• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2  * project 2005.
3  */
4 /* ====================================================================
5  * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  *
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in
16  *    the documentation and/or other materials provided with the
17  *    distribution.
18  *
19  * 3. All advertising materials mentioning features or use of this
20  *    software must display the following acknowledgment:
21  *    "This product includes software developed by the OpenSSL Project
22  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23  *
24  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25  *    endorse or promote products derived from this software without
26  *    prior written permission. For written permission, please contact
27  *    licensing@OpenSSL.org.
28  *
29  * 5. Products derived from this software may not be called "OpenSSL"
30  *    nor may "OpenSSL" appear in their names without prior written
31  *    permission of the OpenSSL Project.
32  *
33  * 6. Redistributions of any form whatsoever must retain the following
34  *    acknowledgment:
35  *    "This product includes software developed by the OpenSSL Project
36  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37  *
38  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
42  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49  * OF THE POSSIBILITY OF SUCH DAMAGE.
50  * ====================================================================
51  *
52  * This product includes cryptographic software written by Eric Young
53  * (eay@cryptsoft.com).  This product includes software written by Tim
54  * Hudson (tjh@cryptsoft.com). */
55 
56 #include <openssl/rsa.h>
57 
58 #include <assert.h>
59 #include <limits.h>
60 #include <string.h>
61 
62 #include <openssl/digest.h>
63 #include <openssl/err.h>
64 #include <openssl/mem.h>
65 #include <openssl/rand.h>
66 #include <openssl/sha.h>
67 
68 #include "internal.h"
69 #include "../internal.h"
70 
71 /* TODO(fork): don't the check functions have to be constant time? */
72 
RSA_padding_add_PKCS1_type_1(uint8_t * to,unsigned to_len,const uint8_t * from,unsigned from_len)73 int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned to_len,
74                                  const uint8_t *from, unsigned from_len) {
75   unsigned j;
76   uint8_t *p;
77 
78   if (to_len < RSA_PKCS1_PADDING_SIZE) {
79     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
80     return 0;
81   }
82 
83   if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {
84     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
85     return 0;
86   }
87 
88   p = (uint8_t *)to;
89 
90   *(p++) = 0;
91   *(p++) = 1; /* Private Key BT (Block Type) */
92 
93   /* pad out with 0xff data */
94   j = to_len - 3 - from_len;
95   memset(p, 0xff, j);
96   p += j;
97   *(p++) = 0;
98   memcpy(p, from, (unsigned int)from_len);
99   return 1;
100 }
101 
RSA_padding_check_PKCS1_type_1(uint8_t * to,unsigned to_len,const uint8_t * from,unsigned from_len)102 int RSA_padding_check_PKCS1_type_1(uint8_t *to, unsigned to_len,
103                                    const uint8_t *from, unsigned from_len) {
104   unsigned i, j;
105   const uint8_t *p;
106 
107   if (from_len < 2) {
108     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);
109     return -1;
110   }
111 
112   p = from;
113   if ((*(p++) != 0) || (*(p++) != 1)) {
114     OPENSSL_PUT_ERROR(RSA, RSA_R_BLOCK_TYPE_IS_NOT_01);
115     return -1;
116   }
117 
118   /* scan over padding data */
119   j = from_len - 2; /* one for leading 00, one for type. */
120   for (i = 0; i < j; i++) {
121     /* should decrypt to 0xff */
122     if (*p != 0xff) {
123       if (*p == 0) {
124         p++;
125         break;
126       } else {
127         OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT);
128         return -1;
129       }
130     }
131     p++;
132   }
133 
134   if (i == j) {
135     OPENSSL_PUT_ERROR(RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING);
136     return -1;
137   }
138 
139   if (i < 8) {
140     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_PAD_BYTE_COUNT);
141     return -1;
142   }
143   i++; /* Skip over the '\0' */
144   j -= i;
145   if (j > to_len) {
146     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
147     return -1;
