1 /* 2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <stdio.h> 17 #include "internal/cryptlib.h" 18 #include <openssl/bn.h> 19 #include <openssl/rsa.h> 20 #include <openssl/objects.h> 21 #ifndef FIPS_MODULE 22 # ifndef OPENSSL_NO_MD2 23 # include <openssl/md2.h> /* uses MD2_DIGEST_LENGTH */ 24 # endif 25 # ifndef OPENSSL_NO_MD4 26 # include <openssl/md4.h> /* uses MD4_DIGEST_LENGTH */ 27 # endif 28 # ifndef OPENSSL_NO_MD5 29 # include <openssl/md5.h> /* uses MD5_DIGEST_LENGTH */ 30 # endif 31 # ifndef OPENSSL_NO_MDC2 32 # include <openssl/mdc2.h> /* uses MDC2_DIGEST_LENGTH */ 33 # endif 34 # ifndef OPENSSL_NO_RMD160 35 # include <openssl/ripemd.h> /* uses RIPEMD160_DIGEST_LENGTH */ 36 # endif 37 #endif 38 #include <openssl/sha.h> /* uses SHA???_DIGEST_LENGTH */ 39 #include "crypto/rsa.h" 40 #include "rsa_local.h" 41 42 /* 43 * The general purpose ASN1 code is not available inside the FIPS provider. 44 * To remove the dependency RSASSA-PKCS1-v1_5 DigestInfo encodings can be 45 * treated as a special case by pregenerating the required ASN1 encoding. 46 * This encoding will also be shared by the default provider. 47 * 48 * The EMSA-PKCS1-v1_5 encoding method includes an ASN.1 value of type 49 * DigestInfo, where the type DigestInfo has the syntax 50 * 51 * DigestInfo ::= SEQUENCE { 52 * digestAlgorithm DigestAlgorithm, 53 * digest OCTET STRING 54 * } 55 * 56 * DigestAlgorithm ::= AlgorithmIdentifier { 57 * {PKCS1-v1-5DigestAlgorithms} 58 * } 59 * 60 * The AlgorithmIdentifier is a sequence containing the digest OID and 61 * parameters (a value of type NULL). 62 * 63 * The ENCODE_DIGESTINFO_SHA() and ENCODE_DIGESTINFO_MD() macros define an 64 * initialized array containing the DER encoded DigestInfo for the specified 65 * SHA or MD digest. The content of the OCTET STRING is not included. 66 * |name| is the digest name. 67 * |n| is last byte in the encoded OID for the digest. 68 * |sz| is the digest length in bytes. It must not be greater than 110. 69 */ 70 71 #define ASN1_SEQUENCE 0x30 72 #define ASN1_OCTET_STRING 0x04 73 #define ASN1_NULL 0x05 74 #define ASN1_OID 0x06 75 76 /* SHA OIDs are of the form: (2 16 840 1 101 3 4 2 |n|) */ 77 #define ENCODE_DIGESTINFO_SHA(name, n, sz) \ 78 static const unsigned char digestinfo_##name##_der[] = { \ 79 ASN1_SEQUENCE, 0x11 + sz, \ 80 ASN1_SEQUENCE, 0x0d, \ 81 ASN1_OID, 0x09, 2 * 40 + 16, 0x86, 0x48, 1, 101, 3, 4, 2, n, \ 82 ASN1_NULL, 0x00, \ 83 ASN1_OCTET_STRING, sz \ 84 }; 85 86 /* MD2, MD4 and MD5 OIDs are of the form: (1 2 840 113549 2 |n|) */ 87 #define ENCODE_DIGESTINFO_MD(name, n, sz) \ 88 static const unsigned char digestinfo_##name##_der[] = { \ 89 ASN1_SEQUENCE, 0x10 + sz, \ 90 ASN1_SEQUENCE, 0x0c, \ 91 ASN1_OID, 0x08, 1 * 40 + 2, 0x86, 0x48, 0x86, 0xf7, 0x0d, 2, n, \ 92 ASN1_NULL, 0x00, \ 93 ASN1_OCTET_STRING, sz \ 94 }; 95 96 #ifndef FIPS_MODULE 97 # ifndef OPENSSL_NO_MD2 98 ENCODE_DIGESTINFO_MD(md2, 0x02, MD2_DIGEST_LENGTH) 99 # endif 100 # ifndef OPENSSL_NO_MD4 101 ENCODE_DIGESTINFO_MD(md4, 0x03, MD4_DIGEST_LENGTH) 102 # endif 103 # ifndef OPENSSL_NO_MD5 104 ENCODE_DIGESTINFO_MD(md5, 0x05, MD5_DIGEST_LENGTH) 105 # endif 106 # ifndef OPENSSL_NO_MDC2 107 /* MDC-2 (2 5 8 3 101) */ 108 static const unsigned char digestinfo_mdc2_der[] = { 109 ASN1_SEQUENCE, 0x0c + MDC2_DIGEST_LENGTH, 110 ASN1_SEQUENCE, 0x08, 111 ASN1_OID, 0x04, 2 * 40 + 5, 8, 3, 101, 112 ASN1_NULL, 0x00, 