kris
/
boringssl
1
0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Aktivita
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
2890 Revize
12 Větve
38 MiB
 
 
 
 
 
 
Strom: 97718f1437
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „97718f1437“
${ noResults }
boringssl/crypto/rsa/padding.c

707 řádky
18 KiB
Surový Blame Historie 

  1. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

  2.  * project 2005.

  3.  */

  4. /* ====================================================================

  5.  * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.

  6.  *

  7.  * Redistribution and use in source and binary forms, with or without

  8.  * modification, are permitted provided that the following conditions

  9.  * are met:

  10.  *

  11.  * 1. Redistributions of source code must retain the above copyright

  12.  *    notice, this list of conditions and the following disclaimer.

  13.  *

  14.  * 2. Redistributions in binary form must reproduce the above copyright

  15.  *    notice, this list of conditions and the following disclaimer in

  16.  *    the documentation and/or other materials provided with the

  17.  *    distribution.

  18.  *

  19.  * 3. All advertising materials mentioning features or use of this

  20.  *    software must display the following acknowledgment:

  21.  *    "This product includes software developed by the OpenSSL Project

  22.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  23.  *

  24.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  25.  *    endorse or promote products derived from this software without

  26.  *    prior written permission. For written permission, please contact

  27.  *    licensing@OpenSSL.org.

  28.  *

  29.  * 5. Products derived from this software may not be called "OpenSSL"

  30.  *    nor may "OpenSSL" appear in their names without prior written

  31.  *    permission of the OpenSSL Project.

  32.  *

  33.  * 6. Redistributions of any form whatsoever must retain the following

  34.  *    acknowledgment:

  35.  *    "This product includes software developed by the OpenSSL Project

  36.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  37.  *

  38.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  39.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  40.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  41.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  42.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  43.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  44.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  45.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  46.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  47.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  48.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  49.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  50.  * ====================================================================

  51.  *

  52.  * This product includes cryptographic software written by Eric Young

  53.  * (eay@cryptsoft.com).  This product includes software written by Tim

  54.  * Hudson (tjh@cryptsoft.com). */

  55. 

  56. #include <openssl/rsa.h>

  57. 

  58. #include <assert.h>

  59. #include <limits.h>

  60. #include <string.h>

  61. 

  62. #include <openssl/bn.h>

  63. #include <openssl/digest.h>

  64. #include <openssl/err.h>

  65. #include <openssl/mem.h>

  66. #include <openssl/rand.h>

  67. #include <openssl/sha.h>

  68. 

  69. #include "internal.h"

  70. #include "../internal.h"

  71. 

  72. /* TODO(fork): don't the check functions have to be constant time? */

  73. 

  74. int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned to_len,

  75.                                  const uint8_t *from, unsigned from_len) {

  76.   unsigned j;

  77. 

  78.   if (to_len < RSA_PKCS1_PADDING_SIZE) {

  79.     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);

  80.     return 0;

  81.   }

  82. 

  83.   if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {

  84.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  85.     return 0;

  86.   }

  87. 

  88.   uint8_t *p = to;

  89. 

  90.   *(p++) = 0;

  91.   *(p++) = 1; /* Private Key BT (Block Type) */

  92. 

  93.   /* pad out with 0xff data */

  94.   j = to_len - 3 - from_len;

  95.   memset(p, 0xff, j);

  96.   p += j;

  97.   *(p++) = 0;

  98.   memcpy(p, from, from_len);

  99.   return 1;

  100. }

  101. 

  102. int RSA_padding_check_PKCS1_type_1(uint8_t *to, unsigned to_len,

  103.                                    const uint8_t *from, unsigned from_len) {

  104.   unsigned i, j;

  105.   const uint8_t *p;

  106. 

  107.   if (from_len < 2) {

  108.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);

  109.     return -1;

  110.   }

  111. 

  112.   p = from;

  113.   if ((*(p++) != 0) || (*(p++) != 1)) {

  114.     OPENSSL_PUT_ERROR(RSA, RSA_R_BLOCK_TYPE_IS_NOT_01);

  115.     return -1;

  116.   }

  117. 

