int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
const EVP_MD *Hash, const unsigned char *EM, int sLen)
{
int i;
int ret = 0;
int hLen, maskedDBLen, MSBits, emLen;
const unsigned char *H;
unsigned char *DB = NULL;
EVP_MD_CTX ctx;
unsigned char H_[EVP_MAX_MD_SIZE];
hLen = EVP_MD_size(Hash);
/*
* Negative sLen has special meanings:
* -1 sLen == hLen
* -2 salt length is autorecovered from signature
* -N reserved
*/
if (sLen == -1) sLen = hLen;
else if (sLen == -2) sLen = -2;
else if (sLen < -2)
{
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
goto err;
}
MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
emLen = RSA_size(rsa);
if (EM[0] & (0xFF << MSBits))
{
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID);
goto err;
}
if (MSBits == 0)
{
EM++;
emLen--;
}
if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
{
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE);
goto err;
}
if (EM[emLen - 1] != 0xbc)
{
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID);
goto err;
}
maskedDBLen = emLen - hLen - 1;
H = EM + maskedDBLen;
DB = OPENSSL_malloc(maskedDBLen);
if (!DB)
{
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE);
goto err;
}
PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash);
for (i = 0; i < maskedDBLen; i++)
DB[i] ^= EM[i];
if (MSBits)
DB[0] &= 0xFF >> (8 - MSBits);
for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
if (DB[i++] != 0x1)
{
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED);
goto err;
}
if (sLen >= 0 && (maskedDBLen - i) != sLen)
{
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
goto err;
}
EVP_MD_CTX_init(&ctx);
EVP_DigestInit_ex(&ctx, Hash, NULL);
EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
EVP_DigestUpdate(&ctx, mHash, hLen);
if (maskedDBLen - i)
EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i);
EVP_DigestFinal(&ctx, H_, NULL);
EVP_MD_CTX_cleanup(&ctx);
if (memcmp(H_, H, hLen))
{
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE);
ret = 0;
}
else
ret = 1;
err:
if (DB)
OPENSSL_free(DB);
return ret;
}
int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
const unsigned char *mHash,
const EVP_MD *Hash, int sLen)
{
int i;
int ret = 0;
int hLen, maskedDBLen, MSBits, emLen;
unsigned char *H, *salt = NULL, *p;
EVP_MD_CTX ctx;
hLen = EVP_MD_size(Hash);
/*
* Negative sLen has special meanings:
* -1 sLen == hLen
* -2 salt length is maximized
* -N reserved
*/
if (sLen == -1) sLen = hLen;
else if (sLen == -2) sLen = -2;
else if (sLen < -2)
{
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
goto err;
}
MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
emLen = RSA_size(rsa);
if (MSBits == 0)
{
*EM++ = 0;
emLen--;
}
if (sLen == -2)
{
sLen = emLen - hLen - 2;
}
else if (emLen < (hLen + sLen + 2))
{
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
goto err;
}
if (sLen > 0)
{
salt = OPENSSL_malloc(sLen);
if (!salt)
{
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
ERR_R_MALLOC_FAILURE);
goto err;
}
if (!RAND_bytes(salt, sLen))
goto err;
}
maskedDBLen = emLen - hLen - 1;
H = EM + maskedDBLen;
EVP_MD_CTX_init(&ctx);
EVP_DigestInit_ex(&ctx, Hash, NULL);
EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
EVP_DigestUpdate(&ctx, mHash, hLen);
if (sLen)
EVP_DigestUpdate(&ctx, salt, sLen);
EVP_DigestFinal(&ctx, H, NULL);
EVP_MD_CTX_cleanup(&ctx);
/* Generate dbMask in place then perform XOR on it */
PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash);
p = EM;
/* Initial PS XORs with all zeroes which is a NOP so just update
* pointer. Note from a test above this value is guaranteed to
* be non-negative.
