1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis */
2 /* SPDX-License-Identifier: Unlicense */
3 #include <fault_mitigation.h>
4 #include "tomcrypt_private.h"
5
6 /**
7 @file rsa_verify_hash.c
8 RSA PKCS #1 v1.5 or v2 PSS signature verification, Tom St Denis and Andreas Lange
9 */
10
11 #ifdef LTC_MRSA
12
13 /**
14 PKCS #1 de-sign then v1.5 or PSS depad
15 @param sig The signature data
16 @param siglen The length of the signature data (octets)
17 @param hash The hash of the message that was signed
18 @param hashlen The length of the hash of the message that was signed (octets)
19 @param padding Type of padding (LTC_PKCS_1_PSS, LTC_PKCS_1_V1_5 or LTC_PKCS_1_V1_5_NA1)
20 @param hash_idx The index of the desired hash
21 @param saltlen The length of the salt used during signature
22 @param stat [out] The result of the signature comparison, 1==valid, 0==invalid
23 @param key The public RSA key corresponding to the key that performed the signature
24 @return CRYPT_OK on success (even if the signature is invalid)
25 */
rsa_verify_hash_ex(const unsigned char * sig,unsigned long siglen,const unsigned char * hash,unsigned long hashlen,int padding,int hash_idx,unsigned long saltlen,int * stat,const rsa_key * key)26 int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
27 const unsigned char *hash, unsigned long hashlen,
28 int padding,
29 int hash_idx, unsigned long saltlen,
30 int *stat, const rsa_key *key)
31 {
32 unsigned long modulus_bitlen, modulus_bytelen, x;
33 int err;
34 unsigned int inc1 = 0;
35 unsigned char *tmpbuf;
36 struct ftmn ftmn = { };
37
38 LTC_ARGCHK(hash != NULL);
39 LTC_ARGCHK(sig != NULL);
40 LTC_ARGCHK(stat != NULL);
41 LTC_ARGCHK(key != NULL);
42
43 /* default to invalid */
44 *stat = 0;
45 FTMN_SET_CHECK_RES(&ftmn, FTMN_INCR0, 1);
46
47 /* valid padding? */
48
49 if ((padding != LTC_PKCS_1_V1_5) &&
50 (padding != LTC_PKCS_1_PSS) &&
51 (padding != LTC_PKCS_1_V1_5_NA1)) {
52 return CRYPT_PK_INVALID_PADDING;
53 }
54
55 if (padding != LTC_PKCS_1_V1_5_NA1) {
56 /* valid hash ? */
57 if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
58 return err;
59 }
60 }
61
62 /* get modulus len in bits */
63 modulus_bitlen = mp_count_bits( (key->N));
64
65 /* outlen must be at least the size of the modulus */
66 modulus_bytelen = mp_unsigned_bin_size( (key->N));
67 if (modulus_bytelen != siglen) {
68 return CRYPT_INVALID_PACKET;
69 }
70
71 /* allocate temp buffer for decoded sig */
72 tmpbuf = XMALLOC(siglen);
73 if (tmpbuf == NULL) {
74 return CRYPT_MEM;
75 }
76
77 /* RSA decode it */
78 x = siglen;
79 if ((err = ltc_mp.rsa_me(sig, siglen, tmpbuf, &x, PK_PUBLIC, key)) != CRYPT_OK) {
80 XFREE(tmpbuf);
81 return err;
82 }
83
84 /* make sure the output is the right size */
85 if (x != siglen) {
86 XFREE(tmpbuf);
87 return CRYPT_INVALID_PACKET;
88 }
89
90 if (padding == LTC_PKCS_1_PSS) {
91 /* PSS decode and verify it */
92
93 FTMN_PUSH_LINKED_CALL(&ftmn, FTMN_FUNC_HASH("pkcs_1_pss_decode"));
94 if(modulus_bitlen%8 == 1){
