51     int mdlen, dbmask_len = 0;  in RSA_padding_add_PKCS1_OAEP_mgf1()  local
58     mdlen = EVP_MD_size(md);  in RSA_padding_add_PKCS1_OAEP_mgf1()
60     if (flen > emlen - 2 * mdlen - 1) {  in RSA_padding_add_PKCS1_OAEP_mgf1()
66     if (emlen < 2 * mdlen + 1) {  in RSA_padding_add_PKCS1_OAEP_mgf1()
74     db = to + mdlen + 1;  in RSA_padding_add_PKCS1_OAEP_mgf1()
78     memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);  in RSA_padding_add_PKCS1_OAEP_mgf1()
79     db[emlen - flen - mdlen - 1] = 0x01;  in RSA_padding_add_PKCS1_OAEP_mgf1()
80     memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);  in RSA_padding_add_PKCS1_OAEP_mgf1()
81     if (RAND_bytes(seed, mdlen) <= 0)  in RSA_padding_add_PKCS1_OAEP_mgf1()
84     dbmask_len = emlen - mdlen;  in RSA_padding_add_PKCS1_OAEP_mgf1()
91     if (PKCS1_MGF1(dbmask, dbmask_len, seed, mdlen, mgf1md) < 0)  in RSA_padding_add_PKCS1_OAEP_mgf1()
96     if (PKCS1_MGF1(seedmask, mdlen, db, dbmask_len, mgf1md) < 0)  in RSA_padding_add_PKCS1_OAEP_mgf1()
98     for (i = 0; i < mdlen; i++)  in RSA_padding_add_PKCS1_OAEP_mgf1()
131     int mdlen;  in RSA_padding_check_PKCS1_OAEP_mgf1()  local
138     mdlen = EVP_MD_size(md);  in RSA_padding_check_PKCS1_OAEP_mgf1()
150     if (num < flen || num < 2 * mdlen + 2) {  in RSA_padding_check_PKCS1_OAEP_mgf1()
156     dblen = num - mdlen - 1;  in RSA_padding_check_PKCS1_OAEP_mgf1()
191     maskeddb = em + 1 + mdlen;  in RSA_padding_check_PKCS1_OAEP_mgf1()
193     if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))  in RSA_padding_check_PKCS1_OAEP_mgf1()
195     for (i = 0; i < mdlen; i++)  in RSA_padding_check_PKCS1_OAEP_mgf1()
198     if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md))  in RSA_padding_check_PKCS1_OAEP_mgf1()
206     good &= constant_time_is_zero(CRYPTO_memcmp(db, phash, mdlen));  in RSA_padding_check_PKCS1_OAEP_mgf1()
209     for (i = mdlen; i < dblen; i++) {  in RSA_padding_check_PKCS1_OAEP_mgf1()
246     tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),  in RSA_padding_check_PKCS1_OAEP_mgf1()
247                                     dblen - mdlen - 1, tlen);  in RSA_padding_check_PKCS1_OAEP_mgf1()
248     for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) {  in RSA_padding_check_PKCS1_OAEP_mgf1()
249         mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0);  in RSA_padding_check_PKCS1_OAEP_mgf1()
250         for (i = mdlen + 1; i < dblen - msg_index; i++)  in RSA_padding_check_PKCS1_OAEP_mgf1()
255         to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]);  in RSA_padding_check_PKCS1_OAEP_mgf1()
280     int mdlen;  in PKCS1_MGF1()  local
285     mdlen = EVP_MD_size(dgst);  in PKCS1_MGF1()
286     if (mdlen < 0)  in PKCS1_MGF1()
297         if (outlen + mdlen <= len) {  in PKCS1_MGF1()
300             outlen += mdlen;  in PKCS1_MGF1()