1 /* 2 * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <stdio.h> 17 #include "internal/cryptlib.h" 18 #include <openssl/bn.h> 19 #include <openssl/rsa.h> 20 #include <openssl/objects.h> 21 #ifndef FIPS_MODULE 22 # ifndef OPENSSL_NO_MD2 23 # include <openssl/md2.h> /* uses MD2_DIGEST_LENGTH */ 24 # endif 25 # ifndef OPENSSL_NO_MD4 26 # include <openssl/md4.h> /* uses MD4_DIGEST_LENGTH */ 27 # endif 28 # ifndef OPENSSL_NO_MD5 29 # include <openssl/md5.h> /* uses MD5_DIGEST_LENGTH */ 30 # endif 31 # ifndef OPENSSL_NO_MDC2 32 # include <openssl/mdc2.h> /* uses MDC2_DIGEST_LENGTH */ 33 # endif 34 # ifndef OPENSSL_NO_RMD160 35 # include <openssl/ripemd.h> /* uses RIPEMD160_DIGEST_LENGTH */ 36 # endif 37 # ifndef OPENSSL_NO_SM3 38 # include "internal/sm3.h" /* uses SM3_DIGEST_LENGTH */ 39 # endif 40 #endif 41 #include <openssl/sha.h> /* uses SHA???_DIGEST_LENGTH */ 42 #include "crypto/rsa.h" 43 #include "rsa_local.h" 44 45 /* 46 * The general purpose ASN1 code is not available inside the FIPS provider. 47 * To remove the dependency RSASSA-PKCS1-v1_5 DigestInfo encodings can be 48 * treated as a special case by pregenerating the required ASN1 encoding. 49 * This encoding will also be shared by the default provider. 50 * 51 * The EMSA-PKCS1-v1_5 encoding method includes an ASN.1 value of type 52 * DigestInfo, where the type DigestInfo has the syntax 53 * 54 * DigestInfo ::= SEQUENCE { 55 * digestAlgorithm DigestAlgorithm, 56 * digest OCTET STRING 57 * } 58 * 59 * DigestAlgorithm ::= AlgorithmIdentifier { 60 * {PKCS1-v1-5DigestAlgorithms} 61 * } 62 * 63 * The AlgorithmIdentifier is a sequence containing the digest OID and 64 * parameters (a value of type NULL). 65 * 66 * The ENCODE_DIGESTINFO_SHA() and ENCODE_DIGESTINFO_MD() macros define an 67 * initialized array containing the DER encoded DigestInfo for the specified 68 * SHA or MD digest. The content of the OCTET STRING is not included. 69 * |name| is the digest name. 70 * |n| is last byte in the encoded OID for the digest. 71 * |sz| is the digest length in bytes. It must not be greater than 110. 72 */ 73 74 #define ASN1_SEQUENCE 0x30 75 #define ASN1_OCTET_STRING 0x04 76 #define ASN1_NULL 0x05 77 #define ASN1_OID 0x06 78 79 /* SHA OIDs are of the form: (2 16 840 1 101 3 4 2 |n|) */ 80 #define ENCODE_DIGESTINFO_SHA(name, n, sz) \ 81 static const unsigned char digestinfo_##name##_der[] = { \ 82 ASN1_SEQUENCE, 0x11 + sz, \ 83 ASN1_SEQUENCE, 0x0d, \ 84 ASN1_OID, 0x09, 2 * 40 + 16, 0x86, 0x48, 1, 101, 3, 4, 2, n, \ 85 ASN1_NULL, 0x00, \ 86 ASN1_OCTET_STRING, sz \ 87 }; 88 89 /* MD2, MD4 and MD5 OIDs are of the form: (1 2 840 113549 2 |n|) */ 90 #define ENCODE_DIGESTINFO_MD(name, n, sz) \ 91 static const unsigned char digestinfo_##name##_der[] = { \ 92 ASN1_SEQUENCE, 0x10 + sz, \ 93 