/src/openssl35/crypto/rsa/rsa_pss.c

Source
/*
 * Copyright 2005-2024 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_local.h"

static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };

#if defined(_MSC_VER) && defined(_ARM_)
# pragma optimize("g", off)
#endif

int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
                         const EVP_MD *Hash, const unsigned char *EM,
                         int sLen)
{
    return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
}

int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
                              const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                              const unsigned char *EM, int sLen)
{
    return ossl_rsa_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, mgf1Hash, EM, &sLen);
}

int ossl_rsa_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                                   const unsigned char *EM, int *sLenOut)
{
    int i;
    int ret = 0;
    int sLen = *sLenOut;
    int hLen, maskedDBLen, MSBits, emLen;
    const unsigned char *H;
    unsigned char *DB = NULL;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    unsigned char H_[EVP_MAX_MD_SIZE];

    if (ctx == NULL)
        goto err;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
    if (hLen <= 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is autorecovered from signature
     *      -3      salt length is maximized
     *      -4      salt length is autorecovered from signature
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (EM[0] & (0xFF << MSBits)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
        goto err;
    }
    if (MSBits == 0) {
        EM++;
        emLen--;
    }
    if (emLen < hLen + 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (EM[emLen - 1] != 0xbc) {
        ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
        goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    DB = OPENSSL_malloc(maskedDBLen);
    if (DB == NULL)
        goto err;
    if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
        goto err;
    for (i = 0; i < maskedDBLen; i++)
        DB[i] ^= EM[i];
    if (MSBits)
        DB[0] &= 0xFF >> (8 - MSBits);
    for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
    if (DB[i++] != 0x1) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
        goto err;
    }
    if (sLen != RSA_PSS_SALTLEN_AUTO
            && sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
            && (maskedDBLen - i) != sLen) {
        ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
                       "expected: %d retrieved: %d", sLen,
                       maskedDBLen - i);
        goto err;
    } else {
        sLen = maskedDBLen - i;
    }
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (sLen != 0) {
        if (!EVP_DigestUpdate(ctx, DB + i, sLen))
            goto err;
    }
    if (!EVP_DigestFinal_ex(ctx, H_, NULL))
        goto err;
    if (memcmp(H_, H, hLen)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
        ret = 0;
    } else {
        ret = 1;
    }

    *sLenOut = sLen;
 err:
    OPENSSL_free(DB);
    EVP_MD_CTX_free(ctx);

    return ret;

}

int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
                              const unsigned char *mHash,
                              const EVP_MD *Hash, int sLen)
{
    return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
}

int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
                                   const unsigned char *mHash,
                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                                   int sLen)
{
    return ossl_rsa_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, mgf1Hash, &sLen);
}

int ossl_rsa_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
                                        const unsigned char *mHash,
                                        const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                                        int *sLenOut)
{
    int i;
    int ret = 0;
    int sLen = *sLenOut;
    int hLen, maskedDBLen, MSBits, emLen;
    unsigned char *H, *salt = NULL, *p;
    EVP_MD_CTX *ctx = NULL;
    int sLenMax = -1;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
    if (hLen <= 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is maximized
     *      -3      same as above (on signing)
     *      -4      salt length is min(hLen, maximum salt length)
     *      -N      reserved
     */
    /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
     * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
     * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
     * the hash function output block (in bytes)."
     *
     * Provide a way to use at most the digest length, so that the default does
     * not violate FIPS 186-4. */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
               || sLen == RSA_PSS_SALTLEN_AUTO) {
        sLen = RSA_PSS_SALTLEN_MAX;
    } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
        sLen = RSA_PSS_SALTLEN_MAX;
        sLenMax = hLen;
    } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (MSBits == 0) {
        *EM++ = 0;
        emLen--;
    }
    if (emLen < hLen + 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
        if (sLenMax >= 0 && sLen > sLenMax)
            sLen = sLenMax;
    } else if (sLen > emLen - hLen - 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen > 0) {
        salt = OPENSSL_malloc(sLen);
        if (salt == NULL)
            goto err;
        if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
            goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    ctx = EVP_MD_CTX_new();
    if (ctx == NULL)
        goto err;
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
        goto err;
    if (!EVP_DigestFinal_ex(ctx, H, NULL))
        goto err;

