kris
/
boringssl
1
0
派生 0
代码 工单 0 合并请求 0 版本发布 0 百科 动态
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
3578 提交
12 分支
38 MiB
 
 
 
 
 
 
目录树: 8a55ce4954
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '8a55ce4954'
${ noResults }
boringssl/crypto/rsa/padding.c

709 行
18 KiB
原始文件 Blame 文件历史 

  1. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

  2.  * project 2005.

  3.  */

  4. /* ====================================================================

  5.  * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.

  6.  *

  7.  * Redistribution and use in source and binary forms, with or without

  8.  * modification, are permitted provided that the following conditions

  9.  * are met:

  10.  *

  11.  * 1. Redistributions of source code must retain the above copyright

  12.  *    notice, this list of conditions and the following disclaimer.

  13.  *

  14.  * 2. Redistributions in binary form must reproduce the above copyright

  15.  *    notice, this list of conditions and the following disclaimer in

  16.  *    the documentation and/or other materials provided with the

  17.  *    distribution.

  18.  *

  19.  * 3. All advertising materials mentioning features or use of this

  20.  *    software must display the following acknowledgment:

  21.  *    "This product includes software developed by the OpenSSL Project

  22.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  23.  *

  24.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  25.  *    endorse or promote products derived from this software without

  26.  *    prior written permission. For written permission, please contact

  27.  *    licensing@OpenSSL.org.

  28.  *

  29.  * 5. Products derived from this software may not be called "OpenSSL"

  30.  *    nor may "OpenSSL" appear in their names without prior written

  31.  *    permission of the OpenSSL Project.

  32.  *

  33.  * 6. Redistributions of any form whatsoever must retain the following

  34.  *    acknowledgment:

  35.  *    "This product includes software developed by the OpenSSL Project

  36.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  37.  *

  38.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  39.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  40.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  41.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  42.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  43.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  44.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  45.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  46.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  47.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  48.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  49.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  50.  * ====================================================================

  51.  *

  52.  * This product includes cryptographic software written by Eric Young

  53.  * (eay@cryptsoft.com).  This product includes software written by Tim

  54.  * Hudson (tjh@cryptsoft.com). */

  55. 

  56. #include <openssl/rsa.h>

  57. 

  58. #include <assert.h>

  59. #include <limits.h>

  60. #include <string.h>

  61. 

  62. #include <openssl/bn.h>

  63. #include <openssl/digest.h>

  64. #include <openssl/err.h>

  65. #include <openssl/mem.h>

  66. #include <openssl/rand.h>

  67. #include <openssl/sha.h>

  68. 

  69. #include "internal.h"

  70. #include "../internal.h"

  71. 

  72. /* TODO(fork): don't the check functions have to be constant time? */

  73. 

  74. int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned to_len,

  75.                                  const uint8_t *from, unsigned from_len) {

  76.   unsigned j;

  77. 

  78.   if (to_len < RSA_PKCS1_PADDING_SIZE) {

  79.     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);

  80.     return 0;

  81.   }

  82. 

  83.   if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {

  84.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  85.     return 0;

  86.   }

  87. 

  88.   uint8_t *p = to;

  89. 

  90.   *(p++) = 0;

  91.   *(p++) = 1; /* Private Key BT (Block Type) */

  92. 

  93.   /* pad out with 0xff data */

  94.   j = to_len - 3 - from_len;

  95.   memset(p, 0xff, j);

  96.   p += j;

  97.   *(p++) = 0;

  98.   memcpy(p, from, from_len);

  99.   return 1;

  100. }

  101. 

  102. int RSA_padding_check_PKCS1_type_1(uint8_t *to, unsigned to_len,

  103.                                    const uint8_t *from, unsigned from_len) {

  104.   unsigned i, j;

  105.   const uint8_t *p;

  106. 

  107.   if (from_len < 2) {

  108.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);

  109.     return -1;

  110.   }

  111. 

  112.   p = from;

  113.   if ((*(p++) != 0) || (*(p++) != 1)) {

  114.     OPENSSL_PUT_ERROR(RSA, RSA_R_BLOCK_TYPE_IS_NOT_01);

  115.     return -1;

  116.   }

  117. 

  118.   /* scan over padding data */

  119.   j = from_len - 2; /* one for leading 00, one for type. */

  120.   for (i = 0; i < j; i++) {

  121.     /* should decrypt to 0xff */

  122.     if (*p != 0xff) {

  123.       if (*p == 0) {

  124.         p++;

  125.         break;

  126.       } else {

  127.         OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT);

  128.         return -1;

  129.       }

  130.     }

  131.     p++;

  132.   }

  133. 

  134.   if (i == j) {

  135.     OPENSSL_PUT_ERROR(RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING);

  136.     return -1;

  137.   }

  138. 

  139.   if (i < 8) {

  140.     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_PAD_BYTE_COUNT);

  141.     return -1;

  142.   }

  143.   i++; /* Skip over the '\0' */

  144.   j -= i;

  145.   if (j > to_len) {

  146.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);

  147.     return -1;

  148.   }

  149.   memcpy(to, p, j);

  150. 

  151.   return j;

  152. }

  153. 

  154. int RSA_padding_add_PKCS1_type_2(uint8_t *to, unsigned to_len,

  155.                                  const uint8_t *from, unsigned from_len) {

  156.   unsigned i, j;

  157. 

  158.   if (to_len < RSA_PKCS1_PADDING_SIZE) {

  159.     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);

  160.     return 0;

  161.   }

  162. 

  163.   if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {

  164.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  165.     return 0;

  166.   }

  167. 

  168.   uint8_t *p = to;

  169. 

  170.   *(p++) = 0;

  171.   *(p++) = 2; /* Public Key BT (Block Type) */

  172. 

  173.   /* pad out with non-zero random data */

  174.   j = to_len - 3 - from_len;

  175. 

  176.   if (!RAND_bytes(p, j)) {

  177.     return 0;

  178.   }

  179. 

  180.   for (i = 0; i < j; i++) {

  181.     while (*p == 0) {

  182.       if (!RAND_bytes(p, 1)) {

  183.         return 0;

  184.       }

  185.     }

  186.     p++;

  187.   }

  188. 

  189.   *(p++) = 0;

  190. 

  191.   memcpy(p, from, from_len);

  192.   return 1;

  193. }

  194. 

  195. int RSA_padding_check_PKCS1_type_2(uint8_t *to, unsigned to_len,

  196.                                    const uint8_t *from, unsigned from_len) {

  197.   if (from_len == 0) {

  198.     OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);

  199.     return -1;

  200.   }

  201. 

  202.   /* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography

  203.    * Standard", section 7.2.2. */

  204.   if (from_len < RSA_PKCS1_PADDING_SIZE) {

  205.     /* |from| is zero-padded to the size of the RSA modulus, a public value, so

  206.      * this can be rejected in non-constant time. */

  207.     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);

  208.     return -1;

  209.   }

  210. 

  211.   unsigned first_byte_is_zero = constant_time_eq(from[0], 0);

  212.   unsigned second_byte_is_two = constant_time_eq(from[1], 2);

  213. 

  214.   unsigned i, zero_index = 0, looking_for_index = ~0u;

  215.   for (i = 2; i < from_len; i++) {

  216.     unsigned equals0 = constant_time_is_zero(from[i]);

  217.     zero_index = constant_time_select(looking_for_index & equals0, (unsigned)i,

  218.                                       zero_index);

  219.     looking_for_index = constant_time_select(equals0, 0, looking_for_index);

  220.   }

  221. 

  222.   /* The input must begin with 00 02. */

  223.   unsigned valid_index = first_byte_is_zero;

  224.   valid_index &= second_byte_is_two;

  225. 

  226.   /* We must have found the end of PS. */

  227.   valid_index &= ~looking_for_index;

  228. 

  229.   /* PS must be at least 8 bytes long, and it starts two bytes into |from|. */

  230.   valid_index &= constant_time_ge(zero_index, 2 + 8);

  231. 

  232.   /* Skip the zero byte. */

  233.   zero_index++;

  234. 

  235.   /* NOTE: Although this logic attempts to be constant time, the API contracts

  236.    * of this function and |RSA_decrypt| with |RSA_PKCS1_PADDING| make it

  237.    * impossible to completely avoid Bleichenbacher's attack. Consumers should

  238.    * use |RSA_unpad_key_pkcs1|. */

  239.   if (!valid_index) {

  240.     OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);

  241.     return -1;

  242.   }

  243. 

  244.   const unsigned msg_len = from_len - zero_index;

  245.   if (msg_len > to_len) {

  246.     /* This shouldn't happen because this function is always called with

  247.      * |to_len| as the key size and |from_len| is bounded by the key size. */

  248.     OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);

  249.     return -1;

  250.   }

  251. 

  252.   if (msg_len > INT_MAX) {

  253.     OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);

  254.     return -1;

  255.   }

  256. 

  257.   memcpy(to, &from[zero_index], msg_len);

  258.   return (int)msg_len;

  259. }

  260. 

  261. int RSA_padding_add_none(uint8_t *to, unsigned to_len, const uint8_t *from,

  262.                          unsigned from_len) {

  263.   if (from_len > to_len) {

  264.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  265.     return 0;

  266.   }

  267. 

  268.   if (from_len < to_len) {

  269.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);

  270.     return 0;

  271.   }

  272. 

  273.   memcpy(to, from, from_len);

  274.   return 1;

  275. }

  276. 

  277. static int PKCS1_MGF1(uint8_t *out, size_t len, const uint8_t *seed,

  278.                       size_t seed_len, const EVP_MD *md) {

  279.   int ret = 0;

  280.   EVP_MD_CTX ctx;

  281.   EVP_MD_CTX_init(&ctx);

  282. 

  283.   size_t md_len = EVP_MD_size(md);

  284. 

  285.   for (uint32_t i = 0; len > 0; i++) {

  286.     uint8_t counter[4];

  287.     counter[0] = (uint8_t)(i >> 24);

  288.     counter[1] = (uint8_t)(i >> 16);

  289.     counter[2] = (uint8_t)(i >> 8);

  290.     counter[3] = (uint8_t)i;

  291.     if (!EVP_DigestInit_ex(&ctx, md, NULL) ||

  292.         !EVP_DigestUpdate(&ctx, seed, seed_len) ||

  293.         !EVP_DigestUpdate(&ctx, counter, sizeof(counter))) {

  294.       goto err;

  295.     }

  296. 

  297.     if (md_len <= len) {

  298.       if (!EVP_DigestFinal_ex(&ctx, out, NULL)) {

  299.         goto err;

  300.       }

  301.       out += md_len;

  302.       len -= md_len;

  303.     } else {

  304.       uint8_t digest[EVP_MAX_MD_SIZE];

  305.       if (!EVP_DigestFinal_ex(&ctx, digest, NULL)) {

  306.         goto err;

  307.       }

  308.       memcpy(out, digest, len);

  309.       len = 0;

  310.     }

  311.   }

  312. 

  313.   ret = 1;

  314. 

  315. err:

  316.   EVP_MD_CTX_cleanup(&ctx);

  317.   return ret;

  318. }

  319. 

  320. int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, unsigned to_len,

  321.                                     const uint8_t *from, unsigned from_len,

  322.                                     const uint8_t *param, unsigned param_len,

  323.                                     const EVP_MD *md, const EVP_MD *mgf1md) {

  324.   unsigned i, emlen, mdlen;

  325.   uint8_t *db, *seed;

  326.   uint8_t *dbmask = NULL, seedmask[EVP_MAX_MD_SIZE];

  327.   int ret = 0;

  328. 

  329.   if (md == NULL) {

  330.     md = EVP_sha1();

  331.   }

  332.   if (mgf1md == NULL) {

  333.     mgf1md = md;

  334.   }

  335. 

  336.   mdlen = EVP_MD_size(md);

  337. 

  338.   if (to_len < 2 * mdlen + 2) {

  339.     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);

  340.     return 0;

  341.   }

  342. 

  343.   emlen = to_len - 1;

  344.   if (from_len > emlen - 2 * mdlen - 1) {

  345.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  346.     return 0;

  347.   }

  348. 

  349.   if (emlen < 2 * mdlen + 1) {

  350.     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);

  351.     return 0;

  352.   }

  353. 

  354.   to[0] = 0;

  355.   seed = to + 1;

  356.   db = to + mdlen + 1;

  357. 

  358.   if (!EVP_Digest(param, param_len, db, NULL, md, NULL)) {

  359.     return 0;

  360.   }

  361.   memset(db + mdlen, 0, emlen - from_len - 2 * mdlen - 1);

  362.   db[emlen - from_len - mdlen - 1] = 0x01;

  363.   memcpy(db + emlen - from_len - mdlen, from, from_len);

  364.   if (!RAND_bytes(seed, mdlen)) {

  365.     return 0;

  366.   }

  367. 

  368.   dbmask = OPENSSL_malloc(emlen - mdlen);

  369.   if (dbmask == NULL) {

  370.     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);

  371.     return 0;

  372.   }

  373. 

  374.   if (!PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md)) {

  375.     goto out;

  376.   }

  377.   for (i = 0; i < emlen - mdlen; i++) {

  378.     db[i] ^= dbmask[i];

  379.   }

  380. 

  381.   if (!PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md)) {

  382.     goto out;

  383.   }

  384.   for (i = 0; i < mdlen; i++) {

  385.     seed[i] ^= seedmask[i];

  386.   }

  387.   ret = 1;

  388. 

  389. out:

  390.   OPENSSL_free(dbmask);

  391.   return ret;

  392. }

  393. 

  394. int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *to, unsigned to_len,

  395.                                       const uint8_t *from, unsigned from_len,

  396.                                       const uint8_t *param, unsigned param_len,

  397.                                       const EVP_MD *md, const EVP_MD *mgf1md) {

  398.   unsigned i, dblen, mlen = -1, mdlen, bad, looking_for_one_byte, one_index = 0;

  399.   const uint8_t *maskeddb, *maskedseed;

  400.   uint8_t *db = NULL, seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE];

  401. 

  402.   if (md == NULL) {

  403.     md = EVP_sha1();

  404.   }

  405.   if (mgf1md == NULL) {

  406.     mgf1md = md;

  407.   }

  408. 

  409.   mdlen = EVP_MD_size(md);

  410. 

  411.   /* The encoded message is one byte smaller than the modulus to ensure that it

  412.    * doesn't end up greater than the modulus. Thus there's an extra "+1" here

  413.    * compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2. */

  414.   if (from_len < 1 + 2*mdlen + 1) {

  415.     /* 'from_len' is the length of the modulus, i.e. does not depend on the

  416.      * particular ciphertext. */

  417.     goto decoding_err;

  418.   }

  419. 

  420.   dblen = from_len - mdlen - 1;

  421.   db = OPENSSL_malloc(dblen);

  422.   if (db == NULL) {

  423.     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);

  424.     goto err;

  425.   }

  426. 

  427.   maskedseed = from + 1;

  428.   maskeddb = from + 1 + mdlen;

  429. 

  430.   if (!PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {

  431.     goto err;

  432.   }

  433.   for (i = 0; i < mdlen; i++) {

  434.     seed[i] ^= maskedseed[i];

  435.   }

  436. 

  437.   if (!PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {

  438.     goto err;

  439.   }

  440.   for (i = 0; i < dblen; i++) {

  441.     db[i] ^= maskeddb[i];

  442.   }

  443. 

  444.   if (!EVP_Digest(param, param_len, phash, NULL, md, NULL)) {

  445.     goto err;

  446.   }

  447. 

  448.   bad = ~constant_time_is_zero(CRYPTO_memcmp(db, phash, mdlen));

  449.   bad |= ~constant_time_is_zero(from[0]);

  450. 

  451.   looking_for_one_byte = ~0u;

  452.   for (i = mdlen; i < dblen; i++) {

  453.     unsigned equals1 = constant_time_eq(db[i], 1);

  454.     unsigned equals0 = constant_time_eq(db[i], 0);

  455.     one_index = constant_time_select(looking_for_one_byte & equals1, i,

  456.                                      one_index);

  457.     looking_for_one_byte =

  458.         constant_time_select(equals1, 0, looking_for_one_byte);

  459.     bad |= looking_for_one_byte & ~equals0;

  460.   }

  461. 

