/src/boringssl/crypto/fipsmodule/rsa/padding.c.inc

Source (jump to first uncovered line)
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
/* ====================================================================
 * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com). */

#include <openssl/rsa.h>

#include <assert.h>
#include <limits.h>
#include <string.h>

#include <openssl/bn.h>
#include <openssl/digest.h>
#include <openssl/err.h>
#include <openssl/mem.h>

#include "internal.h"
#include "../service_indicator/internal.h"
#include "../bcm_interface.h"
#include "../../internal.h"


int RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len,
                                 const uint8_t *from, size_t from_len) {
  // See RFC 8017, section 9.2.
  if (to_len < RSA_PKCS1_PADDING_SIZE) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
    return 0;
  }

  if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
    return 0;
  }

  to[0] = 0;
  to[1] = 1;
  OPENSSL_memset(to + 2, 0xff, to_len - 3 - from_len);
  to[to_len - from_len - 1] = 0;
  OPENSSL_memcpy(to + to_len - from_len, from, from_len);
  return 1;
}

int RSA_padding_check_PKCS1_type_1(uint8_t *out, size_t *out_len,
                                   size_t max_out, const uint8_t *from,
                                   size_t from_len) {
  // See RFC 8017, section 9.2. This is part of signature verification and thus
  // does not need to run in constant-time.
  if (from_len < 2) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);
    return 0;
  }

  // Check the header.
  if (from[0] != 0 || from[1] != 1) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BLOCK_TYPE_IS_NOT_01);
    return 0;
  }

  // Scan over padded data, looking for the 00.
  size_t pad;
  for (pad = 2 /* header */; pad < from_len; pad++) {
    if (from[pad] == 0x00) {
      break;
    }

    if (from[pad] != 0xff) {
      OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT);
      return 0;
    }
  }

  if (pad == from_len) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING);
    return 0;
  }

  if (pad < 2 /* header */ + 8) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_PAD_BYTE_COUNT);
    return 0;
  }

  // Skip over the 00.
  pad++;

  if (from_len - pad > max_out) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
    return 0;
  }

  OPENSSL_memcpy(out, from + pad, from_len - pad);
  *out_len = from_len - pad;
  return 1;
}

int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from,
                         size_t from_len) {
  if (from_len > to_len) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
    return 0;
  }

  if (from_len < to_len) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);
    return 0;
  }

  OPENSSL_memcpy(to, from, from_len);
  return 1;
}

int PKCS1_MGF1(uint8_t *out, size_t len, const uint8_t *seed, size_t seed_len,
               const EVP_MD *md) {
  int ret = 0;
  EVP_MD_CTX ctx;
  EVP_MD_CTX_init(&ctx);
  FIPS_service_indicator_lock_state();

  size_t md_len = EVP_MD_size(md);

  for (uint32_t i = 0; len > 0; i++) {
    uint8_t counter[4];
    counter[0] = (uint8_t)(i >> 24);
    counter[1] = (uint8_t)(i >> 16);
    counter[2] = (uint8_t)(i >> 8);
    counter[3] = (uint8_t)i;
    if (!EVP_DigestInit_ex(&ctx, md, NULL) ||
        !EVP_DigestUpdate(&ctx, seed, seed_len) ||
        !EVP_DigestUpdate(&ctx, counter, sizeof(counter))) {
      goto err;
    }

    if (md_len <= len) {
      if (!EVP_DigestFinal_ex(&ctx, out, NULL)) {
        goto err;
      }
      out += md_len;
      len -= md_len;
    } else {
      uint8_t digest[EVP_MAX_MD_SIZE];
      if (!EVP_DigestFinal_ex(&ctx, digest, NULL)) {
        goto err;
      }
      OPENSSL_memcpy(out, digest, len);
      len = 0;
    }
  }

  ret = 1;

err:
  EVP_MD_CTX_cleanup(&ctx);
  FIPS_service_indicator_unlock_state();
  return ret;
}

static const uint8_t kPSSZeroes[] = {0, 0, 0, 0, 0, 0, 0, 0};

int RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa, const uint8_t *mHash,
                              const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                              const uint8_t *EM, int sLen) {
  if (mgf1Hash == NULL) {
    mgf1Hash = Hash;
  }

  int ret = 0;
  uint8_t *DB = NULL;
  EVP_MD_CTX ctx;
  EVP_MD_CTX_init(&ctx);
  FIPS_service_indicator_lock_state();