*/
p += emLen - sLen - hLen - 2;
*p++ ^= 0x1;
if (sLen > 0)
{
for (i = 0; i < sLen; i++)
*p++ ^= salt[i];
}
if (MSBits)
EM[0] &= 0xFF >> (8 - MSBits);
/* H is already in place so just set final 0xbc */
EM[emLen - 1] = 0xbc;
ret = 1;
err:
if (salt)
OPENSSL_free(salt);
return ret;
}
int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
const unsigned char *mHash,
const EVP_MD *Hash, const EVP_MD *mgf1Hash,
int sLen) {
int i;
int ret = 0;
size_t maskedDBLen, MSBits, emLen;
size_t hLen;
unsigned char *H, *salt = NULL, *p;
EVP_MD_CTX ctx;
if (mgf1Hash == NULL) {
mgf1Hash = Hash;
}
hLen = EVP_MD_size(Hash);
/* Negative sLen has special meanings:
* -1 sLen == hLen
* -2 salt length is maximized
* -N reserved */
if (sLen == -1) {
sLen = hLen;
} else if (sLen == -2) {
sLen = -2;
} else if (sLen < -2) {
OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
RSA_R_SLEN_CHECK_FAILED);
goto err;
}
if (BN_is_zero(rsa->n)) {
OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
RSA_R_EMPTY_PUBLIC_KEY);
goto err;
}
MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
emLen = RSA_size(rsa);
if (MSBits == 0) {
assert(emLen >= 1);
*EM++ = 0;
emLen--;
}
if (sLen == -2) {
if (emLen < hLen + 2) {
OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
goto err;
}
sLen = emLen - hLen - 2;
} else if (emLen < hLen + sLen + 2) {
OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
goto err;
}
if (sLen > 0) {
salt = OPENSSL_malloc(sLen);
if (!salt) {
OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
ERR_R_MALLOC_FAILURE);
goto err;
}
if (RAND_pseudo_bytes(salt, sLen) <= 0) {
goto err;
}
}
maskedDBLen = emLen - hLen - 1;
H = EM + maskedDBLen;
EVP_MD_CTX_init(&ctx);
if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
!EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
!EVP_DigestUpdate(&ctx, mHash, hLen)) {
goto err;
}
if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen)) {
goto err;
}
if (!EVP_DigestFinal_ex(&ctx, H, NULL)) {
goto err;
}
EVP_MD_CTX_cleanup(&ctx);
/* Generate dbMask in place then perform XOR on it */
if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {
goto err;
}
p = EM;
/* Initial PS XORs with all zeroes which is a NOP so just update
* pointer. Note from a test above this value is guaranteed to
* be non-negative. */
p += emLen - sLen - hLen - 2;
*p++ ^= 0x1;
if (sLen > 0) {
for (i = 0; i < sLen; i++) {
*p++ ^= salt[i];
}
}
if (MSBits) {
EM[0] &= 0xFF >> (8 - MSBits);
}
/* H is already in place so just set final 0xbc */
EM[emLen - 1] = 0xbc;
ret = 1;
err:
if (salt) {
OPENSSL_free(salt);
}
return ret;
}
int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
const EVP_MD *Hash, const EVP_MD *mgf1Hash,
const uint8_t *EM, int sLen) {
int i;
int ret = 0;
int maskedDBLen, MSBits, emLen;
size_t hLen;
const uint8_t *H;
uint8_t *DB = NULL;
EVP_MD_CTX ctx;
uint8_t H_[EVP_MAX_MD_SIZE];
EVP_MD_CTX_init(&ctx);
if (mgf1Hash == NULL) {
mgf1Hash = Hash;
}
hLen = EVP_MD_size(Hash);
/* Negative sLen has special meanings:
* -1 sLen == hLen
* -2 salt length is autorecovered from signature
* -N reserved */
if (sLen == -1) {
sLen = hLen;
} else if (sLen == -2) {
sLen = -2;
} else if (sLen < -2) {
OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_SLEN_CHECK_FAILED);
goto err;
}
MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
emLen = RSA_size(rsa);
if (EM[0] & (0xFF << MSBits)) {
OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1,
RSA_R_FIRST_OCTET_INVALID);
goto err;
}
if (MSBits == 0) {
EM++;
emLen--;
}
if (emLen < ((int)hLen + sLen + 2)) {
/* sLen can be small negative */
OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_DATA_TOO_LARGE);
goto err;
}
if (EM[emLen - 1] != 0xbc) {
OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_LAST_OCTET_INVALID);
goto err;
}
maskedDBLen = emLen - hLen - 1;
H = EM + maskedDBLen;
DB = OPENSSL_malloc(maskedDBLen);
if (!DB) {
OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, ERR_R_MALLOC_FAILURE);
goto err;
}
if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) {
goto err;
}
for (i = 0; i < maskedDBLen; i++) {
DB[i] ^= EM[i];
}
if (MSBits) {
DB[0] &= 0xFF >> (8 - MSBits);
}
for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
;
if (DB[i++] != 0x1) {
OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1,
RSA_R_SLEN_RECOVERY_FAILED);
goto err;
}
if (sLen >= 0 && (maskedDBLen - i) != sLen) {
OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_SLEN_CHECK_FAILED);
goto err;
}
