/src/openssl30/crypto/rsa/rsa_pss.c

Source (jump to first uncovered line)
/*
 * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_local.h"

static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };

#if defined(_MSC_VER) && defined(_ARM_)
# pragma optimize("g", off)
#endif

int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
                         const EVP_MD *Hash, const unsigned char *EM,
                         int sLen)
{
    return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
}

int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
                              const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                              const unsigned char *EM, int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    const unsigned char *H;
    unsigned char *DB = NULL;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    unsigned char H_[EVP_MAX_MD_SIZE];

    if (ctx == NULL)
        goto err;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is autorecovered from signature
     *      -3      salt length is maximized
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen < RSA_PSS_SALTLEN_MAX) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (EM[0] & (0xFF << MSBits)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
        goto err;
    }
    if (MSBits == 0) {
        EM++;
        emLen--;
    }
    if (emLen < hLen + 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (EM[emLen - 1] != 0xbc) {
        ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
        goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    DB = OPENSSL_malloc(maskedDBLen);
    if (DB == NULL) {
        ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
        goto err;
    for (i = 0; i < maskedDBLen; i++)
        DB[i] ^= EM[i];
    if (MSBits)
        DB[0] &= 0xFF >> (8 - MSBits);
    for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
    if (DB[i++] != 0x1) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
        goto err;
    }
    if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
        ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
                       "expected: %d retrieved: %d", sLen,
                       maskedDBLen - i);
        goto err;
    }
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (maskedDBLen - i) {
        if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
            goto err;
    }
    if (!EVP_DigestFinal_ex(ctx, H_, NULL))
        goto err;
    if (memcmp(H_, H, hLen)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
        ret = 0;
    } else {
        ret = 1;
    }

 err:
    OPENSSL_free(DB);
    EVP_MD_CTX_free(ctx);

    return ret;

}

int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
                              const unsigned char *mHash,
                              const EVP_MD *Hash, int sLen)
{
    return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
}

int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
                                   const unsigned char *mHash,
                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                                   int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    unsigned char *H, *salt = NULL, *p;
    EVP_MD_CTX *ctx = NULL;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is maximized
     *      -3      same as above (on signing)
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
        sLen = RSA_PSS_SALTLEN_MAX;
    } else if (sLen < RSA_PSS_SALTLEN_MAX) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (MSBits == 0) {
        *EM++ = 0;
        emLen--;
    }
    if (emLen < hLen + 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen > 0) {
        salt = OPENSSL_malloc(sLen);
        if (salt == NULL) {
            ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
            goto err;
        }
        if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
            goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    ctx = EVP_MD_CTX_new();
    if (ctx == NULL)
        goto err;
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
        goto err;
    if (!EVP_DigestFinal_ex(ctx, H, NULL))
        goto err;

    /* Generate dbMask in place then perform XOR on it */
    if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
        goto err;

    p = EM;

    /*
     * Initial PS XORs with all zeroes which is a NOP so just update pointer.
     * Note from a test above this value is guaranteed to be non-negative.
     */
    p += emLen - sLen - hLen - 2;
    *p++ ^= 0x1;
    if (sLen > 0) {
        for (i = 0; i < sLen; i++)
            *p++ ^= salt[i];
    }
    if (MSBits)
        EM[0] &= 0xFF >> (8 - MSBits);

    /* H is already in place so just set final 0xbc */

    EM[emLen - 1] = 0xbc;

    ret = 1;

 err:
    EVP_MD_CTX_free(ctx);
    OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */

    return ret;

}

/*
 * The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
 * (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
 *
 * If the default values of the hashAlgorithm, maskGenAlgorithm, and
 * trailerField fields of RSASSA-PSS-params are used, then the algorithm
 * identifier will have the following value:
 *
 *     rSASSA-PSS-Default-Identifier    RSASSA-AlgorithmIdentifier ::= {
 *         algorithm   id-RSASSA-PSS,
 *         parameters  RSASSA-PSS-params : {
 *             hashAlgorithm       sha1,
 *             maskGenAlgorithm    mgf1SHA1,
 *             saltLength          20,
 *             trailerField        trailerFieldBC
 *         }
 *     }
 *
 *     RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
 *         {PKCS1Algorithms}
 *     }
 */
static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
    NID_sha1,                    /* default hashAlgorithm */
    {
        NID_mgf1,                /* default maskGenAlgorithm */
        NID_sha1                 /* default MGF1 hash */
    },
    20,                          /* default saltLength */
    1                            /* default trailerField (0xBC) */
};

