/src/openssl30/crypto/rsa/rsa_pss.c

Source
/*
 * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_local.h"

static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };

#if defined(_MSC_VER) && defined(_ARM_)
#pragma optimize("g", off)
#endif

int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
    const EVP_MD *Hash, const unsigned char *EM,
    int sLen)
{
    return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
}

int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
    const EVP_MD *Hash, const EVP_MD *mgf1Hash,
    const unsigned char *EM, int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    const unsigned char *H;
    unsigned char *DB = NULL;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    unsigned char H_[EVP_MAX_MD_SIZE];

    if (ctx == NULL)
        goto err;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is autorecovered from signature
     *      -3      salt length is maximized
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen < RSA_PSS_SALTLEN_MAX) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (EM[0] & (0xFF << MSBits)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
        goto err;
    }
    if (MSBits == 0) {
        EM++;
        emLen--;
    }
    if (emLen < hLen + 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (EM[emLen - 1] != 0xbc) {
        ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
        goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    DB = OPENSSL_malloc(maskedDBLen);
    if (DB == NULL) {
        ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
        goto err;
    for (i = 0; i < maskedDBLen; i++)
        DB[i] ^= EM[i];
    if (MSBits)
        DB[0] &= 0xFF >> (8 - MSBits);
    for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
        ;
    if (DB[i++] != 0x1) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
        goto err;
    }
    if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
        ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
            "expected: %d retrieved: %d", sLen,
            maskedDBLen - i);
        goto err;
    }
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (maskedDBLen - i) {
        if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
            goto err;
    }
    if (!EVP_DigestFinal_ex(ctx, H_, NULL))
        goto err;
    if (memcmp(H_, H, hLen)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
        ret = 0;
    } else {
        ret = 1;
    }

err:
    OPENSSL_free(DB);
    EVP_MD_CTX_free(ctx);

    return ret;
}

int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
    const unsigned char *mHash,
    const EVP_MD *Hash, int sLen)
{
    return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
}

int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
    const unsigned char *mHash,
    const EVP_MD *Hash, const EVP_MD *mgf1Hash,
    int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    unsigned char *H, *salt = NULL, *p;
    EVP_MD_CTX *ctx = NULL;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is maximized
     *      -3      same as above (on signing)
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
        sLen = RSA_PSS_SALTLEN_MAX;
    } else if (sLen < RSA_PSS_SALTLEN_MAX) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (MSBits == 0) {
        *EM++ = 0;
        emLen--;
    }
    if (emLen < hLen + 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen > 0) {
        salt = OPENSSL_malloc(sLen);
        if (salt == NULL) {
            ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
            goto err;
        }
        if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
            goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    ctx = EVP_MD_CTX_new();
    if (ctx == NULL)
        goto err;
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
        goto err;
    if (!EVP_DigestFinal_ex(ctx, H, NULL))
        goto err;

    /* Generate dbMask in place then perform XOR on it */
    if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
        goto err;

    p = EM;

    /*
     * Initial PS XORs with all zeroes which is a NOP so just update pointer.
     * Note from a test above this value is guaranteed to be non-negative.
     */
    p += emLen - sLen - hLen - 2;
    *p++ ^= 0x1;
    if (sLen > 0) {
        for (i = 0; i < sLen; i++)
            *p++ ^= salt[i];
    }
    if (MSBits)
        EM[0] &= 0xFF >> (8 - MSBits);

    /* H is already in place so just set final 0xbc */

    EM[emLen - 1] = 0xbc;

    ret = 1;

err:
    EVP_MD_CTX_free(ctx);
    OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */

    return ret;
}

/*
 * The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
 * (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
 *
 * If the default values of the hashAlgorithm, maskGenAlgorithm, and
 * trailerField fields of RSASSA-PSS-params are used, then the algorithm
 * identifier will have the following value:
 *
 *     rSASSA-PSS-Default-Identifier    RSASSA-AlgorithmIdentifier ::= {
 *         algorithm   id-RSASSA-PSS,
 *         parameters  RSASSA-PSS-params : {
 *             hashAlgorithm       sha1,
 *             maskGenAlgorithm    mgf1SHA1,
 *             saltLength          20,
 *             trailerField        trailerFieldBC
 *         }
 *     }
 *
 *     RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
 *         {PKCS1Algorithms}
 *     }
 */
static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
    NID_sha1, /* default hashAlgorithm */
    {
        NID_mgf1, /* default maskGenAlgorithm */
        NID_sha1 /* default MGF1 hash */
    },
    20, /* default saltLength */
    1 /* default trailerField (0xBC) */
};

