generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Backport extended PSS support from HEAD: allow setting of mgf1Hash explicitly.

Browse Source 
This is needed to handle FIPS redirection fully.
This commit is contained in:
Dr. Stephen Henson
2011-06-02 18:13:33 +00:00
parent 916bcab28e
commit a5b386205f
4 changed files with 131 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
crypto/rsa/rsa.h
View File

@@ -222,12 +222,22 @@ struct rsa_st
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \
pad, NULL) pad, NULL)
#define EVP_PKEY_CTX_get_rsa_padding(ctx, ppad) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, \
EVP_PKEY_CTRL_GET_RSA_PADDING, 0, ppad)
#define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \ #define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
(EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \ (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
EVP_PKEY_CTRL_RSA_PSS_SALTLEN, \ EVP_PKEY_CTRL_RSA_PSS_SALTLEN, \
len, NULL) len, NULL)
#define EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, plen) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
(EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, \
0, plen)
#define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \ #define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL) EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL)
@@ -236,11 +246,24 @@ struct rsa_st
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp) EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp)
#define EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \
EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md)
#define EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \
EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd)
#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1) #define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2) #define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2)
#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3) #define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3)
#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4) #define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4)
#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5)
#define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 6)
#define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 7)
#define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 8)
#define RSA_PKCS1_PADDING 1 #define RSA_PKCS1_PADDING 1
#define RSA_SSLV23_PADDING 2 #define RSA_SSLV23_PADDING 2
@@ -380,6 +403,14 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
const unsigned char *mHash, const unsigned char *mHash,
const EVP_MD *Hash, int sLen); const EVP_MD *Hash, int sLen);
int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
const EVP_MD *Hash, const EVP_MD *mgf1Hash,
const unsigned char *EM, int sLen);
int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
const unsigned char *mHash,
const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen);
int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
int RSA_set_ex_data(RSA *r,int idx,void *arg); int RSA_set_ex_data(RSA *r,int idx,void *arg);
@@ -424,6 +455,7 @@ void ERR_load_RSA_strings(void);
#define RSA_F_RSA_PADDING_ADD_NONE 107 #define RSA_F_RSA_PADDING_ADD_NONE 107
#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121 #define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125 #define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108 #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109 #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
#define RSA_F_RSA_PADDING_ADD_SSLV23 110 #define RSA_F_RSA_PADDING_ADD_SSLV23 110
@@ -445,6 +477,7 @@ void ERR_load_RSA_strings(void);
#define RSA_F_RSA_VERIFY 119 #define RSA_F_RSA_VERIFY 119
#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120 #define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
#define RSA_F_RSA_VERIFY_PKCS1_PSS 126 #define RSA_F_RSA_VERIFY_PKCS1_PSS 126
#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
/* Reason codes. */ /* Reason codes. */
#define RSA_R_ALGORITHM_MISMATCH 100 #define RSA_R_ALGORITHM_MISMATCH 100
@@ -470,6 +503,7 @@ void ERR_load_RSA_strings(void);
#define RSA_R_INVALID_HEADER 137 #define RSA_R_INVALID_HEADER 137
#define RSA_R_INVALID_KEYBITS 145 #define RSA_R_INVALID_KEYBITS 145
#define RSA_R_INVALID_MESSAGE_LENGTH 131 #define RSA_R_INVALID_MESSAGE_LENGTH 131
#define RSA_R_INVALID_MGF1_MD 149
#define RSA_R_INVALID_PADDING 138 #define RSA_R_INVALID_PADDING 138
#define RSA_R_INVALID_PADDING_MODE 141 #define RSA_R_INVALID_PADDING_MODE 141
#define RSA_R_INVALID_PSS_SALTLEN 146 #define RSA_R_INVALID_PSS_SALTLEN 146

