kris
/
boringssl
1
0
Разклонения 0
Код Задачи 0 Заявки за сливане 0 Версии 0 Уики Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1641 Ревизии
12 Клонове
38 MiB
 
 
 
 
 
 
ИН на ревизия: 6de0e53919
Клонове Маркери
${ item.name }
Create branch ${ searchTerm }
от '6de0e53919'
${ noResults }
boringssl/crypto/rsa/padding.c

744 lines
19 KiB
Директен файл Blame История 

  1. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

  2.  * project 2005.

  3.  */

  4. /* ====================================================================

  5.  * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.

  6.  *

  7.  * Redistribution and use in source and binary forms, with or without

  8.  * modification, are permitted provided that the following conditions

  9.  * are met:

  10.  *

  11.  * 1. Redistributions of source code must retain the above copyright

  12.  *    notice, this list of conditions and the following disclaimer.

  13.  *

  14.  * 2. Redistributions in binary form must reproduce the above copyright

  15.  *    notice, this list of conditions and the following disclaimer in

  16.  *    the documentation and/or other materials provided with the

  17.  *    distribution.

  18.  *

  19.  * 3. All advertising materials mentioning features or use of this

  20.  *    software must display the following acknowledgment:

  21.  *    "This product includes software developed by the OpenSSL Project

  22.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  23.  *

  24.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  25.  *    endorse or promote products derived from this software without

  26.  *    prior written permission. For written permission, please contact

  27.  *    licensing@OpenSSL.org.

  28.  *

  29.  * 5. Products derived from this software may not be called "OpenSSL"

  30.  *    nor may "OpenSSL" appear in their names without prior written

  31.  *    permission of the OpenSSL Project.

  32.  *

  33.  * 6. Redistributions of any form whatsoever must retain the following

  34.  *    acknowledgment:

  35.  *    "This product includes software developed by the OpenSSL Project

  36.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  37.  *

  38.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  39.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  40.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  41.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  42.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  43.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  44.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  45.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  46.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  47.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  48.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  49.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  50.  * ====================================================================

  51.  *

  52.  * This product includes cryptographic software written by Eric Young

  53.  * (eay@cryptsoft.com).  This product includes software written by Tim

  54.  * Hudson (tjh@cryptsoft.com). */

  55. 

  56. #include <openssl/rsa.h>

  57. 

  58. #include <assert.h>

  59. #include <string.h>

  60. 

  61. #include <openssl/digest.h>

  62. #include <openssl/err.h>

  63. #include <openssl/mem.h>

  64. #include <openssl/rand.h>

  65. #include <openssl/sha.h>

  66. 

  67. #include "internal.h"

  68. 

  69. /* TODO(fork): don't the check functions have to be constant time? */

  70. 

  71. int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned tlen,

  72.                                  const uint8_t *from, unsigned flen) {

  73.   unsigned j;

  74.   uint8_t *p;

  75. 

  76.   if (tlen < RSA_PKCS1_PADDING_SIZE) {

  77.     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);

  78.     return 0;

  79.   }

  80. 

  81.   if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {

  82.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  83.     return 0;

  84.   }

  85. 

  86.   p = (uint8_t *)to;

  87. 

  88.   *(p++) = 0;

  89.   *(p++) = 1; /* Private Key BT (Block Type) */

  90. 

  91.   /* pad out with 0xff data */

  92.   j = tlen - 3 - flen;

  93.   memset(p, 0xff, j);

  94.   p += j;

  95.   *(p++) = 0;

  96.   memcpy(p, from, (unsigned int)flen);

  97.   return 1;

  98. }

  99. 

  100. int RSA_padding_check_PKCS1_type_1(uint8_t *to, unsigned tlen,

  101.                                    const uint8_t *from, unsigned flen) {

  102.   unsigned i, j;

  103.   const uint8_t *p;

  104. 

  105.   if (flen < 2) {

  106.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);

  107.     return -1;

  108.   }

  109. 

  110.   p = from;

  111.   if ((*(p++) != 0) || (*(p++) != 1)) {

  112.     OPENSSL_PUT_ERROR(RSA, RSA_R_BLOCK_TYPE_IS_NOT_01);

  113.     return -1;

  114.   }

  115. 