if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
!EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
!EVP_DigestUpdate(&ctx, mHash, hLen)) {
goto err;
}
if (maskedDBLen - i) {
if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i)) {
goto err;
}
}
if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) {
goto err;
}
if (memcmp(H_, H, hLen)) {
OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_BAD_SIGNATURE);
ret = 0;
} else {
ret = 1;
}
err:
if (DB) {
OPENSSL_free(DB);
}
EVP_MD_CTX_cleanup(&ctx);
return ret;
}
int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *to, unsigned tlen,
const uint8_t *from, unsigned flen,
const uint8_t *param, unsigned plen,
const EVP_MD *md, const EVP_MD *mgf1md) {
unsigned i, dblen, mlen = -1, mdlen;
const uint8_t *maskeddb, *maskedseed;
uint8_t *db = NULL, seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE];
int bad, looking_for_one_byte, one_index = 0;
if (md == NULL) {
md = EVP_sha1();
}
if (mgf1md == NULL) {
mgf1md = md;
}
mdlen = EVP_MD_size(md);
/* The encoded message is one byte smaller than the modulus to ensure that it
* doesn't end up greater than the modulus. Thus there's an extra "+1" here
* compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2. */
if (flen < 1 + 2*mdlen + 1) {
/* 'flen' is the length of the modulus, i.e. does not depend on the
* particular ciphertext. */
goto decoding_err;
}
dblen = flen - mdlen - 1;
db = OPENSSL_malloc(dblen);
if (db == NULL) {
OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,
ERR_R_MALLOC_FAILURE);
goto err;
}
maskedseed = from + 1;
maskeddb = from + 1 + mdlen;
if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {
goto err;
}
for (i = 0; i < mdlen; i++) {
seed[i] ^= maskedseed[i];
}
if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {
goto err;
}
for (i = 0; i < dblen; i++) {
db[i] ^= maskeddb[i];
}
if (!EVP_Digest((void *)param, plen, phash, NULL, md, NULL)) {
goto err;
}
bad = CRYPTO_memcmp(db, phash, mdlen);
bad |= from[0];
looking_for_one_byte = 1;
for (i = mdlen; i < dblen; i++) {
int equals1 = constant_time_byte_eq(db[i], 1);
int equals0 = constant_time_byte_eq(db[i], 0);
one_index =
constant_time_select(looking_for_one_byte & equals1, i, one_index);
looking_for_one_byte =
constant_time_select(equals1, 0, looking_for_one_byte);
bad |= looking_for_one_byte & ~equals0;
}
bad |= looking_for_one_byte;
if (bad) {
goto decoding_err;
}
one_index++;
mlen = dblen - one_index;
if (tlen < mlen) {
OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,
RSA_R_DATA_TOO_LARGE);
mlen = -1;
} else {
memcpy(to, db + one_index, mlen);
}
OPENSSL_free(db);
return mlen;
decoding_err:
/* to avoid chosen ciphertext attacks, the error message should not reveal
* which kind of decoding error happened */
OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,
RSA_R_OAEP_DECODING_ERROR);
err:
if (db != NULL) {
OPENSSL_free(db);
}
return -1;
}
int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, unsigned tlen,
const uint8_t *from, unsigned flen,
const uint8_t *param, unsigned plen,
const EVP_MD *md, const EVP_MD *mgf1md) {
unsigned i, emlen, mdlen;
uint8_t *db, *seed;
uint8_t *dbmask = NULL, seedmask[EVP_MAX_MD_SIZE];
int ret = 0;
if (md == NULL) {
md = EVP_sha1();
}
if (mgf1md == NULL) {
mgf1md = md;
}
mdlen = EVP_MD_size(md);
if (tlen < 2 * mdlen + 2) {
OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,
RSA_R_KEY_SIZE_TOO_SMALL);
return 0;
}
emlen = tlen - 1;
if (flen > emlen - 2 * mdlen - 1) {
OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
return 0;
}
if (emlen < 2 * mdlen + 1) {
OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,
RSA_R_KEY_SIZE_TOO_SMALL);
return 0;
}
to[0] = 0;
seed = to + 1;
db = to + mdlen + 1;
if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL)) {
return 0;
}
memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);
db[emlen - flen - mdlen - 1] = 0x01;
memcpy(db + emlen - flen - mdlen, from, flen);
if (RAND_pseudo_bytes(seed, mdlen) <= 0) {
return 0;
}
dbmask = OPENSSL_malloc(emlen - mdlen);
if (dbmask == NULL) {
OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,
ERR_R_MALLOC_FAILURE);
return 0;
}
if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0) {
goto out;
}
for (i = 0; i < emlen - mdlen; i++) {
db[i] ^= dbmask[i];
}
if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0) {
goto out;
}
for (i = 0; i < mdlen; i++) {
seed[i] ^= seedmask[i];
}
ret = 1;
out:
if (dbmask != NULL) {
OPENSSL_free(dbmask);
}
return ret;
}