  // Negative sLen has special meanings:
  //   -1      sLen == hLen
  //   -2      salt length is autorecovered from signature
  //   -N      reserved
  size_t hLen = EVP_MD_size(Hash);
  if (sLen == -1) {
    sLen = (int)hLen;
  } else if (sLen == -2) {
    sLen = -2;
  } else if (sLen < -2) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
    goto err;
  }

  unsigned MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
  size_t emLen = RSA_size(rsa);
  if (EM[0] & (0xFF << MSBits)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_FIRST_OCTET_INVALID);
    goto err;
  }
  if (MSBits == 0) {
    EM++;
    emLen--;
  }
  // |sLen| may be -2 for the non-standard salt length recovery mode.
  if (emLen < hLen + 2 ||
      (sLen >= 0 && emLen < hLen + (size_t)sLen + 2)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
    goto err;
  }
  if (EM[emLen - 1] != 0xbc) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_LAST_OCTET_INVALID);
    goto err;
  }
  size_t maskedDBLen = emLen - hLen - 1;
  const uint8_t *H = EM + maskedDBLen;
  DB = OPENSSL_malloc(maskedDBLen);
  if (!DB) {
    goto err;
  }
  if (!PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash)) {
    goto err;
  }
  for (size_t i = 0; i < maskedDBLen; i++) {
    DB[i] ^= EM[i];
  }
  if (MSBits) {
    DB[0] &= 0xFF >> (8 - MSBits);
  }
  // This step differs slightly from EMSA-PSS-VERIFY (RFC 8017) step 10 because
  // it accepts a non-standard salt recovery flow. DB should be some number of
  // zeros, a one, then the salt.
  size_t salt_start;
  for (salt_start = 0; DB[salt_start] == 0 && salt_start < maskedDBLen - 1;
       salt_start++) {
    ;
  }
  if (DB[salt_start] != 0x1) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_RECOVERY_FAILED);
    goto err;
  }
  salt_start++;
  // If a salt length was specified, check it matches.
  if (sLen >= 0 && maskedDBLen - salt_start != (size_t)sLen) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
    goto err;
  }
  uint8_t H_[EVP_MAX_MD_SIZE];
  if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
      !EVP_DigestUpdate(&ctx, kPSSZeroes, sizeof(kPSSZeroes)) ||
      !EVP_DigestUpdate(&ctx, mHash, hLen) ||
      !EVP_DigestUpdate(&ctx, DB + salt_start, maskedDBLen - salt_start) ||
      !EVP_DigestFinal_ex(&ctx, H_, NULL)) {
    goto err;
  }
  if (OPENSSL_memcmp(H_, H, hLen) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
    goto err;
  }

  ret = 1;

err:
  OPENSSL_free(DB);
  EVP_MD_CTX_cleanup(&ctx);
  FIPS_service_indicator_unlock_state();
  return ret;
}

int RSA_padding_add_PKCS1_PSS_mgf1(const RSA *rsa, unsigned char *EM,
                                   const unsigned char *mHash,
                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                                   int sLenRequested) {
  int ret = 0;
  size_t maskedDBLen, MSBits, emLen;
  size_t hLen;
  unsigned char *H, *salt = NULL, *p;

  if (mgf1Hash == NULL) {
    mgf1Hash = Hash;
  }

  FIPS_service_indicator_lock_state();
  hLen = EVP_MD_size(Hash);

  if (BN_is_zero(rsa->n)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);
    goto err;
  }

  MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
  emLen = RSA_size(rsa);
  if (MSBits == 0) {
    assert(emLen >= 1);
    *EM++ = 0;
    emLen--;
  }

  if (emLen < hLen + 2) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
    goto err;
  }

