/src/openssl30/crypto/rsa/rsa_pss.c

Source
/*
 * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_local.h"

static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };

#if defined(_MSC_VER) && defined(_ARM_)
#pragma optimize("g", off)
#endif

int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
    const EVP_MD *Hash, const unsigned char *EM,
    int sLen)
{
    return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
}

int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
    const EVP_MD *Hash, const EVP_MD *mgf1Hash,
    const unsigned char *EM, int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    const unsigned char *H;
    unsigned char *DB = NULL;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    unsigned char H_[EVP_MAX_MD_SIZE];

    if (ctx == NULL)
        goto err;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is autorecovered from signature
     *      -3      salt length is maximized
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen < RSA_PSS_SALTLEN_MAX) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (EM[0] & (0xFF << MSBits)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
        goto err;
    }
    if (MSBits == 0) {
        EM++;
        emLen--;
    }
    if (emLen < hLen + 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (EM[emLen - 1] != 0xbc) {
        ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
        goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    DB = OPENSSL_malloc(maskedDBLen);
    if (DB == NULL) {
        ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
        goto err;
    for (i = 0; i < maskedDBLen; i++)
        DB[i] ^= EM[i];
    if (MSBits)
        DB[0] &= 0xFF >> (8 - MSBits);
    for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
        ;
    if (DB[i++] != 0x1) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
        goto err;
    }
    if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
        ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
            "expected: %d retrieved: %d", sLen,
            maskedDBLen - i);
        goto err;
    }
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (maskedDBLen - i) {
        if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
            goto err;
    }
    if (!EVP_DigestFinal_ex(ctx, H_, NULL))
        goto err;
    if (memcmp(H_, H, hLen)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
        ret = 0;
    } else {
        ret = 1;
    }

err:
    OPENSSL_free(DB);
    EVP_MD_CTX_free(ctx);

    return ret;
}

int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
    const unsigned char *mHash,
    const EVP_MD *Hash, int sLen)
{
    return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
}

int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
    const unsigned char *mHash,
    const EVP_MD *Hash, const EVP_MD *mgf1Hash,
    int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    unsigned char *H, *salt = NULL, *p;
    EVP_MD_CTX *ctx = NULL;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is maximized
     *      -3      same as above (on signing)
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
        sLen = RSA_PSS_SALTLEN_MAX;
    } else if (sLen < RSA_PSS_SALTLEN_MAX) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (MSBits == 0) {
        *EM++ = 0;
        emLen--;
    }
    if (emLen < hLen + 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen > 0) {
        salt = OPENSSL_malloc(sLen);
        if (salt == NULL) {
            ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
            goto err;
        }
        if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
            goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    ctx = EVP_MD_CTX_new();
    if (ctx == NULL)
        goto err;
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
        goto err;
    if (!EVP_DigestFinal_ex(ctx, H, NULL))
        goto err;

    /* Generate dbMask in place then perform XOR on it */
    if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
        goto err;

    p = EM;

    /*
     * Initial PS XORs with all zeroes which is a NOP so just update pointer.
     * Note from a test above this value is guaranteed to be non-negative.
     */
    p += emLen - sLen - hLen - 2;
    *p++ ^= 0x1;
    if (sLen > 0) {
        for (i = 0; i < sLen; i++)
            *p++ ^= salt[i];
    }
    if (MSBits)
        EM[0] &= 0xFF >> (8 - MSBits);

    /* H is already in place so just set final 0xbc */

    EM[emLen - 1] = 0xbc;

    ret = 1;

err:
    EVP_MD_CTX_free(ctx);
    OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */

    return ret;
}

/*
 * The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
 * (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
 *
 * If the default values of the hashAlgorithm, maskGenAlgorithm, and
 * trailerField fields of RSASSA-PSS-params are used, then the algorithm
 * identifier will have the following value:
 *
 *     rSASSA-PSS-Default-Identifier    RSASSA-AlgorithmIdentifier ::= {
 *         algorithm   id-RSASSA-PSS,
 *         parameters  RSASSA-PSS-params : {
 *             hashAlgorithm       sha1,
 *             maskGenAlgorithm    mgf1SHA1,
 *             saltLength          20,
 *             trailerField        trailerFieldBC
 *         }
 *     }
 *
 *     RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
 *         {PKCS1Algorithms}
 *     }
 */
static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
    NID_sha1, /* default hashAlgorithm */
    {
        NID_mgf1, /* default maskGenAlgorithm */
        NID_sha1 /* default MGF1 hash */
    },
    20, /* default saltLength */
    1 /* default trailerField (0xBC) */
};

