/src/openssl32/crypto/rsa/rsa_pss.c

Source (jump to first uncovered line)
/*
 * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_local.h"

static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };

#if defined(_MSC_VER) && defined(_ARM_)
# pragma optimize("g", off)
#endif

int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
                         const EVP_MD *Hash, const unsigned char *EM,
                         int sLen)
{
    return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
}

int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
                              const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                              const unsigned char *EM, int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    const unsigned char *H;
    unsigned char *DB = NULL;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    unsigned char H_[EVP_MAX_MD_SIZE];

    if (ctx == NULL)
        goto err;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is autorecovered from signature
     *      -3      salt length is maximized
     *      -4      salt length is autorecovered from signature
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (EM[0] & (0xFF << MSBits)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
        goto err;
    }
    if (MSBits == 0) {
        EM++;
        emLen--;
    }
    if (emLen < hLen + 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (EM[emLen - 1] != 0xbc) {
        ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
        goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    DB = OPENSSL_malloc(maskedDBLen);
    if (DB == NULL)
        goto err;
    if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
        goto err;
    for (i = 0; i < maskedDBLen; i++)
        DB[i] ^= EM[i];
    if (MSBits)
        DB[0] &= 0xFF >> (8 - MSBits);
    for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
    if (DB[i++] != 0x1) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
        goto err;
    }
    if (sLen != RSA_PSS_SALTLEN_AUTO
            && sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
            && (maskedDBLen - i) != sLen) {
        ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
                       "expected: %d retrieved: %d", sLen,
                       maskedDBLen - i);
        goto err;
    }
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (maskedDBLen - i) {
        if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
            goto err;
    }
    if (!EVP_DigestFinal_ex(ctx, H_, NULL))
        goto err;
    if (memcmp(H_, H, hLen)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
        ret = 0;
    } else {
        ret = 1;
    }

 err:
    OPENSSL_free(DB);
    EVP_MD_CTX_free(ctx);

    return ret;

}

int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
                              const unsigned char *mHash,
                              const EVP_MD *Hash, int sLen)
{
    return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
}

int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
                                   const unsigned char *mHash,
                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                                   int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    unsigned char *H, *salt = NULL, *p;
    EVP_MD_CTX *ctx = NULL;
    int sLenMax = -1;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is maximized
     *      -3      same as above (on signing)
     *      -4      salt length is min(hLen, maximum salt length)
     *      -N      reserved
     */
    /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
     * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
     * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
     * the hash function output block (in bytes)."
     *
     * Provide a way to use at most the digest length, so that the default does
     * not violate FIPS 186-4. */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
            || sLen == RSA_PSS_SALTLEN_AUTO) {
        sLen = RSA_PSS_SALTLEN_MAX;
    } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
        sLen = RSA_PSS_SALTLEN_MAX;
        sLenMax = hLen;
    } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (MSBits == 0) {
        *EM++ = 0;
        emLen--;
    }
    if (emLen < hLen + 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
        if (sLenMax >= 0 && sLen > sLenMax)
            sLen = sLenMax;
    } else if (sLen > emLen - hLen - 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen > 0) {
        salt = OPENSSL_malloc(sLen);
        if (salt == NULL)
            goto err;
        if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
            goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    ctx = EVP_MD_CTX_new();
    if (ctx == NULL)
        goto err;
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
        goto err;
    if (!EVP_DigestFinal_ex(ctx, H, NULL))
        goto err;

    /* Generate dbMask in place then perform XOR on it */
    if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
        goto err;

    p = EM;

    /*
     * Initial PS XORs with all zeroes which is a NOP so just update pointer.
     * Note from a test above this value is guaranteed to be non-negative.
     */
    p += emLen - sLen - hLen - 2;
    *p++ ^= 0x1;
    if (sLen > 0) {
        for (i = 0; i < sLen; i++)
            *p++ ^= salt[i];
    }
    if (MSBits)
        EM[0] &= 0xFF >> (8 - MSBits);

    /* H is already in place so just set final 0xbc */

    EM[emLen - 1] = 0xbc;

    ret = 1;

 err:
    EVP_MD_CTX_free(ctx);
    OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */

    return ret;