  118.   /* scan over padding data */

  119.   j = from_len - 2; /* one for leading 00, one for type. */

  120.   for (i = 0; i < j; i++) {

  121.     /* should decrypt to 0xff */

  122.     if (*p != 0xff) {

  123.       if (*p == 0) {

  124.         p++;

  125.         break;

  126.       } else {

  127.         OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT);

  128.         return -1;

  129.       }

  130.     }

  131.     p++;

  132.   }

  133. 

  134.   if (i == j) {

  135.     OPENSSL_PUT_ERROR(RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING);

  136.     return -1;

  137.   }

  138. 

  139.   if (i < 8) {

  140.     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_PAD_BYTE_COUNT);

  141.     return -1;

  142.   }

  143.   i++; /* Skip over the '\0' */

  144.   j -= i;

  145.   if (j > to_len) {

  146.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);

  147.     return -1;

  148.   }

  149.   memcpy(to, p, j);

  150. 

  151.   return j;

  152. }

  153. 

  154. int RSA_padding_add_PKCS1_type_2(uint8_t *to, unsigned to_len,

  155.                                  const uint8_t *from, unsigned from_len) {

  156.   unsigned i, j;

  157. 

  158.   if (to_len < RSA_PKCS1_PADDING_SIZE) {

  159.     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);

  160.     return 0;

  161.   }

  162. 

  163.   if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {

  164.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  165.     return 0;

  166.   }

  167. 

  168.   uint8_t *p = to;

  169. 

  170.   *(p++) = 0;

  171.   *(p++) = 2; /* Public Key BT (Block Type) */

  172. 

  173.   /* pad out with non-zero random data */

  174.   j = to_len - 3 - from_len;

  175. 

  176.   if (!RAND_bytes(p, j)) {

  177.     return 0;

  178.   }

  179. 

  180.   for (i = 0; i < j; i++) {

  181.     while (*p == 0) {

  182.       if (!RAND_bytes(p, 1)) {

  183.         return 0;

  184.       }

  185.     }

  186.     p++;

  187.   }

  188. 

  189.   *(p++) = 0;

  190. 

  191.   memcpy(p, from, from_len);

  192.   return 1;

  193. }

  194. 

  195. int RSA_padding_check_PKCS1_type_2(uint8_t *to, unsigned to_len,

  196.                                    const uint8_t *from, unsigned from_len) {

  197.   if (from_len == 0) {

  198.     OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);

  199.     return -1;

  200.   }

  201. 

  202.   /* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography

  203.    * Standard", section 7.2.2. */

  204.   if (from_len < RSA_PKCS1_PADDING_SIZE) {

  205.     /* |from| is zero-padded to the size of the RSA modulus, a public value, so

  206.      * this can be rejected in non-constant time. */

  207.     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);

  208.     return -1;

  209.   }

  210. 

  211.   unsigned first_byte_is_zero = constant_time_eq(from[0], 0);

  212.   unsigned second_byte_is_two = constant_time_eq(from[1], 2);

  213. 

  214.   unsigned i, zero_index = 0, looking_for_index = ~0u;

  215.   for (i = 2; i < from_len; i++) {

  216.     unsigned equals0 = constant_time_is_zero(from[i]);

  217.     zero_index = constant_time_select(looking_for_index & equals0, (unsigned)i,

  218.                                       zero_index);

  219.     looking_for_index = constant_time_select(equals0, 0, looking_for_index);

  220.   }

  221. 

  222.   /* The input must begin with 00 02. */

  223.   unsigned valid_index = first_byte_is_zero;

  224.   valid_index &= second_byte_is_two;

  225. 

  226.   /* We must have found the end of PS. */

  227.   valid_index &= ~looking_for_index;

  228. 

  229.   /* PS must be at least 8 bytes long, and it starts two bytes into |from|. */

  230.   valid_index &= constant_time_ge(zero_index, 2 + 8);

  231. 

  232.   /* Skip the zero byte. */

  233.   zero_index++;

  234. 