int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return 0;
    *rsa_pss_params = default_RSASSA_PSS_params;
    return 1;
}

int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    static RSA_PSS_PARAMS_30 pss_params_cmp = {
        0,
    };

    return rsa_pss_params == NULL
        || memcmp(rsa_pss_params, &pss_params_cmp,
               sizeof(*rsa_pss_params))
        == 0;
}

int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
    const RSA_PSS_PARAMS_30 *from)
{
    memcpy(to, from, sizeof(*to));
    return 1;
}

int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
    int hashalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->hash_algorithm_nid = hashalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_maskgenalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
    int maskgenalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->mask_gen.algorithm_nid = maskgenalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
    int maskgenhashalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
    int saltlen)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->salt_len = saltlen;
    return 1;
}

int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
    int trailerfield)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->trailer_field = trailerfield;
    return 1;
}

int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.hash_algorithm_nid;
    return rsa_pss_params->hash_algorithm_nid;
}

int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
    return rsa_pss_params->mask_gen.algorithm_nid;
}

int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.hash_algorithm_nid;
    return rsa_pss_params->mask_gen.hash_algorithm_nid;
}

int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.salt_len;
    return rsa_pss_params->salt_len;
}

int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.trailer_field;
    return rsa_pss_params->trailer_field;
}

#if defined(_MSC_VER)
#pragma optimize("", on)
#endif

Coverage Report

Created: 2026-02-14 07:20

Line	Count	Source
1		/*
2		* Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* RSA low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <stdio.h>
17		#include "internal/cryptlib.h"
18		#include <openssl/bn.h>
19		#include <openssl/rsa.h>
20		#include <openssl/evp.h>
21		#include <openssl/rand.h>
22		#include <openssl/sha.h>
23		#include "rsa_local.h"
24
25		static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
26
27		#if defined(_MSC_VER) && defined(_ARM_)
28		#pragma optimize("g", off)
29		#endif
30
31		int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,
32		const EVP_MD Hash, const unsigned char EM,
33		int sLen)
34	0	{
35	0	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
36	0	}
37
38		int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
39		const EVP_MD Hash, const EVP_MD mgf1Hash,
40		const unsigned char *EM, int sLen)
41	761	{
42	761	int i;
43	761	int ret = 0;
44	761	int hLen, maskedDBLen, MSBits, emLen;
45	761	const unsigned char *H;
46	761	unsigned char *DB = NULL;
47	761	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
48	761	unsigned char H_[EVP_MAX_MD_SIZE];
49
50	761	if (ctx == NULL)
51	0	goto err;
52
53	761	if (mgf1Hash == NULL)
54	0	mgf1Hash = Hash;
55
56	761	hLen = EVP_MD_get_size(Hash);
57	761	if (hLen < 0)
58	0	goto err;
59		/*-
60		* Negative sLen has special meanings:
61		* -1 sLen == hLen
62		* -2 salt length is autorecovered from signature
63		* -3 salt length is maximized
64		* -N reserved
65		*/
66	761	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
67	62	sLen = hLen;
68	699	} else if (sLen < RSA_PSS_SALTLEN_MAX) {
69	0	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
70	0	goto err;
71	0	}
72
73	761	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
74	761	emLen = RSA_size(rsa);
75	761	if (EM[0] & (0xFF << MSBits)) {
76	153	ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
77	153	goto err;
78	153	}
79	608	if (MSBits == 0) {
80	19	EM++;
81	19	emLen--;
82	19	}
83	608	if (emLen < hLen + 2) {
84	9	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
85	9	goto err;
86	9	}
87	599	if (sLen == RSA_PSS_SALTLEN_MAX) {
88	0	sLen = emLen - hLen - 2;
89	599	} else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
90	5	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
91	5	goto err;
92	5	}
93	594	if (EM[emLen - 1] != 0xbc) {
94	537	ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
95	537	goto err;
96	537	}