ASN1_SEQUENCE, 0x0c, \ 94 ASN1_OID, 0x08, 1 * 40 + 2, 0x86, 0x48, 0x86, 0xf7, 0x0d, 2, n, \ 95 ASN1_NULL, 0x00, \ 96 ASN1_OCTET_STRING, sz \ 97 }; 98 99 #ifndef FIPS_MODULE 100 # ifndef OPENSSL_NO_MD2 101 ENCODE_DIGESTINFO_MD(md2, 0x02, MD2_DIGEST_LENGTH) 102 # endif 103 # ifndef OPENSSL_NO_MD4 104 ENCODE_DIGESTINFO_MD(md4, 0x03, MD4_DIGEST_LENGTH) 105 # endif 106 # ifndef OPENSSL_NO_MD5 107 ENCODE_DIGESTINFO_MD(md5, 0x05, MD5_DIGEST_LENGTH) 108 # endif 109 # ifndef OPENSSL_NO_MDC2 110 /* MDC-2 (2 5 8 3 101) */ 111 static const unsigned char digestinfo_mdc2_der[] = { 112 ASN1_SEQUENCE, 0x0c + MDC2_DIGEST_LENGTH, 113 ASN1_SEQUENCE, 0x08, 114 ASN1_OID, 0x04, 2 * 40 + 5, 8, 3, 101, 115 ASN1_NULL, 0x00, 116 ASN1_OCTET_STRING, MDC2_DIGEST_LENGTH 117 }; 118 # endif 119 # ifndef OPENSSL_NO_RMD160 120 /* RIPEMD160 (1 3 36 3 2 1) */ 121 static const unsigned char digestinfo_ripemd160_der[] = { 122 ASN1_SEQUENCE, 0x0d + RIPEMD160_DIGEST_LENGTH, 123 ASN1_SEQUENCE, 0x09, 124 ASN1_OID, 0x05, 1 * 40 + 3, 36, 3, 2, 1, 125 ASN1_NULL, 0x00, 126 ASN1_OCTET_STRING, RIPEMD160_DIGEST_LENGTH 127 }; 128 # endif 129 # ifndef OPENSSL_NO_SM3 130 /* SM3 (1 2 156 10197 1 401) */ 131 static const unsigned char digestinfo_sm3_der[] = { 132 ASN1_SEQUENCE, 0x0f + SM3_DIGEST_LENGTH, 133 ASN1_SEQUENCE, 0x0c, 134 ASN1_OID, 0x08, 1 * 40 + 2, 0x81, 0x1c, 0xcf, 0x55, 1, 0x83, 0x78, 135 ASN1_NULL, 0x00, 136 ASN1_OCTET_STRING, SM3_DIGEST_LENGTH 137 }; 138 # endif 139 #endif /* FIPS_MODULE */ 140 141 /* SHA-1 (1 3 14 3 2 26) */ 142 static const unsigned char digestinfo_sha1_der[] = { 143 ASN1_SEQUENCE, 0x0d + SHA_DIGEST_LENGTH, 144 ASN1_SEQUENCE, 0x09, 145 ASN1_OID, 0x05, 1 * 40 + 3, 14, 3, 2, 26, 146 ASN1_NULL, 0x00, 147 ASN1_OCTET_STRING, SHA_DIGEST_LENGTH 148 }; 149 150 ENCODE_DIGESTINFO_SHA(sha256, 0x01, SHA256_DIGEST_LENGTH) 151 ENCODE_DIGESTINFO_SHA(sha384, 0x02, SHA384_DIGEST_LENGTH) 152 ENCODE_DIGESTINFO_SHA(sha512, 0x03, SHA512_DIGEST_LENGTH) 153 ENCODE_DIGESTINFO_SHA(sha224, 0x04, SHA224_DIGEST_LENGTH) 154 ENCODE_DIGESTINFO_SHA(sha512_224, 0x05, SHA224_DIGEST_LENGTH) 155 ENCODE_DIGESTINFO_SHA(sha512_256, 0x06, SHA256_DIGEST_LENGTH) 156 ENCODE_DIGESTINFO_SHA(sha3_224, 0x07, SHA224_DIGEST_LENGTH) 157 ENCODE_DIGESTINFO_SHA(sha3_256, 0x08, SHA256_DIGEST_LENGTH) 158 ENCODE_DIGESTINFO_SHA(sha3_384, 0x09, SHA384_DIGEST_LENGTH) 159 ENCODE_DIGESTINFO_SHA(sha3_512, 0x0a, SHA512_DIGEST_LENGTH) 160 161 #define MD_CASE(name) \ 162 case NID_##name: \ 163 *len = sizeof(digestinfo_##name##_der); \ 164 return digestinfo_##name##_der; 165 166 const unsigned char *ossl_rsa_digestinfo_encoding(int md_nid, size_t *len) 167 { 168 switch (md_nid) { 169 #ifndef FIPS_MODULE 170 # ifndef OPENSSL_NO_MDC2 171 MD_CASE(mdc2) 172 # endif 173 # ifndef OPENSSL_NO_MD2 174 MD_CASE(md2) 175 # endif 