148   }
149   memcpy(to, p, j);
150 
151   return j;
152 }
153 
RSA_padding_add_PKCS1_type_2(uint8_t * to,unsigned to_len,const uint8_t * from,unsigned from_len)154 int RSA_padding_add_PKCS1_type_2(uint8_t *to, unsigned to_len,
155                                  const uint8_t *from, unsigned from_len) {
156   unsigned i, j;
157   uint8_t *p;
158 
159   if (to_len < RSA_PKCS1_PADDING_SIZE) {
160     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
161     return 0;
162   }
163 
164   if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {
165     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
166     return 0;
167   }
168 
169   p = (unsigned char *)to;
170 
171   *(p++) = 0;
172   *(p++) = 2; /* Public Key BT (Block Type) */
173 
174   /* pad out with non-zero random data */
175   j = to_len - 3 - from_len;
176 
177   if (!RAND_bytes(p, j)) {
178     return 0;
179   }
180 
181   for (i = 0; i < j; i++) {
182     while (*p == 0) {
183       if (!RAND_bytes(p, 1)) {
184         return 0;
185       }
186     }
187     p++;
188   }
189 
190   *(p++) = 0;
191 
192   memcpy(p, from, (unsigned int)from_len);
193   return 1;
194 }
195 
RSA_padding_check_PKCS1_type_2(uint8_t * to,unsigned to_len,const uint8_t * from,unsigned from_len)196 int RSA_padding_check_PKCS1_type_2(uint8_t *to, unsigned to_len,
197                                    const uint8_t *from, unsigned from_len) {
198   if (from_len == 0) {
199     OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);
200     return -1;
201   }
202 
203   /* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
204    * Standard", section 7.2.2. */
205   if (from_len < RSA_PKCS1_PADDING_SIZE) {
206     /* |from| is zero-padded to the size of the RSA modulus, a public value, so
207      * this can be rejected in non-constant time. */
208     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
209     return -1;
210   }
211 
212   unsigned first_byte_is_zero = constant_time_eq(from[0], 0);
213   unsigned second_byte_is_two = constant_time_eq(from[1], 2);
214 
215   unsigned i, zero_index = 0, looking_for_index = ~0u;
216   for (i = 2; i < from_len; i++) {
217     unsigned equals0 = constant_time_is_zero(from[i]);
218     zero_index = constant_time_select(looking_for_index & equals0, (unsigned)i,
219                                       zero_index);
220     looking_for_index = constant_time_select(equals0, 0, looking_for_index);
221   }
222 
223   /* The input must begin with 00 02. */
224   unsigned valid_index = first_byte_is_zero;
225   valid_index &= second_byte_is_two;
226 
227   /* We must have found the end of PS. */
228   valid_index &= ~looking_for_index;
229 
230   /* PS must be at least 8 bytes long, and it starts two bytes into |from|. */
231   valid_index &= constant_time_ge(zero_index, 2 + 8);
232 
233   /* Skip the zero byte. */
234   zero_index++;
235 
236   /* NOTE: Although this logic attempts to be constant time, the API contracts
237    * of this function and |RSA_decrypt| with |RSA_PKCS1_PADDING| make it
238    * impossible to completely avoid Bleichenbacher's attack. Consumers should
239    * use |RSA_unpad_key_pkcs1|. */
240   if (!valid_index) {
241     OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);
242     return -1;
243   }
244 
245   const unsigned msg_len = from_len - zero_index;
246   if (msg_len > to_len) {
247     /* This shouldn't happen because this function is always called with
248      * |to_len| as the key size and |from_len| is bounded by the key size. */
249     OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);
250     return -1;
251   }
252 
253   if (msg_len > INT_MAX) {
254     OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
255     return -1;
256   }
257 
258   memcpy(to, &from[zero_index], msg_len);
259   return (int)msg_len;
260 }
261 
RSA_padding_add_none(uint8_t * to,unsigned to_len,const uint8_t * from,unsigned from_len)262 int RSA_padding_add_none(uint8_t *to, unsigned to_len, const uint8_t *from,
263                          unsigned from_len) {
264   if (from_len > to_len) {
265     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
266     return 0;
267   }
268 
269   if (from_len < to_len) {
270     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
271     return 0;
272   }
273 
274   memcpy(to, from, (unsigned int)from_len);
275   return 1;
276 }
277 
