1// Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// https://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15#include <openssl/rsa.h> 16 17#include <assert.h> 18#include <limits.h> 19#include <string.h> 20 21#include <openssl/bn.h> 22#include <openssl/digest.h> 23#include <openssl/err.h> 24#include <openssl/mem.h> 25 26#include "../../internal.h" 27#include "../bcm_interface.h" 28#include "../service_indicator/internal.h" 29#include "internal.h" 30 31 32int RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len, 33 const uint8_t *from, size_t from_len) { 34 // See RFC 8017, section 9.2. 35 if (to_len < RSA_PKCS1_PADDING_SIZE) { 36 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); 37 return 0; 38 } 39 40 if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) { 41 OPENSSL_PUT_ERROR(RSA, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); 42 return 0; 43 } 44 45 to[0] = 0; 46 to[1] = 1; 47 OPENSSL_memset(to + 2, 0xff, to_len - 3 - from_len); 48 to[to_len - from_len - 1] = 0; 49 OPENSSL_memcpy(to + to_len - from_len, from, from_len); 50 return 1; 51} 52 53int RSA_padding_check_PKCS1_type_1(uint8_t *out, size_t *out_len, 54 size_t max_out, const uint8_t *from, 55 size_t from_len) { 56 // See RFC 8017, section 9.2. This is part of signature verification and thus 57 // does not need to run in constant-time. 58 if (from_len < 2) { 59 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL); 60 return 0; 61 } 62 63 // Check the header. 64 if (from[0] != 0 || from[1] != 1) { 65 OPENSSL_PUT_ERROR(RSA, RSA_R_BLOCK_TYPE_IS_NOT_01); 66 return 0; 67 } 68 69 // Scan over padded data, looking for the 00. 70 size_t pad; 71 for (pad = 2 /* header */; pad < from_len; pad++) { 72 if (from[pad] == 0x00) { 73 break; 74 } 75 76 if (from[pad] != 0xff) { 77 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT); 78 return 0; 79 } 80 } 81 82 if (pad == from_len) { 83 OPENSSL_PUT_ERROR(RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING); 84 return 0; 85 } 86 87 if (pad < 2 /* header */ + 8) { 88 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_PAD_BYTE_COUNT); 89 return 0; 90 } 91 92 // Skip over the 00. 93 pad++; 94 95 if (from_len - pad > max_out) { 96 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE); 97 return 0; 98 } 99 100 OPENSSL_memcpy(out, from + pad, from_len - pad); 101 *out_len = from_len - pad; 102 return 1; 103} 104 105int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from, 106 size_t from_len) { 107 if (from_len > to_len) { 108 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 109 return 0; 110 } 111 112 if (from_len < to_len) { 113 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL); 114 return 0; 115 } 116 117 OPENSSL_memcpy(to, from, from_len); 118 return 1; 119} 120 121int PKCS1_MGF1(uint8_t *out, size_t len, const uint8_t *seed, size_t seed_len, 122 const EVP_MD *md) { 123 int ret = 0; 124 bssl::ScopedEVP_MD_CTX ctx; 125 FIPS_service_indicator_lock_state(); 126 127 size_t md_len = EVP_MD_size(md); 128 129 for (uint32_t i = 0; len > 0; i++) { 130 uint8_t counter[4]; 131 counter[0] = (uint8_t)(i >> 24); 132 counter[1] = (uint8_t)(i >> 16); 133 counter[2] = (uint8_t)(i >> 8); 134 counter[3] = (uint8_t)i; 