diff options
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_pss.c')
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_pss.c | 81 |
1 files changed, 53 insertions, 28 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c index ac211e2ffe..5f9f533d0c 100644 --- a/src/lib/libcrypto/rsa/rsa_pss.c +++ b/src/lib/libcrypto/rsa/rsa_pss.c | |||
| @@ -73,6 +73,13 @@ static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0}; | |||
| 73 | int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, | 73 | int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, |
| 74 | const EVP_MD *Hash, const unsigned char *EM, int sLen) | 74 | const EVP_MD *Hash, const unsigned char *EM, int sLen) |
| 75 | { | 75 | { |
| 76 | return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen); | ||
| 77 | } | ||
| 78 | |||
| 79 | int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, | ||
| 80 | const EVP_MD *Hash, const EVP_MD *mgf1Hash, | ||
| 81 | const unsigned char *EM, int sLen) | ||
| 82 | { | ||
| 76 | int i; | 83 | int i; |
| 77 | int ret = 0; | 84 | int ret = 0; |
| 78 | int hLen, maskedDBLen, MSBits, emLen; | 85 | int hLen, maskedDBLen, MSBits, emLen; |
| @@ -80,6 +87,10 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, | |||
| 80 | unsigned char *DB = NULL; | 87 | unsigned char *DB = NULL; |
| 81 | EVP_MD_CTX ctx; | 88 | EVP_MD_CTX ctx; |
| 82 | unsigned char H_[EVP_MAX_MD_SIZE]; | 89 | unsigned char H_[EVP_MAX_MD_SIZE]; |
| 90 | EVP_MD_CTX_init(&ctx); | ||
| 91 | |||
| 92 | if (mgf1Hash == NULL) | ||
| 93 | mgf1Hash = Hash; | ||
| 83 | 94 | ||
| 84 | hLen = EVP_MD_size(Hash); | 95 | hLen = EVP_MD_size(Hash); |
| 85 | if (hLen < 0) | 96 | if (hLen < 0) |
| @@ -94,7 +105,7 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, | |||
| 94 | else if (sLen == -2) sLen = -2; | 105 | else if (sLen == -2) sLen = -2; |
| 95 | else if (sLen < -2) | 106 | else if (sLen < -2) |
| 96 | { | 107 | { |
| 97 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); | 108 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); |
| 98 | goto err; | 109 | goto err; |
| 99 | } | 110 | } |
| 100 | 111 | ||
| @@ -102,7 +113,7 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, | |||
| 102 | emLen = RSA_size(rsa); | 113 | emLen = RSA_size(rsa); |
| 103 | if (EM[0] & (0xFF << MSBits)) | 114 | if (EM[0] & (0xFF << MSBits)) |
| 104 | { | 115 | { |
| 105 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID); | 116 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID); |
| 106 | goto err; | 117 | goto err; |
| 107 | } | 118 | } |
| 108 | if (MSBits == 0) | 119 | if (MSBits == 0) |
| @@ -112,12 +123,12 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, | |||
| 112 | } | 123 | } |
| 113 | if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */ | 124 | if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */ |
| 114 | { | 125 | { |
| 115 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE); | 126 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE); |
| 116 | goto err; | 127 | goto err; |
| 117 | } | 128 | } |
| 118 | if (EM[emLen - 1] != 0xbc) | 129 | if (EM[emLen - 1] != 0xbc) |
| 119 | { | 130 | { |
| 120 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID); | 131 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID); |
| 121 | goto err; | 132 | goto err; |
| 122 | } | 133 | } |
| 123 | maskedDBLen = emLen - hLen - 1; | 134 | maskedDBLen = emLen - hLen - 1; |
| @@ -125,10 +136,10 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, | |||
| 125 | DB = OPENSSL_malloc(maskedDBLen); | 136 | DB = OPENSSL_malloc(maskedDBLen); |
| 126 | if (!DB) | 137 | if (!DB) |
| 127 | { | 138 | { |
| 128 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE); | 139 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE); |
| 129 | goto err; | 140 | goto err; |
| 130 | } | 141 | } |
| 131 | if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash) < 0) | 142 | if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) |
| 132 | goto err; | 143 | goto err; |
| 133 | for (i = 0; i < maskedDBLen; i++) | 144 | for (i = 0; i < maskedDBLen; i++) |
| 134 | DB[i] ^= EM[i]; | 145 | DB[i] ^= EM[i]; |
| @@ -137,25 +148,28 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, | |||
| 137 | for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ; | 148 | for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ; |
| 138 | if (DB[i++] != 0x1) | 149 | if (DB[i++] != 0x1) |
| 139 | { | 150 | { |
| 140 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED); | 151 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED); |
| 141 | goto err; | 152 | goto err; |
| 142 | } | 153 | } |
| 143 | if (sLen >= 0 && (maskedDBLen - i) != sLen) | 154 | if (sLen >= 0 && (maskedDBLen - i) != sLen) |
| 144 | { | 155 | { |
| 145 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); | 156 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); |
| 146 | goto err; | 157 | goto err; |
| 147 | } | 158 | } |
| 148 | EVP_MD_CTX_init(&ctx); | 159 | if (!EVP_DigestInit_ex(&ctx, Hash, NULL) |
| 149 | EVP_DigestInit_ex(&ctx, Hash, NULL); | 160 | || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) |