}

/*
 * The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
 * (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
 *
 * If the default values of the hashAlgorithm, maskGenAlgorithm, and
 * trailerField fields of RSASSA-PSS-params are used, then the algorithm
 * identifier will have the following value:
 *
 *     rSASSA-PSS-Default-Identifier    RSASSA-AlgorithmIdentifier ::= {
 *         algorithm   id-RSASSA-PSS,
 *         parameters  RSASSA-PSS-params : {
 *             hashAlgorithm       sha1,
 *             maskGenAlgorithm    mgf1SHA1,
 *             saltLength          20,
 *             trailerField        trailerFieldBC
 *         }
 *     }
 *
 *     RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
 *         {PKCS1Algorithms}
 *     }
 */
static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
    NID_sha1,                    /* default hashAlgorithm */
    {
        NID_mgf1,                /* default maskGenAlgorithm */
        NID_sha1                 /* default MGF1 hash */
    },
    20,                          /* default saltLength */
    1                            /* default trailerField (0xBC) */
};

int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return 0;
    *rsa_pss_params = default_RSASSA_PSS_params;
    return 1;
}

int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    static RSA_PSS_PARAMS_30 pss_params_cmp = { 0, };

    return rsa_pss_params == NULL
        || memcmp(rsa_pss_params, &pss_params_cmp,
                  sizeof(*rsa_pss_params)) == 0;
}

int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
                                const RSA_PSS_PARAMS_30 *from)
{
    memcpy(to, from, sizeof(*to));
    return 1;
}

int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                       int hashalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->hash_algorithm_nid = hashalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                              int maskgenhashalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                       int saltlen)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->salt_len = saltlen;
    return 1;
}

int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                            int trailerfield)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->trailer_field = trailerfield;
    return 1;
}

int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.hash_algorithm_nid;
    return rsa_pss_params->hash_algorithm_nid;
}

int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
    return rsa_pss_params->mask_gen.algorithm_nid;
}

int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.hash_algorithm_nid;
    return rsa_pss_params->mask_gen.hash_algorithm_nid;
}

int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.salt_len;
    return rsa_pss_params->salt_len;
}

int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.trailer_field;
    return rsa_pss_params->trailer_field;
}