176 # ifndef OPENSSL_NO_MD4 177 MD_CASE(md4) 178 # endif 179 # ifndef OPENSSL_NO_MD5 180 MD_CASE(md5) 181 # endif 182 # ifndef OPENSSL_NO_RMD160 183 MD_CASE(ripemd160) 184 # endif 185 # ifndef OPENSSL_NO_SM3 186 MD_CASE(sm3) 187 # endif 188 #endif /* FIPS_MODULE */ 189 MD_CASE(sha1) 190 MD_CASE(sha224) 191 MD_CASE(sha256) 192 MD_CASE(sha384) 193 MD_CASE(sha512) 194 MD_CASE(sha512_224) 195 MD_CASE(sha512_256) 196 MD_CASE(sha3_224) 197 MD_CASE(sha3_256) 198 MD_CASE(sha3_384) 199 MD_CASE(sha3_512) 200 default: 201 return NULL; 202 } 203 } 204 205 #define MD_NID_CASE(name, sz) \ 206 case NID_##name: \ 207 return sz; 208 209 static int digest_sz_from_nid(int nid) 210 { 211 switch (nid) { 212 #ifndef FIPS_MODULE 213 # ifndef OPENSSL_NO_MDC2 214 MD_NID_CASE(mdc2, MDC2_DIGEST_LENGTH) 215 # endif 216 # ifndef OPENSSL_NO_MD2 217 MD_NID_CASE(md2, MD2_DIGEST_LENGTH) 218 # endif 219 # ifndef OPENSSL_NO_MD4 220 MD_NID_CASE(md4, MD4_DIGEST_LENGTH) 221 # endif 222 # ifndef OPENSSL_NO_MD5 223 MD_NID_CASE(md5, MD5_DIGEST_LENGTH) 224 # endif 225 # ifndef OPENSSL_NO_RMD160 226 MD_NID_CASE(ripemd160, RIPEMD160_DIGEST_LENGTH) 227 # endif 228 #endif /* FIPS_MODULE */ 229 MD_NID_CASE(sha1, SHA_DIGEST_LENGTH) 230 MD_NID_CASE(sha224, SHA224_DIGEST_LENGTH) 231 MD_NID_CASE(sha256, SHA256_DIGEST_LENGTH) 232 MD_NID_CASE(sha384, SHA384_DIGEST_LENGTH) 233 MD_NID_CASE(sha512, SHA512_DIGEST_LENGTH) 234 MD_NID_CASE(sha512_224, SHA224_DIGEST_LENGTH) 235 MD_NID_CASE(sha512_256, SHA256_DIGEST_LENGTH) 236 MD_NID_CASE(sha3_224, SHA224_DIGEST_LENGTH) 237 MD_NID_CASE(sha3_256, SHA256_DIGEST_LENGTH) 238 MD_NID_CASE(sha3_384, SHA384_DIGEST_LENGTH) 239 MD_NID_CASE(sha3_512, SHA512_DIGEST_LENGTH) 240 default: 241 return 0; 242 } 243 } 244 245 246 /* Size of an SSL signature: MD5+SHA1 */ 247 #define SSL_SIG_LENGTH 36 248 249 /* 250 * Encodes a DigestInfo prefix of hash |type| and digest |m|, as 251 * described in EMSA-PKCS1-v1_5-ENCODE, RFC 3447 section 9.2 step 2. This 252 * encodes the DigestInfo (T and tLen) but does not add the padding. 253 * 254 * On success, it returns one and sets |*out| to a newly allocated buffer 255 * containing the result and |*out_len| to its length. The caller must free 256 * |*out| with OPENSSL_free(). Otherwise, it returns zero. 257 */ 258 static int encode_pkcs1(unsigned char **out, size_t *out_len, int type, 259 const unsigned char *m, size_t m_len) 260 { 261 size_t di_prefix_len, dig_info_len; 262 const unsigned char *di_prefix; 263 unsigned char *dig_info; 264 265 if (type == NID_undef) { 266 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE); 267 return 0; 268 } 269 di_prefix = ossl_rsa_digestinfo_encoding(type, &di_prefix_len); 270 if (di_prefix == NULL) { 271 ERR_raise(ERR_LIB_RSA, 272 RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD); 