95 err = pkcs_1_pss_decode(hash, hashlen, tmpbuf+1, x-1, saltlen, hash_idx, modulus_bitlen, stat);
96 }
97 else{
98 err = pkcs_1_pss_decode(hash, hashlen, tmpbuf, x, saltlen, hash_idx, modulus_bitlen, stat);
99 }
100 if (*stat) {
101 FTMN_SET_CHECK_RES_FROM_CALL(&ftmn, FTMN_INCR1, 0);
102 inc1 = 1;
103 }
104 FTMN_POP_LINKED_CALL(&ftmn);
105
106 } else {
107 /* PKCS #1 v1.5 decode it */
108 unsigned char *out;
109 unsigned long outlen;
110 int decoded;
111
112 /* allocate temp buffer for decoded hash */
113 outlen = ((modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0)) - 3;
114 out = XMALLOC(outlen);
115 if (out == NULL) {
116 err = CRYPT_MEM;
117 goto bail_2;
118 }
119
120 if ((err = pkcs_1_v1_5_decode(tmpbuf, x, LTC_PKCS_1_EMSA, modulus_bitlen, out, &outlen, &decoded)) != CRYPT_OK) {
121 XFREE(out);
122 goto bail_2;
123 }
124
125 if (padding == LTC_PKCS_1_V1_5) {
126 unsigned long loid[16], reallen;
127 ltc_asn1_list digestinfo[2], siginfo[2];
128
129 /* not all hashes have OIDs... so sad */
130 if (hash_descriptor[hash_idx]->OIDlen == 0) {
131 err = CRYPT_INVALID_ARG;
132 goto bail_2;
133 }
134
135 /* now we must decode out[0...outlen-1] using ASN.1, test the OID and then test the hash */
136 /* construct the SEQUENCE
137 SEQUENCE {
138 SEQUENCE {hashoid OID
139 blah NULL
140 }
141 hash OCTET STRING
142 }
143 */
144 LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, loid, sizeof(loid)/sizeof(loid[0]));
145 LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL, NULL, 0);
146 LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 2);
147 LTC_SET_ASN1(siginfo, 1, LTC_ASN1_OCTET_STRING, tmpbuf, siglen);
148
149 if ((err = der_decode_sequence_strict(out, outlen, siginfo, 2)) != CRYPT_OK) {
150 /* fallback to Legacy:missing NULL */
151 LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 1);
152 if ((err = der_decode_sequence_strict(out, outlen, siginfo, 2)) != CRYPT_OK) {
153 XFREE(out);
154 goto bail_2;
155 }
156 }
157
158 if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) {
159 XFREE(out);
160 goto bail_2;
161 }
162
163 /* test OID */
164 if ((reallen == outlen) &&
165 (digestinfo[0].size == hash_descriptor[hash_idx]->OIDlen) &&
166 (XMEMCMP(digestinfo[0].data, hash_descriptor[hash_idx]->OID, sizeof(unsigned long) * hash_descriptor[hash_idx]->OIDlen) == 0) &&
167 (siginfo[1].size == hashlen) &&
168 (ftmn_set_check_res_memcmp(&ftmn, FTMN_INCR1, XMEMCMP,
169 siginfo[1].data, hash, hashlen) == 0)) {
170 *stat = 1;
171 }
172 inc1 = 1;
173 } else {
174 /* only check if the hash is equal */
175 if ((hashlen == outlen) &&
176 (ftmn_set_check_res_memcmp(&ftmn, FTMN_INCR1, XMEMCMP,
177 out, hash, hashlen) == 0)) {
178 *stat = 1;
179 }
180 inc1 = 1;
181 }
182
183 #ifdef LTC_CLEAN_STACK
184 zeromem(out, outlen);
185 #endif
186 XFREE(out);
187 }
188
189 bail_2:
190 #ifdef LTC_CLEAN_STACK
191 zeromem(tmpbuf, siglen);
192 #endif
193 XFREE(tmpbuf);
194 FTMN_CALLEE_DONE_CHECK(&ftmn, FTMN_INCR0, FTMN_STEP_COUNT(1, inc1), !*stat);
195 return err;
196 }
197
198 #endif /* LTC_MRSA */
199