/src/openssl33/crypto/rsa/rsa_pss.c

Source
/*
 * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_local.h"

static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };

#if defined(_MSC_VER) && defined(_ARM_)
#pragma optimize("g", off)
#endif

int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
    const EVP_MD *Hash, const unsigned char *EM,
    int sLen)
{
    return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
}

int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
    const EVP_MD *Hash, const EVP_MD *mgf1Hash,
    const unsigned char *EM, int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    const unsigned char *H;
    unsigned char *DB = NULL;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    unsigned char H_[EVP_MAX_MD_SIZE];

    if (ctx == NULL)
        goto err;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is autorecovered from signature
     *      -3      salt length is maximized
     *      -4      salt length is autorecovered from signature
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (EM[0] & (0xFF << MSBits)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
        goto err;
    }
    if (MSBits == 0) {
        EM++;
        emLen--;
    }
    if (emLen < hLen + 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (EM[emLen - 1] != 0xbc) {
        ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
        goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    DB = OPENSSL_malloc(maskedDBLen);
    if (DB == NULL)
        goto err;
    if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
        goto err;
    for (i = 0; i < maskedDBLen; i++)
        DB[i] ^= EM[i];
    if (MSBits)
        DB[0] &= 0xFF >> (8 - MSBits);
    for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
        ;
    if (DB[i++] != 0x1) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
        goto err;
    }
    if (sLen != RSA_PSS_SALTLEN_AUTO
        && sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
        && (maskedDBLen - i) != sLen) {
        ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
            "expected: %d retrieved: %d", sLen,
            maskedDBLen - i);
        goto err;
    }
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (maskedDBLen - i) {
        if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
            goto err;
    }
    if (!EVP_DigestFinal_ex(ctx, H_, NULL))
        goto err;
    if (memcmp(H_, H, hLen)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
        ret = 0;
    } else {
        ret = 1;
    }

err:
    OPENSSL_free(DB);
    EVP_MD_CTX_free(ctx);

    return ret;
}

int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
    const unsigned char *mHash,
    const EVP_MD *Hash, int sLen)
{
    return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
}

int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
    const unsigned char *mHash,
    const EVP_MD *Hash, const EVP_MD *mgf1Hash,
    int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    unsigned char *H, *salt = NULL, *p;
    EVP_MD_CTX *ctx = NULL;
    int sLenMax = -1;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is maximized
     *      -3      same as above (on signing)
     *      -4      salt length is min(hLen, maximum salt length)
     *      -N      reserved
     */
    /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
     * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
     * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
     * the hash function output block (in bytes)."
     *
     * Provide a way to use at most the digest length, so that the default does
     * not violate FIPS 186-4. */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
        || sLen == RSA_PSS_SALTLEN_AUTO) {
        sLen = RSA_PSS_SALTLEN_MAX;
    } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
        sLen = RSA_PSS_SALTLEN_MAX;
        sLenMax = hLen;
    } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (MSBits == 0) {
        *EM++ = 0;
        emLen--;
    }
    if (emLen < hLen + 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
        if (sLenMax >= 0 && sLen > sLenMax)
            sLen = sLenMax;
    } else if (sLen > emLen - hLen - 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen > 0) {
        salt = OPENSSL_malloc(sLen);
        if (salt == NULL)
            goto err;
        if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
            goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    ctx = EVP_MD_CTX_new();
    if (ctx == NULL)
        goto err;
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
        goto err;
    if (!EVP_DigestFinal_ex(ctx, H, NULL))
        goto err;

    /* Generate dbMask in place then perform XOR on it */
    if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
        goto err;

    p = EM;

    /*
     * Initial PS XORs with all zeroes which is a NOP so just update pointer.
     * Note from a test above this value is guaranteed to be non-negative.
     */
    p += emLen - sLen - hLen - 2;
    *p++ ^= 0x1;
    if (sLen > 0) {
        for (i = 0; i < sLen; i++)
            *p++ ^= salt[i];
    }
    if (MSBits)
        EM[0] &= 0xFF >> (8 - MSBits);

    /* H is already in place so just set final 0xbc */

    EM[emLen - 1] = 0xbc;

    ret = 1;

err:
    EVP_MD_CTX_free(ctx);
    OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */

    return ret;
}

/*
 * The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
 * (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
 *
 * If the default values of the hashAlgorithm, maskGenAlgorithm, and
 * trailerField fields of RSASSA-PSS-params are used, then the algorithm
 * identifier will have the following value:
 *
 *     rSASSA-PSS-Default-Identifier    RSASSA-AlgorithmIdentifier ::= {
 *         algorithm   id-RSASSA-PSS,
 *         parameters  RSASSA-PSS-params : {
 *             hashAlgorithm       sha1,
 *             maskGenAlgorithm    mgf1SHA1,
 *             saltLength          20,
 *             trailerField        trailerFieldBC
 *         }
 *     }
 *
 *     RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
 *         {PKCS1Algorithms}
 *     }
 */
static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
    NID_sha1, /* default hashAlgorithm */
    {
        NID_mgf1, /* default maskGenAlgorithm */
        NID_sha1 /* default MGF1 hash */
    },
    20, /* default saltLength */
    1 /* default trailerField (0xBC) */
};