273 return 0; 274 } 275 dig_info_len = di_prefix_len + m_len; 276 dig_info = OPENSSL_malloc(dig_info_len); 277 if (dig_info == NULL) 278 return 0; 279 memcpy(dig_info, di_prefix, di_prefix_len); 280 memcpy(dig_info + di_prefix_len, m, m_len); 281 282 *out = dig_info; 283 *out_len = dig_info_len; 284 return 1; 285 } 286 287 int RSA_sign(int type, const unsigned char *m, unsigned int m_len, 288 unsigned char *sigret, unsigned int *siglen, RSA *rsa) 289 { 290 int encrypt_len, ret = 0; 291 size_t encoded_len = 0; 292 unsigned char *tmps = NULL; 293 const unsigned char *encoded = NULL; 294 295 #ifndef FIPS_MODULE 296 if (rsa->meth->rsa_sign != NULL) 297 return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa) > 0; 298 #endif /* FIPS_MODULE */ 299 300 /* Compute the encoded digest. */ 301 if (type == NID_md5_sha1) { 302 /* 303 * NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and 304 * earlier. It has no DigestInfo wrapper but otherwise is 305 * RSASSA-PKCS1-v1_5. 306 */ 307 if (m_len != SSL_SIG_LENGTH) { 308 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH); 309 return 0; 310 } 311 encoded_len = SSL_SIG_LENGTH; 312 encoded = m; 313 } else { 314 if (!encode_pkcs1(&tmps, &encoded_len, type, m, m_len)) 315 goto err; 316 encoded = tmps; 317 } 318 319 if (encoded_len + RSA_PKCS1_PADDING_SIZE > (size_t)RSA_size(rsa)) { 320 ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); 321 goto err; 322 } 323 encrypt_len = RSA_private_encrypt((int)encoded_len, encoded, sigret, rsa, 324 RSA_PKCS1_PADDING); 325 if (encrypt_len <= 0) 326 goto err; 327 328 *siglen = encrypt_len; 329 ret = 1; 330 331 err: 332 OPENSSL_clear_free(tmps, encoded_len); 333 return ret; 334 } 335 336 /* 337 * Verify an RSA signature in |sigbuf| using |rsa|. 338 * |type| is the NID of the digest algorithm to use. 339 * If |rm| is NULL, it verifies the signature for digest |m|, otherwise 340 * it recovers the digest from the signature, writing the digest to |rm| and 341 * the length to |*prm_len|. 342 * 343 * It returns one on successful verification or zero otherwise. 344 */ 345 int ossl_rsa_verify(int type, const unsigned char *m, unsigned int m_len, 346 unsigned char *rm, size_t *prm_len, 347 const unsigned char *sigbuf, size_t siglen, RSA *rsa) 348 { 349 int len, ret = 0; 350 size_t decrypt_len, encoded_len = 0; 351 unsigned char *decrypt_buf = NULL, *encoded = NULL; 352 353 if (siglen != (size_t)RSA_size(rsa)) { 354 ERR_raise(ERR_LIB_RSA, RSA_R_WRONG_SIGNATURE_LENGTH); 355 return 0; 356 } 357 358 /* Recover the encoded digest. */ 359 decrypt_buf = OPENSSL_malloc(siglen); 360 if (decrypt_buf == NULL) 361 goto err; 362 363 len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf, rsa, 364 RSA_PKCS1_PADDING); 365 if (len <= 0) 366 goto err; 367 decrypt_len = len; 368 369 #ifndef FIPS_MODULE 370 if (type == NID_md5_sha1) { 371 /* 372 * NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and 373 * earlier. It has no DigestInfo wrapper but otherwise is 374 * RSASSA-PKCS1-v1_5. 