97	57	maskedDBLen = emLen - hLen - 1;
98	57	H = EM + maskedDBLen;
99	57	DB = OPENSSL_malloc(maskedDBLen);
100	57	if (DB == NULL) {
101	0	ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
102	0	goto err;
103	0	}
104	57	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
105	0	goto err;
106	9.15k	for (i = 0; i < maskedDBLen; i++)
107	9.09k	DB[i] ^= EM[i];
108	57	if (MSBits)
109	50	DB[0] &= 0xFF >> (8 - MSBits);
110	1.65k	for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
111	1.59k	;
112	57	if (DB[i++] != 0x1) {
113	36	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
114	36	goto err;
115	36	}
116	21	if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
117	9	ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
118	9	"expected: %d retrieved: %d", sLen,
119	9	maskedDBLen - i);
120	9	goto err;
121	9	}
122	12	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
123	12	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
124	12	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
125	0	goto err;
126	12	if (maskedDBLen - i) {
127	12	if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
128	0	goto err;
129	12	}
130	12	if (!EVP_DigestFinal_ex(ctx, H_, NULL))
131	0	goto err;
132	12	if (memcmp(H_, H, hLen)) {
133	9	ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
134	9	ret = 0;
135	9	} else {
136	3	ret = 1;
137	3	}
138
139	761	err:
140	761	OPENSSL_free(DB);
141	761	EVP_MD_CTX_free(ctx);
142
143	761	return ret;
144	12	}
145
146		int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
147		const unsigned char *mHash,
148		const EVP_MD *Hash, int sLen)
149	0	{
150	0	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
151	0	}
152
153		int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
154		const unsigned char *mHash,
155		const EVP_MD Hash, const EVP_MD mgf1Hash,
156		int sLen)
157	108	{
158	108	int i;
159	108	int ret = 0;
160	108	int hLen, maskedDBLen, MSBits, emLen;
161	108	unsigned char H, salt = NULL, *p;
162	108	EVP_MD_CTX *ctx = NULL;
163
164	108	if (mgf1Hash == NULL)
165	0	mgf1Hash = Hash;
166
167	108	hLen = EVP_MD_get_size(Hash);
168	108	if (hLen < 0)
169	0	goto err;
170		/*-
171		* Negative sLen has special meanings:
172		* -1 sLen == hLen
173		* -2 salt length is maximized
174		* -3 same as above (on signing)
175		* -N reserved
176		*/
177	108	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
178	108	sLen = hLen;
179	108	} else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
180	0	sLen = RSA_PSS_SALTLEN_MAX;
181	0	} else if (sLen < RSA_PSS_SALTLEN_MAX) {
182	0	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
183	0	goto err;
184	0	}
185
186	108	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
187	108	emLen = RSA_size(rsa);
188	108	if (MSBits == 0) {
189	0	*EM++ = 0;
190	0	emLen--;
191	0	}
192	108	if (emLen < hLen + 2) {
193	0	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
194	0	goto err;
195	0	}
196	108	if (sLen == RSA_PSS_SALTLEN_MAX) {
197	0	sLen = emLen - hLen - 2;
198	108	} else if (sLen > emLen - hLen - 2) {
199	0	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
200	0	goto err;
201	0	}
202	108	if (sLen > 0) {
203	108	salt = OPENSSL_malloc(sLen);
204	108	if (salt == NULL) {
205	0	ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
206	0	goto err;
207	0	}
208	108	if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
209	0	goto err;
210	108	}
211	108	maskedDBLen = emLen - hLen - 1;
212	108	H = EM + maskedDBLen;
213	108	ctx = EVP_MD_CTX_new();
214	108	if (ctx == NULL)
215	0	goto err;
216	108	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
217	108	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
218	108	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
219	0	goto err;
220	108	if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
221	0	goto err;
222	108	if (!EVP_DigestFinal_ex(ctx, H, NULL))
223	0	goto err;
224
225		/* Generate dbMask in place then perform XOR on it */
226	108	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
227	0	goto err;
228
229	108	p = EM;
230
231		/*
232		* Initial PS XORs with all zeroes which is a NOP so just update pointer.
233		* Note from a test above this value is guaranteed to be non-negative.
234		*/
235	108	p += emLen - sLen - hLen - 2;
236	108	*p++ ^= 0x1;
237	108	if (sLen > 0) {
238	4.62k	for (i = 0; i < sLen; i++)
239	4.51k	*p++ ^= salt[i];
240	108	}
241	108	if (MSBits)
242	108	EM[0] &= 0xFF >> (8 - MSBits);
243
244		/* H is already in place so just set final 0xbc */
245