int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return 0;
    *rsa_pss_params = default_RSASSA_PSS_params;
    return 1;
}

int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    static RSA_PSS_PARAMS_30 pss_params_cmp = { 0, };

    return rsa_pss_params == NULL
        || memcmp(rsa_pss_params, &pss_params_cmp,
                  sizeof(*rsa_pss_params)) == 0;
}

int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
                                const RSA_PSS_PARAMS_30 *from)
{
    memcpy(to, from, sizeof(*to));
    return 1;
}

int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                       int hashalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->hash_algorithm_nid = hashalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_maskgenalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                          int maskgenalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->mask_gen.algorithm_nid = maskgenalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                              int maskgenhashalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                       int saltlen)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->salt_len = saltlen;
    return 1;
}

int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                            int trailerfield)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->trailer_field = trailerfield;
    return 1;
}

int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.hash_algorithm_nid;
    return rsa_pss_params->hash_algorithm_nid;
}

int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
    return rsa_pss_params->mask_gen.algorithm_nid;
}

int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.hash_algorithm_nid;
    return rsa_pss_params->mask_gen.hash_algorithm_nid;
}

int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.salt_len;
    return rsa_pss_params->salt_len;
}

int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.trailer_field;
    return rsa_pss_params->trailer_field;
}

#if defined(_MSC_VER)
# pragma optimize("",on)
#endif

Coverage Report

Created: 2025-06-13 06:58

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* RSA low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <stdio.h>
17		#include "internal/cryptlib.h"
18		#include <openssl/bn.h>
19		#include <openssl/rsa.h>
20		#include <openssl/evp.h>
21		#include <openssl/rand.h>
22		#include <openssl/sha.h>
23		#include "rsa_local.h"
24
25		static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
26
27		#if defined(_MSC_VER) && defined(_ARM_)
28		# pragma optimize("g", off)
29		#endif
30
31		int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,
32		const EVP_MD Hash, const unsigned char EM,
33		int sLen)
34	0	{
35	0	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
36	0	}
37
38		int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
39		const EVP_MD Hash, const EVP_MD mgf1Hash,
40		const unsigned char *EM, int sLen)
41	922	{
42	922	int i;
43	922	int ret = 0;
44	922	int hLen, maskedDBLen, MSBits, emLen;
45	922	const unsigned char *H;
46	922	unsigned char *DB = NULL;
47	922	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
48	922	unsigned char H_[EVP_MAX_MD_SIZE];
49
50	922	if (ctx == NULL)
51	0	goto err;
52
53	922	if (mgf1Hash == NULL)
54	0	mgf1Hash = Hash;
55
56	922	hLen = EVP_MD_get_size(Hash);
57	922	if (hLen < 0)
58	0	goto err;
59		/*-
60		* Negative sLen has special meanings:
61		* -1 sLen == hLen
62		* -2 salt length is autorecovered from signature
63		* -3 salt length is maximized
64		* -N reserved
65		*/
66	922	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
67	61	sLen = hLen;
68	861	} else if (sLen < RSA_PSS_SALTLEN_MAX) {
69	0	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
70	0	goto err;
71	0	}
72
73	922	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
74	922	emLen = RSA_size(rsa);
75	922	if (EM[0] & (0xFF << MSBits)) {
76	196	ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
77	196	goto err;
78	196	}
79	726	if (MSBits == 0) {
80	21	EM++;
81	21	emLen--;
82	21	}
83	726	if (emLen < hLen + 2) {
84	8	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
85	8	goto err;
86	8	}
87	718	if (sLen == RSA_PSS_SALTLEN_MAX) {
88	0	sLen = emLen - hLen - 2;
89	718	} else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
90	5	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
91	5	goto err;
92	5	}
93	713	if (EM[emLen - 1] != 0xbc) {