#if defined(_MSC_VER)
# pragma optimize("",on)
#endif

Coverage Report

Created: 2025-06-13 06:58

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* RSA low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <stdio.h>
17		#include "internal/cryptlib.h"
18		#include <openssl/bn.h>
19		#include <openssl/rsa.h>
20		#include <openssl/evp.h>
21		#include <openssl/rand.h>
22		#include <openssl/sha.h>
23		#include "rsa_local.h"
24
25		static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
26
27		#if defined(_MSC_VER) && defined(_ARM_)
28		# pragma optimize("g", off)
29		#endif
30
31		int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,
32		const EVP_MD Hash, const unsigned char EM,
33		int sLen)
34	0	{
35	0	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
36	0	}
37
38		int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
39		const EVP_MD Hash, const EVP_MD mgf1Hash,
40		const unsigned char *EM, int sLen)
41	4.60k	{
42	4.60k	int i;
43	4.60k	int ret = 0;
44	4.60k	int hLen, maskedDBLen, MSBits, emLen;
45	4.60k	const unsigned char *H;
46	4.60k	unsigned char *DB = NULL;
47	4.60k	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
48	4.60k	unsigned char H_[EVP_MAX_MD_SIZE];
49
50	4.60k	if (ctx == NULL)
51	0	goto err;
52
53	4.60k	if (mgf1Hash == NULL)
54	0	mgf1Hash = Hash;
55
56	4.60k	hLen = EVP_MD_get_size(Hash);
57	4.60k	if (hLen < 0)
58	0	goto err;
59		/*-
60		* Negative sLen has special meanings:
61		* -1 sLen == hLen
62		* -2 salt length is autorecovered from signature
63		* -3 salt length is maximized
64		* -4 salt length is autorecovered from signature
65		* -N reserved
66		*/
67	4.60k	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
68	2.82k	sLen = hLen;
69	2.82k	} else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
70	0	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
71	0	goto err;
72	0	}
73
74	4.60k	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
75	4.60k	emLen = RSA_size(rsa);
76	4.60k	if (EM[0] & (0xFF << MSBits)) {
77	1.21k	ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
78	1.21k	goto err;
79	1.21k	}
80	3.39k	if (MSBits == 0) {
81	822	EM++;
82	822	emLen--;
83	822	}
84	3.39k	if (emLen < hLen + 2) {
85	38	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
86	38	goto err;
87	38	}
88	3.35k	if (sLen == RSA_PSS_SALTLEN_MAX) {
89	0	sLen = emLen - hLen - 2;
90	3.35k	} else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
91	21	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
92	21	goto err;
93	21	}
94	3.33k	if (EM[emLen - 1] != 0xbc) {
95	3.13k	ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
96	3.13k	goto err;
97	3.13k	}
98	194	maskedDBLen = emLen - hLen - 1;
99	194	H = EM + maskedDBLen;
100	194	DB = OPENSSL_malloc(maskedDBLen);
101	194	if (DB == NULL)
102	0	goto err;
103	194	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
104	0	goto err;
105	39.4k	for (i = 0; i < maskedDBLen; i++)
106	39.2k	DB[i] ^= EM[i];
107	194	if (MSBits)
108	162	DB[0] &= 0xFF >> (8 - MSBits);
109	4.85k	for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
110	194	if (DB[i++] != 0x1) {
111	141	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
112	141	goto err;
113	141	}
114	53	if (sLen != RSA_PSS_SALTLEN_AUTO
115	53	&& sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
116	53	&& (maskedDBLen - i) != sLen) {
117	24	ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
118	24	"expected: %d retrieved: %d", sLen,
119	24	maskedDBLen - i);
120	24	goto err;
121	24	}
122	29	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
123	29	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
124	29	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
125	0	goto err;
126	29	if (maskedDBLen - i) {
127	29	if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
128	0	goto err;
129	29	}
130	29	if (!EVP_DigestFinal_ex(ctx, H_, NULL))
131	0	goto err;
132	29	if (memcmp(H_, H, hLen)) {
133	25	ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
134	25	ret = 0;
135	25	} else {
136	4	ret = 1;
137	4	}
138
139	4.60k	err:
140	4.60k	OPENSSL_free(DB);
141	4.60k	EVP_MD_CTX_free(ctx);
142
143	4.60k	return ret;
144
145	29	}
146
147		int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
148		const unsigned char *mHash,
149		const EVP_MD *Hash, int sLen)
150	0	{
151	0	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
152	0	}
153
154		int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
155		const unsigned char *mHash,
156		const EVP_MD Hash, const EVP_MD mgf1Hash,
157		int sLen)
158	223	{
159	223	int i;
160	223	int ret = 0;
161	223	int hLen, maskedDBLen, MSBits, emLen;
162	223	unsigned char H, salt = NULL, *p;
163	223	EVP_MD_CTX *ctx = NULL;
164	223	int sLenMax = -1;
165
166	223	if (mgf1Hash == NULL)
167	0	mgf1Hash = Hash;
168
169	223	hLen = EVP_MD_get_size(Hash);
170	223	if (hLen < 0)
171	0	goto err;
172		/*-
173		* Negative sLen has special meanings:
174		* -1 sLen == hLen
175		* -2 salt length is maximized
176		* -3 same as above (on signing)
177		* -4 salt length is min(hLen, maximum salt length)
178		* -N reserved
179		*/
180		/* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
181		* 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
182		* salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
183		* the hash function output block (in bytes)."
184		*
185		* Provide a way to use at most the digest length, so that the default does
186		* not violate FIPS 186-4. */
187	223	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
188	223	sLen = hLen;
189	223	} else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
190	0	\|\| sLen == RSA_PSS_SALTLEN_AUTO) {
191	0	sLen = RSA_PSS_SALTLEN_MAX;
192	0	} else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
193	0	sLen = RSA_PSS_SALTLEN_MAX;
194	0	sLenMax = hLen;
195	0	} else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
196	0	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
197	0	goto err;
198	0	}
199
200	223	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
