Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

rsa_pss.c@ 331

Last change on this file since 331 was 331, checked in by coas-nagasima, 6 years ago
prototoolに関連するプロジェクトをnewlibからmuslを使うよう変更・更新 ntshellをnewlibの下位の実装から、muslのsyscallの実装に変更・更新以下のOSSをアップデート・mruby-1.3.0 ・musl-1.1.18 ・onigmo-6.1.3 ・tcc-0.9.27 以下のOSSを追加・openssl-1.1.0e ・curl-7.57.0 ・zlib-1.2.11 以下のmrbgemsを追加・iij/mruby-digest ・iij/mruby-env ・iij/mruby-errno ・iij/mruby-iijson ・iij/mruby-ipaddr ・iij/mruby-mock ・iij/mruby-require ・iij/mruby-tls-openssl
Property svn:eol-style set to `native` Property svn:mime-type set to `text/x-csrc`
File size: 6.6 KB

Line
1	/*
2	* Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the OpenSSL license (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include <stdio.h>
11	#include "internal/cryptlib.h"
12	#include <openssl/bn.h>
13	#include <openssl/rsa.h>
14	#include <openssl/evp.h>
15	#include <openssl/rand.h>
16	#include <openssl/sha.h>
17	#include "rsa_locl.h"
18
19	static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
20
21	#if defined(_MSC_VER) && defined(_ARM_)
22	# pragma optimize("g", off)
23	#endif
24
25	int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,
26	const EVP_MD Hash, const unsigned char EM,
27	int sLen)
28	{
29	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
30	}
31
32	int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
33	const EVP_MD Hash, const EVP_MD mgf1Hash,
34	const unsigned char *EM, int sLen)
35	{
36	int i;
37	int ret = 0;
38	int hLen, maskedDBLen, MSBits, emLen;
39	const unsigned char *H;
40	unsigned char *DB = NULL;
41	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
42	unsigned char H_[EVP_MAX_MD_SIZE];
43
44
45	if (ctx == NULL)
46	goto err;
47
48	if (mgf1Hash == NULL)
49	mgf1Hash = Hash;
50
51	hLen = EVP_MD_size(Hash);
52	if (hLen < 0)
53	goto err;
54	/*-
55	* Negative sLen has special meanings:
56	* -1 sLen == hLen
57	* -2 salt length is autorecovered from signature
58	* -N reserved
59	*/
60	if (sLen == -1)
61	sLen = hLen;
62	else if (sLen == -2)
63	sLen = -2;
64	else if (sLen < -2) {
65	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
66	goto err;
67	}
68
69	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
70	emLen = RSA_size(rsa);
71	if (EM[0] & (0xFF << MSBits)) {
72	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
73	goto err;
74	}
75	if (MSBits == 0) {
76	EM++;
77	emLen--;
78	}
79	if (emLen < (hLen + sLen + 2)) { /* sLen can be small negative */
80	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
81	goto err;
82	}
83	if (EM[emLen - 1] != 0xbc) {
84	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
85	goto err;
86	}
87	maskedDBLen = emLen - hLen - 1;
88	H = EM + maskedDBLen;
89	DB = OPENSSL_malloc(maskedDBLen);
90	if (DB == NULL) {
91	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
92	goto err;
93	}
94	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
95	goto err;
96	for (i = 0; i < maskedDBLen; i++)
97	DB[i] ^= EM[i];
98	if (MSBits)
99	DB[0] &= 0xFF >> (8 - MSBits);
100	for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
101	if (DB[i++] != 0x1) {
102	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
103	goto err;
104	}
105	if (sLen >= 0 && (maskedDBLen - i) != sLen) {
106	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
107	goto err;
108	}
109	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
110	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof zeroes)
111	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
112	goto err;
113	if (maskedDBLen - i) {
114	if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
115	goto err;
116	}
117	if (!EVP_DigestFinal_ex(ctx, H_, NULL))
118	goto err;
119	if (memcmp(H_, H, hLen)) {
120	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
121	ret = 0;
122	} else
123	ret = 1;
124
125	err:
126	OPENSSL_free(DB);
127	EVP_MD_CTX_free(ctx);
128
129	return ret;
130
131	}
132
133	int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
134	const unsigned char *mHash,
135	const EVP_MD *Hash, int sLen)
136	{
137	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
138	}
139
140	int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
141	const unsigned char *mHash,
142	const EVP_MD Hash, const EVP_MD mgf1Hash,
143	int sLen)
144	{
145	int i;
146	int ret = 0;
147	int hLen, maskedDBLen, MSBits, emLen;
148	unsigned char H, salt = NULL, *p;
149	EVP_MD_CTX *ctx = NULL;
150
151	if (mgf1Hash == NULL)
152	mgf1Hash = Hash;
153
154	hLen = EVP_MD_size(Hash);
155	if (hLen < 0)
156	goto err;
157	/*-
158	* Negative sLen has special meanings:
159	* -1 sLen == hLen
160	* -2 salt length is maximized
161	* -N reserved
162	*/
163	if (sLen == -1)
164	sLen = hLen;
165	else if (sLen == -2)
166	sLen = -2;
167	else if (sLen < -2) {
168	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
169	goto err;
170	}
171
172	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
173	emLen = RSA_size(rsa);
174	if (MSBits == 0) {
175	*EM++ = 0;
176	emLen--;
177	}
178	if (sLen == -2) {
179	sLen = emLen - hLen - 2;
180	} else if (emLen < (hLen + sLen + 2)) {
181	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
182	RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
183	goto err;
184	}
185	if (sLen > 0) {
186	salt = OPENSSL_malloc(sLen);
187	if (salt == NULL) {
188	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
189	ERR_R_MALLOC_FAILURE);
190	goto err;
191	}
192	if (RAND_bytes(salt, sLen) <= 0)
193	goto err;
194	}
195	maskedDBLen = emLen - hLen - 1;
196	H = EM + maskedDBLen;
197	ctx = EVP_MD_CTX_new();
198	if (ctx == NULL)
199	goto err;
200	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
201	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof zeroes)
202	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
203	goto err;
204	if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
205	goto err;
206	if (!EVP_DigestFinal_ex(ctx, H, NULL))
207	goto err;
208
209	/* Generate dbMask in place then perform XOR on it */
210	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
211	goto err;
212
213	p = EM;
214
215	/*
216	* Initial PS XORs with all zeroes which is a NOP so just update pointer.
217	* Note from a test above this value is guaranteed to be non-negative.
218	*/
219	p += emLen - sLen - hLen - 2;
220	*p++ ^= 0x1;
221	if (sLen > 0) {
222	for (i = 0; i < sLen; i++)
223	*p++ ^= salt[i];
224	}
225	if (MSBits)
226	EM[0] &= 0xFF >> (8 - MSBits);
227
228	/* H is already in place so just set final 0xbc */
229
230	EM[emLen - 1] = 0xbc;
231
232	ret = 1;
233
234	err:
235	EVP_MD_CTX_free(ctx);
236	OPENSSL_free(salt);
237
238	return ret;
239
240	}
241
242	#if defined(_MSC_VER)
243	# pragma optimize("",on)
244	#endif

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: EcnlProtoTool/trunk/openssl-1.1.0e/crypto/rsa/rsa_pss.c@ 331

Download in other formats: