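/*
 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/objects.h>
#ifndef FIPS_MODULE
# ifndef OPENSSL_NO_MD2
#  include <openssl/md2.h> /* uses MD2_DIGEST_LENGTH */
# endif
# ifndef OPENSSL_NO_MD4
#  include <openssl/md4.h> /* uses MD4_DIGEST_LENGTH */
# endif
# ifndef OPENSSL_NO_MD5
#  include <openssl/md5.h> /* uses MD5_DIGEST_LENGTH */
# endif
# ifndef OPENSSL_NO_MDC2
#  include <openssl/mdc2.h> /* uses MDC2_DIGEST_LENGTH */
# endif
# ifndef OPENSSL_NO_RMD160
#  include <openssl/ripemd.h> /* uses RIPEMD160_DIGEST_LENGTH */
# endif
#endif
#include <openssl/sha.h> /* uses SHA???_DIGEST_LENGTH */
#include "crypto/rsa.h"
#include "rsa_local.h"

/*
 * The general purpose ASN1 code is not available inside the FIPS provider.
 * To remove the dependency RSASSA-PKCS1-v1_5 DigestInfo encodings can be
 * treated as a special case by pregenerating the required ASN1 encoding.
 * This encoding will also be shared by the default provider.
 *
 * The EMSA-PKCS1-v1_5 encoding method includes an ASN.1 value of type
 * DigestInfo, where the type DigestInfo has the syntax
 *
 *     DigestInfo ::= SEQUENCE {
 *         digestAlgorithm DigestAlgorithm,
 *         digest OCTET STRING
 *     }
 *
 *     DigestAlgorithm ::= AlgorithmIdentifier {
 *         {PKCS1-v1-5DigestAlgorithms}
 *     }
 *
 * The AlgorithmIdentifier is a sequence containing the digest OID and
 * parameters (a value of type NULL).
 *
 * The ENCODE_DIGESTINFO_SHA() and ENCODE_DIGESTINFO_MD() macros define an
 * initialized array containing the DER encoded DigestInfo for the specified
 * SHA or MD digest. The content of the OCTET STRING is not included.
 * |name| is the digest name.
 * |n| is the last byte in the encoded OID for the digest.
 * |sz| is the digest length in bytes. It must not be greater than 110.
 *
 * The bound on |sz| follows from the encoding: the outer SEQUENCE length is
 * emitted as one length octet (0x11 + sz, or 0x10 + sz for the MD form), and
 * 0x11 + 110 is 0x7f, the largest value that still fits that single octet
 * in DER short form.
 */

#define ASN1_SEQUENCE 0x30
#define ASN1_OCTET_STRING 0x04
#define ASN1_NULL 0x05
#define ASN1_OID 0x06

/*
 * SHA OIDs are of the form: (2 16 840 1 101 3 4 2 |n|)
 *
 * Length octets: the inner SEQUENCE holds the OID (2 + 9 bytes) and the NULL
 * (2 bytes), i.e. 0x0d. The outer SEQUENCE holds the inner one (2 + 0x0d),
 * the OCTET STRING header (2) and the digest itself, i.e. 0x11 + sz.
 * The macro arguments are parenthesized so that an expression passed as
 * |n| or |sz| cannot change the meaning of an initializer element.
 */
#define ENCODE_DIGESTINFO_SHA(name, n, sz)                                     \
static const unsigned char digestinfo_##name##_der[] = {                       \
    ASN1_SEQUENCE, 0x11 + (sz),                                                \
      ASN1_SEQUENCE, 0x0d,                                                     \
        ASN1_OID, 0x09, 2 * 40 + 16, 0x86, 0x48, 1, 101, 3, 4, 2, (n),         \
        ASN1_NULL, 0x00,                                                       \
      ASN1_OCTET_STRING, (sz)                                                  \
};

/*
 * MD2, MD4 and MD5 OIDs are of the form: (1 2 840 113549 2 |n|)
 *
 * Same layout as the SHA form with an 8 byte OID, so the inner SEQUENCE
 * length is 0x0c and the outer one is 0x10 + sz.
 */
#define ENCODE_DIGESTINFO_MD(name, n, sz)                                      \
static const unsigned char digestinfo_##name##_der[] = {                       \
    ASN1_SEQUENCE, 0x10 + (sz),                                                \
      ASN1_SEQUENCE, 0x0c,                                                     \
        ASN1_OID, 0x08, 1 * 40 + 2, 0x86, 0x48, 0x86, 0xf7, 0x0d, 2, (n),      \
        ASN1_NULL, 0x00,                                                       \
      ASN1_OCTET_STRING, (sz)                                                  \
};

#ifndef FIPS_MODULE
# ifndef OPENSSL_NO_MD2
ENCODE_DIGESTINFO_MD(md2, 0x02, MD2_DIGEST_LENGTH)
# endif
# ifndef OPENSSL_NO_MD4
ENCODE_DIGESTINFO_MD(md4, 0x03, MD4_DIGEST_LENGTH)
# endif
# ifndef OPENSSL_NO_MD5
ENCODE_DIGESTINFO_MD(md5, 0x05, MD5_DIGEST_LENGTH)
# endif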
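# ifndef OPENSSL_NO_MDC2
/*
 * MDC-2 (2 5 8 3 101)
 * 4 byte OID: inner SEQUENCE length 0x08, outer length 0x0c + digest size.
 */
static const unsigned char digestinfo_mdc2_der[] = {
    ASN1_SEQUENCE, 0x0c + MDC2_DIGEST_LENGTH,
      ASN1_SEQUENCE, 0x08,
        ASN1_OID, 0x04, 2 * 40 + 5, 8, 3, 101,
        ASN1_NULL, 0x00,
      ASN1_OCTET_STRING, MDC2_DIGEST_LENGTH
};
# endif
# ifndef OPENSSL_NO_RMD160
/*
 * RIPEMD160 (1 3 36 3 2 1)
 * 5 byte OID: inner SEQUENCE length 0x09, outer length 0x0d + digest size.
 */
static const unsigned char digestinfo_ripemd160_der[] = {
    ASN1_SEQUENCE, 0x0d + RIPEMD160_DIGEST_LENGTH,
      ASN1_SEQUENCE, 0x09,
        ASN1_OID, 0x05, 1 * 40 + 3, 36, 3, 2, 1,
        ASN1_NULL, 0x00,
      ASN1_OCTET_STRING, RIPEMD160_DIGEST_LENGTH
};
# endif
#endif /* FIPS_MODULE */

/*
 * SHA-1 (1 3 14 3 2 26)
 * Written out by hand because its OID is not under the arc that
 * ENCODE_DIGESTINFO_SHA() hard-codes. Same length octets as RIPEMD160.
 */
static const unsigned char digestinfo_sha1_der[] = {
    ASN1_SEQUENCE, 0x0d + SHA_DIGEST_LENGTH,
      ASN1_SEQUENCE, 0x09,
        ASN1_OID, 0x05, 1 * 40 + 3, 14, 3, 2, 26,
        ASN1_NULL, 0x00,
      ASN1_OCTET_STRING, SHA_DIGEST_LENGTH
};

/* SHA-2 family: the second argument is the final arc of the digest OID. */
ENCODE_DIGESTINFO_SHA(sha256, 0x01, SHA256_DIGEST_LENGTH)
ENCODE_DIGESTINFO_SHA(sha384, 0x02, SHA384_DIGEST_LENGTH)
ENCODE_DIGESTINFO_SHA(sha512, 0x03, SHA512_DIGEST_LENGTH)
ENCODE_DIGESTINFO_SHA(sha224, 0x04, SHA224_DIGEST_LENGTH)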
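/*
 * The truncated SHA-512 variants and the SHA-3 family are declared with the
 * SHA-2 length constant of the same output size.
 */
ENCODE_DIGESTINFO_SHA(sha512_224, 0x05, SHA224_DIGEST_LENGTH)
ENCODE_DIGESTINFO_SHA(sha512_256, 0x06, SHA256_DIGEST_LENGTH)
ENCODE_DIGESTINFO_SHA(sha3_224, 0x07, SHA224_DIGEST_LENGTH)
ENCODE_DIGESTINFO_SHA(sha3_256, 0x08, SHA256_DIGEST_LENGTH)
ENCODE_DIGESTINFO_SHA(sha3_384, 0x09, SHA384_DIGEST_LENGTH)
ENCODE_DIGESTINFO_SHA(sha3_512, 0x0a, SHA512_DIGEST_LENGTH)

/*
 * Switch-case fragment: for NID_<name>, store the size of the matching
 * pregenerated prefix in |*len| and return the prefix itself.
 */
#define MD_CASE(name)                                                          \
    case NID_##name:                                                           \
        *len = sizeof(digestinfo_##name##_der);                                \
        return digestinfo_##name##_der;

/*
 * Look up the pregenerated DER DigestInfo prefix for digest |md_nid|.
 *
 * Returns a pointer to a static array and stores its length in |*len|.
 * Returns NULL for a digest that has no entry (or that was compiled out);
 * |*len| is not written in that case.
 */
const unsigned char *ossl_rsa_digestinfo_encoding(int md_nid, size_t *len)
{
    switch (md_nid) {
#ifndef FIPS_MODULE
# ifndef OPENSSL_NO_MDC2
    MD_CASE(mdc2)
# endif
# ifndef OPENSSL_NO_MD2
    MD_CASE(md2)
# endif
# ifndef OPENSSL_NO_MD4
    MD_CASE(md4)
# endif
# ifndef OPENSSL_NO_MD5
    MD_CASE(md5)
# endif
# ifndef OPENSSL_NO_RMD160
    MD_CASE(ripemd160)
# endif
#endif /* FIPS_MODULE */
    MD_CASE(sha1)
    MD_CASE(sha224)
    MD_CASE(sha256)
    MD_CASE(sha384)
    MD_CASE(sha512)
    MD_CASE(sha512_224)
    MD_CASE(sha512_256)
    MD_CASE(sha3_224)
    MD_CASE(sha3_256)
    MD_CASE(sha3_384)
    MD_CASE(sha3_512)
    default:
        return NULL;
    }
}

/* Switch-case fragment: for NID_<name>, return the digest size |sz|. */
#define MD_NID_CASE(name, sz)                                                  \
    case NID_##name:                                                           \
        return sz;

/*
 * Return the digest length in bytes for |nid|, or 0 when the digest is not
 * one of those that have a DigestInfo prefix above. The list of cases
 * mirrors ossl_rsa_digestinfo_encoding() and the two must be kept in step.
 */
static int digest_sz_from_nid(int nid)
{
    switch (nid) {
#ifndef FIPS_MODULE
# ifndef OPENSSL_NO_MDC2
    MD_NID_CASE(mdc2, MDC2_DIGEST_LENGTH)
# endif
# ifndef OPENSSL_NO_MD2
    MD_NID_CASE(md2, MD2_DIGEST_LENGTH)
# endif
# ifndef OPENSSL_NO_MD4
    MD_NID_CASE(md4, MD4_DIGEST_LENGTH)
# endif
# ifndef OPENSSL_NO_MD5
    MD_NID_CASE(md5, MD5_DIGEST_LENGTH)
# endif
# ifndef OPENSSL_NO_RMD160
    MD_NID_CASE(ripemd160, RIPEMD160_DIGEST_LENGTH)
# endif
#endif /* FIPS_MODULE */
    MD_NID_CASE(sha1, SHA_DIGEST_LENGTH)
    MD_NID_CASE(sha224, SHA224_DIGEST_LENGTH)
    MD_NID_CASE(sha256, SHA256_DIGEST_LENGTH)
    MD_NID_CASE(sha384, SHA384_DIGEST_LENGTH)
    MD_NID_CASE(sha512, SHA512_DIGEST_LENGTH)
    MD_NID_CASE(sha512_224, SHA224_DIGEST_LENGTH)
    MD_NID_CASE(sha512_256, SHA256_DIGEST_LENGTH)
    MD_NID_CASE(sha3_224, SHA224_DIGEST_LENGTH)
    MD_NID_CASE(sha3_256, SHA256_DIGEST_LENGTH)
    MD_NID_CASE(sha3_384, SHA384_DIGEST_LENGTH)
    MD_NID_CASE(sha3_512, SHA512_DIGEST_LENGTH)
    default:
        return 0;
    }
}


/* Size of an SSL signature: MD5+SHA1 */
#define SSL_SIG_LENGTH  36

/*
 * Encodes a DigestInfo prefix of hash |type| and digest |m|, as
 * described in EMSA-PKCS1-v1_5-ENCODE, RFC 3447 section 9.2 step 2. This
 * encodes the DigestInfo (T and tLen) but does not add the padding.
 *
 * On success, it returns one and sets |*out| to a newly allocated buffer
 * containing the result and |*out_len| to its length. The caller must free
 * |*out| with OPENSSL_free(). Otherwise, it returns zero.
 *
 * NOTE(review): the prefix already carries the digest size in its OCTET
 * STRING length octet, but |m_len| is not compared with it here, so a
 * caller passing a different length gets a prefix and payload that disagree.
 * Presumably callers are expected to pass a digest of the right size;
 * confirm before relying on this for arbitrary input.
 */
static int encode_pkcs1(unsigned char **out, size_t *out_len, int type,
                        const unsigned char *m, size_t m_len)
{
    size_t di_prefix_len, dig_info_len;
    const unsigned char *di_prefix;
    unsigned char *dig_info;

    if (type == NID_undef) {
        ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
        return 0;
    }
    di_prefix = ossl_rsa_digestinfo_encoding(type, &di_prefix_len);
    if (di_prefix == NULL) {
        ERR_raise(ERR_LIB_RSA,
                  RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
        return 0;
    }
    /*
     * |m_len| is caller supplied. Refuse a value that would wrap the size_t
     * addition below: a wrapped sum would make the allocation smaller than
     * the two copies that follow it. This can only trigger where size_t is
     * no wider than the callers' unsigned int length.
     */
    if (m_len > (size_t)-1 - di_prefix_len) {
        ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH);
        return 0;
    }
    dig_info_len = di_prefix_len + m_len;
    dig_info = OPENSSL_malloc(dig_info_len);
    if (dig_info == NULL) {
        ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    memcpy(dig_info, di_prefix, di_prefix_len);
    memcpy(dig_info + di_prefix_len, m, m_len);

    *out = dig_info;
    *out_len = dig_info_len;
    return 1;
}

/*
 * Sign the digest |m| of |m_len| bytes, produced by the hash |type|, with
 * the private key in |rsa| using RSASSA-PKCS1-v1_5.
 *
 * On success it returns one, with the signature written to |sigret| and its
 * length to |*siglen|; otherwise it returns zero. The size of |sigret| is
 * not checked here (presumably the caller provides RSA_size(rsa) bytes).
 *
 * Outside the FIPS module, an RSA method that supplies its own rsa_sign
 * handler takes over the whole operation; its result is reduced to 0 or 1.
 */
int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
             unsigned char *sigret, unsigned int *siglen, RSA *rsa)
{
    int encrypt_len, ret = 0;
    size_t encoded_len = 0;
    unsigned char *tmps = NULL;
    const unsigned char *encoded = NULL;

#ifndef FIPS_MODULE
    if (rsa->meth->rsa_sign != NULL)
        return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa) > 0;
#endif /* FIPS_MODULE */

    /* Compute the encoded digest. */
    if (type == NID_md5_sha1) {
        /*
         * NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and
         * earlier. It has no DigestInfo wrapper but otherwise is
         * RSASSA-PKCS1-v1_5.
         */
        if (m_len != SSL_SIG_LENGTH) {
            ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH);
            return 0;
        }
        encoded_len = SSL_SIG_LENGTH;
        encoded = m;
    } else {
        if (!encode_pkcs1(&tmps, &encoded_len, type, m, m_len))
            goto err;
        encoded = tmps;
    }

    /* The encoded digest plus the minimum padding must fit the modulus. */
    if (encoded_len + RSA_PKCS1_PADDING_SIZE > (size_t)RSA_size(rsa)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
        goto err;
    }
    encrypt_len = RSA_private_encrypt((int)encoded_len, encoded, sigret, rsa,
                                      RSA_PKCS1_PADDING);
    if (encrypt_len <= 0)
        goto err;

    *siglen = encrypt_len;
    ret = 1;

err:
    /* |tmps| stays NULL on the md5_sha1 path, where |encoded| aliases |m|. */
    OPENSSL_clear_free(tmps, encoded_len);
    return ret;
}

/*
 * Verify an RSA signature in |sigbuf| using |rsa|.
 * |type| is the NID of the digest algorithm to use.
 * If |rm| is NULL, it verifies the signature for digest |m|, otherwise
 * it recovers the digest from the signature, writing the digest to |rm| and
 * the length to |*prm_len|.
 *
 * It returns one on successful verification or zero otherwise.
 *
 * |prm_len| is dereferenced whenever |rm| is not NULL, so the two must be
 * supplied together.
 */
int ossl_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
                    unsigned char *rm, size_t *prm_len,
                    const unsigned char *sigbuf, size_t siglen, RSA *rsa)
{
    int len, ret = 0;
    size_t decrypt_len, encoded_len = 0;
    unsigned char *decrypt_buf = NULL, *encoded = NULL;

    /* A signature must be exactly as long as the modulus. */
    if (siglen != (size_t)RSA_size(rsa)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_WRONG_SIGNATURE_LENGTH);
        return 0;
    }

    /* Recover the encoded digest. */
    decrypt_buf = OPENSSL_malloc(siglen);
    if (decrypt_buf == NULL) {
        ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf, rsa,
                             RSA_PKCS1_PADDING);
    if (len <= 0)
        goto err;
    decrypt_len = len;

#ifndef FIPS_MODULE
    if (type == NID_md5_sha1) {
        /*
         * NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and
         * earlier. It has no DigestInfo wrapper but otherwise is
         * RSASSA-PKCS1-v1_5.
         */
        if (decrypt_len != SSL_SIG_LENGTH) {
            ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
            goto err;
        }

        if (rm != NULL) {
            memcpy(rm, decrypt_buf, SSL_SIG_LENGTH);
            *prm_len = SSL_SIG_LENGTH;
        } else {
            if (m_len != SSL_SIG_LENGTH) {
                ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH);
                goto err;
            }

            if (memcmp(decrypt_buf, m, SSL_SIG_LENGTH) != 0) {
                ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
                goto err;
            }
        }
    } else if (type == NID_mdc2 && decrypt_len == 2 + 16
               && decrypt_buf[0] == 0x04 && decrypt_buf[1] == 0x10) {
        /*
         * Oddball MDC2 case: signature can be OCTET STRING. Check for correct
         * tag and length octets.
         */
        if (rm != NULL) {
            memcpy(rm, decrypt_buf + 2, 16);
            *prm_len = 16;
        } else {
            if (m_len != 16) {
                ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH);
                goto err;
            }

            if (memcmp(m, decrypt_buf + 2, 16) != 0) {
                ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
                goto err;
            }
        }
    } else
#endif /* FIPS_MODULE */
    {
        /*
         * If recovering the digest, extract a digest-sized output from the end
         * of |decrypt_buf| for |encode_pkcs1|, then compare the decryption
         * output as in a standard verification.
         */
        if (rm != NULL) {
            len = digest_sz_from_nid(type);

            /* Unsupported digest: fails without adding an error entry. */
            if (len <= 0)
                goto err;
            m_len = (unsigned int)len;
            if (m_len > decrypt_len) {
                ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
                goto err;
            }
            m = decrypt_buf + decrypt_len - m_len;
        }

        /*
         * Construct the encoded digest and ensure it matches. The decrypted
         * block is never parsed: the expected DigestInfo is rebuilt and the
         * two are compared in full, length first, so a block with a different
         * encoding or with extra bytes is rejected.
         */
        if (!encode_pkcs1(&encoded, &encoded_len, type, m, m_len))
            goto err;

        if (encoded_len != decrypt_len
                || memcmp(encoded, decrypt_buf, encoded_len) != 0) {
            ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
            goto err;
        }

        /* Output the recovered digest. */
        if (rm != NULL) {
            memcpy(rm, m, m_len);
            *prm_len = m_len;
        }
    }

    ret = 1;

err:
    /* Both buffers are cleared before release; NULL is passed when unset. */
    OPENSSL_clear_free(encoded, encoded_len);
    OPENSSL_clear_free(decrypt_buf, siglen);
    return ret;
}

/*
 * Verify the signature |sigbuf| of |siglen| bytes over the digest |m| of
 * |m_len| bytes, produced by the hash |type|, with the public key in |rsa|.
 *
 * An RSA method that supplies its own rsa_verify handler takes over the
 * whole operation; otherwise ossl_rsa_verify() is used in verify-only mode.
 *
 * NOTE(review): unlike RSA_sign(), the handler's return value is passed
 * through unchanged. If a handler can report errors with a negative value,
 * a caller that only tests for non-zero would accept it, so callers should
 * compare the result with 1. Confirm the method contract.
 */
int RSA_verify(int type, const unsigned char *m, unsigned int m_len,
               const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
{

    if (rsa->meth->rsa_verify != NULL)
        return rsa->meth->rsa_verify(type, m, m_len, sigbuf, siglen, rsa);

    return ossl_rsa_verify(type, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
}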