  // Negative sLenRequested has special meanings:
  //   -1  sLen == hLen
  //   -2  salt length is maximized
  //   -N  reserved
  size_t sLen;
  if (sLenRequested == -1) {
    sLen = hLen;
  } else if (sLenRequested == -2) {
    sLen = emLen - hLen - 2;
  } else if (sLenRequested < 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
    goto err;
  } else {
    sLen = (size_t)sLenRequested;
  }

  if (emLen - hLen - 2 < sLen) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
    goto err;
  }

  if (sLen > 0) {
    salt = OPENSSL_malloc(sLen);
    if (!salt) {
      goto err;
    }
    BCM_rand_bytes(salt, sLen);
  }
  maskedDBLen = emLen - hLen - 1;
  H = EM + maskedDBLen;

  EVP_MD_CTX ctx;
  EVP_MD_CTX_init(&ctx);
  int digest_ok = EVP_DigestInit_ex(&ctx, Hash, NULL) &&
                  EVP_DigestUpdate(&ctx, kPSSZeroes, sizeof(kPSSZeroes)) &&
                  EVP_DigestUpdate(&ctx, mHash, hLen) &&
                  EVP_DigestUpdate(&ctx, salt, sLen) &&
                  EVP_DigestFinal_ex(&ctx, H, NULL);
  EVP_MD_CTX_cleanup(&ctx);
  if (!digest_ok) {
    goto err;
  }

  // Generate dbMask in place then perform XOR on it
  if (!PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {
    goto err;
  }

  p = EM;
  // Initial PS XORs with all zeroes which is a NOP so just update
  // pointer. Note from a test above this value is guaranteed to
  // be non-negative.
  p += emLen - sLen - hLen - 2;
  *p++ ^= 0x1;
  if (sLen > 0) {
    for (size_t i = 0; i < sLen; i++) {
      *p++ ^= salt[i];
    }
  }
  if (MSBits) {
    EM[0] &= 0xFF >> (8 - MSBits);
  }

  // H is already in place so just set final 0xbc

  EM[emLen - 1] = 0xbc;

  ret = 1;

err:
  OPENSSL_free(salt);
  FIPS_service_indicator_unlock_state();