    /* Generate dbMask in place then perform XOR on it */
    if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
        goto err;

    p = EM;

    /*
     * Initial PS XORs with all zeroes which is a NOP so just update pointer.
     * Note from a test above this value is guaranteed to be non-negative.
     */
    p += emLen - sLen - hLen - 2;
    *p++ ^= 0x1;
    if (sLen > 0) {
        for (i = 0; i < sLen; i++)
            *p++ ^= salt[i];
    }
    if (MSBits)
        EM[0] &= 0xFF >> (8 - MSBits);

    /* H is already in place so just set final 0xbc */

    EM[emLen - 1] = 0xbc;

    ret = 1;

    *sLenOut = sLen;
 err:
    EVP_MD_CTX_free(ctx);
    OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */

    return ret;

}

/*
 * The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
 * (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
 *
 * If the default values of the hashAlgorithm, maskGenAlgorithm, and
 * trailerField fields of RSASSA-PSS-params are used, then the algorithm
 * identifier will have the following value:
 *
 *     rSASSA-PSS-Default-Identifier    RSASSA-AlgorithmIdentifier ::= {
 *         algorithm   id-RSASSA-PSS,
 *         parameters  RSASSA-PSS-params : {
 *             hashAlgorithm       sha1,
 *             maskGenAlgorithm    mgf1SHA1,
 *             saltLength          20,
 *             trailerField        trailerFieldBC
 *         }
 *     }
 *
 *     RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
 *         {PKCS1Algorithms}
 *     }
 */
static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
    NID_sha1,                    /* default hashAlgorithm */
    {
        NID_mgf1,                /* default maskGenAlgorithm */
        NID_sha1                 /* default MGF1 hash */
    },
    20,                          /* default saltLength */
    1                            /* default trailerField (0xBC) */
};

int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return 0;
    *rsa_pss_params = default_RSASSA_PSS_params;
    return 1;
}

int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    static RSA_PSS_PARAMS_30 pss_params_cmp = { 0, };

    return rsa_pss_params == NULL
        || memcmp(rsa_pss_params, &pss_params_cmp,
                  sizeof(*rsa_pss_params)) == 0;
}

int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
                                const RSA_PSS_PARAMS_30 *from)
{
    memcpy(to, from, sizeof(*to));
    return 1;
}

int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                       int hashalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->hash_algorithm_nid = hashalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                              int maskgenhashalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                       int saltlen)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->salt_len = saltlen;
    return 1;
}

int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                            int trailerfield)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->trailer_field = trailerfield;
    return 1;
}

int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.hash_algorithm_nid;
    return rsa_pss_params->hash_algorithm_nid;
}

int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
    return rsa_pss_params->mask_gen.algorithm_nid;
}

int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.hash_algorithm_nid;
    return rsa_pss_params->mask_gen.hash_algorithm_nid;
}

int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.salt_len;
    return rsa_pss_params->salt_len;
}

int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.trailer_field;
    return rsa_pss_params->trailer_field;
}

#if defined(_MSC_VER)
# pragma optimize("",on)
#endif

Coverage Report

Created: 2025-11-16 06:40

Line	Count	Source
1		/*
2		* Copyright 2005-2024 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* RSA low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <stdio.h>
17		#include "internal/cryptlib.h"
18		#include <openssl/bn.h>
19		#include <openssl/rsa.h>
20		#include <openssl/evp.h>
21		#include <openssl/rand.h>
22		#include <openssl/sha.h>
23		#include "rsa_local.h"
24
25		static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
26
27		#if defined(_MSC_VER) && defined(_ARM_)
28		# pragma optimize("g", off)
29		#endif
30
31		int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,
32		const EVP_MD Hash, const unsigned char EM,
33		int sLen)
34	0	{
35	0	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
36	0	}
37
38		int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
39		const EVP_MD Hash, const EVP_MD mgf1Hash,
40		const unsigned char *EM, int sLen)
41	0	{
42	0	return ossl_rsa_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, mgf1Hash, EM, &sLen);
43	0	}
44
45		int ossl_rsa_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
46		const EVP_MD Hash, const EVP_MD mgf1Hash,
47		const unsigned char EM, int sLenOut)
48	9.72k	{
49	9.72k	int i;
50	9.72k	int ret = 0;
51	9.72k	int sLen = *sLenOut;
52	9.72k	int hLen, maskedDBLen, MSBits, emLen;
53	9.72k	const unsigned char *H;
54	9.72k	unsigned char *DB = NULL;
55	9.72k	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
56	9.72k	unsigned char H_[EVP_MAX_MD_SIZE];
57
58	9.72k	if (ctx == NULL)
59	0	goto err;
60
61	9.72k	if (mgf1Hash == NULL)
62	0	mgf1Hash = Hash;
63
64	9.72k	hLen = EVP_MD_get_size(Hash);
65	9.72k	if (hLen <= 0)
66	0	goto err;
67		/*-
68		* Negative sLen has special meanings:
69		* -1 sLen == hLen
70		* -2 salt length is autorecovered from signature
71		* -3 salt length is maximized
72		* -4 salt length is autorecovered from signature
73		* -N reserved
74		*/
75	9.72k	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
76	7.28k	sLen = hLen;
77	7.28k	} else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
78	0	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
79	0	goto err;
80	0	}
81
82	9.72k	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
83	9.72k	emLen = RSA_size(rsa);
84	9.72k	if (EM[0] & (0xFF << MSBits)) {
85	2.72k	ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
86	2.72k	goto err;
87	2.72k	}
88	6.99k	if (MSBits == 0) {
89	1.22k	EM++;
90	1.22k	emLen--;
91	1.22k	}
92	6.99k	if (emLen < hLen + 2) {
93	95	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
94	95	goto err;
95	95	}
96	6.90k	if (sLen == RSA_PSS_SALTLEN_MAX) {
97	0	sLen = emLen - hLen - 2;
98	6.90k	} else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
99	43	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
100	43	goto err;
101	43	}
102	6.85k	if (EM[emLen - 1] != 0xbc) {
103	6.52k	ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
104	6.52k	goto err;
105	6.52k	}
106	328	maskedDBLen = emLen - hLen - 1;
107	328	H = EM + maskedDBLen;
108	328	DB = OPENSSL_malloc(maskedDBLen);
109	328	if (DB == NULL)
110	0	goto err;
111	328	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
112	0	goto err;
113	60.8k	for (i = 0; i < maskedDBLen; i++)
114	60.5k	DB[i] ^= EM[i];
115	328	if (MSBits)
116	282	DB[0] &= 0xFF >> (8 - MSBits);
117	5.27k	for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
118	328	if (DB[i++] != 0x1) {
119	255	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
120	255	goto err;
121	255	}
122	73	if (sLen != RSA_PSS_SALTLEN_AUTO
123	73	&& sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
124	73	&& (maskedDBLen - i) != sLen) {
125	33	ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
126	33	"expected: %d retrieved: %d", sLen,
127	33	maskedDBLen - i);
128	33	goto err;
129	40	} else {
130	40	sLen = maskedDBLen - i;
131	40	}
132	40	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
133	40	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
134	40	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
135	0	goto err;
136	40	if (sLen != 0) {
137	40	if (!EVP_DigestUpdate(ctx, DB + i, sLen))
138	0	goto err;
139	40	}
140	40	if (!EVP_DigestFinal_ex(ctx, H_, NULL))
