A local copy of OpenSSL from GitHub
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

226 lines
6.8 KiB

  1. /*
  2. * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/bn.h>
  12. #include <openssl/rsa.h>
  13. #include <openssl/objects.h>
  14. #include <openssl/x509.h>
  15. #include "internal/x509_int.h"
  16. #include "rsa_locl.h"
  17. /* Size of an SSL signature: MD5+SHA1 */
  18. #define SSL_SIG_LENGTH 36
  19. int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
  20. unsigned char *sigret, unsigned int *siglen, RSA *rsa)
  21. {
  22. X509_SIG sig;
  23. ASN1_TYPE parameter;
  24. int i, j, ret = 1;
  25. unsigned char *p, *tmps = NULL;
  26. const unsigned char *s = NULL;
  27. X509_ALGOR algor;
  28. ASN1_OCTET_STRING digest;
  29. if (rsa->meth->rsa_sign) {
  30. return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
  31. }
  32. /* Special case: SSL signature, just check the length */
  33. if (type == NID_md5_sha1) {
  34. if (m_len != SSL_SIG_LENGTH) {
  35. RSAerr(RSA_F_RSA_SIGN, RSA_R_INVALID_MESSAGE_LENGTH);
  36. return (0);
  37. }
  38. i = SSL_SIG_LENGTH;
  39. s = m;
  40. } else {
  41. sig.algor = &algor;
  42. sig.algor->algorithm = OBJ_nid2obj(type);
  43. if (sig.algor->algorithm == NULL) {
  44. RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE);
  45. return (0);
  46. }
  47. if (OBJ_length(sig.algor->algorithm) == 0) {
  48. RSAerr(RSA_F_RSA_SIGN,
  49. RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
  50. return (0);
  51. }
  52. parameter.type = V_ASN1_NULL;
  53. parameter.value.ptr = NULL;
  54. sig.algor->parameter = &parameter;
  55. sig.digest = &digest;
  56. sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */
  57. sig.digest->length = m_len;
  58. i = i2d_X509_SIG(&sig, NULL);
  59. }
  60. j = RSA_size(rsa);
  61. if (i > (j - RSA_PKCS1_PADDING_SIZE)) {
  62. RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
  63. return (0);
  64. }
  65. if (type != NID_md5_sha1) {
  66. tmps = OPENSSL_malloc((unsigned int)j + 1);
  67. if (tmps == NULL) {
  68. RSAerr(RSA_F_RSA_SIGN, ERR_R_MALLOC_FAILURE);
  69. return (0);
  70. }
  71. p = tmps;
  72. i2d_X509_SIG(&sig, &p);
  73. s = tmps;
  74. }
  75. i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
  76. if (i <= 0)
  77. ret = 0;
  78. else
  79. *siglen = i;
  80. if (type != NID_md5_sha1)
  81. OPENSSL_clear_free(tmps, (unsigned int)j + 1);
  82. return (ret);
  83. }
  84. /*
  85. * Check DigestInfo structure does not contain extraneous data by reencoding
  86. * using DER and checking encoding against original.
  87. */
  88. static int rsa_check_digestinfo(X509_SIG *sig, const unsigned char *dinfo,
  89. int dinfolen)
  90. {
  91. unsigned char *der = NULL;
  92. int derlen;
  93. int ret = 0;
  94. derlen = i2d_X509_SIG(sig, &der);
  95. if (derlen <= 0)
  96. return 0;
  97. if (derlen == dinfolen && !memcmp(dinfo, der, derlen))
  98. ret = 1;
  99. OPENSSL_clear_free(der, derlen);
  100. return ret;
  101. }
  102. int int_rsa_verify(int dtype, const unsigned char *m,
  103. unsigned int m_len,
  104. unsigned char *rm, size_t *prm_len,
  105. const unsigned char *sigbuf, size_t siglen, RSA *rsa)
  106. {
  107. int i, ret = 0, sigtype;
  108. unsigned char *s;
  109. X509_SIG *sig = NULL;
  110. if (siglen != (unsigned int)RSA_size(rsa)) {
  111. RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_WRONG_SIGNATURE_LENGTH);
  112. return (0);
  113. }
  114. if ((dtype == NID_md5_sha1) && rm) {
  115. i = RSA_public_decrypt((int)siglen,
  116. sigbuf, rm, rsa, RSA_PKCS1_PADDING);
  117. if (i <= 0)
  118. return 0;
  119. *prm_len = i;
  120. return 1;
  121. }
  122. s = OPENSSL_malloc((unsigned int)siglen);
  123. if (s == NULL) {
  124. RSAerr(RSA_F_INT_RSA_VERIFY, ERR_R_MALLOC_FAILURE);
  125. goto err;
  126. }
  127. if ((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH)) {
  128. RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH);
  129. goto err;
  130. }
  131. i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
  132. if (i <= 0)
  133. goto err;
  134. /*
  135. * Oddball MDC2 case: signature can be OCTET STRING. check for correct
  136. * tag and length octets.
  137. */
  138. if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10) {
  139. if (rm) {
  140. memcpy(rm, s + 2, 16);
  141. *prm_len = 16;
  142. ret = 1;
  143. } else if (memcmp(m, s + 2, 16)) {
  144. RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
  145. } else {
  146. ret = 1;
  147. }
  148. } else if (dtype == NID_md5_sha1) {
  149. /* Special case: SSL signature */
  150. if ((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH))
  151. RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
  152. else
  153. ret = 1;
  154. } else {
  155. const unsigned char *p = s;
  156. sig = d2i_X509_SIG(NULL, &p, (long)i);
  157. if (sig == NULL)
  158. goto err;
  159. /* Excess data can be used to create forgeries */
  160. if (p != s + i || !rsa_check_digestinfo(sig, s, i)) {
  161. RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
  162. goto err;
  163. }
  164. /*
  165. * Parameters to the signature algorithm can also be used to create
  166. * forgeries
  167. */
  168. if (sig->algor->parameter
  169. && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) {
  170. RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
  171. goto err;
  172. }
  173. sigtype = OBJ_obj2nid(sig->algor->algorithm);
  174. if (sigtype != dtype) {
  175. RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_ALGORITHM_MISMATCH);
  176. goto err;
  177. }
  178. if (rm) {
  179. const EVP_MD *md;
  180. md = EVP_get_digestbynid(dtype);
  181. if (md && (EVP_MD_size(md) != sig->digest->length))
  182. RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
  183. else {
  184. memcpy(rm, sig->digest->data, sig->digest->length);
  185. *prm_len = sig->digest->length;
  186. ret = 1;
  187. }
  188. } else if (((unsigned int)sig->digest->length != m_len) ||
  189. (memcmp(m, sig->digest->data, m_len) != 0)) {
  190. RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
  191. } else
  192. ret = 1;
  193. }
  194. err:
  195. X509_SIG_free(sig);
  196. OPENSSL_clear_free(s, (unsigned int)siglen);
  197. return (ret);
  198. }
  199. int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
  200. const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
  201. {
  202. if (rsa->meth->rsa_verify) {
  203. return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
  204. }
  205. return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
  206. }