  462.   bad |= looking_for_one_byte;

  463. 

  464.   if (bad) {

  465.     goto decoding_err;

  466.   }

  467. 

  468.   one_index++;

  469.   mlen = dblen - one_index;

  470.   if (to_len < mlen) {

  471.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);

  472.     mlen = -1;

  473.   } else {

  474.     memcpy(to, db + one_index, mlen);

  475.   }

  476. 

  477.   OPENSSL_free(db);

  478.   return mlen;

  479. 

  480. decoding_err:

  481.   /* to avoid chosen ciphertext attacks, the error message should not reveal

  482.    * which kind of decoding error happened */

  483.   OPENSSL_PUT_ERROR(RSA, RSA_R_OAEP_DECODING_ERROR);

  484.  err:

  485.   OPENSSL_free(db);

  486.   return -1;

  487. }

  488. 

  489. static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};

  490. 

  491. int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,

  492.                               const EVP_MD *Hash, const EVP_MD *mgf1Hash,

  493.                               const uint8_t *EM, int sLen) {

  494.   int i;

  495.   int ret = 0;

  496.   int maskedDBLen, MSBits, emLen;

  497.   size_t hLen;

  498.   const uint8_t *H;

  499.   uint8_t *DB = NULL;

  500.   EVP_MD_CTX ctx;

  501.   uint8_t H_[EVP_MAX_MD_SIZE];

  502.   EVP_MD_CTX_init(&ctx);

  503. 

  504.   if (mgf1Hash == NULL) {

  505.     mgf1Hash = Hash;

  506.   }

  507. 

  508.   hLen = EVP_MD_size(Hash);

  509. 

  510.   /* Negative sLen has special meanings:

  511.    *	-1	sLen == hLen

  512.    *	-2	salt length is autorecovered from signature

  513.    *	-N	reserved */

  514.   if (sLen == -1) {

  515.     sLen = hLen;

  516.   } else if (sLen == -2) {

  517.     sLen = -2;

  518.   } else if (sLen < -2) {

  519.     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);

  520.     goto err;

  521.   }

  522. 

  523.   MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;

  524.   emLen = RSA_size(rsa);

  525.   if (EM[0] & (0xFF << MSBits)) {

  526.     OPENSSL_PUT_ERROR(RSA, RSA_R_FIRST_OCTET_INVALID);

  527.     goto err;

  528.   }

  529.   if (MSBits == 0) {

  530.     EM++;

  531.     emLen--;

  532.   }

  533.   if (emLen < ((int)hLen + sLen + 2)) {

  534.     /* sLen can be small negative */

  535.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);

  536.     goto err;

  537.   }

  538.   if (EM[emLen - 1] != 0xbc) {

  539.     OPENSSL_PUT_ERROR(RSA, RSA_R_LAST_OCTET_INVALID);

  540.     goto err;

  541.   }

  542.   maskedDBLen = emLen - hLen - 1;

  543.   H = EM + maskedDBLen;

  544.   DB = OPENSSL_malloc(maskedDBLen);

  545.   if (!DB) {

  546.     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);

  547.     goto err;

  548.   }

  549.   if (!PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash)) {

  550.     goto err;

  551.   }

  552.   for (i = 0; i < maskedDBLen; i++) {

  553.     DB[i] ^= EM[i];

  554.   }

  555.   if (MSBits) {

  556.     DB[0] &= 0xFF >> (8 - MSBits);

  557.   }

  558.   for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) {

  559.     ;

  560.   }

  561.   if (DB[i++] != 0x1) {

  562.     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_RECOVERY_FAILED);

  563.     goto err;

  564.   }

  565.   if (sLen >= 0 && (maskedDBLen - i) != sLen) {

  566.     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);

  567.     goto err;

  568.   }

  569.   if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||

  570.       !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||

  571.       !EVP_DigestUpdate(&ctx, mHash, hLen)) {

  572.     goto err;

  573.   }

  574.   if (maskedDBLen - i) {

  575.     if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i)) {

  576.       goto err;

  577.     }

  578.   }

  579.   if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) {

  580.     goto err;

  581.   }

  582.   if (memcmp(H_, H, hLen)) {

  583.     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);

  584.     ret = 0;

  585.   } else {

  586.     ret = 1;

  587.   }

  588. 