141	0	goto err;
142	40	if (memcmp(H_, H, hLen)) {
143	36	ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
144	36	ret = 0;
145	36	} else {
146	4	ret = 1;
147	4	}
148
149	40	*sLenOut = sLen;
150	9.72k	err:
151	9.72k	OPENSSL_free(DB);
152	9.72k	EVP_MD_CTX_free(ctx);
153
154	9.72k	return ret;
155
156	40	}
157
158		int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
159		const unsigned char *mHash,
160		const EVP_MD *Hash, int sLen)
161	0	{
162	0	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
163	0	}
164
165		int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
166		const unsigned char *mHash,
167		const EVP_MD Hash, const EVP_MD mgf1Hash,
168		int sLen)
169		{
170		return ossl_rsa_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, mgf1Hash, &sLen);
171		}
172
173		int ossl_rsa_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
174		const unsigned char *mHash,
175		const EVP_MD Hash, const EVP_MD mgf1Hash,
176		int *sLenOut)
177	799	{
178	799	int i;
179	799	int ret = 0;
180	799	int sLen = *sLenOut;
181	799	int hLen, maskedDBLen, MSBits, emLen;
182	799	unsigned char H, salt = NULL, *p;
183	799	EVP_MD_CTX *ctx = NULL;
184	799	int sLenMax = -1;
185
186	799	if (mgf1Hash == NULL)
187	0	mgf1Hash = Hash;
188
189	799	hLen = EVP_MD_get_size(Hash);
190	799	if (hLen <= 0)
191	0	goto err;
192		/*-
193		* Negative sLen has special meanings:
194		* -1 sLen == hLen
195		* -2 salt length is maximized
196		* -3 same as above (on signing)
197		* -4 salt length is min(hLen, maximum salt length)
198		* -N reserved
199		*/
200		/* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
201		* 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
202		* salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
203		* the hash function output block (in bytes)."
204		*
205		* Provide a way to use at most the digest length, so that the default does
206		* not violate FIPS 186-4. */
207	799	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
208	799	sLen = hLen;
209	799	} else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
210	0	\|\| sLen == RSA_PSS_SALTLEN_AUTO) {
211	0	sLen = RSA_PSS_SALTLEN_MAX;
212	0	} else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
213	0	sLen = RSA_PSS_SALTLEN_MAX;
214	0	sLenMax = hLen;
215	0	} else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
216	0	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
217	0	goto err;
218	0	}
219
220	799	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
221	799	emLen = RSA_size(rsa);
222	799	if (MSBits == 0) {
223	0	*EM++ = 0;
224	0	emLen--;
225	0	}
226	799	if (emLen < hLen + 2) {
227	0	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
228	0	goto err;
229	0	}
230	799	if (sLen == RSA_PSS_SALTLEN_MAX) {
231	0	sLen = emLen - hLen - 2;
232	0	if (sLenMax >= 0 && sLen > sLenMax)
233	0	sLen = sLenMax;
234	799	} else if (sLen > emLen - hLen - 2) {
235	0	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
236	0	goto err;
237	0	}
238	799	if (sLen > 0) {
239	799	salt = OPENSSL_malloc(sLen);
240	799	if (salt == NULL)
241	0	goto err;
242	799	if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
243	0	goto err;
244	799	}
245	799	maskedDBLen = emLen - hLen - 1;
246	799	H = EM + maskedDBLen;
247	799	ctx = EVP_MD_CTX_new();
248	799	if (ctx == NULL)
249	0	goto err;
250	799	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
251	799	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
252	799	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
253	0	goto err;
254	799	if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
255	0	goto err;
256	799	if (!EVP_DigestFinal_ex(ctx, H, NULL))
257	0	goto err;
258
259		/* Generate dbMask in place then perform XOR on it */
260	799	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
261	0	goto err;
262
263	799	p = EM;
264
265		/*
266		* Initial PS XORs with all zeroes which is a NOP so just update pointer.
267		* Note from a test above this value is guaranteed to be non-negative.
268		*/
269	799	p += emLen - sLen - hLen - 2;
270	799	*p++ ^= 0x1;
271	799	if (sLen > 0) {
272	32.3k	for (i = 0; i < sLen; i++)
273	31.5k	*p++ ^= salt[i];
274	799	}
275	799	if (MSBits)
276	799	EM[0] &= 0xFF >> (8 - MSBits);
277