375 */ 376 if (decrypt_len != SSL_SIG_LENGTH) { 377 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); 378 goto err; 379 } 380 381 if (rm != NULL) { 382 memcpy(rm, decrypt_buf, SSL_SIG_LENGTH); 383 *prm_len = SSL_SIG_LENGTH; 384 } else { 385 if (m_len != SSL_SIG_LENGTH) { 386 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH); 387 goto err; 388 } 389 390 if (memcmp(decrypt_buf, m, SSL_SIG_LENGTH) != 0) { 391 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); 392 goto err; 393 } 394 } 395 } else if (type == NID_mdc2 && decrypt_len == 2 + 16 396 && decrypt_buf[0] == 0x04 && decrypt_buf[1] == 0x10) { 397 /* 398 * Oddball MDC2 case: signature can be OCTET STRING. check for correct 399 * tag and length octets. 400 */ 401 if (rm != NULL) { 402 memcpy(rm, decrypt_buf + 2, 16); 403 *prm_len = 16; 404 } else { 405 if (m_len != 16) { 406 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH); 407 goto err; 408 } 409 410 if (memcmp(m, decrypt_buf + 2, 16) != 0) { 411 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); 412 goto err; 413 } 414 } 415 } else 416 #endif /* FIPS_MODULE */ 417 { 418 /* 419 * If recovering the digest, extract a digest-sized output from the end 420 * of |decrypt_buf| for |encode_pkcs1|, then compare the decryption 421 * output as in a standard verification. 422 */ 423 if (rm != NULL) { 424 len = digest_sz_from_nid(type); 425 426 if (len <= 0) 427 goto err; 428 m_len = (unsigned int)len; 429 if (m_len > decrypt_len) { 430 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH); 431 goto err; 432 } 433 m = decrypt_buf + decrypt_len - m_len; 434 } 435 436 /* Construct the encoded digest and ensure it matches. */ 437 if (!encode_pkcs1(&encoded, &encoded_len, type, m, m_len)) 438 goto err; 439 440 if (encoded_len != decrypt_len 441 || memcmp(encoded, decrypt_buf, encoded_len) != 0) { 442 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE); 443 goto err; 444 } 445 446 /* Output the recovered digest. */ 447 if (rm != NULL) { 448 memcpy(rm, m, m_len); 449 *prm_len = m_len; 450 } 451 } 452 453 ret = 1; 454 455 err: 456 OPENSSL_clear_free(encoded, encoded_len); 457 OPENSSL_clear_free(decrypt_buf, siglen); 458 return ret; 459 } 460 461 int RSA_verify(int type, const unsigned char *m, unsigned int m_len, 462 const unsigned char *sigbuf, unsigned int siglen, RSA *rsa) 463 { 464 465 if (rsa->meth->rsa_verify != NULL) 466 return rsa->meth->rsa_verify(type, m, m_len, sigbuf, siglen, rsa); 467 468 return ossl_rsa_verify(type, m, m_len, NULL, NULL, sigbuf, siglen, rsa); 469 } 470