  589. err:

  590.   OPENSSL_free(DB);

  591.   EVP_MD_CTX_cleanup(&ctx);

  592. 

  593.   return ret;

  594. }

  595. 

  596. int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,

  597.                                    const unsigned char *mHash,

  598.                                    const EVP_MD *Hash, const EVP_MD *mgf1Hash,

  599.                                    int sLenRequested) {

  600.   int ret = 0;

  601.   size_t maskedDBLen, MSBits, emLen;

  602.   size_t hLen;

  603.   unsigned char *H, *salt = NULL, *p;

  604.   EVP_MD_CTX ctx;

  605. 

  606.   if (mgf1Hash == NULL) {

  607.     mgf1Hash = Hash;

  608.   }

  609. 

  610.   hLen = EVP_MD_size(Hash);

  611. 

  612.   if (BN_is_zero(rsa->n)) {

  613.     OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);

  614.     goto err;

  615.   }

  616. 

  617.   MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;

  618.   emLen = RSA_size(rsa);

  619.   if (MSBits == 0) {

  620.     assert(emLen >= 1);

  621.     *EM++ = 0;

  622.     emLen--;

  623.   }

  624. 

  625.   if (emLen < hLen + 2) {

  626.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  627.     goto err;

  628.   }

  629. 

  630.   /* Negative sLenRequested has special meanings:

  631.    *   -1  sLen == hLen

  632.    *   -2  salt length is maximized

  633.    *   -N  reserved */

  634.   size_t sLen;

  635.   if (sLenRequested == -1) {

  636.     sLen = hLen;

  637.   } else if (sLenRequested == -2) {

  638.     sLen = emLen - hLen - 2;

  639.   } else if (sLenRequested < 0) {

  640.     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);

  641.     goto err;

  642.   } else {

  643.     sLen = (size_t)sLenRequested;

  644.   }

  645. 

  646.   if (emLen - hLen - 2 < sLen) {

  647.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  648.     goto err;

  649.   }

  650. 

  651.   if (sLen > 0) {

  652.     salt = OPENSSL_malloc(sLen);

  653.     if (!salt) {

  654.       OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);

  655.       goto err;

  656.     }

  657.     if (!RAND_bytes(salt, sLen)) {

  658.       goto err;

  659.     }

  660.   }

  661.   maskedDBLen = emLen - hLen - 1;

  662.   H = EM + maskedDBLen;

  663.   EVP_MD_CTX_init(&ctx);

  664.   if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||

  665.       !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||

  666.       !EVP_DigestUpdate(&ctx, mHash, hLen)) {

  667.     goto err;

  668.   }

  669.   if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen)) {

  670.     goto err;

  671.   }

  672.   if (!EVP_DigestFinal_ex(&ctx, H, NULL)) {

  673.     goto err;

  674.   }

  675.   EVP_MD_CTX_cleanup(&ctx);

  676. 

  677.   /* Generate dbMask in place then perform XOR on it */

  678.   if (!PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {

  679.     goto err;

  680.   }

  681. 

  682.   p = EM;

  683. 

  684.   /* Initial PS XORs with all zeroes which is a NOP so just update

  685.    * pointer. Note from a test above this value is guaranteed to

  686.    * be non-negative. */

  687.   p += emLen - sLen - hLen - 2;

  688.   *p++ ^= 0x1;

  689.   if (sLen > 0) {

  690.     for (size_t i = 0; i < sLen; i++) {

  691.       *p++ ^= salt[i];

  692.     }

  693.   }

  694.   if (MSBits) {

  695.     EM[0] &= 0xFF >> (8 - MSBits);

  696.   }

  697. 

  698.   /* H is already in place so just set final 0xbc */

  699. 

  700.   EM[emLen - 1] = 0xbc;

  701. 

  702.   ret = 1;

  703. 

  704. err:

  705.   OPENSSL_free(salt);

  706. 

  707.   return ret;

  708. }