94	652	ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
95	652	goto err;
96	652	}
97	61	maskedDBLen = emLen - hLen - 1;
98	61	H = EM + maskedDBLen;
99	61	DB = OPENSSL_malloc(maskedDBLen);
100	61	if (DB == NULL) {
101	0	ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
102	0	goto err;
103	0	}
104	61	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
105	0	goto err;
106	9.63k	for (i = 0; i < maskedDBLen; i++)
107	9.57k	DB[i] ^= EM[i];
108	61	if (MSBits)
109	55	DB[0] &= 0xFF >> (8 - MSBits);
110	1.53k	for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
111	61	if (DB[i++] != 0x1) {
112	40	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
113	40	goto err;
114	40	}
115	21	if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
116	10	ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
117	10	"expected: %d retrieved: %d", sLen,
118	10	maskedDBLen - i);
119	10	goto err;
120	10	}
121	11	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
122	11	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
123	11	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
124	0	goto err;
125	11	if (maskedDBLen - i) {
126	11	if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
127	0	goto err;
128	11	}
129	11	if (!EVP_DigestFinal_ex(ctx, H_, NULL))
130	0	goto err;
131	11	if (memcmp(H_, H, hLen)) {
132	8	ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
133	8	ret = 0;
134	8	} else {
135	3	ret = 1;
136	3	}
137
138	922	err:
139	922	OPENSSL_free(DB);
140	922	EVP_MD_CTX_free(ctx);
141
142	922	return ret;
143
144	11	}
145
146		int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
147		const unsigned char *mHash,
148		const EVP_MD *Hash, int sLen)
149	0	{
150	0	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
151	0	}
152
153		int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
154		const unsigned char *mHash,
155		const EVP_MD Hash, const EVP_MD mgf1Hash,
156		int sLen)
157	138	{
158	138	int i;
159	138	int ret = 0;
160	138	int hLen, maskedDBLen, MSBits, emLen;
161	138	unsigned char H, salt = NULL, *p;
162	138	EVP_MD_CTX *ctx = NULL;
163
164	138	if (mgf1Hash == NULL)
165	0	mgf1Hash = Hash;
166
167	138	hLen = EVP_MD_get_size(Hash);
168	138	if (hLen < 0)
169	0	goto err;
170		/*-
171		* Negative sLen has special meanings:
172		* -1 sLen == hLen
173		* -2 salt length is maximized
174		* -3 same as above (on signing)
175		* -N reserved
176		*/
177	138	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
178	138	sLen = hLen;
179	138	} else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
180	0	sLen = RSA_PSS_SALTLEN_MAX;
181	0	} else if (sLen < RSA_PSS_SALTLEN_MAX) {
182	0	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
183	0	goto err;
184	0	}
185
186	138	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
187	138	emLen = RSA_size(rsa);
188	138	if (MSBits == 0) {
189	0	*EM++ = 0;
190	0	emLen--;
191	0	}
192	138	if (emLen < hLen + 2) {
193	0	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
194	0	goto err;
195	0	}
196	138	if (sLen == RSA_PSS_SALTLEN_MAX) {
197	0	sLen = emLen - hLen - 2;
198	138	} else if (sLen > emLen - hLen - 2) {
199	0	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
200	0	goto err;
201	0	}
202	138	if (sLen > 0) {
203	138	salt = OPENSSL_malloc(sLen);
204	138	if (salt == NULL) {
205	0	ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
206	0	goto err;
207	0	}
208	138	if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
209	0	goto err;
210	138	}
211	138	maskedDBLen = emLen - hLen - 1;
212	138	H = EM + maskedDBLen;
213	138	ctx = EVP_MD_CTX_new();
214	138	if (ctx == NULL)
215	0	goto err;
216	138	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
217	138	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
218	138	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
219	0	goto err;
220	138	if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
221	0	goto err;
222	138	if (!EVP_DigestFinal_ex(ctx, H, NULL))
223	0	goto err;
224
225		/* Generate dbMask in place then perform XOR on it */
226	138	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
227	0	goto err;
228
229	138	p = EM;
230
231		/*
232		* Initial PS XORs with all zeroes which is a NOP so just update pointer.
233		* Note from a test above this value is guaranteed to be non-negative.
234		*/
235	138	p += emLen - sLen - hLen - 2;
236	138	*p++ ^= 0x1;
237	138	if (sLen > 0) {
238	6.21k	for (i = 0; i < sLen; i++)
239	6.08k	*p++ ^= salt[i];
240	138	}
241	138	if (MSBits)
242	138	EM[0] &= 0xFF >> (8 - MSBits);
243