  return ret;
}

Coverage Report

Created: 2024-11-21 07:03

Line	Count	Source (jump to first uncovered line)
1		/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2		* project 2005.
3		*/
4		/* ====================================================================
5		* Copyright (c) 2005 The OpenSSL Project. All rights reserved.
6		*
7		* Redistribution and use in source and binary forms, with or without
8		* modification, are permitted provided that the following conditions
9		* are met:
10		*
11		* 1. Redistributions of source code must retain the above copyright
12		* notice, this list of conditions and the following disclaimer.
13		*
14		* 2. Redistributions in binary form must reproduce the above copyright
15		* notice, this list of conditions and the following disclaimer in
16		* the documentation and/or other materials provided with the
17		* distribution.
18		*
19		* 3. All advertising materials mentioning features or use of this
20		* software must display the following acknowledgment:
21		* "This product includes software developed by the OpenSSL Project
22		* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23		*
24		* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25		* endorse or promote products derived from this software without
26		* prior written permission. For written permission, please contact
27		* licensing@OpenSSL.org.
28		*
29		* 5. Products derived from this software may not be called "OpenSSL"
30		* nor may "OpenSSL" appear in their names without prior written
31		* permission of the OpenSSL Project.
32		*
33		* 6. Redistributions of any form whatsoever must retain the following
34		* acknowledgment:
35		* "This product includes software developed by the OpenSSL Project
36		* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37		*
38		* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39		* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41		* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42		* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43		* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44		* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45		* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46		* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47		* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48		* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49		* OF THE POSSIBILITY OF SUCH DAMAGE.
50		* ====================================================================
51		*
52		* This product includes cryptographic software written by Eric Young
53		* (eay@cryptsoft.com). This product includes software written by Tim
54		* Hudson (tjh@cryptsoft.com). */
55
56		#include <openssl/rsa.h>
57
58		#include <assert.h>
59		#include <limits.h>
60		#include <string.h>
61
62		#include <openssl/bn.h>
63		#include <openssl/digest.h>
64		#include <openssl/err.h>
65		#include <openssl/mem.h>
66
67		#include "internal.h"
68		#include "../service_indicator/internal.h"
69		#include "../bcm_interface.h"
70		#include "../../internal.h"
71
72
73		int RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len,
74	0	const uint8_t *from, size_t from_len) {
75		// See RFC 8017, section 9.2.
76	0	if (to_len < RSA_PKCS1_PADDING_SIZE) {
77	0	OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
78	0	return 0;
79	0	}
80
81	0	if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {
82	0	OPENSSL_PUT_ERROR(RSA, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
83	0	return 0;
84	0	}
85
86	0	to[0] = 0;
87	0	to[1] = 1;
88	0	OPENSSL_memset(to + 2, 0xff, to_len - 3 - from_len);
89	0	to[to_len - from_len - 1] = 0;
90	0	OPENSSL_memcpy(to + to_len - from_len, from, from_len);
91	0	return 1;
92	0	}
93
94		int RSA_padding_check_PKCS1_type_1(uint8_t out, size_t out_len,
95		size_t max_out, const uint8_t *from,
96	0	size_t from_len) {
97		// See RFC 8017, section 9.2. This is part of signature verification and thus
98		// does not need to run in constant-time.
99	0	if (from_len < 2) {
100	0	OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);
101	0	return 0;
102	0	}
103
104		// Check the header.
105	0	if (from[0] != 0 \|\| from[1] != 1) {
106	0	OPENSSL_PUT_ERROR(RSA, RSA_R_BLOCK_TYPE_IS_NOT_01);
107	0	return 0;
108	0	}
109