int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return 0;
    *rsa_pss_params = default_RSASSA_PSS_params;
    return 1;
}

int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    static RSA_PSS_PARAMS_30 pss_params_cmp = {
        0,
    };

    return rsa_pss_params == NULL
        || memcmp(rsa_pss_params, &pss_params_cmp,
               sizeof(*rsa_pss_params))
        == 0;
}

int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
    const RSA_PSS_PARAMS_30 *from)
{
    memcpy(to, from, sizeof(*to));
    return 1;
}

int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
    int hashalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->hash_algorithm_nid = hashalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
    int maskgenhashalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
    int saltlen)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->salt_len = saltlen;
    return 1;
}

int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
    int trailerfield)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->trailer_field = trailerfield;
    return 1;
}

int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.hash_algorithm_nid;
    return rsa_pss_params->hash_algorithm_nid;
}

int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
    return rsa_pss_params->mask_gen.algorithm_nid;
}

int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.hash_algorithm_nid;
    return rsa_pss_params->mask_gen.hash_algorithm_nid;
}

int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.salt_len;
    return rsa_pss_params->salt_len;
}

int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.trailer_field;
    return rsa_pss_params->trailer_field;
}

#if defined(_MSC_VER)
#pragma optimize("", on)
#endif

Coverage Report

Created: 2026-05-24 07:14

Line	Count	Source
1		/*
2		* Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* RSA low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <stdio.h>
17		#include "internal/cryptlib.h"
18		#include <openssl/bn.h>
19		#include <openssl/rsa.h>
20		#include <openssl/evp.h>
21		#include <openssl/rand.h>
22		#include <openssl/sha.h>
23		#include "rsa_local.h"
24
25		static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
26
27		#if defined(_MSC_VER) && defined(_ARM_)
28		#pragma optimize("g", off)
29		#endif
30
31		int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,
32		const EVP_MD Hash, const unsigned char EM,
33		int sLen)
34	0	{
35	0	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
36	0	}
37
38		int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
39		const EVP_MD Hash, const EVP_MD mgf1Hash,
40		const unsigned char *EM, int sLen)
41	3.96k	{
42	3.96k	int i;
43	3.96k	int ret = 0;
44	3.96k	int hLen, maskedDBLen, MSBits, emLen;
45	3.96k	const unsigned char *H;
46	3.96k	unsigned char *DB = NULL;
47	3.96k	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
48	3.96k	unsigned char H_[EVP_MAX_MD_SIZE];
49
50	3.96k	if (ctx == NULL)
51	0	goto err;
52
53	3.96k	if (mgf1Hash == NULL)
54	0	mgf1Hash = Hash;
55
56	3.96k	hLen = EVP_MD_get_size(Hash);
57	3.96k	if (hLen < 0)
58	0	goto err;
59		/*-
60		* Negative sLen has special meanings:
61		* -1 sLen == hLen
62		* -2 salt length is autorecovered from signature
63		* -3 salt length is maximized
64		* -4 salt length is autorecovered from signature
65		* -N reserved
66		*/
67	3.96k	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
68	2.88k	sLen = hLen;
69	2.88k	} else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
70	0	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
71	0	goto err;
72	0	}
73
74	3.96k	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
75	3.96k	emLen = RSA_size(rsa);
76	3.96k	if (EM[0] & (0xFF << MSBits)) {
77	1.05k	ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
78	1.05k	goto err;
79	1.05k	}
80	2.91k	if (MSBits == 0) {
81	833	EM++;
82	833	emLen--;
83	833	}
84	2.91k	if (emLen < hLen + 2) {
85	31	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
86	31	goto err;
87	31	}
88	2.88k	if (sLen == RSA_PSS_SALTLEN_MAX) {
89	0	sLen = emLen - hLen - 2;
90	2.88k	} else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
91	20	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
92	20	goto err;
93	20	}
94	2.86k	if (EM[emLen - 1] != 0xbc) {
95	2.72k	ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
96	2.72k	goto err;
97	2.72k	}
98	139	maskedDBLen = emLen - hLen - 1;
99	139	H = EM + maskedDBLen;
100	139	DB = OPENSSL_malloc(maskedDBLen);
101	139	if (DB == NULL)
102	0	goto err;
103	139	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