244		/* H is already in place so just set final 0xbc */
245
246	138	EM[emLen - 1] = 0xbc;
247
248	138	ret = 1;
249
250	138	err:
251	138	EVP_MD_CTX_free(ctx);
252	138	OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */
253
254	138	return ret;
255
256	138	}
257
258		/*
259		* The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
260		* (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
261		*
262		* If the default values of the hashAlgorithm, maskGenAlgorithm, and
263		* trailerField fields of RSASSA-PSS-params are used, then the algorithm
264		* identifier will have the following value:
265		*
266		* rSASSA-PSS-Default-Identifier RSASSA-AlgorithmIdentifier ::= {
267		* algorithm id-RSASSA-PSS,
268		* parameters RSASSA-PSS-params : {
269		* hashAlgorithm sha1,
270		* maskGenAlgorithm mgf1SHA1,
271		* saltLength 20,
272		* trailerField trailerFieldBC
273		* }
274		* }
275		*
276		* RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
277		* {PKCS1Algorithms}
278		* }
279		*/
280		static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
281		NID_sha1, /* default hashAlgorithm */
282		{
283		NID_mgf1, /* default maskGenAlgorithm */
284		NID_sha1 /* default MGF1 hash */
285		},
286		20, /* default saltLength */
287		1 /* default trailerField (0xBC) */
288		};
289
290		int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
291	51.0k	{
292	51.0k	if (rsa_pss_params == NULL)
293	0	return 0;
294	51.0k	*rsa_pss_params = default_RSASSA_PSS_params;
295	51.0k	return 1;
296	51.0k	}
297
298		int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
299	57.6k	{
300	57.6k	static RSA_PSS_PARAMS_30 pss_params_cmp = { 0, };
301
302	57.6k	return rsa_pss_params == NULL
303	57.6k	\|\| memcmp(rsa_pss_params, &pss_params_cmp,
304	57.6k	sizeof(*rsa_pss_params)) == 0;
305	57.6k	}
306
307		int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
308		const RSA_PSS_PARAMS_30 *from)
309	0	{
310	0	memcpy(to, from, sizeof(*to));
311	0	return 1;
312	0	}
313
314		int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
315		int hashalg_nid)
316	22.9k	{
317	22.9k	if (rsa_pss_params == NULL)
318	0	return 0;
319	22.9k	rsa_pss_params->hash_algorithm_nid = hashalg_nid;
320	22.9k	return 1;
321	22.9k	}
322
323		int ossl_rsa_pss_params_30_set_maskgenalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
324		int maskgenalg_nid)
325	0	{
326	0	if (rsa_pss_params == NULL)
327	0	return 0;
328	0	rsa_pss_params->mask_gen.algorithm_nid = maskgenalg_nid;
329	0	return 1;
330	0	}
331
332		int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
333		int maskgenhashalg_nid)
334	22.9k	{
335	22.9k	if (rsa_pss_params == NULL)
336	0	return 0;
337	22.9k	rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
338	22.9k	return 1;
339	22.9k	}
340
341		int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
342		int saltlen)
343	22.9k	{
344	22.9k	if (rsa_pss_params == NULL)
345	0	return 0;
346	22.9k	rsa_pss_params->salt_len = saltlen;
347	22.9k	return 1;
348	22.9k	}
349
350		int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
351		int trailerfield)
352	22.9k	{
353	22.9k	if (rsa_pss_params == NULL)
354	0	return 0;
355	22.9k	rsa_pss_params->trailer_field = trailerfield;
356	22.9k	return 1;
357	22.9k	}
358
359		int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
360	46.3k	{
361	46.3k	if (rsa_pss_params == NULL)
362	22.9k	return default_RSASSA_PSS_params.hash_algorithm_nid;
363	23.4k	return rsa_pss_params->hash_algorithm_nid;
364	46.3k	}
365
366		int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
367	45.9k	{
368	45.9k	if (rsa_pss_params == NULL)
369	22.9k	return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
370	23.0k	return rsa_pss_params->mask_gen.algorithm_nid;
371	45.9k	}
372
373		int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
374	46.3k	{
375	46.3k	if (rsa_pss_params == NULL)
376	22.9k	return default_RSASSA_PSS_params.hash_algorithm_nid;
377	23.4k	return rsa_pss_params->mask_gen.hash_algorithm_nid;
378	46.3k	}
379
380		int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
381	50.6k	{
382	50.6k	if (rsa_pss_params == NULL)
383	8	return default_RSASSA_PSS_params.salt_len;
384	50.6k	return rsa_pss_params->salt_len;
385	50.6k	}
386
387		int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
388	27.3k	{
389	27.3k	if (rsa_pss_params == NULL)
390	8	return default_RSASSA_PSS_params.trailer_field;
391	27.3k	return rsa_pss_params->trailer_field;
392	27.3k	}
393
394		#if defined(_MSC_VER)
395		# pragma optimize("",on)
396		#endif