PKCS1_MGF1(uint8_t * mask,unsigned len,const uint8_t * seed,unsigned seedlen,const EVP_MD * dgst)278 int PKCS1_MGF1(uint8_t *mask, unsigned len, const uint8_t *seed,
279                unsigned seedlen, const EVP_MD *dgst) {
280   unsigned outlen = 0;
281   uint32_t i;
282   uint8_t cnt[4];
283   EVP_MD_CTX c;
284   uint8_t md[EVP_MAX_MD_SIZE];
285   unsigned mdlen;
286   int ret = -1;
287 
288   EVP_MD_CTX_init(&c);
289   mdlen = EVP_MD_size(dgst);
290 
291   for (i = 0; outlen < len; i++) {
292     cnt[0] = (uint8_t)((i >> 24) & 255);
293     cnt[1] = (uint8_t)((i >> 16) & 255);
294     cnt[2] = (uint8_t)((i >> 8)) & 255;
295     cnt[3] = (uint8_t)(i & 255);
296     if (!EVP_DigestInit_ex(&c, dgst, NULL) ||
297         !EVP_DigestUpdate(&c, seed, seedlen) ||
298         !EVP_DigestUpdate(&c, cnt, 4)) {
299       goto err;
300     }
301 
302     if (outlen + mdlen <= len) {
303       if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL)) {
304         goto err;
305       }
306       outlen += mdlen;
307     } else {
308       if (!EVP_DigestFinal_ex(&c, md, NULL)) {
309         goto err;
310       }
311       memcpy(mask + outlen, md, len - outlen);
312       outlen = len;
313     }
314   }
315   ret = 0;
316 
317 err:
318   EVP_MD_CTX_cleanup(&c);
319   return ret;
320 }
321 
RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t * to,unsigned to_len,const uint8_t * from,unsigned from_len,const uint8_t * param,unsigned param_len,const EVP_MD * md,const EVP_MD * mgf1md)322 int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, unsigned to_len,
323                                     const uint8_t *from, unsigned from_len,
324                                     const uint8_t *param, unsigned param_len,
325                                     const EVP_MD *md, const EVP_MD *mgf1md) {
326   unsigned i, emlen, mdlen;
327   uint8_t *db, *seed;
328   uint8_t *dbmask = NULL, seedmask[EVP_MAX_MD_SIZE];
329   int ret = 0;
330 
331   if (md == NULL) {
332     md = EVP_sha1();
333   }
334   if (mgf1md == NULL) {
335     mgf1md = md;
336   }
337 
338   mdlen = EVP_MD_size(md);
339 
340   if (to_len < 2 * mdlen + 2) {
341     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
342     return 0;
343   }
344 
345   emlen = to_len - 1;
346   if (from_len > emlen - 2 * mdlen - 1) {
347     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
348     return 0;
349   }
350 
351   if (emlen < 2 * mdlen + 1) {
352     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
353     return 0;
354   }
355 
356   to[0] = 0;
357   seed = to + 1;
358   db = to + mdlen + 1;
359 
360   if (!EVP_Digest((void *)param, param_len, db, NULL, md, NULL)) {
361     return 0;
362   }
363   memset(db + mdlen, 0, emlen - from_len - 2 * mdlen - 1);
364   db[emlen - from_len - mdlen - 1] = 0x01;
365   memcpy(db + emlen - from_len - mdlen, from, from_len);
366   if (!RAND_bytes(seed, mdlen)) {
367     return 0;
368   }
369 
370   dbmask = OPENSSL_malloc(emlen - mdlen);
371   if (dbmask == NULL) {
372     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
373     return 0;
374   }
375 
376   if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0) {
377     goto out;
378   }
379   for (i = 0; i < emlen - mdlen; i++) {
380     db[i] ^= dbmask[i];
381   }
382 
383   if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0) {
384     goto out;
385   }
386   for (i = 0; i < mdlen; i++) {
387     seed[i] ^= seedmask[i];
388   }
389   ret = 1;
390 
391 out:
392   OPENSSL_free(dbmask);
393   return ret;
394 }
395 
RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t * to,unsigned to_len,const uint8_t * from,unsigned from_len,const uint8_t * param,unsigned param_len,const EVP_MD * md,const EVP_MD * mgf1md)396 int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *to, unsigned to_len,
397                                       const uint8_t *from, unsigned from_len,
398                                       const uint8_t *param, unsigned param_len,
399                                       const EVP_MD *md, const EVP_MD *mgf1md) {
400   unsigned i, dblen, mlen = -1, mdlen, bad, looking_for_one_byte, one_index = 0;
401   const uint8_t *maskeddb, *maskedseed;
402   uint8_t *db = NULL, seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE];
403 
404   if (md == NULL) {
405     md = EVP_sha1();
406   }
407   if (mgf1md == NULL) {
