
0dd13104Sdjm{
ec07fdf1Sdjm	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
ec07fdf1Sdjm}
1da36015SbeckLCRYPTO_ALIAS(RSA_padding_add_PKCS1_PSS);
ec07fdf1Sdjm
87203b09Smiodint
87203b09SmiodRSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
87203b09Smiod    const unsigned char *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash,
87203b09Smiod    int sLen)
ec07fdf1Sdjm{
0dd13104Sdjm	int i;
0dd13104Sdjm	int ret = 0;
0dd13104Sdjm	int hLen, maskedDBLen, MSBits, emLen;
0dd13104Sdjm	unsigned char *H, *salt = NULL, *p;
*c4bb5f42Sjoshua	EVP_MD_CTX *md_ctx;
0dd13104Sdjm
*c4bb5f42Sjoshua	if ((md_ctx = EVP_MD_CTX_new()) == NULL)
*c4bb5f42Sjoshua		goto err;
40dd9be9Smiod
ec07fdf1Sdjm	if (mgf1Hash == NULL)
ec07fdf1Sdjm		mgf1Hash = Hash;
ec07fdf1Sdjm
f1535dc8Sdjm	hLen = EVP_MD_size(Hash);
f1535dc8Sdjm	if (hLen < 0)
f1535dc8Sdjm		goto err;
0dd13104Sdjm	/*
0dd13104Sdjm	 * Negative sLen has special meanings:
0dd13104Sdjm	 *	-1	sLen == hLen
0dd13104Sdjm	 *	-2	salt length is maximized
0dd13104Sdjm	 *	-N	reserved
0dd13104Sdjm	 */
87203b09Smiod	if (sLen == -1)
87203b09Smiod		sLen = hLen;
87203b09Smiod	else if (sLen == -2)
87203b09Smiod		sLen = -2;
87203b09Smiod	else if (sLen < -2) {
5067ae9fSbeck		RSAerror(RSA_R_SLEN_CHECK_FAILED);
0dd13104Sdjm		goto err;
0dd13104Sdjm	}
0dd13104Sdjm
0dd13104Sdjm	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
0dd13104Sdjm	emLen = RSA_size(rsa);
87203b09Smiod	if (MSBits == 0) {
0dd13104Sdjm		*EM++ = 0;
0dd13104Sdjm		emLen--;
0dd13104Sdjm	}
0dd13104Sdjm	if (sLen == -2)
0dd13104Sdjm		sLen = emLen - hLen - 2;
87203b09Smiod	else if (emLen < (hLen + sLen + 2)) {
5067ae9fSbeck		RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
0dd13104Sdjm		goto err;
0dd13104Sdjm	}
87203b09Smiod	if (sLen > 0) {
6f3a6cb1Sbeck		salt = malloc(sLen);
87203b09Smiod		if (!salt) {
5067ae9fSbeck			RSAerror(ERR_R_MALLOC_FAILURE);
0dd13104Sdjm			goto err;
0dd13104Sdjm		}
ef624301Sjsing		arc4random_buf(salt, sLen);
0dd13104Sdjm	}
0dd13104Sdjm	maskedDBLen = emLen - hLen - 1;
0dd13104Sdjm	H = EM + maskedDBLen;
*c4bb5f42Sjoshua	if (!EVP_DigestInit_ex(md_ctx, Hash, NULL) ||
*c4bb5f42Sjoshua	    !EVP_DigestUpdate(md_ctx, zeroes, sizeof zeroes) ||
*c4bb5f42Sjoshua	    !EVP_DigestUpdate(md_ctx, mHash, hLen))
ec07fdf1Sdjm		goto err;
*c4bb5f42Sjoshua	if (sLen && !EVP_DigestUpdate(md_ctx, salt, sLen))
ec07fdf1Sdjm		goto err;
*c4bb5f42Sjoshua	if (!EVP_DigestFinal_ex(md_ctx, H, NULL))
ec07fdf1Sdjm		goto err;
0dd13104Sdjm
0dd13104Sdjm	/* Generate dbMask in place then perform XOR on it */
ec07fdf1Sdjm	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
f1535dc8Sdjm		goto err;
0dd13104Sdjm
0dd13104Sdjm	p = EM;
0dd13104Sdjm
87203b09Smiod	/*
87203b09Smiod	 * Initial PS XORs with all zeroes which is a NOP so just update
0dd13104Sdjm	 * pointer. Note from a test above this value is guaranteed to
0dd13104Sdjm	 * be non-negative.
0dd13104Sdjm	 */
0dd13104Sdjm	p += emLen - sLen - hLen - 2;
0dd13104Sdjm	*p++ ^= 0x1;
87203b09Smiod	if (sLen > 0) {
0dd13104Sdjm		for (i = 0; i < sLen; i++)
0dd13104Sdjm			*p++ ^= salt[i];
0dd13104Sdjm	}
0dd13104Sdjm	if (MSBits)
0dd13104Sdjm		EM[0] &= 0xFF >> (8 - MSBits);
0dd13104Sdjm
0dd13104Sdjm	/* H is already in place so just set final 0xbc */
0dd13104Sdjm	EM[emLen - 1] = 0xbc;
0dd13104Sdjm
0dd13104Sdjm	ret = 1;
0dd13104Sdjm
0dd13104Sdjmerr:
6f3a6cb1Sbeck	free(salt);
*c4bb5f42Sjoshua	EVP_MD_CTX_free(md_ctx);
0dd13104Sdjm
0dd13104Sdjm	return ret;
0dd13104Sdjm}
1da36015SbeckLCRYPTO_ALIAS(RSA_padding_add_PKCS1_PSS_mgf1);