  235.   /* NOTE: Although this logic attempts to be constant time, the API contracts

  236.    * of this function and |RSA_decrypt| with |RSA_PKCS1_PADDING| make it

  237.    * impossible to completely avoid Bleichenbacher's attack. Consumers should

  238.    * use |RSA_unpad_key_pkcs1|. */

  239.   if (!valid_index) {

  240.     OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);

  241.     return -1;

  242.   }

  243. 

  244.   const unsigned msg_len = from_len - zero_index;

  245.   if (msg_len > to_len) {

  246.     /* This shouldn't happen because this function is always called with

  247.      * |to_len| as the key size and |from_len| is bounded by the key size. */

  248.     OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);

  249.     return -1;

  250.   }

  251. 

  252.   if (msg_len > INT_MAX) {

  253.     OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);

  254.     return -1;

  255.   }

  256. 

  257.   memcpy(to, &from[zero_index], msg_len);

  258.   return (int)msg_len;

  259. }

  260. 

  261. int RSA_padding_add_none(uint8_t *to, unsigned to_len, const uint8_t *from,

  262.                          unsigned from_len) {

  263.   if (from_len > to_len) {

  264.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  265.     return 0;

  266.   }

  267. 

  268.   if (from_len < to_len) {

  269.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);

  270.     return 0;

  271.   }

  272. 

  273.   memcpy(to, from, from_len);

  274.   return 1;

  275. }

  276. 

  277. static int PKCS1_MGF1(uint8_t *mask, unsigned len, const uint8_t *seed,

  278.                       unsigned seedlen, const EVP_MD *dgst) {

  279.   unsigned outlen = 0;

  280.   uint32_t i;

  281.   uint8_t cnt[4];

  282.   EVP_MD_CTX c;

  283.   uint8_t md[EVP_MAX_MD_SIZE];

  284.   unsigned mdlen;

  285.   int ret = -1;

  286. 

  287.   EVP_MD_CTX_init(&c);

  288.   mdlen = EVP_MD_size(dgst);

  289. 

  290.   for (i = 0; outlen < len; i++) {

  291.     cnt[0] = (uint8_t)((i >> 24) & 255);

  292.     cnt[1] = (uint8_t)((i >> 16) & 255);

  293.     cnt[2] = (uint8_t)((i >> 8)) & 255;

  294.     cnt[3] = (uint8_t)(i & 255);

  295.     if (!EVP_DigestInit_ex(&c, dgst, NULL) ||

  296.         !EVP_DigestUpdate(&c, seed, seedlen) ||

  297.         !EVP_DigestUpdate(&c, cnt, 4)) {

  298.       goto err;

  299.     }

  300. 

  301.     if (outlen + mdlen <= len) {

  302.       if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL)) {

  303.         goto err;

  304.       }

  305.       outlen += mdlen;

  306.     } else {

  307.       if (!EVP_DigestFinal_ex(&c, md, NULL)) {

  308.         goto err;

  309.       }

  310.       memcpy(mask + outlen, md, len - outlen);

  311.       outlen = len;

  312.     }

  313.   }

  314.   ret = 0;

  315. 

  316. err:

  317.   EVP_MD_CTX_cleanup(&c);

  318.   return ret;

  319. }

  320. 

  321. int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, unsigned to_len,

  322.                                     const uint8_t *from, unsigned from_len,

  323.                                     const uint8_t *param, unsigned param_len,

  324.                                     const EVP_MD *md, const EVP_MD *mgf1md) {

  325.   unsigned i, emlen, mdlen;

  326.   uint8_t *db, *seed;

  327.   uint8_t *dbmask = NULL, seedmask[EVP_MAX_MD_SIZE];

  328.   int ret = 0;

  329. 

  330.   if (md == NULL) {

  331.     md = EVP_sha1();

  332.   }

  333.   if (mgf1md == NULL) {

  334.     mgf1md = md;

  335.   }

  336. 

  337.   mdlen = EVP_MD_size(md);

  338. 

  339.   if (to_len < 2 * mdlen + 2) {

  340.     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);

  341.     return 0;

  342.   }

  343. 

  344.   emlen = to_len - 1;

  345.   if (from_len > emlen - 2 * mdlen - 1) {

  346.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  347.     return 0;

  348.   }

  349. 