201	223	emLen = RSA_size(rsa);
202	223	if (MSBits == 0) {
203	0	*EM++ = 0;
204	0	emLen--;
205	0	}
206	223	if (emLen < hLen + 2) {
207	0	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
208	0	goto err;
209	0	}
210	223	if (sLen == RSA_PSS_SALTLEN_MAX) {
211	0	sLen = emLen - hLen - 2;
212	0	if (sLenMax >= 0 && sLen > sLenMax)
213	0	sLen = sLenMax;
214	223	} else if (sLen > emLen - hLen - 2) {
215	0	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
216	0	goto err;
217	0	}
218	223	if (sLen > 0) {
219	223	salt = OPENSSL_malloc(sLen);
220	223	if (salt == NULL)
221	0	goto err;
222	223	if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
223	0	goto err;
224	223	}
225	223	maskedDBLen = emLen - hLen - 1;
226	223	H = EM + maskedDBLen;
227	223	ctx = EVP_MD_CTX_new();
228	223	if (ctx == NULL)
229	0	goto err;
230	223	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
231	223	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
232	223	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
233	0	goto err;
234	223	if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
235	0	goto err;
236	223	if (!EVP_DigestFinal_ex(ctx, H, NULL))
237	0	goto err;
238
239		/* Generate dbMask in place then perform XOR on it */
240	223	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
241	0	goto err;
242
243	223	p = EM;
244
245		/*
246		* Initial PS XORs with all zeroes which is a NOP so just update pointer.
247		* Note from a test above this value is guaranteed to be non-negative.
248		*/
249	223	p += emLen - sLen - hLen - 2;
250	223	*p++ ^= 0x1;
251	223	if (sLen > 0) {
252	9.23k	for (i = 0; i < sLen; i++)
253	9.00k	*p++ ^= salt[i];
254	223	}
255	223	if (MSBits)
256	223	EM[0] &= 0xFF >> (8 - MSBits);
257
258		/* H is already in place so just set final 0xbc */
259
260	223	EM[emLen - 1] = 0xbc;
261
262	223	ret = 1;
263
264	223	err:
265	223	EVP_MD_CTX_free(ctx);
266	223	OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */
267
268	223	return ret;
269
270	223	}
271
272		/*
273		* The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
274		* (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
275		*
276		* If the default values of the hashAlgorithm, maskGenAlgorithm, and
277		* trailerField fields of RSASSA-PSS-params are used, then the algorithm
278		* identifier will have the following value:
279		*
280		* rSASSA-PSS-Default-Identifier RSASSA-AlgorithmIdentifier ::= {
281		* algorithm id-RSASSA-PSS,
282		* parameters RSASSA-PSS-params : {
283		* hashAlgorithm sha1,
284		* maskGenAlgorithm mgf1SHA1,
285		* saltLength 20,
286		* trailerField trailerFieldBC
287		* }
288		* }
289		*
290		* RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
291		* {PKCS1Algorithms}
292		* }
293		*/
294		static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
295		NID_sha1, /* default hashAlgorithm */
296		{
297		NID_mgf1, /* default maskGenAlgorithm */
298		NID_sha1 /* default MGF1 hash */
299		},
300		20, /* default saltLength */
301		1 /* default trailerField (0xBC) */
302		};
303
304		int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
305	51.0k	{
306	51.0k	if (rsa_pss_params == NULL)
307	0	return 0;
308	51.0k	*rsa_pss_params = default_RSASSA_PSS_params;
309	51.0k	return 1;
310	51.0k	}
311
312		int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
313	57.6k	{
314	57.6k	static RSA_PSS_PARAMS_30 pss_params_cmp = { 0, };
315
316	57.6k	return rsa_pss_params == NULL
317	57.6k	\|\| memcmp(rsa_pss_params, &pss_params_cmp,
318	57.6k	sizeof(*rsa_pss_params)) == 0;
319	57.6k	}
320
321		int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
322		const RSA_PSS_PARAMS_30 *from)
323	0	{
324	0	memcpy(to, from, sizeof(*to));
325	0	return 1;
326	0	}
327
328		int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
329		int hashalg_nid)
330	22.9k	{
331	22.9k	if (rsa_pss_params == NULL)
332	0	return 0;
333	22.9k	rsa_pss_params->hash_algorithm_nid = hashalg_nid;
334	22.9k	return 1;
335	22.9k	}
336
337		int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
338		int maskgenhashalg_nid)
339	22.9k	{
340	22.9k	if (rsa_pss_params == NULL)
341	0	return 0;
342	22.9k	rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
343	22.9k	return 1;
344	22.9k	}
345
346		int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
347		int saltlen)
348	22.9k	{
349	22.9k	if (rsa_pss_params == NULL)
350	0	return 0;
351	22.9k	rsa_pss_params->salt_len = saltlen;
352	22.9k	return 1;
353	22.9k	}
354
355		int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
356		int trailerfield)
357	22.9k	{
358	22.9k	if (rsa_pss_params == NULL)
359	0	return 0;
360	22.9k	rsa_pss_params->trailer_field = trailerfield;
361	22.9k	return 1;
362	22.9k	}
363
364		int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
365	46.3k	{
366	46.3k	if (rsa_pss_params == NULL)
367	22.9k	return default_RSASSA_PSS_params.hash_algorithm_nid;
368	23.4k	return rsa_pss_params->hash_algorithm_nid;
369	46.3k	}
370
371		int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
372	45.9k	{
373	45.9k	if (rsa_pss_params == NULL)
374	22.9k	return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
375	23.0k	return rsa_pss_params->mask_gen.algorithm_nid;
376	45.9k	}
377
378		int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
379	46.3k	{
380	46.3k	if (rsa_pss_params == NULL)
381	22.9k	return default_RSASSA_PSS_params.hash_algorithm_nid;
382	23.4k	return rsa_pss_params->mask_gen.hash_algorithm_nid;
383	46.3k	}
384
385		int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
386	50.6k	{
387	50.6k	if (rsa_pss_params == NULL)
388	8	return default_RSASSA_PSS_params.salt_len;
389	50.6k	return rsa_pss_params->salt_len;
390	50.6k	}
391
392		int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
393	27.3k	{
394	27.3k	if (rsa_pss_params == NULL)
395	8	return default_RSASSA_PSS_params.trailer_field;
396	27.3k	return rsa_pss_params->trailer_field;
397	27.3k	}
398
399		#if defined(_MSC_VER)
400		# pragma optimize("",on)
401		#endif