104	0	goto err;
105	26.7k	for (i = 0; i < maskedDBLen; i++)
106	26.6k	DB[i] ^= EM[i];
107	139	if (MSBits)
108	110	DB[0] &= 0xFF >> (8 - MSBits);
109	2.56k	for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
110	2.42k	;
111	139	if (DB[i++] != 0x1) {
112	104	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
113	104	goto err;
114	104	}
115	35	if (sLen != RSA_PSS_SALTLEN_AUTO
116	35	&& sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
117	35	&& (maskedDBLen - i) != sLen) {
118	20	ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
119	20	"expected: %d retrieved: %d", sLen,
120	20	maskedDBLen - i);
121	20	goto err;
122	20	}
123	15	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
124	15	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
125	15	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
126	0	goto err;
127	15	if (maskedDBLen - i) {
128	15	if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
129	0	goto err;
130	15	}
131	15	if (!EVP_DigestFinal_ex(ctx, H_, NULL))
132	0	goto err;
133	15	if (memcmp(H_, H, hLen)) {
134	14	ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
135	14	ret = 0;
136	14	} else {
137	1	ret = 1;
138	1	}
139
140	3.96k	err:
141	3.96k	OPENSSL_free(DB);
142	3.96k	EVP_MD_CTX_free(ctx);
143
144	3.96k	return ret;
145	15	}
146
147		int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
148		const unsigned char *mHash,
149		const EVP_MD *Hash, int sLen)
150	0	{
151	0	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
152	0	}
153
154		int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
155		const unsigned char *mHash,
156		const EVP_MD Hash, const EVP_MD mgf1Hash,
157		int sLen)
158	195	{
159	195	int i;
160	195	int ret = 0;
161	195	int hLen, maskedDBLen, MSBits, emLen;
162	195	unsigned char H, salt = NULL, *p;
163	195	EVP_MD_CTX *ctx = NULL;
164	195	int sLenMax = -1;
165
166	195	if (mgf1Hash == NULL)
167	0	mgf1Hash = Hash;
168
169	195	hLen = EVP_MD_get_size(Hash);
170	195	if (hLen < 0)
171	0	goto err;
172		/*-
173		* Negative sLen has special meanings:
174		* -1 sLen == hLen
175		* -2 salt length is maximized
176		* -3 same as above (on signing)
177		* -4 salt length is min(hLen, maximum salt length)
178		* -N reserved
179		*/
180		/* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
181		* 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
182		* salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
183		* the hash function output block (in bytes)."
184		*
185		* Provide a way to use at most the digest length, so that the default does
186		* not violate FIPS 186-4. */
187	195	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
188	195	sLen = hLen;
189	195	} else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
190	0	\|\| sLen == RSA_PSS_SALTLEN_AUTO) {
191	0	sLen = RSA_PSS_SALTLEN_MAX;
192	0	} else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
193	0	sLen = RSA_PSS_SALTLEN_MAX;
194	0	sLenMax = hLen;
195	0	} else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
196	0	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
197	0	goto err;
198	0	}
199
200	195	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
201	195	emLen = RSA_size(rsa);
202	195	if (MSBits == 0) {
203	0	*EM++ = 0;
204	0	emLen--;
205	0	}
206	195	if (emLen < hLen + 2) {
207	0	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
208	0	goto err;
209	0	}
210	195	if (sLen == RSA_PSS_SALTLEN_MAX) {
211	0	sLen = emLen - hLen - 2;
212	0	if (sLenMax >= 0 && sLen > sLenMax)
213	0	sLen = sLenMax;
214	195	} else if (sLen > emLen - hLen - 2) {
215	0	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
216	0	goto err;
217	0	}
218	195	if (sLen > 0) {
219	195	salt = OPENSSL_malloc(sLen);
220	195	if (salt == NULL)
221	0	goto err;
222	195	if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
223	0	goto err;
224	195	}
225	195	maskedDBLen = emLen - hLen - 1;
226	195	H = EM + maskedDBLen;
227	195	ctx = EVP_MD_CTX_new();
228	195	if (ctx == NULL)
229	0	goto err;
230	195	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
231	195	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
232	195	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
233	0	goto err;
234	195	if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
235	0	goto err;
236	195	if (!EVP_DigestFinal_ex(ctx, H, NULL))
237	0	goto err;
238
239		/* Generate dbMask in place then perform XOR on it */
240	195	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
241	0	goto err;
242
243	195	p = EM;
244
245		/*
246		* Initial PS XORs with all zeroes which is a NOP so just update pointer.
