2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/bn.h>
13 #include <openssl/rsa.h>
14 #include <openssl/objects.h>
15 #include <openssl/x509.h>
16 #include "internal/x509_int.h"
19 /* Size of an SSL signature: MD5+SHA1 */
/*
 * 36 = 16 (MD5) + 20 (SHA-1): the concatenated digest pair that the
 * NID_md5_sha1 paths in RSA_sign()/int_rsa_verify() below sign and verify
 * without a DigestInfo wrapper. Both sides check against this constant,
 * so it must not change independently of the other.
 */
20 #define SSL_SIG_LENGTH 36
/*
 * RSA_sign: produce a PKCS#1 v1.5 signature over an already-computed digest.
 *
 *   type    NID of the digest that produced m, or NID_md5_sha1 for the
 *           SSL/TLS MD5||SHA-1 concatenation (signed raw, no DigestInfo).
 *   m/m_len the digest bytes to sign.
 *   sigret  receives the signature; *siglen receives its length.
 *   rsa     the private key (or a key whose method supplies rsa_sign).
 *
 * Presumably returns 1 on success and 0 on failure; every visible error
 * path below records an RSAerr reason code first.
 *
 * NOTE(review): this page is an excerpt with lines dropped (local
 * declarations such as i/j/sig/algor/parameter, the sig.algor/sig.digest
 * wiring, the assignments of j, p and s, closing braces and return
 * statements). It should be read alongside the complete rsa_sign.c, and
 * any comment here about dropped lines is an inference, not a quotation.
 */
22 int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
23 unsigned char *sigret, unsigned int *siglen, RSA *rsa)
28 unsigned char *p, *tmps = NULL;
29 const unsigned char *s = NULL;
31 ASN1_OCTET_STRING digest;
/* A method-level (e.g. engine) signer, when present, replaces everything below. */
32 if (rsa->meth->rsa_sign) {
33 return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
/*
 * SSL/TLS-style signature: the 36-byte MD5||SHA-1 value is signed as-is,
 * so the only input validation possible is the length.
 */
35 /* Special case: SSL signature, just check the length */
36 if (type == NID_md5_sha1) {
37 if (m_len != SSL_SIG_LENGTH) {
38 RSAerr(RSA_F_RSA_SIGN, RSA_R_INVALID_MESSAGE_LENGTH);
/*
 * All other digests are wrapped in the PKCS#1 v1.5 DigestInfo structure
 * (represented here by X509_SIG): AlgorithmIdentifier { OID, NULL } plus
 * the digest as an OCTET STRING.
 */
45 sig.algor->algorithm = OBJ_nid2obj(type);
46 if (sig.algor->algorithm == NULL) {
47 RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE);
/* A NID without a registered OID cannot be DER-encoded into a DigestInfo. */
50 if (OBJ_length(sig.algor->algorithm) == 0) {
51 RSAerr(RSA_F_RSA_SIGN,
52 RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
/*
 * Parameters are an explicit ASN.1 NULL. int_rsa_verify() rejects any
 * parameter that is present and not NULL, so this must stay in sync.
 */
55 parameter.type = V_ASN1_NULL;
56 parameter.value.ptr = NULL;
/* NOTE(review): "¶meter" on the next line is an HTML-entity mangling of "&parameter". */
57 sig.algor->parameter = ¶meter;
/*
 * The OCTET STRING borrows the caller's buffer; i2d only reads through
 * it, which is why the const cast is tolerated.
 */
60 sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */
61 sig.digest->length = m_len;
/* First i2d pass: compute the DER length without writing anything. */
63 i = i2d_X509_SIG(&sig, NULL);
/*
 * The DigestInfo plus the PKCS#1 v1.5 padding overhead
 * (RSA_PKCS1_PADDING_SIZE) must fit in one modulus-sized block;
 * j is presumably RSA_size(rsa) (its assignment is not in this excerpt).
 */
66 if (i > (j - RSA_PKCS1_PADDING_SIZE)) {
67 RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
/*
 * Only the DigestInfo case needs a scratch buffer. For NID_md5_sha1 the
 * raw digest is signed directly (the `s = m` / `s = tmps` assignments
 * are among the dropped lines).