113 ASN1_OCTET_STRING, MDC2_DIGEST_LENGTH 114 }; 115 # endif 116 # ifndef OPENSSL_NO_RMD160 117 /* RIPEMD160 (1 3 36 3 2 1) */ 118 static const unsigned char digestinfo_ripemd160_der[] = { 119 ASN1_SEQUENCE, 0x0d + RIPEMD160_DIGEST_LENGTH, 120 ASN1_SEQUENCE, 0x09, 121 ASN1_OID, 0x05, 1 * 40 + 3, 36, 3, 2, 1, 122 ASN1_NULL, 0x00, 123 ASN1_OCTET_STRING, RIPEMD160_DIGEST_LENGTH 124 }; 125 # endif 126 #endif /* FIPS_MODULE */ 127 128 /* SHA-1 (1 3 14 3 2 26) */ 129 static const unsigned char digestinfo_sha1_der[] = { 130 ASN1_SEQUENCE, 0x0d + SHA_DIGEST_LENGTH, 131 ASN1_SEQUENCE, 0x09, 132 ASN1_OID, 0x05, 1 * 40 + 3, 14, 3, 2, 26, 133 ASN1_NULL, 0x00, 134 ASN1_OCTET_STRING, SHA_DIGEST_LENGTH 135 }; 136 137 ENCODE_DIGESTINFO_SHA(sha256, 0x01, SHA256_DIGEST_LENGTH) 138 ENCODE_DIGESTINFO_SHA(sha384, 0x02, SHA384_DIGEST_LENGTH) 139 ENCODE_DIGESTINFO_SHA(sha512, 0x03, SHA512_DIGEST_LENGTH) 140 ENCODE_DIGESTINFO_SHA(sha224, 0x04, SHA224_DIGEST_LENGTH) 141 ENCODE_DIGESTINFO_SHA(sha512_224, 0x05, SHA224_DIGEST_LENGTH) 142 ENCODE_DIGESTINFO_SHA(sha512_256, 0x06, SHA256_DIGEST_LENGTH) 143 ENCODE_DIGESTINFO_SHA(sha3_224, 0x07, SHA224_DIGEST_LENGTH) 144 ENCODE_DIGESTINFO_SHA(sha3_256, 0x08, SHA256_DIGEST_LENGTH) 145 ENCODE_DIGESTINFO_SHA(sha3_384, 0x09, SHA384_DIGEST_LENGTH) 146 ENCODE_DIGESTINFO_SHA(sha3_512, 0x0a, SHA512_DIGEST_LENGTH) 147 148 #define MD_CASE(name) \ 149 case NID_##name: \ 150 *len = sizeof(digestinfo_##name##_der); \ 151 return digestinfo_##name##_der; 152 153 const unsigned char *ossl_rsa_digestinfo_encoding(int md_nid, size_t *len) 154 { 155 switch (md_nid) { 156 #ifndef FIPS_MODULE 157 # ifndef OPENSSL_NO_MDC2 158 MD_CASE(mdc2) 159 # endif 160 # ifndef OPENSSL_NO_MD2 161 MD_CASE(md2) 162 # endif 163 # ifndef OPENSSL_NO_MD4 164 MD_CASE(md4) 165 # endif 166 # ifndef OPENSSL_NO_MD5 167 MD_CASE(md5) 168 # endif 169 # ifndef OPENSSL_NO_RMD160 170 MD_CASE(ripemd160) 171 # endif 172 #endif /* FIPS_MODULE */ 173 MD_CASE(sha1) 174 MD_CASE(sha224) 175 MD_CASE(sha256) 176 MD_CASE(sha384) 177 MD_CASE(sha512) 178 MD_CASE(sha512_224) 179 MD_CASE(sha512_256) 180 MD_CASE(sha3_224) 181 MD_CASE(sha3_256) 182 MD_CASE(sha3_384) 183 MD_CASE(sha3_512) 184 default: 185 return NULL; 186 } 187 } 188 189 #define MD_NID_CASE(name, sz) \ 190 case NID_##name: \ 191 return sz; 192 193 static int digest_sz_from_nid(int nid) 194 { 195 switch (nid) { 196 #ifndef FIPS_MODULE 197 # ifndef OPENSSL_NO_MDC2 198 MD_NID_CASE(mdc2, MDC2_DIGEST_LENGTH) 199 # endif 200 # ifndef OPENSSL_NO_MD2 201 MD_NID_CASE(md2, MD2_DIGEST_LENGTH) 202 # endif 203 # ifndef OPENSSL_NO_MD4 204 MD_NID_CASE(md4, MD4_DIGEST_LENGTH) 205 # endif 206 # ifndef OPENSSL_NO_MD5 207 MD_NID_CASE(md5, MD5_DIGEST_LENGTH) 208 # endif 209 # ifndef OPENSSL_NO_RMD160 210 MD_NID_CASE(ripemd160, RIPEMD160_DIGEST_LENGTH) 211 # endif 212 #endif /* FIPS_MODULE */ 213 MD_NID_CASE(sha1, SHA_DIGEST_LENGTH) 214 MD_NID_CASE(sha224, SHA224_DIGEST_LENGTH) 215 MD_NID_CASE(sha256, SHA256_DIGEST_LENGTH) 216 MD_NID_CASE(sha384, SHA384_DIGEST_LENGTH) 217 MD_NID_CASE(sha512, SHA512_DIGEST_LENGTH) 218 MD_NID_CASE(sha512_224, SHA224_DIGEST_LENGTH) 219 MD_NID_CASE(sha512_256, SHA256_DIGEST_LENGTH) 220 MD_NID_CASE(sha3_224, SHA224_DIGEST_LENGTH) 221 MD_NID_CASE(sha3_256, SHA256_DIGEST_LENGTH) 222 MD_NID_CASE(sha3_384, SHA384_DIGEST_LENGTH) 223 MD_NID_CASE(sha3_512, SHA512_DIGEST_LENGTH) 224 default: 225 return 0; 226 } 227 } 228 229 230 /* Size of an SSL signature: MD5+SHA1 */ 231 #define SSL_SIG_LENGTH 36 232 233 /* 234 * Encodes a DigestInfo prefix of hash |type| and digest |m|, as 235 * described in EMSA-PKCS1-v1_5-ENCODE, RFC 3447 section 9.2 step 2. This 236 * encodes the DigestInfo (T and tLen) but does not add the padding. 