5
crypto/rsa/rsa_err.c
View File

@@ -1,6 +1,6 @@
/* crypto/rsa/rsa_err.c */ /* crypto/rsa/rsa_err.c */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@@ -97,6 +97,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"}, {ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"},
{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"}, {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"},
{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"}, {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"},
{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1), "RSA_padding_add_PKCS1_PSS_mgf1"},
{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1), "RSA_padding_add_PKCS1_type_1"}, {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1), "RSA_padding_add_PKCS1_type_1"},
{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2), "RSA_padding_add_PKCS1_type_2"}, {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2), "RSA_padding_add_PKCS1_type_2"},
{ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23), "RSA_padding_add_SSLv23"}, {ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23), "RSA_padding_add_SSLv23"},
@@ -118,6 +119,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"}, {ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
{ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING), "RSA_verify_ASN1_OCTET_STRING"}, {ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING), "RSA_verify_ASN1_OCTET_STRING"},
{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"}, {ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"},
{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1), "RSA_verify_PKCS1_PSS_mgf1"},
{0,NULL} {0,NULL}
}; };
@@ -146,6 +148,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
{ERR_REASON(RSA_R_INVALID_HEADER) ,"invalid header"}, {ERR_REASON(RSA_R_INVALID_HEADER) ,"invalid header"},
{ERR_REASON(RSA_R_INVALID_KEYBITS) ,"invalid keybits"}, {ERR_REASON(RSA_R_INVALID_KEYBITS) ,"invalid keybits"},
{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"}, {ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"},
{ERR_REASON(RSA_R_INVALID_MGF1_MD) ,"invalid mgf1 md"},
{ERR_REASON(RSA_R_INVALID_PADDING) ,"invalid padding"}, {ERR_REASON(RSA_R_INVALID_PADDING) ,"invalid padding"},
{ERR_REASON(RSA_R_INVALID_PADDING_MODE) ,"invalid padding mode"}, {ERR_REASON(RSA_R_INVALID_PADDING_MODE) ,"invalid padding mode"},
{ERR_REASON(RSA_R_INVALID_PSS_SALTLEN) ,"invalid pss saltlen"}, {ERR_REASON(RSA_R_INVALID_PSS_SALTLEN) ,"invalid pss saltlen"},

44
crypto/rsa/rsa_pmeth.c
View File

@@ -79,6 +79,8 @@ typedef struct
int pad_mode; int pad_mode;
/* message digest */ /* message digest */
const EVP_MD *md; const EVP_MD *md;
/* message digest for MGF1 */
const EVP_MD *mgf1md;
/* PSS/OAEP salt length */ /* PSS/OAEP salt length */
int saltlen; int saltlen;
/* Temp buffer */ /* Temp buffer */
@@ -95,6 +97,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
rctx->pub_exp = NULL; rctx->pub_exp = NULL;
rctx->pad_mode = RSA_PKCS1_PADDING; rctx->pad_mode = RSA_PKCS1_PADDING;
rctx->md = NULL; rctx->md = NULL;
rctx->mgf1md = NULL;
rctx->tbuf = NULL; rctx->tbuf = NULL;
rctx->saltlen = -2; rctx->saltlen = -2;
@@ -186,8 +189,10 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
{ {
if (!setup_tbuf(rctx, ctx)) if (!setup_tbuf(rctx, ctx))
return -1; return -1;
if (!RSA_padding_add_PKCS1_PSS(rsa, rctx->tbuf, tbs, if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
rctx->md, rctx->saltlen)) rctx->tbuf, tbs,
rctx->md, rctx->mgf1md,
rctx->saltlen))
return -1; return -1;
ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
sig, rsa, RSA_NO_PADDING); sig, rsa, RSA_NO_PADDING);
@@ -289,7 +294,8 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
rsa, RSA_NO_PADDING); rsa, RSA_NO_PADDING);
if (ret <= 0) if (ret <= 0)
return 0; return 0;
ret = RSA_verify_PKCS1_PSS(rsa, tbs, rctx->md, ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
rctx->md, rctx->mgf1md,
rctx->tbuf, rctx->saltlen); rctx->tbuf, rctx->saltlen);
if (ret <= 0) if (ret <= 0)
return 0; return 0;
@@ -403,15 +409,25 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
return -2; return -2;
case EVP_PKEY_CTRL_GET_RSA_PADDING:
*(int *)p2 = rctx->pad_mode;
return 1;
case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
if (p1 < -2) case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
return -2;
if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
{ {
RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
return -2; return -2;
} }
if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
*(int *)p2 = rctx->saltlen;
else
{
if (p1 < -2)
return -2;
rctx->saltlen = p1; rctx->saltlen = p1;
}
return 1; return 1;
case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
@@ -435,6 +451,24 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
rctx->md = p2; rctx->md = p2;
return 1; return 1;
case EVP_PKEY_CTRL_RSA_MGF1_MD:
case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
{
RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
return -2;
}
if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD)
{
if (rctx->mgf1md)
*(const EVP_MD **)p2 = rctx->mgf1md;
else
*(const EVP_MD **)p2 = rctx->md;
}
else
rctx->mgf1md = p2;
return 1;
case EVP_PKEY_CTRL_DIGESTINIT: case EVP_PKEY_CTRL_DIGESTINIT:
case EVP_PKEY_CTRL_PKCS7_ENCRYPT: case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
case EVP_PKEY_CTRL_PKCS7_DECRYPT: case EVP_PKEY_CTRL_PKCS7_DECRYPT:

81
crypto/rsa/rsa_pss.c
View File

@@ -73,6 +73,13 @@ static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
const EVP_MD *Hash, const unsigned char *EM, int sLen) const EVP_MD *Hash, const unsigned char *EM, int sLen)
{ {
return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
}
int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
const EVP_MD *Hash, const EVP_MD *mgf1Hash,
const unsigned char *EM, int sLen)
{
int i; int i;
int ret = 0; int ret = 0;
int hLen, maskedDBLen, MSBits, emLen; int hLen, maskedDBLen, MSBits, emLen;
@@ -80,6 +87,10 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
unsigned char *DB = NULL; unsigned char *DB = NULL;
EVP_MD_CTX ctx; EVP_MD_CTX ctx;
unsigned char H_[EVP_MAX_MD_SIZE]; unsigned char H_[EVP_MAX_MD_SIZE];
EVP_MD_CTX_init(&ctx);
if (mgf1Hash == NULL)
mgf1Hash = Hash;
hLen = EVP_MD_size(Hash); hLen = EVP_MD_size(Hash);
if (hLen < 0) if (hLen < 0)
@@ -94,7 +105,7 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
else if (sLen == -2) sLen = -2; else if (sLen == -2) sLen = -2;
else if (sLen < -2) else if (sLen < -2)
{ {
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
goto err; goto err;
} }
@@ -102,7 +113,7 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
emLen = RSA_size(rsa); emLen = RSA_size(rsa);
if (EM[0] & (0xFF << MSBits)) if (EM[0] & (0xFF << MSBits))
{ {
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID); RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
goto err; goto err;
} }
if (MSBits == 0) if (MSBits == 0)
@@ -112,12 +123,12 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
} }
if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */ if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
{ {
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE); RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
goto err; goto err;
} }
if (EM[emLen - 1] != 0xbc) if (EM[emLen - 1] != 0xbc)
{ {
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID); RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
goto err; goto err;
} }
maskedDBLen = emLen - hLen - 1; maskedDBLen = emLen - hLen - 1;
@@ -125,10 +136,10 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
DB = OPENSSL_malloc(maskedDBLen); DB = OPENSSL_malloc(maskedDBLen);
if (!DB) if (!DB)
{ {
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE); RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash) < 0) if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
goto err; goto err;
for (i = 0; i < maskedDBLen; i++) for (i = 0; i < maskedDBLen; i++)
DB[i] ^= EM[i]; DB[i] ^= EM[i];
@@ -137,25 +148,28 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ; for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
if (DB[i++] != 0x1) if (DB[i++] != 0x1)
{ {
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED); RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
goto err; goto err;
} }
if (sLen >= 0 && (maskedDBLen - i) != sLen) if (sLen >= 0 && (maskedDBLen - i) != sLen)
{ {
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
goto err; goto err;
} }
EVP_MD_CTX_init(&ctx); if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
EVP_DigestInit_ex(&ctx, Hash, NULL); || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); || !EVP_DigestUpdate(&ctx, mHash, hLen))