int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return 0;
    *rsa_pss_params = default_RSASSA_PSS_params;
    return 1;
}

int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    static RSA_PSS_PARAMS_30 pss_params_cmp = {
        0,
    };

    return rsa_pss_params == NULL
        || memcmp(rsa_pss_params, &pss_params_cmp,
               sizeof(*rsa_pss_params))
        == 0;
}

int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
    const RSA_PSS_PARAMS_30 *from)
{
    memcpy(to, from, sizeof(*to));
    return 1;
}

int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
    int hashalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->hash_algorithm_nid = hashalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_maskgenalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
    int maskgenalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->mask_gen.algorithm_nid = maskgenalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
    int maskgenhashalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
    int saltlen)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->salt_len = saltlen;
    return 1;
}

int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
    int trailerfield)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->trailer_field = trailerfield;
    return 1;
}

int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.hash_algorithm_nid;
    return rsa_pss_params->hash_algorithm_nid;
}

int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
    return rsa_pss_params->mask_gen.algorithm_nid;
}

int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.hash_algorithm_nid;
    return rsa_pss_params->mask_gen.hash_algorithm_nid;
}

int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.salt_len;
    return rsa_pss_params->salt_len;
}

int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.trailer_field;
    return rsa_pss_params->trailer_field;
}

#if defined(_MSC_VER)
#pragma optimize("", on)
#endif

Coverage Report

Created: 2025-12-31 06:58

Line	Count	Source
1		/*
2		* Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* RSA low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <stdio.h>
17		#include "internal/cryptlib.h"
18		#include <openssl/bn.h>
19		#include <openssl/rsa.h>
20		#include <openssl/evp.h>
21		#include <openssl/rand.h>
22		#include <openssl/sha.h>
23		#include "rsa_local.h"
24
25		static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
26
27		#if defined(_MSC_VER) && defined(_ARM_)
28		#pragma optimize("g", off)
29		#endif
30
31		int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,
32		const EVP_MD Hash, const unsigned char EM,
33		int sLen)
34	0	{
35	0	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
36	0	}
37
38		int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
39		const EVP_MD Hash, const EVP_MD mgf1Hash,
40		const unsigned char *EM, int sLen)
41	842	{
42	842	int i;
43	842	int ret = 0;
44	842	int hLen, maskedDBLen, MSBits, emLen;
45	842	const unsigned char *H;
46	842	unsigned char *DB = NULL;
47	842	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
48	842	unsigned char H_[EVP_MAX_MD_SIZE];
49
50	842	if (ctx == NULL)
51	0	goto err;
52
53	842	if (mgf1Hash == NULL)
54	0	mgf1Hash = Hash;
55
56	842	hLen = EVP_MD_get_size(Hash);
57	842	if (hLen < 0)
58	0	goto err;
59		/*-
60		* Negative sLen has special meanings:
61		* -1 sLen == hLen
62		* -2 salt length is autorecovered from signature
63		* -3 salt length is maximized
64		* -N reserved
65		*/
66	842	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
67	63	sLen = hLen;
68	779	} else if (sLen < RSA_PSS_SALTLEN_MAX) {
69	0	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
70	0	goto err;
71	0	}
72
73	842	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
74	842	emLen = RSA_size(rsa);
75	842	if (EM[0] & (0xFF << MSBits)) {
76	165	ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
77	165	goto err;
78	165	}
79	677	if (MSBits == 0) {
80	22	EM++;
81	22	emLen--;
82	22	}
83	677	if (emLen < hLen + 2) {
84	9	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
85	9	goto err;
86	9	}
87	668	if (sLen == RSA_PSS_SALTLEN_MAX) {
88	0	sLen = emLen - hLen - 2;
89	668	} else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
90	4	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
91	4	goto err;
92	4	}
93	664	if (EM[emLen - 1] != 0xbc) {
94	609	ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
95	609	goto err;
96	609	}