 */
70 if (type != NID_md5_sha1) {
71 tmps = OPENSSL_malloc((unsigned int)j + 1);
73 RSAerr(RSA_F_RSA_SIGN, ERR_R_MALLOC_FAILURE);
/* Second i2d pass: DER-encode into tmps (p is advanced past the encoding). */
77 i2d_X509_SIG(&sig, &p);
/* Type-1 PKCS#1 v1.5 padding plus the private-key operation. */
80 i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
/* The scratch buffer is wiped, not just freed. */
86 if (type != NID_md5_sha1)
87 OPENSSL_clear_free(tmps, (unsigned int)j + 1);
92 * Check DigestInfo structure does not contain extraneous data by reencoding
93 * using DER and checking encoding against original.
 *
 * Rationale: the d2i decoder may accept encodings that are not the
 * canonical DER for the structure it returns. Re-encoding the parsed
 * X509_SIG and demanding a byte-for-byte match with the dinfolen bytes
 * actually recovered from the signature leaves an attacker no slack bytes
 * inside the signed block (the kind of slack low-exponent forgeries
 * depend on). Presumably returns 1 on match and 0 otherwise; the return
 * statements are not in this excerpt, nor is the dinfolen parameter line.
 */
95 static int rsa_check_digestinfo(X509_SIG *sig, const unsigned char *dinfo,
98 unsigned char *der = NULL;
/* i2d allocates der itself (NULL in, length out). */
101 derlen = i2d_X509_SIG(sig, &der);
/* Both the length and every byte must match; a prefix match is not enough. */
104 if (derlen == dinfolen && !memcmp(dinfo, der, derlen))
106 OPENSSL_clear_free(der, derlen);
/*
 * int_rsa_verify: verify a PKCS#1 v1.5 signature, or recover the digest it
 * carries.
 *
 *   dtype        NID of the digest the caller expects (NID_md5_sha1 for the
 *                raw SSL/TLS MD5||SHA-1 case).
 *   m/m_len      the expected digest (m_len's parameter line is dropped from
 *                this excerpt but it is used below). Ignored when rm != NULL.
 *   rm/prm_len   when rm is non-NULL the recovered digest is copied into rm
 *                and its length stored in *prm_len instead of being compared.
 *   sigbuf/siglen the signature; siglen must equal RSA_size(rsa).
 *   rsa          the public key.
 *
 * Presumably returns 1 on success and 0 on failure; the `ret = 1`, `if (i <= 0)`
 * and `goto err`/return lines are among those dropped from this excerpt, as
 * are the local declarations of md and s and several closing braces.
 */
110 int int_rsa_verify(int dtype, const unsigned char *m,
112 unsigned char *rm, size_t *prm_len,
113 const unsigned char *sigbuf, size_t siglen, RSA *rsa)
115 int i, ret = 0, sigtype;
117 X509_SIG *sig = NULL;
/*
 * Reject any signature that is not exactly one modulus-sized block
 * before doing any public-key arithmetic.
 */
119 if (siglen != (unsigned int)RSA_size(rsa)) {
120 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_WRONG_SIGNATURE_LENGTH);
/*
 * Recovery of an SSL-style signature: the unpadded block is written
 * straight into rm. RSA_public_decrypt can write up to RSA_size(rsa)
 * bytes, so rm must be sized for that in this mode (nothing here checks it).
 */
124 if ((dtype == NID_md5_sha1) && rm) {
125 i = RSA_public_decrypt((int)siglen,
126 sigbuf, rm, rsa, RSA_PKCS1_PADDING);
/* Scratch buffer for the unpadded block; wiped on release below. */
133 s = OPENSSL_malloc((unsigned int)siglen);
135 RSAerr(RSA_F_INT_RSA_VERIFY, ERR_R_MALLOC_FAILURE);
/* The raw SSL signature has a fixed size; anything else is a caller error. */
138 if ((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH)) {
139 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH);
/*
 * Strip the type-1 padding; i is the number of payload bytes left in s
 * (the `i <= 0` failure check is not visible in this excerpt).
 */
142 i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
147 * Oddball MDC2 case: signature can be OCTET STRING. check for correct
148 * tag and length octets.