EVP_DigestUpdate(&ctx, mHash, hLen); goto err;
if (maskedDBLen - i) if (maskedDBLen - i)
EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i); {
EVP_DigestFinal(&ctx, H_, NULL); if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
EVP_MD_CTX_cleanup(&ctx); goto err;
}
if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
goto err;
if (memcmp(H_, H, hLen)) if (memcmp(H_, H, hLen))
{ {
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE); RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
ret = 0; ret = 0;
} }
else else
@@ -164,6 +178,7 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
err: err:
if (DB) if (DB)
OPENSSL_free(DB); OPENSSL_free(DB);
EVP_MD_CTX_cleanup(&ctx);
return ret; return ret;
@@ -173,12 +188,22 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
const unsigned char *mHash, const unsigned char *mHash,
const EVP_MD *Hash, int sLen) const EVP_MD *Hash, int sLen)
{ {
return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
}
int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
const unsigned char *mHash,
const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen)
{
int i; int i;
int ret = 0; int ret = 0;
int hLen, maskedDBLen, MSBits, emLen; int hLen, maskedDBLen, MSBits, emLen;
unsigned char *H, *salt = NULL, *p; unsigned char *H, *salt = NULL, *p;
EVP_MD_CTX ctx; EVP_MD_CTX ctx;
if (mgf1Hash == NULL)
mgf1Hash = Hash;
hLen = EVP_MD_size(Hash); hLen = EVP_MD_size(Hash);
if (hLen < 0) if (hLen < 0)
goto err; goto err;
@@ -192,7 +217,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
else if (sLen == -2) sLen = -2; else if (sLen == -2) sLen = -2;
else if (sLen < -2) else if (sLen < -2)
{ {
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
goto err; goto err;
} }
@@ -209,8 +234,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
} }
else if (emLen < (hLen + sLen + 2)) else if (emLen < (hLen + sLen + 2))
{ {
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
goto err; goto err;
} }
if (sLen > 0) if (sLen > 0)
@@ -218,8 +242,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
salt = OPENSSL_malloc(sLen); salt = OPENSSL_malloc(sLen);
if (!salt) if (!salt)
{ {
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,ERR_R_MALLOC_FAILURE);
ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
if (RAND_bytes(salt, sLen) <= 0) if (RAND_bytes(salt, sLen) <= 0)
@@ -228,16 +251,18 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
maskedDBLen = emLen - hLen - 1; maskedDBLen = emLen - hLen - 1;
H = EM + maskedDBLen; H = EM + maskedDBLen;
EVP_MD_CTX_init(&ctx); EVP_MD_CTX_init(&ctx);
EVP_DigestInit_ex(&ctx, Hash, NULL); if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
EVP_DigestUpdate(&ctx, mHash, hLen); || !EVP_DigestUpdate(&ctx, mHash, hLen))
if (sLen) goto err;
EVP_DigestUpdate(&ctx, salt, sLen); if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
EVP_DigestFinal(&ctx, H, NULL); goto err;
if (!EVP_DigestFinal_ex(&ctx, H, NULL))
goto err;
EVP_MD_CTX_cleanup(&ctx); EVP_MD_CTX_cleanup(&ctx);
/* Generate dbMask in place then perform XOR on it */ /* Generate dbMask in place then perform XOR on it */
if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash)) if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
goto err; goto err;
p = EM; p = EM;