97	55	maskedDBLen = emLen - hLen - 1;
98	55	H = EM + maskedDBLen;
99	55	DB = OPENSSL_malloc(maskedDBLen);
100	55	if (DB == NULL) {
101	0	ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
102	0	goto err;
103	0	}
104	55	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
105	0	goto err;
106	8.71k	for (i = 0; i < maskedDBLen; i++)
107	8.66k	DB[i] ^= EM[i];
108	55	if (MSBits)
109	49	DB[0] &= 0xFF >> (8 - MSBits);
110	1.71k	for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
111	1.66k	;
112	55	if (DB[i++] != 0x1) {
113	33	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
114	33	goto err;
115	33	}
116	22	if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
117	10	ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
118	10	"expected: %d retrieved: %d", sLen,
119	10	maskedDBLen - i);
120	10	goto err;
121	10	}
122	12	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
123	12	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
124	12	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
125	0	goto err;
126	12	if (maskedDBLen - i) {
127	12	if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
128	0	goto err;
129	12	}
130	12	if (!EVP_DigestFinal_ex(ctx, H_, NULL))
131	0	goto err;
132	12	if (memcmp(H_, H, hLen)) {
133	9	ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
134	9	ret = 0;
135	9	} else {
136	3	ret = 1;
137	3	}
138
139	842	err:
140	842	OPENSSL_free(DB);
141	842	EVP_MD_CTX_free(ctx);
142
143	842	return ret;
144	12	}
145
146		int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
147		const unsigned char *mHash,
148		const EVP_MD *Hash, int sLen)
149	0	{
150	0	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
151	0	}
152
153		int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
154		const unsigned char *mHash,
155		const EVP_MD Hash, const EVP_MD mgf1Hash,
156		int sLen)
157	116	{
158	116	int i;
159	116	int ret = 0;
160	116	int hLen, maskedDBLen, MSBits, emLen;
161	116	unsigned char H, salt = NULL, *p;
162	116	EVP_MD_CTX *ctx = NULL;
163
164	116	if (mgf1Hash == NULL)
165	0	mgf1Hash = Hash;
166
167	116	hLen = EVP_MD_get_size(Hash);
168	116	if (hLen < 0)
169	0	goto err;
170		/*-
171		* Negative sLen has special meanings:
172		* -1 sLen == hLen
173		* -2 salt length is maximized
174		* -3 same as above (on signing)
175		* -N reserved
176		*/
177	116	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
178	116	sLen = hLen;
179	116	} else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
180	0	sLen = RSA_PSS_SALTLEN_MAX;
181	0	} else if (sLen < RSA_PSS_SALTLEN_MAX) {
182	0	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
183	0	goto err;
184	0	}
185
186	116	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
187	116	emLen = RSA_size(rsa);
188	116	if (MSBits == 0) {
189	0	*EM++ = 0;
190	0	emLen--;
191	0	}
192	116	if (emLen < hLen + 2) {
193	0	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
194	0	goto err;
195	0	}
196	116	if (sLen == RSA_PSS_SALTLEN_MAX) {
197	0	sLen = emLen - hLen - 2;
198	116	} else if (sLen > emLen - hLen - 2) {
199	0	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
200	0	goto err;
201	0	}
202	116	if (sLen > 0) {
203	116	salt = OPENSSL_malloc(sLen);
204	116	if (salt == NULL) {
205	0	ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
206	0	goto err;
207	0	}
208	116	if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
209	0	goto err;
210	116	}
211	116	maskedDBLen = emLen - hLen - 1;
212	116	H = EM + maskedDBLen;
213	116	ctx = EVP_MD_CTX_new();
214	116	if (ctx == NULL)
215	0	goto err;
216	116	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
217	116	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
218	116	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
219	0	goto err;
220	116	if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
221	0	goto err;
222	116	if (!EVP_DigestFinal_ex(ctx, H, NULL))
223	0	goto err;
224
225		/* Generate dbMask in place then perform XOR on it */
226	116	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
227	0	goto err;
228
229	116	p = EM;
230
231		/*
232		* Initial PS XORs with all zeroes which is a NOP so just update pointer.
233		* Note from a test above this value is guaranteed to be non-negative.
234		*/
235	116	p += emLen - sLen - hLen - 2;
236	116	*p++ ^= 0x1;
237	116	if (sLen > 0) {
238	4.86k	for (i = 0; i < sLen; i++)
239	4.75k	*p++ ^= salt[i];
240	116	}
241	116	if (MSBits)
242	116	EM[0] &= 0xFF >> (8 - MSBits);
243
244		/* H is already in place so just set final 0xbc */