/*
 * Legacy encoding: a bare OCTET STRING (tag 0x04, length 0x10) holding
 * the 16-byte MDC2 digest, with no AlgorithmIdentifier at all. The i == 18
 * test pins the payload to exactly tag + length + 16 bytes, so s[2..17]
 * is in bounds.
 */
150 if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10) {
/* Recovery mode: hand back the 16 digest bytes (the `if (rm)` and *prm_len lines are dropped here). */
152 memcpy(rm, s + 2, 16);
/*
 * NOTE(review): this compares 16 bytes of m without a visible m_len == 16
 * check in this branch; callers passing an MDC2 digest must supply the full
 * 16 bytes. Not constant-time, but both operands derive from public data.
 */
155 } else if (memcmp(m, s + 2, 16)) {
156 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
/* Raw MD5||SHA-1: no DigestInfo, so compare the payload directly. */
160 } else if (dtype == NID_md5_sha1) {
161 /* Special case: SSL signature */
/* m_len was already forced to SSL_SIG_LENGTH above, so a fixed-size compare is safe. */
162 if ((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH))
163 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
/* General case: the payload must be a DigestInfo (X509_SIG). */
167 const unsigned char *p = s;
/* d2i advances p past what it consumed; the NULL-result check is not visible here. */
168 sig = d2i_X509_SIG(NULL, &p, (long)i);
173 /* Excess data can be used to create forgeries */
/*
 * Two independent anti-forgery checks: (1) the decoder must have consumed
 * every payload byte, so nothing trails the DigestInfo; (2) the structure
 * must re-encode to exactly the bytes recovered, so no non-canonical
 * encoding slipped through d2i.
 */
174 if (p != s + i || !rsa_check_digestinfo(sig, s, i)) {
175 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
180 * Parameters to the signature algorithm can also be used to create
 * forgeries: they are attacker-controlled bytes inside the signed block.
 * Only an absent parameter or an explicit ASN.1 NULL is accepted, which
 * mirrors what RSA_sign() emits.
/* (The rest of the original comment block is dropped from this excerpt.) */
183 if (sig->algor->parameter
184 && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) {
185 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
/*
 * The OID inside the signature must name the digest the caller expects;
 * otherwise a signature over a different (possibly weaker) digest could be
 * presented as one over dtype.
 */
189 sigtype = OBJ_obj2nid(sig->algor->algorithm);
191 if (sigtype != dtype) {
192 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_ALGORITHM_MISMATCH);
/*
 * Recovery mode (the enclosing `if (rm)` is dropped from this excerpt):
 * when dtype maps to a known EVP_MD, the embedded digest must have that
 * digest's exact size.
 * NOTE(review): if EVP_get_digestbynid() returns NULL the length is NOT
 * bounded here before the memcpy into rm; callers using recovery mode
 * with a NID that has no EVP_MD must size rm for the unchecked length.
 */
197 md = EVP_get_digestbynid(dtype);
198 if (md && (EVP_MD_size(md) != sig->digest->length))
199 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
201 memcpy(rm, sig->digest->data, sig->digest->length);
202 *prm_len = sig->digest->length;
/*
 * Compare mode: length first, then bytes. memcmp is not constant-time,
 * but both the signature and the expected digest are public inputs here.
 */
205 } else if (((unsigned int)sig->digest->length != m_len) ||
206 (memcmp(m, sig->digest->data, m_len) != 0)) {
207 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
/* Common cleanup: the unpadded block is wiped before release (X509_SIG_free line not shown). */
213 OPENSSL_clear_free(s, (unsigned int)siglen);
/*
 * RSA_verify: public entry point for PKCS#1 v1.5 signature verification.
 * Dispatches to a method-level rsa_verify when the key's RSA_METHOD
 * supplies one; otherwise runs int_rsa_verify() in compare mode
 * (rm == NULL, prm_len == NULL), so m/m_len are checked against the
 * digest recovered from sigbuf rather than returned.
 * Returns whatever the chosen verifier returns (presumably 1 on success,
 * 0 on failure). The closing braces of this function are dropped from
 * this excerpt.
 */
217 int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
218 const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
221 if (rsa->meth->rsa_verify) {
222 return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
/* Default path: all the DigestInfo/parameter/OID checks live in int_rsa_verify(). */
225 return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);