  116.   /* scan over padding data */

  117.   j = flen - 2; /* one for leading 00, one for type. */

  118.   for (i = 0; i < j; i++) {

  119.     /* should decrypt to 0xff */

  120.     if (*p != 0xff) {

  121.       if (*p == 0) {

  122.         p++;

  123.         break;

  124.       } else {

  125.         OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT);

  126.         return -1;

  127.       }

  128.     }

  129.     p++;

  130.   }

  131. 

  132.   if (i == j) {

  133.     OPENSSL_PUT_ERROR(RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING);

  134.     return -1;

  135.   }

  136. 

  137.   if (i < 8) {

  138.     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_PAD_BYTE_COUNT);

  139.     return -1;

  140.   }

  141.   i++; /* Skip over the '\0' */

  142.   j -= i;

  143.   if (j > tlen) {

  144.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);

  145.     return -1;

  146.   }

  147.   memcpy(to, p, j);

  148. 

  149.   return j;

  150. }

  151. 

  152. int RSA_padding_add_PKCS1_type_2(uint8_t *to, unsigned tlen,

  153.                                  const uint8_t *from, unsigned flen) {

  154.   unsigned i, j;

  155.   uint8_t *p;

  156. 

  157.   if (tlen < RSA_PKCS1_PADDING_SIZE) {

  158.     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);

  159.     return 0;

  160.   }

  161. 

  162.   if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {

  163.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  164.     return 0;

  165.   }

  166. 

  167.   p = (unsigned char *)to;

  168. 

  169.   *(p++) = 0;

  170.   *(p++) = 2; /* Public Key BT (Block Type) */

  171. 

  172.   /* pad out with non-zero random data */

  173.   j = tlen - 3 - flen;

  174. 

  175.   if (!RAND_bytes(p, j)) {

  176.     return 0;

  177.   }

  178. 

  179.   for (i = 0; i < j; i++) {

  180.     while (*p == 0) {

  181.       if (!RAND_bytes(p, 1)) {

  182.         return 0;

  183.       }

  184.     }

  185.     p++;

  186.   }

  187. 

  188.   *(p++) = 0;

  189. 

  190.   memcpy(p, from, (unsigned int)flen);

  191.   return 1;

  192. }

  193. 

  194. /* constant_time_byte_eq returns 1 if |x| == |y| and 0 otherwise. */

  195. static int constant_time_byte_eq(unsigned char a, unsigned char b) {

  196.   unsigned char z = ~(a ^ b);

  197.   z &= z >> 4;

  198.   z &= z >> 2;

  199.   z &= z >> 1;

  200. 

  201.   return z;

  202. }

  203. 

  204. /* constant_time_select returns |x| if |v| is 1 and |y| if |v| is 0.

  205.  * Its behavior is undefined if |v| takes any other value. */

  206. static int constant_time_select(int v, int x, int y) {

  207.   return ((~(v - 1)) & x) | ((v - 1) & y);

  208. }

  209. 

  210. /* constant_time_le returns 1 if |x| <= |y| and 0 otherwise.

  211.  * |x| and |y| must be positive. */

  212. static int constant_time_le(int x, int y) {

  213.   return ((x - y - 1) >> (sizeof(int) * 8 - 1)) & 1;

  214. }

  215. 

  216. int RSA_message_index_PKCS1_type_2(const uint8_t *from, size_t from_len,

  217.                                    size_t *out_index) {

  218.   size_t i;

  219.   int first_byte_is_zero, second_byte_is_two, looking_for_index;

  220.   int valid_index, zero_index = 0;

  221. 

  222.   /* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography

  223.    * Standard", section 7.2.2. */

  224.   if (from_len < RSA_PKCS1_PADDING_SIZE) {

  225.     /* |from| is zero-padded to the size of the RSA modulus, a public value, so

  226.      * this can be rejected in non-constant time. */

  227.     *out_index = 0;

  228.     return 0;

  229.   }

  230. 

  231.   first_byte_is_zero = constant_time_byte_eq(from[0], 0);

  232.   second_byte_is_two = constant_time_byte_eq(from[1], 2);

  233. 

  234.   looking_for_index = 1;

  235.   for (i = 2; i < from_len; i++) {

  236.     int equals0 = constant_time_byte_eq(from[i], 0);

  237.     zero_index =

  238.         constant_time_select(looking_for_index & equals0, i, zero_index);

  239.     looking_for_index = constant_time_select(equals0, 0, looking_for_index);

  240.   }

  241. 

  242.   /* The input must begin with 00 02. */

  243.   valid_index = first_byte_is_zero;

  244.   valid_index &= second_byte_is_two;

  245. 

  246.   /* We must have found the end of PS. */

  247.   valid_index &= ~looking_for_index;

  248. 

  249.   /* PS must be at least 8 bytes long, and it starts two bytes into |from|. */

  250.   valid_index &= constant_time_le(2 + 8, zero_index);

  251. 

  252.   /* Skip the zero byte. */

  253.   zero_index++;

  254. 

  255.   *out_index = constant_time_select(valid_index, zero_index, 0);

  256.   return valid_index;

  257. }

  258. 

  259. int RSA_padding_check_PKCS1_type_2(uint8_t *to, unsigned tlen,

  260.                                    const uint8_t *from, unsigned flen) {

  261.   size_t msg_index, msg_len;

  262. 

  263.   if (flen == 0) {

  264.     OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);

  265.     return -1;

  266.   }

  267. 

  268.   /* NOTE: Although |RSA_message_index_PKCS1_type_2| itself is constant time,

  269.    * the API contracts of this function and |RSA_decrypt| with

  270.    * |RSA_PKCS1_PADDING| make it impossible to completely avoid Bleichenbacher's

  271.    * attack. */

  272.   if (!RSA_message_index_PKCS1_type_2(from, flen, &msg_index)) {

  273.     OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);

  274.     return -1;

  275.   }

  276. 

  277.   msg_len = flen - msg_index;

  278.   if (msg_len > tlen) {

  279.     /* This shouldn't happen because this function is always called with |tlen|

  280.      * the key size and |flen| is bounded by the key size. */

  281.     OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);

  282.     return -1;

  283.   }

  284.   memcpy(to, &from[msg_index], msg_len);

  285.   return msg_len;

  286. }

  287. 

  288. int RSA_padding_add_none(uint8_t *to, unsigned tlen, const uint8_t *from, unsigned flen) {

  289.   if (flen > tlen) {

  290.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  291.     return 0;

  292.   }

  293. 

  294.   if (flen < tlen) {

  295.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);

  296.     return 0;

  297.   }

  298. 

  299.   memcpy(to, from, (unsigned int)flen);

  300.   return 1;

  301. }

  302. 

  303. int RSA_padding_check_none(uint8_t *to, unsigned tlen, const uint8_t *from,

  304.                            unsigned flen) {

  305.   if (flen > tlen) {

  306.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);

  307.     return -1;

  308.   }

  309. 

  310.   memcpy(to, from, flen);

  311.   return flen;

  312. }

  313. 

  314. int PKCS1_MGF1(uint8_t *mask, unsigned len, const uint8_t *seed,

  315.                unsigned seedlen, const EVP_MD *dgst) {

  316.   unsigned outlen = 0;

  317.   uint32_t i;

  318.   uint8_t cnt[4];

  319.   EVP_MD_CTX c;

  320.   uint8_t md[EVP_MAX_MD_SIZE];

  321.   unsigned mdlen;

  322.   int ret = -1;

  323. 

  324.   EVP_MD_CTX_init(&c);

  325.   mdlen = EVP_MD_size(dgst);

  326. 

  327.   for (i = 0; outlen < len; i++) {

  328.     cnt[0] = (uint8_t)((i >> 24) & 255);

  329.     cnt[1] = (uint8_t)((i >> 16) & 255);

  330.     cnt[2] = (uint8_t)((i >> 8)) & 255;

  331.     cnt[3] = (uint8_t)(i & 255);

  332.     if (!EVP_DigestInit_ex(&c, dgst, NULL) ||

  333.         !EVP_DigestUpdate(&c, seed, seedlen) || !EVP_DigestUpdate(&c, cnt, 4)) {

  334.       goto err;

  335.     }

  336. 

  337.     if (outlen + mdlen <= len) {

  338.       if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL)) {

  339.         goto err;

  340.       }

  341.       outlen += mdlen;

  342.     } else {

  343.       if (!EVP_DigestFinal_ex(&c, md, NULL)) {

  344.         goto err;

  345.       }

  346.       memcpy(mask + outlen, md, len - outlen);

  347.       outlen = len;

  348.     }

  349.   }

  350.   ret = 0;

  351. 

  352. err:

  353.   EVP_MD_CTX_cleanup(&c);

  354.   return ret;

  355. }

  356. 

  357. int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, unsigned tlen,

  358.                                     const uint8_t *from, unsigned flen,

  359.                                     const uint8_t *param, unsigned plen,

  360.                                     const EVP_MD *md, const EVP_MD *mgf1md) {

  361.   unsigned i, emlen, mdlen;

  362.   uint8_t *db, *seed;

  363.   uint8_t *dbmask = NULL, seedmask[EVP_MAX_MD_SIZE];

  364.   int ret = 0;

  365. 

  366.   if (md == NULL) {

  367.     md = EVP_sha1();

  368.   }

  369.   if (mgf1md == NULL) {

  370.     mgf1md = md;

  371.   }

  372. 

  373.   mdlen = EVP_MD_size(md);

  374. 

  375.   if (tlen < 2 * mdlen + 2) {

  376.     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);

  377.     return 0;

  378.   }

  379. 

  380.   emlen = tlen - 1;

  381.   if (flen > emlen - 2 * mdlen - 1) {

  382.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  383.     return 0;

  384.   }

  385. 

  386.   if (emlen < 2 * mdlen + 1) {

  387.     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);

  388.     return 0;

  389.   }

  390. 

  391.   to[0] = 0;

  392.   seed = to + 1;

  393.   db = to + mdlen + 1;

  394. 

  395.   if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL)) {

  396.     return 0;

  397.   }

  398.   memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);

  399.   db[emlen - flen - mdlen - 1] = 0x01;

  400.   memcpy(db + emlen - flen - mdlen, from, flen);

  401.   if (!RAND_bytes(seed, mdlen)) {

  402.     return 0;

  403.   }

  404. 

  405.   dbmask = OPENSSL_malloc(emlen - mdlen);

  406.   if (dbmask == NULL) {

  407.     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);

  408.     return 0;

  409.   }

  410. 

  411.   if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0) {

  412.     goto out;

  413.   }

  414.   for (i = 0; i < emlen - mdlen; i++) {

  415.     db[i] ^= dbmask[i];

  416.   }

  417. 

  418.   if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0) {

  419.     goto out;

  420.   }

  421.   for (i = 0; i < mdlen; i++) {

  422.     seed[i] ^= seedmask[i];

  423.   }

  424.   ret = 1;

  425. 

  426. out:

  427.   OPENSSL_free(dbmask);

  428.   return ret;

  429. }

  430. 

  431. int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *to, unsigned tlen,

  432.                                       const uint8_t *from, unsigned flen,

  433.                                       const uint8_t *param, unsigned plen,

  434.                                       const EVP_MD *md, const EVP_MD *mgf1md) {

  435.   unsigned i, dblen, mlen = -1, mdlen;

  436.   const uint8_t *maskeddb, *maskedseed;

  437.   uint8_t *db = NULL, seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE];

  438.   int bad, looking_for_one_byte, one_index = 0;

  439. 

  440.   if (md == NULL) {

  441.     md = EVP_sha1();

  442.   }

  443.   if (mgf1md == NULL) {

  444.     mgf1md = md;

  445.   }

  446. 

  447.   mdlen = EVP_MD_size(md);

  448. 

  449.   /* The encoded message is one byte smaller than the modulus to ensure that it

  450.    * doesn't end up greater than the modulus. Thus there's an extra "+1" here

  451.    * compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2. */

  452.   if (flen < 1 + 2*mdlen + 1) {

  453.     /* 'flen' is the length of the modulus, i.e. does not depend on the

  454.      * particular ciphertext. */

  455.     goto decoding_err;

  456.   }

  457. 

  458.   dblen = flen - mdlen - 1;

  459.   db = OPENSSL_malloc(dblen);

  460.   if (db == NULL) {

  461.     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);

  462.     goto err;

  463.   }

  464. 

  465.   maskedseed = from + 1;

  466.   maskeddb = from + 1 + mdlen;

  467. 

  468.   if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {

  469.     goto err;

  470.   }

  471.   for (i = 0; i < mdlen; i++) {

  472.     seed[i] ^= maskedseed[i];

  473.   }

  474. 

  475.   if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {

  476.     goto err;

  477.   }

  478.   for (i = 0; i < dblen; i++) {

  479.     db[i] ^= maskeddb[i];

  480.   }

  481. 

  482.   if (!EVP_Digest((void *)param, plen, phash, NULL, md, NULL)) {

  483.     goto err;

  484.   }

  485. 

  486.   bad = CRYPTO_memcmp(db, phash, mdlen);

  487.   bad |= from[0];

  488. 

  489.   looking_for_one_byte = 1;

  490.   for (i = mdlen; i < dblen; i++) {

  491.     int equals1 = constant_time_byte_eq(db[i], 1);

  492.     int equals0 = constant_time_byte_eq(db[i], 0);

  493.     one_index =

  494.         constant_time_select(looking_for_one_byte & equals1, i, one_index);

  495.     looking_for_one_byte =

  496.         constant_time_select(equals1, 0, looking_for_one_byte);

  497.     bad |= looking_for_one_byte & ~equals0;

  498.   }

  499. 

  500.   bad |= looking_for_one_byte;

  501. 

  502.   if (bad) {

  503.     goto decoding_err;

  504.   }

  505. 

  506.   one_index++;

  507.   mlen = dblen - one_index;

  508.   if (tlen < mlen) {

  509.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);

  510.     mlen = -1;

  511.   } else {

  512.     memcpy(to, db + one_index, mlen);

  513.   }

  514. 

  515.   OPENSSL_free(db);

  516.   return mlen;

  517. 

  518. decoding_err:

  519.   /* to avoid chosen ciphertext attacks, the error message should not reveal

  520.    * which kind of decoding error happened */

  521.   OPENSSL_PUT_ERROR(RSA, RSA_R_OAEP_DECODING_ERROR);

  522.  err:

  523.   OPENSSL_free(db);

  524.   return -1;

  525. }

  526. 

  527. static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};

  528. 

  529. int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,

  530.                               const EVP_MD *Hash, const EVP_MD *mgf1Hash,

  531.                               const uint8_t *EM, int sLen) {

  532.   int i;

  533.   int ret = 0;

  534.   int maskedDBLen, MSBits, emLen;

  535.   size_t hLen;

  536.   const uint8_t *H;

  537.   uint8_t *DB = NULL;

  538.   EVP_MD_CTX ctx;

  539.   uint8_t H_[EVP_MAX_MD_SIZE];

  540.   EVP_MD_CTX_init(&ctx);

  541. 

  542.   if (mgf1Hash == NULL) {

  543.     mgf1Hash = Hash;

  544.   }

  545. 

  546.   hLen = EVP_MD_size(Hash);

  547. 

  548.   /* Negative sLen has special meanings:

  549.    *	-1	sLen == hLen

  550.    *	-2	salt length is autorecovered from signature

  551.    *	-N	reserved */

  552.   if (sLen == -1) {

  553.     sLen = hLen;

  554.   } else if (sLen == -2) {

  555.     sLen = -2;

  556.   } else if (sLen < -2) {

  557.     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);

  558.     goto err;

  559.   }

  560. 

  561.   MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;

  562.   emLen = RSA_size(rsa);

  563.   if (EM[0] & (0xFF << MSBits)) {

  564.     OPENSSL_PUT_ERROR(RSA, RSA_R_FIRST_OCTET_INVALID);

  565.     goto err;

  566.   }

  567.   if (MSBits == 0) {

  568.     EM++;

  569.     emLen--;

  570.   }

  571.   if (emLen < ((int)hLen + sLen + 2)) {

  572.     /* sLen can be small negative */

  573.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);

  574.     goto err;

  575.   }

  576.   if (EM[emLen - 1] != 0xbc) {

  577.     OPENSSL_PUT_ERROR(RSA, RSA_R_LAST_OCTET_INVALID);

  578.     goto err;

  579.   }

  580.   maskedDBLen = emLen - hLen - 1;

  581.   H = EM + maskedDBLen;

  582.   DB = OPENSSL_malloc(maskedDBLen);

  583.   if (!DB) {

  584.     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);

  585.     goto err;

  586.   }

  587.   if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) {

  588.     goto err;

  589.   }

  590.   for (i = 0; i < maskedDBLen; i++) {

  591.     DB[i] ^= EM[i];

  592.   }

  593.   if (MSBits) {

  594.     DB[0] &= 0xFF >> (8 - MSBits);

  595.   }

  596.   for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) {

  597.     ;

  598.   }

  599.   if (DB[i++] != 0x1) {

  600.     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_RECOVERY_FAILED);

  601.     goto err;

  602.   }

  603.   if (sLen >= 0 && (maskedDBLen - i) != sLen) {

  604.     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);

  605.     goto err;

  606.   }

  607.   if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||

  608.       !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||

  609.       !EVP_DigestUpdate(&ctx, mHash, hLen)) {

  610.     goto err;

  611.   }

  612.   if (maskedDBLen - i) {

  613.     if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i)) {

  614.       goto err;

  615.     }

  616.   }

  617.   if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) {

  618.     goto err;

  619.   }

  620.   if (memcmp(H_, H, hLen)) {

  621.     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);

  622.     ret = 0;

  623.   } else {

  624.     ret = 1;

  625.   }

  626. 