245
246	116	EM[emLen - 1] = 0xbc;
247
248	116	ret = 1;
249
250	116	err:
251	116	EVP_MD_CTX_free(ctx);
252	116	OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */
253
254	116	return ret;
255	116	}
256
257		/*
258		* The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
259		* (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
260		*
261		* If the default values of the hashAlgorithm, maskGenAlgorithm, and
262		* trailerField fields of RSASSA-PSS-params are used, then the algorithm
263		* identifier will have the following value:
264		*
265		* rSASSA-PSS-Default-Identifier RSASSA-AlgorithmIdentifier ::= {
266		* algorithm id-RSASSA-PSS,
267		* parameters RSASSA-PSS-params : {
268		* hashAlgorithm sha1,
269		* maskGenAlgorithm mgf1SHA1,
270		* saltLength 20,
271		* trailerField trailerFieldBC
272		* }
273		* }
274		*
275		* RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
276		* {PKCS1Algorithms}
277		* }
278		*/
279		static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
280		NID_sha1, /* default hashAlgorithm */
281		{
282		NID_mgf1, /* default maskGenAlgorithm */
283		NID_sha1 /* default MGF1 hash */
284		},
285		20, /* default saltLength */
286		1 /* default trailerField (0xBC) */
287		};
288
289		int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
290	27.4k	{
291	27.4k	if (rsa_pss_params == NULL)
292	0	return 0;
293	27.4k	*rsa_pss_params = default_RSASSA_PSS_params;
294	27.4k	return 1;
295	27.4k	}
296
297		int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
298	80.4k	{
299	80.4k	static RSA_PSS_PARAMS_30 pss_params_cmp = {
300	80.4k	0,
301	80.4k	};
302
303	80.4k	return rsa_pss_params == NULL
304	80.4k	\|\| memcmp(rsa_pss_params, &pss_params_cmp,
305	80.4k	sizeof(*rsa_pss_params))
306	80.4k	== 0;
307	80.4k	}
308
309		int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
310		const RSA_PSS_PARAMS_30 *from)
311	0	{
312	0	memcpy(to, from, sizeof(*to));
313	0	return 1;
314	0	}
315
316		int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
317		int hashalg_nid)
318	10.1k	{
319	10.1k	if (rsa_pss_params == NULL)
320	0	return 0;
321	10.1k	rsa_pss_params->hash_algorithm_nid = hashalg_nid;
322	10.1k	return 1;
323	10.1k	}
324
325		int ossl_rsa_pss_params_30_set_maskgenalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
326		int maskgenalg_nid)
327	0	{
328	0	if (rsa_pss_params == NULL)
329	0	return 0;
330	0	rsa_pss_params->mask_gen.algorithm_nid = maskgenalg_nid;
331	0	return 1;
332	0	}
333
334		int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
335		int maskgenhashalg_nid)
336	10.1k	{
337	10.1k	if (rsa_pss_params == NULL)
338	0	return 0;
339	10.1k	rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
340	10.1k	return 1;
341	10.1k	}
342
343		int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
344		int saltlen)
345	10.1k	{
346	10.1k	if (rsa_pss_params == NULL)
347	0	return 0;
348	10.1k	rsa_pss_params->salt_len = saltlen;
349	10.1k	return 1;
350	10.1k	}
351
352		int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
353		int trailerfield)
354	10.1k	{
355	10.1k	if (rsa_pss_params == NULL)
356	0	return 0;
357	10.1k	rsa_pss_params->trailer_field = trailerfield;
358	10.1k	return 1;
359	10.1k	}
360
361		int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
362	20.8k	{
363	20.8k	if (rsa_pss_params == NULL)
364	10.1k	return default_RSASSA_PSS_params.hash_algorithm_nid;
365	10.7k	return rsa_pss_params->hash_algorithm_nid;
366	20.8k	}
367
368		int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
369	20.3k	{
370	20.3k	if (rsa_pss_params == NULL)
371	10.0k	return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
372	10.2k	return rsa_pss_params->mask_gen.algorithm_nid;
373	20.3k	}
374
375		int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
376	20.8k	{
377	20.8k	if (rsa_pss_params == NULL)
378	10.0k	return default_RSASSA_PSS_params.hash_algorithm_nid;
379	10.7k	return rsa_pss_params->mask_gen.hash_algorithm_nid;
380	20.8k	}
381
382		int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
383	26.5k	{
384	26.5k	if (rsa_pss_params == NULL)
385	16	return default_RSASSA_PSS_params.salt_len;
386	26.5k	return rsa_pss_params->salt_len;
387	26.5k	}
388
389		int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
390	16.0k	{
391	16.0k	if (rsa_pss_params == NULL)
392	16	return default_RSASSA_PSS_params.trailer_field;
393	16.0k	return rsa_pss_params->trailer_field;
394	16.0k	}
395
396		#if defined(_MSC_VER)
397		#pragma optimize("", on)
398		#endif