408     mgf1md = md;
409   }
410 
411   mdlen = EVP_MD_size(md);
412 
413   /* The encoded message is one byte smaller than the modulus to ensure that it
414    * doesn't end up greater than the modulus. Thus there's an extra "+1" here
415    * compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2. */
416   if (from_len < 1 + 2*mdlen + 1) {
417     /* 'from_len' is the length of the modulus, i.e. does not depend on the
418      * particular ciphertext. */
419     goto decoding_err;
420   }
421 
422   dblen = from_len - mdlen - 1;
423   db = OPENSSL_malloc(dblen);
424   if (db == NULL) {
425     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
426     goto err;
427   }
428 
429   maskedseed = from + 1;
430   maskeddb = from + 1 + mdlen;
431 
432   if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {
433     goto err;
434   }
435   for (i = 0; i < mdlen; i++) {
436     seed[i] ^= maskedseed[i];
437   }
438 
439   if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {
440     goto err;
441   }
442   for (i = 0; i < dblen; i++) {
443     db[i] ^= maskeddb[i];
444   }
445 
446   if (!EVP_Digest((void *)param, param_len, phash, NULL, md, NULL)) {
447     goto err;
448   }
449 
450   bad = ~constant_time_is_zero(CRYPTO_memcmp(db, phash, mdlen));
451   bad |= ~constant_time_is_zero(from[0]);
452 
453   looking_for_one_byte = ~0u;
454   for (i = mdlen; i < dblen; i++) {
455     unsigned equals1 = constant_time_eq(db[i], 1);
456     unsigned equals0 = constant_time_eq(db[i], 0);
457     one_index = constant_time_select(looking_for_one_byte & equals1, i,
458                                      one_index);
459     looking_for_one_byte =
460         constant_time_select(equals1, 0, looking_for_one_byte);
461     bad |= looking_for_one_byte & ~equals0;
462   }
463 
464   bad |= looking_for_one_byte;
465 
466   if (bad) {
467     goto decoding_err;
468   }
469 
470   one_index++;
471   mlen = dblen - one_index;
472   if (to_len < mlen) {
473     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
474     mlen = -1;
475   } else {
476     memcpy(to, db + one_index, mlen);
477   }
478 
479   OPENSSL_free(db);
480   return mlen;
481 
482 decoding_err:
483   /* to avoid chosen ciphertext attacks, the error message should not reveal
484    * which kind of decoding error happened */
485   OPENSSL_PUT_ERROR(RSA, RSA_R_OAEP_DECODING_ERROR);
486  err:
487   OPENSSL_free(db);
488   return -1;
489 }
490 
491 static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
492 
RSA_verify_PKCS1_PSS_mgf1(RSA * rsa,const uint8_t * mHash,const EVP_MD * Hash,const EVP_MD * mgf1Hash,const uint8_t * EM,int sLen)493 int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
494                               const EVP_MD *Hash, const EVP_MD *mgf1Hash,
495                               const uint8_t *EM, int sLen) {
496   int i;
497   int ret = 0;
498   int maskedDBLen, MSBits, emLen;
499   size_t hLen;
500   const uint8_t *H;
501   uint8_t *DB = NULL;
502   EVP_MD_CTX ctx;
503   uint8_t H_[EVP_MAX_MD_SIZE];
504   EVP_MD_CTX_init(&ctx);
505 
506   if (mgf1Hash == NULL) {
507     mgf1Hash = Hash;
508   }
509 
510   hLen = EVP_MD_size(Hash);
511 
512   /* Negative sLen has special meanings:
513    *	-1	sLen == hLen
514    *	-2	salt length is autorecovered from signature
515    *	-N	reserved */
516   if (sLen == -1) {
517     sLen = hLen;
518   } else if (sLen == -2) {
519     sLen = -2;
520   } else if (sLen < -2) {
521     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
522     goto err;
523   }
524 
525   MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
526   emLen = RSA_size(rsa);
527   if (EM[0] & (0xFF << MSBits)) {
528     OPENSSL_PUT_ERROR(RSA, RSA_R_FIRST_OCTET_INVALID);
529     goto err;
530   }
531   if (MSBits == 0) {
532     EM++;
533     emLen--;
534   }
535   if (emLen < ((int)hLen + sLen + 2)) {
536     /* sLen can be small negative */
537     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
538     goto err;
539   }
540   if (EM[emLen - 1] != 0xbc) {
541     OPENSSL_PUT_ERROR(RSA, RSA_R_LAST_OCTET_INVALID);
542     goto err;
543   }
544   maskedDBLen = emLen - hLen - 1;
545   H = EM + maskedDBLen;
546   DB = OPENSSL_malloc(maskedDBLen);
547   if (!DB) {
548     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
549     goto err;
550   }
551   if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) {