  350.   if (emlen < 2 * mdlen + 1) {

  351.     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);

  352.     return 0;

  353.   }

  354. 

  355.   to[0] = 0;

  356.   seed = to + 1;

  357.   db = to + mdlen + 1;

  358. 

  359.   if (!EVP_Digest(param, param_len, db, NULL, md, NULL)) {

  360.     return 0;

  361.   }

  362.   memset(db + mdlen, 0, emlen - from_len - 2 * mdlen - 1);

  363.   db[emlen - from_len - mdlen - 1] = 0x01;

  364.   memcpy(db + emlen - from_len - mdlen, from, from_len);

  365.   if (!RAND_bytes(seed, mdlen)) {

  366.     return 0;

  367.   }

  368. 

  369.   dbmask = OPENSSL_malloc(emlen - mdlen);

  370.   if (dbmask == NULL) {

  371.     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);

  372.     return 0;

  373.   }

  374. 

  375.   if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0) {

  376.     goto out;

  377.   }

  378.   for (i = 0; i < emlen - mdlen; i++) {

  379.     db[i] ^= dbmask[i];

  380.   }

  381. 

  382.   if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0) {

  383.     goto out;

  384.   }

  385.   for (i = 0; i < mdlen; i++) {

  386.     seed[i] ^= seedmask[i];

  387.   }

  388.   ret = 1;

  389. 

  390. out:

  391.   OPENSSL_free(dbmask);

  392.   return ret;

  393. }

  394. 

  395. int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *to, unsigned to_len,

  396.                                       const uint8_t *from, unsigned from_len,

  397.                                       const uint8_t *param, unsigned param_len,

  398.                                       const EVP_MD *md, const EVP_MD *mgf1md) {

  399.   unsigned i, dblen, mlen = -1, mdlen, bad, looking_for_one_byte, one_index = 0;

  400.   const uint8_t *maskeddb, *maskedseed;

  401.   uint8_t *db = NULL, seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE];

  402. 

  403.   if (md == NULL) {

  404.     md = EVP_sha1();

  405.   }

  406.   if (mgf1md == NULL) {

  407.     mgf1md = md;

  408.   }

  409. 

  410.   mdlen = EVP_MD_size(md);

  411. 

  412.   /* The encoded message is one byte smaller than the modulus to ensure that it

  413.    * doesn't end up greater than the modulus. Thus there's an extra "+1" here

  414.    * compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2. */

  415.   if (from_len < 1 + 2*mdlen + 1) {

  416.     /* 'from_len' is the length of the modulus, i.e. does not depend on the

  417.      * particular ciphertext. */

  418.     goto decoding_err;

  419.   }

  420. 

  421.   dblen = from_len - mdlen - 1;

  422.   db = OPENSSL_malloc(dblen);

  423.   if (db == NULL) {

  424.     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);

  425.     goto err;

  426.   }

  427. 

  428.   maskedseed = from + 1;

  429.   maskeddb = from + 1 + mdlen;

  430. 

  431.   if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {

  432.     goto err;

  433.   }

  434.   for (i = 0; i < mdlen; i++) {

  435.     seed[i] ^= maskedseed[i];

  436.   }

  437. 

  438.   if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {

  439.     goto err;

  440.   }

  441.   for (i = 0; i < dblen; i++) {

  442.     db[i] ^= maskeddb[i];

  443.   }

  444. 

  445.   if (!EVP_Digest(param, param_len, phash, NULL, md, NULL)) {

  446.     goto err;

  447.   }

  448. 

  449.   bad = ~constant_time_is_zero(CRYPTO_memcmp(db, phash, mdlen));

  450.   bad |= ~constant_time_is_zero(from[0]);

  451. 

  452.   looking_for_one_byte = ~0u;

  453.   for (i = mdlen; i < dblen; i++) {

  454.     unsigned equals1 = constant_time_eq(db[i], 1);

  455.     unsigned equals0 = constant_time_eq(db[i], 0);

  456.     one_index = constant_time_select(looking_for_one_byte & equals1, i,

  457.                                      one_index);

  458.     looking_for_one_byte =

  459.         constant_time_select(equals1, 0, looking_for_one_byte);

  460.     bad |= looking_for_one_byte & ~equals0;

  461.   }

  462. 