| 150 | EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); | 161 | || !EVP_DigestUpdate(&ctx, mHash, hLen)) |
| 151 | EVP_DigestUpdate(&ctx, mHash, hLen); | 162 | goto err; |
| 152 | if (maskedDBLen - i) | 163 | if (maskedDBLen - i) |
| 153 | EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i); | 164 | { |
| 154 | EVP_DigestFinal(&ctx, H_, NULL); | 165 | if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i)) |
| 155 | EVP_MD_CTX_cleanup(&ctx); | 166 | goto err; |
| 167 | } | ||
| 168 | if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) | ||
| 169 | goto err; | ||
| 156 | if (memcmp(H_, H, hLen)) | 170 | if (memcmp(H_, H, hLen)) |
| 157 | { | 171 | { |
| 158 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE); | 172 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE); |
| 159 | ret = 0; | 173 | ret = 0; |
| 160 | } | 174 | } |
| 161 | else | 175 | else |
| @@ -164,6 +178,7 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, | |||
| 164 | err: | 178 | err: |
| 165 | if (DB) | 179 | if (DB) |
| 166 | OPENSSL_free(DB); | 180 | OPENSSL_free(DB); |
| 181 | EVP_MD_CTX_cleanup(&ctx); | ||
| 167 | 182 | ||
| 168 | return ret; | 183 | return ret; |
| 169 | 184 | ||
| @@ -173,12 +188,22 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, | |||
| 173 | const unsigned char *mHash, | 188 | const unsigned char *mHash, |
| 174 | const EVP_MD *Hash, int sLen) | 189 | const EVP_MD *Hash, int sLen) |
| 175 | { | 190 | { |
| 191 | return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen); | ||
| 192 | } | ||
| 193 | |||
| 194 | int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, | ||
| 195 | const unsigned char *mHash, | ||
| 196 | const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen) | ||
| 197 | { | ||
| 176 | int i; | 198 | int i; |
| 177 | int ret = 0; | 199 | int ret = 0; |
| 178 | int hLen, maskedDBLen, MSBits, emLen; | 200 | int hLen, maskedDBLen, MSBits, emLen; |
| 179 | unsigned char *H, *salt = NULL, *p; | 201 | unsigned char *H, *salt = NULL, *p; |
| 180 | EVP_MD_CTX ctx; | 202 | EVP_MD_CTX ctx; |
| 181 | 203 | ||
| 204 | if (mgf1Hash == NULL) | ||
| 205 | mgf1Hash = Hash; | ||
| 206 | |||
| 182 | hLen = EVP_MD_size(Hash); | 207 | hLen = EVP_MD_size(Hash); |
| 183 | if (hLen < 0) | 208 | if (hLen < 0) |
| 184 | goto err; | 209 | goto err; |
| @@ -192,7 +217,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, | |||
| 192 | else if (sLen == -2) sLen = -2; | 217 | else if (sLen == -2) sLen = -2; |
| 193 | else if (sLen < -2) | 218 | else if (sLen < -2) |
| 194 | { | 219 | { |
| 195 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); | 220 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); |
| 196 | goto err; | 221 | goto err; |
| 197 | } | 222 | } |
| 198 | 223 | ||
| @@ -209,8 +234,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, | |||
| 209 | } | 234 | } |
| 210 | else if (emLen < (hLen + sLen + 2)) | 235 | else if (emLen < (hLen + sLen + 2)) |
| 211 | { | 236 | { |
| 212 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, | 237 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); |
| 213 | RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); | ||
| 214 | goto err; | 238 | goto err; |
| 215 | } | 239 | } |
| 216 | if (sLen > 0) | 240 | if (sLen > 0) |
| @@ -218,8 +242,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, | |||
| 218 | salt = OPENSSL_malloc(sLen); | 242 | salt = OPENSSL_malloc(sLen); |
| 219 | if (!salt) | 243 | if (!salt) |
| 220 | { | 244 | { |
| 221 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, | 245 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,ERR_R_MALLOC_FAILURE); |
| 222 | ERR_R_MALLOC_FAILURE); | ||
| 223 | goto err; | 246 | goto err; |
| 224 | } | 247 | } |
| 225 | if (RAND_bytes(salt, sLen) <= 0) | 248 | if (RAND_bytes(salt, sLen) <= 0) |
| @@ -228,16 +251,18 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, | |||
| 228 | maskedDBLen = emLen - hLen - 1; | 251 | maskedDBLen = emLen - hLen - 1; |
| 229 | H = EM + maskedDBLen; | 252 | H = EM + maskedDBLen; |
| 230 | EVP_MD_CTX_init(&ctx); | 253 | EVP_MD_CTX_init(&ctx); |
| 231 | EVP_DigestInit_ex(&ctx, Hash, NULL); | 254 | if (!EVP_DigestInit_ex(&ctx, Hash, NULL) |
| 232 | EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); | 255 | || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) |
| 233 | EVP_DigestUpdate(&ctx, mHash, hLen); | 256 | || !EVP_DigestUpdate(&ctx, mHash, hLen)) |
| 234 | if (sLen) | 257 | goto err; |
| 235 | EVP_DigestUpdate(&ctx, salt, sLen); | 258 | if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen)) |
| 236 | EVP_DigestFinal(&ctx, H, NULL); | 259 | goto err; |
| 260 | if (!EVP_DigestFinal_ex(&ctx, H, NULL)) | ||
| 261 | goto err; | ||
| 237 | EVP_MD_CTX_cleanup(&ctx); | 262 | EVP_MD_CTX_cleanup(&ctx); |
| 238 | 263 | ||
| 239 | /* Generate dbMask in place then perform XOR on it */ | 264 | /* Generate dbMask in place then perform XOR on it */ |
| 240 | if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash)) | 265 | if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) |
| 241 | goto err; | 266 | goto err; |
| 242 | 267 | ||
| 243 | p = EM; | 268 | p = EM; |