110		// Scan over padded data, looking for the 00.
111	0	size_t pad;
112	0	for (pad = 2 /* header */; pad < from_len; pad++) {
113	0	if (from[pad] == 0x00) {
114	0	break;
115	0	}
116
117	0	if (from[pad] != 0xff) {
118	0	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT);
119	0	return 0;
120	0	}
121	0	}
122
123	0	if (pad == from_len) {
124	0	OPENSSL_PUT_ERROR(RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING);
125	0	return 0;
126	0	}
127
128	0	if (pad < 2 /* header */ + 8) {
129	0	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_PAD_BYTE_COUNT);
130	0	return 0;
131	0	}
132
133		// Skip over the 00.
134	0	pad++;
135
136	0	if (from_len - pad > max_out) {
137	0	OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
138	0	return 0;
139	0	}
140
141	0	OPENSSL_memcpy(out, from + pad, from_len - pad);
142	0	*out_len = from_len - pad;
143	0	return 1;
144	0	}
145
146		int RSA_padding_add_none(uint8_t to, size_t to_len, const uint8_t from,
147	0	size_t from_len) {
148	0	if (from_len > to_len) {
149	0	OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
150	0	return 0;
151	0	}
152
153	0	if (from_len < to_len) {
154	0	OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);
155	0	return 0;
156	0	}
157
158	0	OPENSSL_memcpy(to, from, from_len);
159	0	return 1;
160	0	}
161
162		int PKCS1_MGF1(uint8_t out, size_t len, const uint8_t seed, size_t seed_len,
163	0	const EVP_MD *md) {
164	0	int ret = 0;
165	0	EVP_MD_CTX ctx;
166	0	EVP_MD_CTX_init(&ctx);
167	0	FIPS_service_indicator_lock_state();
168
169	0	size_t md_len = EVP_MD_size(md);
170
171	0	for (uint32_t i = 0; len > 0; i++) {
172	0	uint8_t counter[4];
173	0	counter[0] = (uint8_t)(i >> 24);
174	0	counter[1] = (uint8_t)(i >> 16);
175	0	counter[2] = (uint8_t)(i >> 8);
176	0	counter[3] = (uint8_t)i;
177	0	if (!EVP_DigestInit_ex(&ctx, md, NULL) \|\|
178	0	!EVP_DigestUpdate(&ctx, seed, seed_len) \|\|
179	0	!EVP_DigestUpdate(&ctx, counter, sizeof(counter))) {
180	0	goto err;
181	0	}
182
183	0	if (md_len <= len) {
184	0	if (!EVP_DigestFinal_ex(&ctx, out, NULL)) {
185	0	goto err;
186	0	}
187	0	out += md_len;
188	0	len -= md_len;
189	0	} else {
190	0	uint8_t digest[EVP_MAX_MD_SIZE];
191	0	if (!EVP_DigestFinal_ex(&ctx, digest, NULL)) {
192	0	goto err;
193	0	}
194	0	OPENSSL_memcpy(out, digest, len);
195	0	len = 0;
196	0	}
197	0	}
198
199	0	ret = 1;
200
201	0	err:
202	0	EVP_MD_CTX_cleanup(&ctx);
203	0	FIPS_service_indicator_unlock_state();
204	0	return ret;
205	0	}
206
207		static const uint8_t kPSSZeroes[] = {0, 0, 0, 0, 0, 0, 0, 0};
208
209		int RSA_verify_PKCS1_PSS_mgf1(const RSA rsa, const uint8_t mHash,
210		const EVP_MD Hash, const EVP_MD mgf1Hash,
211	0	const uint8_t *EM, int sLen) {
212	0	if (mgf1Hash == NULL) {
213	0	mgf1Hash = Hash;
214	0	}
215
216	0	int ret = 0;
217	0	uint8_t *DB = NULL;
218	0	EVP_MD_CTX ctx;
219	0	EVP_MD_CTX_init(&ctx);
220	0	FIPS_service_indicator_lock_state();
221
222		// Negative sLen has special meanings:
223		// -1 sLen == hLen
224		// -2 salt length is autorecovered from signature
225		// -N reserved
226	0	size_t hLen = EVP_MD_size(Hash);
227	0	if (sLen == -1) {
228	0	sLen = (int)hLen;
229	0	} else if (sLen == -2) {
230	0	sLen = -2;
231	0	} else if (sLen < -2) {
232	0	OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
233	0	goto err;
234	0	}
235
236	0	unsigned MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
237	0	size_t emLen = RSA_size(rsa);
238	0	if (EM[0] & (0xFF << MSBits)) {
239	0	OPENSSL_PUT_ERROR(RSA, RSA_R_FIRST_OCTET_INVALID);
240	0	goto err;
241	0	}
242	0	if (MSBits == 0) {
243	0	EM++;
244	0	emLen--;
245	0	}
246		// \|sLen\| may be -2 for the non-standard salt length recovery mode.
247	0	if (emLen < hLen + 2 \|\|
248	0	(sLen >= 0 && emLen < hLen + (size_t)sLen + 2)) {
249	0	OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
250	0	goto err;
251	0	}
252	0	if (EM[emLen - 1] != 0xbc) {
253	0	OPENSSL_PUT_ERROR(RSA, RSA_R_LAST_OCTET_INVALID);
254	0	goto err;
255	0	}
256	0	size_t maskedDBLen = emLen - hLen - 1;
257	0	const uint8_t *H = EM + maskedDBLen;
258	0	DB = OPENSSL_malloc(maskedDBLen);
259	0	if (!DB) {
260	0	goto err;
261	0	}
262	0	if (!PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash)) {
263	0	goto err;
264	0	}
265	0	for (size_t i = 0; i < maskedDBLen; i++) {
266	0	DB[i] ^= EM[i];