278		/* H is already in place so just set final 0xbc */
279
280	799	EM[emLen - 1] = 0xbc;
281
282	799	ret = 1;
283
284	799	*sLenOut = sLen;
285	799	err:
286	799	EVP_MD_CTX_free(ctx);
287	799	OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */
288
289	799	return ret;
290
291	799	}
292
293		/*
294		* The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
295		* (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
296		*
297		* If the default values of the hashAlgorithm, maskGenAlgorithm, and
298		* trailerField fields of RSASSA-PSS-params are used, then the algorithm
299		* identifier will have the following value:
300		*
301		* rSASSA-PSS-Default-Identifier RSASSA-AlgorithmIdentifier ::= {
302		* algorithm id-RSASSA-PSS,
303		* parameters RSASSA-PSS-params : {
304		* hashAlgorithm sha1,
305		* maskGenAlgorithm mgf1SHA1,
306		* saltLength 20,
307		* trailerField trailerFieldBC
308		* }
309		* }
310		*
311		* RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
312		* {PKCS1Algorithms}
313		* }
314		*/
315		static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
316		NID_sha1, /* default hashAlgorithm */
317		{
318		NID_mgf1, /* default maskGenAlgorithm */
319		NID_sha1 /* default MGF1 hash */
320		},
321		20, /* default saltLength */
322		1 /* default trailerField (0xBC) */
323		};
324
325		int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
326	42.1k	{
327	42.1k	if (rsa_pss_params == NULL)
328	0	return 0;
329	42.1k	*rsa_pss_params = default_RSASSA_PSS_params;
330	42.1k	return 1;
331	42.1k	}
332
333		int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
334	80.6k	{
335	80.6k	static RSA_PSS_PARAMS_30 pss_params_cmp = { 0, };
336
337	80.6k	return rsa_pss_params == NULL
338	80.6k	\|\| memcmp(rsa_pss_params, &pss_params_cmp,
339	80.6k	sizeof(*rsa_pss_params)) == 0;
340	80.6k	}
341
342		int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
343		const RSA_PSS_PARAMS_30 *from)
344	0	{
345	0	memcpy(to, from, sizeof(*to));
346	0	return 1;
347	0	}
348
349		int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
350		int hashalg_nid)
351	17.6k	{
352	17.6k	if (rsa_pss_params == NULL)
353	0	return 0;
354	17.6k	rsa_pss_params->hash_algorithm_nid = hashalg_nid;
355	17.6k	return 1;
356	17.6k	}
357
358		int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
359		int maskgenhashalg_nid)
360	17.6k	{
361	17.6k	if (rsa_pss_params == NULL)
362	0	return 0;
363	17.6k	rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
364	17.6k	return 1;
365	17.6k	}
366
367		int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
368		int saltlen)
369	17.6k	{
370	17.6k	if (rsa_pss_params == NULL)
371	0	return 0;
372	17.6k	rsa_pss_params->salt_len = saltlen;
373	17.6k	return 1;
374	17.6k	}
375
376		int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
377		int trailerfield)
378	17.6k	{
379	17.6k	if (rsa_pss_params == NULL)
380	0	return 0;
381	17.6k	rsa_pss_params->trailer_field = trailerfield;
382	17.6k	return 1;
383	17.6k	}
384
385		int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
386	35.9k	{
387	35.9k	if (rsa_pss_params == NULL)
388	17.6k	return default_RSASSA_PSS_params.hash_algorithm_nid;
389	18.2k	return rsa_pss_params->hash_algorithm_nid;
390	35.9k	}
391
392		int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
393	35.4k	{
394	35.4k	if (rsa_pss_params == NULL)
395	17.6k	return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
396	17.8k	return rsa_pss_params->mask_gen.algorithm_nid;
397	35.4k	}
398
399		int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
400	35.9k	{
401	35.9k	if (rsa_pss_params == NULL)
402	17.6k	return default_RSASSA_PSS_params.hash_algorithm_nid;
403	18.2k	return rsa_pss_params->mask_gen.hash_algorithm_nid;
404	35.9k	}
405
406		int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
407	41.3k	{
408	41.3k	if (rsa_pss_params == NULL)
409	12	return default_RSASSA_PSS_params.salt_len;
410	41.3k	return rsa_pss_params->salt_len;
411	41.3k	}
412
413		int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
414	23.2k	{
415	23.2k	if (rsa_pss_params == NULL)
416	12	return default_RSASSA_PSS_params.trailer_field;
417	23.2k	return rsa_pss_params->trailer_field;
418	23.2k	}
419
420		#if defined(_MSC_VER)
421		# pragma optimize("",on)
422		#endif