247		* Note from a test above this value is guaranteed to be non-negative.
248		*/
249	195	p += emLen - sLen - hLen - 2;
250	195	*p++ ^= 0x1;
251	195	if (sLen > 0) {
252	9.07k	for (i = 0; i < sLen; i++)
253	8.88k	*p++ ^= salt[i];
254	195	}
255	195	if (MSBits)
256	195	EM[0] &= 0xFF >> (8 - MSBits);
257
258		/* H is already in place so just set final 0xbc */
259
260	195	EM[emLen - 1] = 0xbc;
261
262	195	ret = 1;
263
264	195	err:
265	195	EVP_MD_CTX_free(ctx);
266	195	OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */
267
268	195	return ret;
269	195	}
270
271		/*
272		* The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
273		* (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
274		*
275		* If the default values of the hashAlgorithm, maskGenAlgorithm, and
276		* trailerField fields of RSASSA-PSS-params are used, then the algorithm
277		* identifier will have the following value:
278		*
279		* rSASSA-PSS-Default-Identifier RSASSA-AlgorithmIdentifier ::= {
280		* algorithm id-RSASSA-PSS,
281		* parameters RSASSA-PSS-params : {
282		* hashAlgorithm sha1,
283		* maskGenAlgorithm mgf1SHA1,
284		* saltLength 20,
285		* trailerField trailerFieldBC
286		* }
287		* }
288		*
289		* RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
290		* {PKCS1Algorithms}
291		* }
292		*/
293		static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
294		NID_sha1, /* default hashAlgorithm */
295		{
296		NID_mgf1, /* default maskGenAlgorithm */
297		NID_sha1 /* default MGF1 hash */
298		},
299		20, /* default saltLength */
300		1 /* default trailerField (0xBC) */
301		};
302
303		int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
304	36.1k	{
305	36.1k	if (rsa_pss_params == NULL)
306	0	return 0;
307	36.1k	*rsa_pss_params = default_RSASSA_PSS_params;
308	36.1k	return 1;
309	36.1k	}
310
311		int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
312	91.5k	{
313	91.5k	static RSA_PSS_PARAMS_30 pss_params_cmp = {
314	91.5k	0,
315	91.5k	};
316
317	91.5k	return rsa_pss_params == NULL
318	91.5k	\|\| memcmp(rsa_pss_params, &pss_params_cmp,
319	91.5k	sizeof(*rsa_pss_params))
320	91.5k	== 0;
321	91.5k	}
322
323		int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
324		const RSA_PSS_PARAMS_30 *from)
325	0	{
326	0	memcpy(to, from, sizeof(*to));
327	0	return 1;
328	0	}
329
330		int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
331		int hashalg_nid)
332	13.6k	{
333	13.6k	if (rsa_pss_params == NULL)
334	0	return 0;
335	13.6k	rsa_pss_params->hash_algorithm_nid = hashalg_nid;
336	13.6k	return 1;
337	13.6k	}
338
339		int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
340		int maskgenhashalg_nid)
341	13.6k	{
342	13.6k	if (rsa_pss_params == NULL)
343	0	return 0;
344	13.6k	rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
345	13.6k	return 1;
346	13.6k	}
347
348		int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
349		int saltlen)
350	13.6k	{
351	13.6k	if (rsa_pss_params == NULL)
352	0	return 0;
353	13.6k	rsa_pss_params->salt_len = saltlen;
354	13.6k	return 1;
355	13.6k	}
356
357		int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
358		int trailerfield)
359	13.6k	{
360	13.6k	if (rsa_pss_params == NULL)
361	0	return 0;
362	13.6k	rsa_pss_params->trailer_field = trailerfield;
363	13.6k	return 1;
364	13.6k	}
365
366		int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
367	28.0k	{
368	28.0k	if (rsa_pss_params == NULL)
369	13.6k	return default_RSASSA_PSS_params.hash_algorithm_nid;
370	14.4k	return rsa_pss_params->hash_algorithm_nid;
371	28.0k	}
372
373		int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
374	27.3k	{
375	27.3k	if (rsa_pss_params == NULL)
376	13.5k	return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
377	13.7k	return rsa_pss_params->mask_gen.algorithm_nid;
378	27.3k	}
379
380		int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
381	27.9k	{
382	27.9k	if (rsa_pss_params == NULL)
383	13.5k	return default_RSASSA_PSS_params.hash_algorithm_nid;
384	14.4k	return rsa_pss_params->mask_gen.hash_algorithm_nid;
385	27.9k	}
386
387		int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
388	35.0k	{
389	35.0k	if (rsa_pss_params == NULL)
390	12	return default_RSASSA_PSS_params.salt_len;
391	35.0k	return rsa_pss_params->salt_len;
392	35.0k	}
393
394		int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
395	20.9k	{
396	20.9k	if (rsa_pss_params == NULL)
397	12	return default_RSASSA_PSS_params.trailer_field;
398	20.9k	return rsa_pss_params->trailer_field;
399	20.9k	}
400
401		#if defined(_MSC_VER)
402		#pragma optimize("", on)
403		#endif