267	0	}
268	0	if (MSBits) {
269	0	DB[0] &= 0xFF >> (8 - MSBits);
270	0	}
271		// This step differs slightly from EMSA-PSS-VERIFY (RFC 8017) step 10 because
272		// it accepts a non-standard salt recovery flow. DB should be some number of
273		// zeros, a one, then the salt.
274	0	size_t salt_start;
275	0	for (salt_start = 0; DB[salt_start] == 0 && salt_start < maskedDBLen - 1;
276	0	salt_start++) {
277	0	;
278	0	}
279	0	if (DB[salt_start] != 0x1) {
280	0	OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_RECOVERY_FAILED);
281	0	goto err;
282	0	}
283	0	salt_start++;
284		// If a salt length was specified, check it matches.
285	0	if (sLen >= 0 && maskedDBLen - salt_start != (size_t)sLen) {
286	0	OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
287	0	goto err;
288	0	}
289	0	uint8_t H_[EVP_MAX_MD_SIZE];
290	0	if (!EVP_DigestInit_ex(&ctx, Hash, NULL) \|\|
291	0	!EVP_DigestUpdate(&ctx, kPSSZeroes, sizeof(kPSSZeroes)) \|\|
292	0	!EVP_DigestUpdate(&ctx, mHash, hLen) \|\|
293	0	!EVP_DigestUpdate(&ctx, DB + salt_start, maskedDBLen - salt_start) \|\|
294	0	!EVP_DigestFinal_ex(&ctx, H_, NULL)) {
295	0	goto err;
296	0	}
297	0	if (OPENSSL_memcmp(H_, H, hLen) != 0) {
298	0	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
299	0	goto err;
300	0	}
301
302	0	ret = 1;
303
304	0	err:
305	0	OPENSSL_free(DB);
306	0	EVP_MD_CTX_cleanup(&ctx);
307	0	FIPS_service_indicator_unlock_state();
308	0	return ret;
309	0	}
310
311		int RSA_padding_add_PKCS1_PSS_mgf1(const RSA rsa, unsigned char EM,
312		const unsigned char *mHash,
313		const EVP_MD Hash, const EVP_MD mgf1Hash,
314	0	int sLenRequested) {
315	0	int ret = 0;
316	0	size_t maskedDBLen, MSBits, emLen;
317	0	size_t hLen;
318	0	unsigned char H, salt = NULL, *p;
319
320	0	if (mgf1Hash == NULL) {
321	0	mgf1Hash = Hash;
322	0	}
323
324	0	FIPS_service_indicator_lock_state();
325	0	hLen = EVP_MD_size(Hash);
326
327	0	if (BN_is_zero(rsa->n)) {
328	0	OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);
329	0	goto err;
330	0	}
331
332	0	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
333	0	emLen = RSA_size(rsa);
334	0	if (MSBits == 0) {
335	0	assert(emLen >= 1);
336	0	*EM++ = 0;
337	0	emLen--;
338	0	}
339
340	0	if (emLen < hLen + 2) {
341	0	OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
342	0	goto err;
343	0	}
344
345		// Negative sLenRequested has special meanings:
346		// -1 sLen == hLen
347		// -2 salt length is maximized
348		// -N reserved
349	0	size_t sLen;
350	0	if (sLenRequested == -1) {
351	0	sLen = hLen;
352	0	} else if (sLenRequested == -2) {
353	0	sLen = emLen - hLen - 2;
354	0	} else if (sLenRequested < 0) {
355	0	OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
356	0	goto err;
357	0	} else {
358	0	sLen = (size_t)sLenRequested;
359	0	}
360
361	0	if (emLen - hLen - 2 < sLen) {
362	0	OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
363	0	goto err;
364	0	}
365
366	0	if (sLen > 0) {
367	0	salt = OPENSSL_malloc(sLen);
368	0	if (!salt) {
369	0	goto err;
370	0	}
371	0	BCM_rand_bytes(salt, sLen);
372	0	}
373	0	maskedDBLen = emLen - hLen - 1;
374	0	H = EM + maskedDBLen;
375
376	0	EVP_MD_CTX ctx;
377	0	EVP_MD_CTX_init(&ctx);
378	0	int digest_ok = EVP_DigestInit_ex(&ctx, Hash, NULL) &&
379	0	EVP_DigestUpdate(&ctx, kPSSZeroes, sizeof(kPSSZeroes)) &&
380	0	EVP_DigestUpdate(&ctx, mHash, hLen) &&
381	0	EVP_DigestUpdate(&ctx, salt, sLen) &&
382	0	EVP_DigestFinal_ex(&ctx, H, NULL);
383	0	EVP_MD_CTX_cleanup(&ctx);
384	0	if (!digest_ok) {
385	0	goto err;
386	0	}
387
388		// Generate dbMask in place then perform XOR on it
389	0	if (!PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {
390	0	goto err;
391	0	}
392
393	0	p = EM;
394		// Initial PS XORs with all zeroes which is a NOP so just update
395		// pointer. Note from a test above this value is guaranteed to
396		// be non-negative.
397	0	p += emLen - sLen - hLen - 2;
398	0	*p++ ^= 0x1;
399	0	if (sLen > 0) {
400	0	for (size_t i = 0; i < sLen; i++) {
401	0	*p++ ^= salt[i];
402	0	}
403	0	}
404	0	if (MSBits) {
405	0	EM[0] &= 0xFF >> (8 - MSBits);
406	0	}
407
408		// H is already in place so just set final 0xbc
409
410	0	EM[emLen - 1] = 0xbc;
411
412	0	ret = 1;
413
414	0	err:
415	0	OPENSSL_free(salt);
416	0	FIPS_service_indicator_unlock_state();
417
418	0	return ret;
419	0	}