  463.   bad |= looking_for_one_byte;

  464. 

  465.   if (bad) {

  466.     goto decoding_err;

  467.   }

  468. 

  469.   one_index++;

  470.   mlen = dblen - one_index;

  471.   if (to_len < mlen) {

  472.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);

  473.     mlen = -1;

  474.   } else {

  475.     memcpy(to, db + one_index, mlen);

  476.   }

  477. 

  478.   OPENSSL_free(db);

  479.   return mlen;

  480. 

  481. decoding_err:

  482.   /* to avoid chosen ciphertext attacks, the error message should not reveal

  483.    * which kind of decoding error happened */

  484.   OPENSSL_PUT_ERROR(RSA, RSA_R_OAEP_DECODING_ERROR);

  485.  err:

  486.   OPENSSL_free(db);

  487.   return -1;

  488. }

  489. 

  490. static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};

  491. 

  492. int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,

  493.                               const EVP_MD *Hash, const EVP_MD *mgf1Hash,

  494.                               const uint8_t *EM, int sLen) {

  495.   int i;

  496.   int ret = 0;

  497.   int maskedDBLen, MSBits, emLen;

  498.   size_t hLen;

  499.   const uint8_t *H;

  500.   uint8_t *DB = NULL;

  501.   EVP_MD_CTX ctx;

  502.   uint8_t H_[EVP_MAX_MD_SIZE];

  503.   EVP_MD_CTX_init(&ctx);

  504. 

  505.   if (mgf1Hash == NULL) {

  506.     mgf1Hash = Hash;

  507.   }

  508. 

  509.   hLen = EVP_MD_size(Hash);

  510. 

  511.   /* Negative sLen has special meanings:

  512.    *	-1	sLen == hLen

  513.    *	-2	salt length is autorecovered from signature

  514.    *	-N	reserved */

  515.   if (sLen == -1) {

  516.     sLen = hLen;

  517.   } else if (sLen == -2) {

  518.     sLen = -2;

  519.   } else if (sLen < -2) {

  520.     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);

  521.     goto err;

  522.   }

  523. 

  524.   MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;

  525.   emLen = RSA_size(rsa);

  526.   if (EM[0] & (0xFF << MSBits)) {

  527.     OPENSSL_PUT_ERROR(RSA, RSA_R_FIRST_OCTET_INVALID);

  528.     goto err;

  529.   }

  530.   if (MSBits == 0) {

  531.     EM++;

  532.     emLen--;

  533.   }

  534.   if (emLen < ((int)hLen + sLen + 2)) {

  535.     /* sLen can be small negative */

  536.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);

  537.     goto err;

  538.   }

  539.   if (EM[emLen - 1] != 0xbc) {

  540.     OPENSSL_PUT_ERROR(RSA, RSA_R_LAST_OCTET_INVALID);

  541.     goto err;

  542.   }

  543.   maskedDBLen = emLen - hLen - 1;

  544.   H = EM + maskedDBLen;

  545.   DB = OPENSSL_malloc(maskedDBLen);

  546.   if (!DB) {

  547.     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);

  548.     goto err;

  549.   }

  550.   if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) {

  551.     goto err;

  552.   }

  553.   for (i = 0; i < maskedDBLen; i++) {

  554.     DB[i] ^= EM[i];

  555.   }

  556.   if (MSBits) {

  557.     DB[0] &= 0xFF >> (8 - MSBits);

  558.   }

  559.   for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) {

  560.     ;

  561.   }

  562.   if (DB[i++] != 0x1) {

  563.     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_RECOVERY_FAILED);

  564.     goto err;

  565.   }

  566.   if (sLen >= 0 && (maskedDBLen - i) != sLen) {

  567.     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);

  568.     goto err;

  569.   }

  570.   if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||

  571.       !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||

  572.       !EVP_DigestUpdate(&ctx, mHash, hLen)) {

  573.     goto err;

  574.   }

  575.   if (maskedDBLen - i) {

  576.     if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i)) {

  577.       goto err;

  578.     }

  579.   }

  580.   if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) {

  581.     goto err;

  582.   }

  583.   if (memcmp(H_, H, hLen)) {

  584.     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);

  585.     ret = 0;

  586.   } else {

  587.     ret = 1;

  588.   }

  589. 