  627. err:

  628.   OPENSSL_free(DB);

  629.   EVP_MD_CTX_cleanup(&ctx);

  630. 

  631.   return ret;

  632. }

  633. 

  634. int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,

  635.                                    const unsigned char *mHash,

  636.                                    const EVP_MD *Hash, const EVP_MD *mgf1Hash,

  637.                                    int sLen) {

  638.   int i;

  639.   int ret = 0;

  640.   size_t maskedDBLen, MSBits, emLen;

  641.   size_t hLen;

  642.   unsigned char *H, *salt = NULL, *p;

  643.   EVP_MD_CTX ctx;

  644. 

  645.   if (mgf1Hash == NULL) {

  646.     mgf1Hash = Hash;

  647.   }

  648. 

  649.   hLen = EVP_MD_size(Hash);

  650. 

  651.   /* Negative sLen has special meanings:

  652.    *	-1	sLen == hLen

  653.    *	-2	salt length is maximized

  654.    *	-N	reserved */

  655.   if (sLen == -1) {

  656.     sLen = hLen;

  657.   } else if (sLen == -2) {

  658.     sLen = -2;

  659.   } else if (sLen < -2) {

  660.     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);

  661.     goto err;

  662.   }

  663. 

  664.   if (BN_is_zero(rsa->n)) {

  665.     OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);

  666.     goto err;

  667.   }

  668. 

  669.   MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;

  670.   emLen = RSA_size(rsa);

  671.   if (MSBits == 0) {

  672.     assert(emLen >= 1);

  673.     *EM++ = 0;

  674.     emLen--;

  675.   }

  676.   if (sLen == -2) {

  677.     if (emLen < hLen + 2) {

  678.       OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  679.       goto err;

  680.     }

  681.     sLen = emLen - hLen - 2;

  682.   } else if (emLen < hLen + sLen + 2) {

  683.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  684.     goto err;

  685.   }

  686.   if (sLen > 0) {

  687.     salt = OPENSSL_malloc(sLen);

  688.     if (!salt) {

  689.       OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);

  690.       goto err;

  691.     }

  692.     if (!RAND_bytes(salt, sLen)) {

  693.       goto err;

  694.     }

  695.   }

  696.   maskedDBLen = emLen - hLen - 1;

  697.   H = EM + maskedDBLen;

  698.   EVP_MD_CTX_init(&ctx);

  699.   if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||

  700.       !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||

  701.       !EVP_DigestUpdate(&ctx, mHash, hLen)) {

  702.     goto err;

  703.   }

  704.   if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen)) {

  705.     goto err;

  706.   }

  707.   if (!EVP_DigestFinal_ex(&ctx, H, NULL)) {

  708.     goto err;

  709.   }

  710.   EVP_MD_CTX_cleanup(&ctx);

  711. 

  712.   /* Generate dbMask in place then perform XOR on it */

  713.   if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {

  714.     goto err;

  715.   }

  716. 

  717.   p = EM;

  718. 

  719.   /* Initial PS XORs with all zeroes which is a NOP so just update

  720.    * pointer. Note from a test above this value is guaranteed to

  721.    * be non-negative. */

  722.   p += emLen - sLen - hLen - 2;

  723.   *p++ ^= 0x1;

  724.   if (sLen > 0) {

  725.     for (i = 0; i < sLen; i++) {

  726.       *p++ ^= salt[i];

  727.     }

  728.   }

  729.   if (MSBits) {

  730.     EM[0] &= 0xFF >> (8 - MSBits);

  731.   }

  732. 

  733.   /* H is already in place so just set final 0xbc */

  734. 

  735.   EM[emLen - 1] = 0xbc;

  736. 

  737.   ret = 1;

  738. 

  739. err:

  740.   OPENSSL_free(salt);

  741. 

  742.   return ret;

  743. }