552     goto err;
553   }
554   for (i = 0; i < maskedDBLen; i++) {
555     DB[i] ^= EM[i];
556   }
557   if (MSBits) {
558     DB[0] &= 0xFF >> (8 - MSBits);
559   }
560   for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) {
561     ;
562   }
563   if (DB[i++] != 0x1) {
564     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_RECOVERY_FAILED);
565     goto err;
566   }
567   if (sLen >= 0 && (maskedDBLen - i) != sLen) {
568     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
569     goto err;
570   }
571   if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
572       !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
573       !EVP_DigestUpdate(&ctx, mHash, hLen)) {
574     goto err;
575   }
576   if (maskedDBLen - i) {
577     if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i)) {
578       goto err;
579     }
580   }
581   if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) {
582     goto err;
583   }
584   if (memcmp(H_, H, hLen)) {
585     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
586     ret = 0;
587   } else {
588     ret = 1;
589   }
590 
591 err:
592   OPENSSL_free(DB);
593   EVP_MD_CTX_cleanup(&ctx);
594 
595   return ret;
596 }
597 
RSA_padding_add_PKCS1_PSS_mgf1(RSA * rsa,unsigned char * EM,const unsigned char * mHash,const EVP_MD * Hash,const EVP_MD * mgf1Hash,int sLen)598 int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
599                                    const unsigned char *mHash,
600                                    const EVP_MD *Hash, const EVP_MD *mgf1Hash,
601                                    int sLen) {
602   int i;
603   int ret = 0;
604   size_t maskedDBLen, MSBits, emLen;
605   size_t hLen;
606   unsigned char *H, *salt = NULL, *p;
607   EVP_MD_CTX ctx;
608 
609   if (mgf1Hash == NULL) {
610     mgf1Hash = Hash;
611   }
612 
613   hLen = EVP_MD_size(Hash);
614 
615   /* Negative sLen has special meanings:
616    *	-1	sLen == hLen
617    *	-2	salt length is maximized
618    *	-N	reserved */
619   if (sLen == -1) {
620     sLen = hLen;
621   } else if (sLen == -2) {
622     sLen = -2;
623   } else if (sLen < -2) {
624     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
625     goto err;
626   }
627 
628   if (BN_is_zero(rsa->n)) {
629     OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);
630     goto err;
631   }
632 
633   MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
634   emLen = RSA_size(rsa);
635   if (MSBits == 0) {
636     assert(emLen >= 1);
637     *EM++ = 0;
638     emLen--;
639   }
640   if (sLen == -2) {
641     if (emLen < hLen + 2) {
642       OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
643       goto err;
644     }
645     sLen = emLen - hLen - 2;
646   } else if (emLen < hLen + sLen + 2) {
647     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
648     goto err;
649   }
650   if (sLen > 0) {
651     salt = OPENSSL_malloc(sLen);
652     if (!salt) {
653       OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
654       goto err;
655     }
656     if (!RAND_bytes(salt, sLen)) {
657       goto err;
658     }
659   }
660   maskedDBLen = emLen - hLen - 1;
661   H = EM + maskedDBLen;
662   EVP_MD_CTX_init(&ctx);
663   if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
664       !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
665       !EVP_DigestUpdate(&ctx, mHash, hLen)) {
666     goto err;
667   }
668   if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen)) {
669     goto err;
670   }
671   if (!EVP_DigestFinal_ex(&ctx, H, NULL)) {
672     goto err;
673   }
674   EVP_MD_CTX_cleanup(&ctx);
675 
676   /* Generate dbMask in place then perform XOR on it */
677   if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {
678     goto err;
679   }
680 
681   p = EM;
682 
683   /* Initial PS XORs with all zeroes which is a NOP so just update
684    * pointer. Note from a test above this value is guaranteed to
685    * be non-negative. */
686   p += emLen - sLen - hLen - 2;
687   *p++ ^= 0x1;
688   if (sLen > 0) {
689     for (i = 0; i < sLen; i++) {
690       *p++ ^= salt[i];
691     }
692   }
693   if (MSBits) {
694     EM[0] &= 0xFF >> (8 - MSBits);
695   }
696 
697   /* H is already in place so just set final 0xbc */
698 
699   EM[emLen - 1] = 0xbc;
700 
701   ret = 1;
702 
703 err:
704   OPENSSL_free(salt);
705 
706   return ret;
707 }
708