135 if (!EVP_DigestInit_ex(ctx.get(), md, nullptr) || 136 !EVP_DigestUpdate(ctx.get(), seed, seed_len) || 137 !EVP_DigestUpdate(ctx.get(), counter, sizeof(counter))) { 138 goto err; 139 } 140 141 if (md_len <= len) { 142 if (!EVP_DigestFinal_ex(ctx.get(), out, nullptr)) { 143 goto err; 144 } 145 out += md_len; 146 len -= md_len; 147 } else { 148 uint8_t digest[EVP_MAX_MD_SIZE]; 149 if (!EVP_DigestFinal_ex(ctx.get(), digest, nullptr)) { 150 goto err; 151 } 152 OPENSSL_memcpy(out, digest, len); 153 len = 0; 154 } 155 } 156 157 ret = 1; 158 159err: 160 FIPS_service_indicator_unlock_state(); 161 return ret; 162} 163 164static const uint8_t kPSSZeroes[] = {0, 0, 0, 0, 0, 0, 0, 0}; 165 166int RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa, const uint8_t *mHash, 167 const EVP_MD *Hash, const EVP_MD *mgf1Hash, 168 const uint8_t *EM, int sLen) { 169 if (mgf1Hash == NULL) { 170 mgf1Hash = Hash; 171 } 172 173 int ret = 0; 174 uint8_t *DB = NULL; 175 const uint8_t *H; 176 bssl::ScopedEVP_MD_CTX ctx; 177 unsigned MSBits; 178 size_t emLen, maskedDBLen, salt_start; 179 FIPS_service_indicator_lock_state(); 180 181 size_t hLen = EVP_MD_size(Hash); 182 if (sLen == RSA_PSS_SALTLEN_DIGEST) { 183 sLen = (int)hLen; 184 } else if (sLen == RSA_PSS_SALTLEN_AUTO) { 185 // Leave |sLen| negative, which will trigger the logic below to recover and 186 // allow any salt length. 187 } else if (sLen < 0) { 188 // Other negative values are reserved. 189 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED); 190 goto err; 191 } 192 193 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 194 emLen = RSA_size(rsa); 195 if (EM[0] & (0xFF << MSBits)) { 196 OPENSSL_PUT_ERROR(RSA, RSA_R_FIRST_OCTET_INVALID); 197 goto err; 198 } 199 if (MSBits == 0) { 200 EM++; 201 emLen--; 202 } 203 // |sLen| may be negative for the non-standard salt length recovery mode. 204 if (emLen < hLen + 2 || (sLen >= 0 && emLen < hLen + (size_t)sLen + 2)) { 205 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE); 206 goto err; 207 } 208 if (EM[emLen - 1] != 0xbc) { 209 OPENSSL_PUT_ERROR(RSA, RSA_R_LAST_OCTET_INVALID); 210 goto err; 211 } 212 maskedDBLen = emLen - hLen - 1; 213 H = EM + maskedDBLen; 214 DB = reinterpret_cast<uint8_t *>(OPENSSL_malloc(maskedDBLen)); 215 if (!DB) { 216 goto err; 217 } 218 if (!PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash)) { 219 goto err; 220 } 221 for (size_t i = 0; i < maskedDBLen; i++) { 222 DB[i] ^= EM[i]; 223 } 224 if (MSBits) { 225 DB[0] &= 0xFF >> (8 - MSBits); 226 } 227 // This step differs slightly from EMSA-PSS-VERIFY (RFC 8017) step 10 because 228 // it accepts a non-standard salt recovery flow. DB should be some number of 229 // zeros, a one, then the salt. 230 for (salt_start = 0; DB[salt_start] == 0 && salt_start < maskedDBLen - 1; 231 salt_start++) { 232 ; 233 } 234 if (DB[salt_start] != 0x1) { 235 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_RECOVERY_FAILED); 236 goto err; 237 } 238 salt_start++; 239 // If a salt length was specified, check it matches. 