237 * 238 * On success, it returns one and sets |*out| to a newly allocated buffer 239 * containing the result and |*out_len| to its length. The caller must free 240 * |*out| with OPENSSL_free(). Otherwise, it returns zero. 241 */ 242 static int encode_pkcs1(unsigned char **out, size_t *out_len, int type, 243 const unsigned char *m, size_t m_len) 244 { 245 size_t di_prefix_len, dig_info_len; 246 const unsigned char *di_prefix; 247 unsigned char *dig_info; 248 249 if (type == NID_undef) { 250 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE); 251 return 0; 252 } 253 di_prefix = ossl_rsa_digestinfo_encoding(type, &di_prefix_len); 254 if (di_prefix == NULL) { 255 ERR_raise(ERR_LIB_RSA, 256 RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD); 257 return 0; 258 } 259 dig_info_len = di_prefix_len + m_len; 260 dig_info = OPENSSL_malloc(dig_info_len); 261 if (dig_info == NULL) { 262 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 263 return 0; 264 } 265 memcpy(dig_info, di_prefix, di_prefix_len); 266 memcpy(dig_info + di_prefix_len, m, m_len); 267 268 *out = dig_info; 269 *out_len = dig_info_len; 270 return 1; 271 } 272 273 int RSA_sign(int type, const unsigned char *m, unsigned int m_len, 274 unsigned char *sigret, unsigned int *siglen, RSA *rsa) 275 { 276 int encrypt_len, ret = 0; 277 size_t encoded_len = 0; 278 unsigned char *tmps = NULL; 279 const unsigned char *encoded = NULL; 280 281 #ifndef FIPS_MODULE 282 if (rsa->meth->rsa_sign != NULL) 283 return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa) > 0; 284 #endif /* FIPS_MODULE */ 285 286 /* Compute the encoded digest. */ 287 if (type == NID_md5_sha1) { 288 /* 289 * NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and 290 * earlier. It has no DigestInfo wrapper but otherwise is 291 * RSASSA-PKCS1-v1_5. 292 */ 293 if (m_len != SSL_SIG_LENGTH) { 294 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH); 295 return 0; 296 } 297 encoded_len = SSL_SIG_LENGTH; 298 encoded = m; 299 } else { 300 if (!encode_pkcs1(&tmps, &encoded_len, type, m, m_len)) 301 goto err; 302 encoded = tmps; 303 } 304 305 if (encoded_len + RSA_PKCS1_PADDING_SIZE > (size_t)RSA_size(rsa)) { 306 ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); 307 goto err; 308 } 309 encrypt_len = RSA_private_encrypt((int)encoded_len, encoded, sigret, rsa, 310 RSA_PKCS1_PADDING); 311 if (encrypt_len <= 0) 312 goto err; 313 314 *siglen = encrypt_len; 315 ret = 1; 316 317 err: 318 OPENSSL_clear_free(tmps, encoded_len); 319 return ret; 320 } 321 322 /* 323 * Verify an RSA signature in |sigbuf| using |rsa|. 324 * |type| is the NID of the digest algorithm to use. 325 * If |rm| is NULL, it verifies the signature for digest |m|, otherwise 326 * it recovers the digest from the signature, writing the digest to |rm| and 327 * the length to |*prm_len|. 328 * 329 * It returns one on successful verification or zero otherwise. 