246	108	EM[emLen - 1] = 0xbc;
247
248	108	ret = 1;
249
250	108	err:
251	108	EVP_MD_CTX_free(ctx);
252	108	OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */
253
254	108	return ret;
255	108	}
256
257		/*
258		* The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
259		* (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
260		*
261		* If the default values of the hashAlgorithm, maskGenAlgorithm, and
262		* trailerField fields of RSASSA-PSS-params are used, then the algorithm
263		* identifier will have the following value:
264		*
265		* rSASSA-PSS-Default-Identifier RSASSA-AlgorithmIdentifier ::= {
266		* algorithm id-RSASSA-PSS,
267		* parameters RSASSA-PSS-params : {
268		* hashAlgorithm sha1,
269		* maskGenAlgorithm mgf1SHA1,
270		* saltLength 20,
271		* trailerField trailerFieldBC
272		* }
273		* }
274		*
275		* RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
276		* {PKCS1Algorithms}
277		* }
278		*/
279		static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
280		NID_sha1, /* default hashAlgorithm */
281		{
282		NID_mgf1, /* default maskGenAlgorithm */
283		NID_sha1 /* default MGF1 hash */
284		},
285		20, /* default saltLength */
286		1 /* default trailerField (0xBC) */
287		};
288
289		int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
290	26.4k	{
291	26.4k	if (rsa_pss_params == NULL)
292	0	return 0;
293	26.4k	*rsa_pss_params = default_RSASSA_PSS_params;
294	26.4k	return 1;
295	26.4k	}
296
297		int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
298	81.6k	{
299	81.6k	static RSA_PSS_PARAMS_30 pss_params_cmp = {
300	81.6k	0,
301	81.6k	};
302
303	81.6k	return rsa_pss_params == NULL
304	81.6k	\|\| memcmp(rsa_pss_params, &pss_params_cmp,
305	81.6k	sizeof(*rsa_pss_params))
306	81.6k	== 0;
307	81.6k	}
308
309		int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
310		const RSA_PSS_PARAMS_30 *from)
311	0	{
312	0	memcpy(to, from, sizeof(*to));
313	0	return 1;
314	0	}
315
316		int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
317		int hashalg_nid)
318	9.51k	{
319	9.51k	if (rsa_pss_params == NULL)
320	0	return 0;
321	9.51k	rsa_pss_params->hash_algorithm_nid = hashalg_nid;
322	9.51k	return 1;
323	9.51k	}
324
325		int ossl_rsa_pss_params_30_set_maskgenalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
326		int maskgenalg_nid)
327	0	{
328	0	if (rsa_pss_params == NULL)
329	0	return 0;
330	0	rsa_pss_params->mask_gen.algorithm_nid = maskgenalg_nid;
331	0	return 1;
332	0	}
333
334		int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
335		int maskgenhashalg_nid)
336	9.51k	{
337	9.51k	if (rsa_pss_params == NULL)
338	0	return 0;
339	9.51k	rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
340	9.51k	return 1;
341	9.51k	}
342
343		int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
344		int saltlen)
345	9.51k	{
346	9.51k	if (rsa_pss_params == NULL)
347	0	return 0;
348	9.51k	rsa_pss_params->salt_len = saltlen;
349	9.51k	return 1;
350	9.51k	}
351
352		int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
353		int trailerfield)
354	9.51k	{
355	9.51k	if (rsa_pss_params == NULL)
356	0	return 0;
357	9.51k	rsa_pss_params->trailer_field = trailerfield;
358	9.51k	return 1;
359	9.51k	}
360
361		int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
362	19.6k	{
363	19.6k	if (rsa_pss_params == NULL)
364	9.50k	return default_RSASSA_PSS_params.hash_algorithm_nid;
365	10.1k	return rsa_pss_params->hash_algorithm_nid;
366	19.6k	}
367
368		int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
369	19.1k	{
370	19.1k	if (rsa_pss_params == NULL)
371	9.48k	return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
372	9.66k	return rsa_pss_params->mask_gen.algorithm_nid;
373	19.1k	}
374
375		int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
376	19.6k	{
377	19.6k	if (rsa_pss_params == NULL)
378	9.48k	return default_RSASSA_PSS_params.hash_algorithm_nid;
379	10.1k	return rsa_pss_params->mask_gen.hash_algorithm_nid;
380	19.6k	}
381
382		int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
383	25.6k	{
384	25.6k	if (rsa_pss_params == NULL)
385	14	return default_RSASSA_PSS_params.salt_len;
386	25.5k	return rsa_pss_params->salt_len;
387	25.6k	}
388
389		int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
390	15.6k	{
391	15.6k	if (rsa_pss_params == NULL)
392	14	return default_RSASSA_PSS_params.trailer_field;
393	15.6k	return rsa_pss_params->trailer_field;
394	15.6k	}
395
396		#if defined(_MSC_VER)
397		#pragma optimize("", on)
398		#endif