  590. err:

  591.   OPENSSL_free(DB);

  592.   EVP_MD_CTX_cleanup(&ctx);

  593. 

  594.   return ret;

  595. }

  596. 

  597. int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,

  598.                                    const unsigned char *mHash,

  599.                                    const EVP_MD *Hash, const EVP_MD *mgf1Hash,

  600.                                    int sLen) {

  601.   int i;

  602.   int ret = 0;

  603.   size_t maskedDBLen, MSBits, emLen;

  604.   size_t hLen;

  605.   unsigned char *H, *salt = NULL, *p;

  606.   EVP_MD_CTX ctx;

  607. 

  608.   if (mgf1Hash == NULL) {

  609.     mgf1Hash = Hash;

  610.   }

  611. 

  612.   hLen = EVP_MD_size(Hash);

  613. 

  614.   /* Negative sLen has special meanings:

  615.    *	-1	sLen == hLen

  616.    *	-2	salt length is maximized

  617.    *	-N	reserved */

  618.   if (sLen == -1) {

  619.     sLen = hLen;

  620.   } else if (sLen == -2) {

  621.     sLen = -2;

  622.   } else if (sLen < -2) {

  623.     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);

  624.     goto err;

  625.   }

  626. 

  627.   if (BN_is_zero(rsa->n)) {

  628.     OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);

  629.     goto err;

  630.   }

  631. 

  632.   MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;

  633.   emLen = RSA_size(rsa);

  634.   if (MSBits == 0) {

  635.     assert(emLen >= 1);

  636.     *EM++ = 0;

  637.     emLen--;

  638.   }

  639.   if (sLen == -2) {

  640.     if (emLen < hLen + 2) {

  641.       OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  642.       goto err;

  643.     }

  644.     sLen = emLen - hLen - 2;

  645.   } else if (emLen < hLen + sLen + 2) {

  646.     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  647.     goto err;

  648.   }

  649.   if (sLen > 0) {

  650.     salt = OPENSSL_malloc(sLen);

  651.     if (!salt) {

  652.       OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);

  653.       goto err;

  654.     }

  655.     if (!RAND_bytes(salt, sLen)) {

  656.       goto err;

  657.     }

  658.   }

  659.   maskedDBLen = emLen - hLen - 1;

  660.   H = EM + maskedDBLen;

  661.   EVP_MD_CTX_init(&ctx);

  662.   if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||

  663.       !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||

  664.       !EVP_DigestUpdate(&ctx, mHash, hLen)) {

  665.     goto err;

  666.   }

  667.   if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen)) {

  668.     goto err;

  669.   }

  670.   if (!EVP_DigestFinal_ex(&ctx, H, NULL)) {

  671.     goto err;

  672.   }

  673.   EVP_MD_CTX_cleanup(&ctx);

  674. 

  675.   /* Generate dbMask in place then perform XOR on it */

  676.   if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {

  677.     goto err;

  678.   }

  679. 

  680.   p = EM;

  681. 

  682.   /* Initial PS XORs with all zeroes which is a NOP so just update

  683.    * pointer. Note from a test above this value is guaranteed to

  684.    * be non-negative. */

  685.   p += emLen - sLen - hLen - 2;

  686.   *p++ ^= 0x1;

  687.   if (sLen > 0) {

  688.     for (i = 0; i < sLen; i++) {

  689.       *p++ ^= salt[i];

  690.     }

  691.   }

  692.   if (MSBits) {

  693.     EM[0] &= 0xFF >> (8 - MSBits);

  694.   }

  695. 

  696.   /* H is already in place so just set final 0xbc */

  697. 

  698.   EM[emLen - 1] = 0xbc;

  699. 

  700.   ret = 1;

  701. 

  702. err:

  703.   OPENSSL_free(salt);

  704. 

  705.   return ret;

  706. }