330 */ 331 int ossl_rsa_verify(int type, const unsigned char *m, unsigned int m_len, 332 unsigned char *rm, size_t *prm_len, 333 const unsigned char *sigbuf, size_t siglen, RSA *rsa) 334 { 335 int len, ret = 0; 336 size_t decrypt_len, encoded_len = 0; 337 unsigned char *decrypt_buf = NULL, *encoded = NULL; 338 339 if (siglen != (size_t)RSA_size(rsa)) { 340 ERR_raise(ERR_LIB_RSA, RSA_R_WRONG_SIGNATURE_LENGTH); 341 return 0; 342 } 343 344 /* Recover the encoded digest. */ 345 decrypt_buf = OPENSSL_malloc(siglen); 346 if (decrypt_buf == NULL) { 347 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 348 goto err; 349 } 350 351 len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf, rsa, 352 RSA_PKCS1_PADDING); 353 if (len <= 0) 354 goto err; 355 decrypt_len = len; 356 357 #ifndef FIPS_MODULE 358 if (type == NID_md5_sha1) { 359 /* 360 * NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and 361 * earlier. It has no DigestInfo wrapper but otherwise is 362 * RSASSA-PKCS1-v1_5. 363 */ 364 if (decrypt_len != SSL_SIG_LENGTH) { 365 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); 366 goto err; 367 } 368 369 if (rm != NULL) { 370 memcpy(rm, decrypt_buf, SSL_SIG_LENGTH); 371 *prm_len = SSL_SIG_LENGTH; 372 } else { 373 if (m_len != SSL_SIG_LENGTH) { 374 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH); 375 goto err; 376 } 377 378 if (memcmp(decrypt_buf, m, SSL_SIG_LENGTH) != 0) { 379 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); 380 goto err; 381 } 382 } 383 } else if (type == NID_mdc2 && decrypt_len == 2 + 16 384 && decrypt_buf[0] == 0x04 && decrypt_buf[1] == 0x10) { 385 /* 386 * Oddball MDC2 case: signature can be OCTET STRING. check for correct 387 * tag and length octets. 388 */ 389 if (rm != NULL) { 390 memcpy(rm, decrypt_buf + 2, 16); 391 *prm_len = 16; 392 } else { 393 if (m_len != 16) { 394 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH); 395 goto err; 396 } 397 398 if (memcmp(m, decrypt_buf + 2, 16) != 0) { 399 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); 400 goto err; 401 } 402 } 403 } else 404 #endif /* FIPS_MODULE */ 405 { 406 /* 407 * If recovering the digest, extract a digest-sized output from the end 408 * of |decrypt_buf| for |encode_pkcs1|, then compare the decryption 409 * output as in a standard verification. 410 */ 411 if (rm != NULL) { 412 len = digest_sz_from_nid(type); 413 414 if (len <= 0) 415 goto err; 416 m_len = (unsigned int)len; 417 if (m_len > decrypt_len) { 418 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH); 419 goto err; 420 } 421 m = decrypt_buf + decrypt_len - m_len; 422 } 423 424 /* Construct the encoded digest and ensure it matches. */ 425 if (!encode_pkcs1(&encoded, &encoded_len, type, m, m_len)) 426 goto err; 427 428 if (encoded_len != decrypt_len 429 || memcmp(encoded, decrypt_buf, encoded_len) != 0) { 430 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); 431 goto err; 432 } 433 434 /* Output the recovered digest. */ 435 if (rm != NULL) { 436 memcpy(rm, m, m_len); 437 *prm_len = m_len; 438 } 439 } 440 441 ret = 1; 442 443 err: 444 OPENSSL_clear_free(encoded, encoded_len); 445 OPENSSL_clear_free(decrypt_buf, siglen); 446 return ret; 447 } 448 449 int RSA_verify(int type, const unsigned char *m, unsigned int m_len, 450 const unsigned char *sigbuf, unsigned int siglen, RSA *rsa) 451 { 452 453 if (rsa->meth->rsa_verify != NULL) 454 return rsa->meth->rsa_verify(type, m, m_len, sigbuf, siglen, rsa); 455 456 return ossl_rsa_verify(type, m, m_len, NULL, NULL, sigbuf, siglen, rsa); 457 } 458