240 if (sLen >= 0 && maskedDBLen - salt_start != (size_t)sLen) { 241 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED); 242 goto err; 243 } 244 uint8_t H_[EVP_MAX_MD_SIZE]; 245 if (!EVP_DigestInit_ex(ctx.get(), Hash, NULL) || 246 !EVP_DigestUpdate(ctx.get(), kPSSZeroes, sizeof(kPSSZeroes)) || 247 !EVP_DigestUpdate(ctx.get(), mHash, hLen) || 248 !EVP_DigestUpdate(ctx.get(), DB + salt_start, maskedDBLen - salt_start) || 249 !EVP_DigestFinal_ex(ctx.get(), H_, NULL)) { 250 goto err; 251 } 252 if (OPENSSL_memcmp(H_, H, hLen) != 0) { 253 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE); 254 goto err; 255 } 256 257 ret = 1; 258 259err: 260 OPENSSL_free(DB); 261 FIPS_service_indicator_unlock_state(); 262 return ret; 263} 264 265int RSA_padding_add_PKCS1_PSS_mgf1(const RSA *rsa, unsigned char *EM, 266 const unsigned char *mHash, 267 const EVP_MD *Hash, const EVP_MD *mgf1Hash, 268 int sLenRequested) { 269 int ret = 0; 270 bssl::ScopedEVP_MD_CTX ctx; 271 size_t maskedDBLen, MSBits, emLen; 272 size_t hLen; 273 unsigned char *H, *salt = NULL, *p; 274 275 if (mgf1Hash == NULL) { 276 mgf1Hash = Hash; 277 } 278 279 FIPS_service_indicator_lock_state(); 280 hLen = EVP_MD_size(Hash); 281 282 if (BN_is_zero(rsa->n)) { 283 OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY); 284 goto err; 285 } 286 287 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 288 emLen = RSA_size(rsa); 289 if (MSBits == 0) { 290 assert(emLen >= 1); 291 *EM++ = 0; 292 emLen--; 293 } 294 295 if (emLen < hLen + 2) { 296 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 297 goto err; 298 } 299 300 size_t sLen; 301 if (sLenRequested == RSA_PSS_SALTLEN_DIGEST) { 302 sLen = hLen; 303 } else if (sLenRequested == RSA_PSS_SALTLEN_AUTO) { 304 // Use the maximum possible salt length. 305 sLen = emLen - hLen - 2; 306 } else if (sLenRequested < 0) { 307 // Other negative values are reserved. 308 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED); 309 goto err; 310 } else { 311 sLen = (size_t)sLenRequested; 312 } 313 314 if (emLen - hLen - 2 < sLen) { 315 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 316 goto err; 317 } 318 319 if (sLen > 0) { 320 salt = reinterpret_cast<uint8_t *>(OPENSSL_malloc(sLen)); 321 if (!salt) { 322 goto err; 323 } 324 BCM_rand_bytes(salt, sLen); 325 } 326 maskedDBLen = emLen - hLen - 1; 327 H = EM + maskedDBLen; 328 329 if (!EVP_DigestInit_ex(ctx.get(), Hash, NULL) || 330 !EVP_DigestUpdate(ctx.get(), kPSSZeroes, sizeof(kPSSZeroes)) || 331 !EVP_DigestUpdate(ctx.get(), mHash, hLen) || 332 !EVP_DigestUpdate(ctx.get(), salt, sLen) || 333 !EVP_DigestFinal_ex(ctx.get(), H, NULL)) { 334 goto err; 335 } 336 337 // Generate dbMask in place then perform XOR on it 338 if (!PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) { 339 goto err; 340 } 341 342 p = EM; 343 // Initial PS XORs with all zeroes which is a NOP so just update 344 // pointer. Note from a test above this value is guaranteed to 345 // be non-negative. 346 p += emLen - sLen - hLen - 2; 347 *p++ ^= 0x1; 348 if (sLen > 0) { 349 for (size_t i = 0; i < sLen; i++) { 350 *p++ ^= salt[i]; 351 } 352 } 353 if (MSBits) { 354 EM[0] &= 0xFF >> (8 - MSBits); 355 } 356 357 // H is already in place so just set final 0xbc 358 359 EM[emLen - 1] = 0xbc; 360 361 ret = 1; 362 363err: 364 OPENSSL_free(salt); 365 FIPS_service_indicator_unlock_state(); 366 367 return ret; 368} 369