1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2  * project 2005.
3  */
4 /* ====================================================================
5  * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  *
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in
16  *    the documentation and/or other materials provided with the
17  *    distribution.
18  *
19  * 3. All advertising materials mentioning features or use of this
20  *    software must display the following acknowledgment:
21  *    "This product includes software developed by the OpenSSL Project
22  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23  *
24  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25  *    endorse or promote products derived from this software without
26  *    prior written permission. For written permission, please contact
27  *    licensing@OpenSSL.org.
28  *
29  * 5. Products derived from this software may not be called "OpenSSL"
30  *    nor may "OpenSSL" appear in their names without prior written
31  *    permission of the OpenSSL Project.
32  *
33  * 6. Redistributions of any form whatsoever must retain the following
34  *    acknowledgment:
35  *    "This product includes software developed by the OpenSSL Project
36  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37  *
38  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
42  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49  * OF THE POSSIBILITY OF SUCH DAMAGE.
50  * ====================================================================
51  *
52  * This product includes cryptographic software written by Eric Young
53  * (eay@cryptsoft.com).  This product includes software written by Tim
54  * Hudson (tjh@cryptsoft.com). */
55 
56 #include <openssl/rsa.h>
57 
58 #include <assert.h>
59 #include <string.h>
60 
61 #include <openssl/digest.h>
62 #include <openssl/err.h>
63 #include <openssl/mem.h>
64 #include <openssl/rand.h>
65 #include <openssl/sha.h>
66 
67 #include "internal.h"
68 
69 /* TODO(fork): don't the check functions have to be constant time? */
70 
RSA_padding_add_PKCS1_type_1(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen)71 int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned tlen,
72                                  const uint8_t *from, unsigned flen) {
73   unsigned j;
74   uint8_t *p;
75 
76   if (tlen < RSA_PKCS1_PADDING_SIZE) {
77     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_1,
78                       RSA_R_KEY_SIZE_TOO_SMALL);
79     return 0;
80   }
81 
82   if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {
83     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_1,
84                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
85     return 0;
86   }
87 
88   p = (uint8_t *)to;
89 
90   *(p++) = 0;
91   *(p++) = 1; /* Private Key BT (Block Type) */
92 
93   /* pad out with 0xff data */
94   j = tlen - 3 - flen;
95   memset(p, 0xff, j);
96   p += j;
97   *(p++) = 0;
98   memcpy(p, from, (unsigned int)flen);
99   return 1;
100 }
101 
RSA_padding_check_PKCS1_type_1(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen)102 int RSA_padding_check_PKCS1_type_1(uint8_t *to, unsigned tlen,
103                                    const uint8_t *from, unsigned flen) {
104   unsigned i, j;
105   const uint8_t *p;
106 
107   if (flen < 2) {
108     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,
109                       RSA_R_DATA_TOO_SMALL);
110     return -1;
111   }
112 
113   p = from;
114   if ((*(p++) != 0) || (*(p++) != 1)) {
115     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,
116                       RSA_R_BLOCK_TYPE_IS_NOT_01);
117     return -1;
118   }
119 
120   /* scan over padding data */
121   j = flen - 2; /* one for leading 00, one for type. */
122   for (i = 0; i < j; i++) {
123     /* should decrypt to 0xff */
124     if (*p != 0xff) {
125       if (*p == 0) {
126         p++;
127         break;
128       } else {
129         OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,
130                           RSA_R_BAD_FIXED_HEADER_DECRYPT);
131         return -1;
132       }
133     }
134     p++;
135   }
136 
137   if (i == j) {
138     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,
139                       RSA_R_NULL_BEFORE_BLOCK_MISSING);
140     return -1;
141   }
142 
143   if (i < 8) {
144     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,
145                       RSA_R_BAD_PAD_BYTE_COUNT);
146     return -1;
147   }
148   i++; /* Skip over the '\0' */
149   j -= i;
150   if (j > tlen) {
151     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,
152                       RSA_R_DATA_TOO_LARGE);
153     return -1;
154   }
155   memcpy(to, p, j);
156 
157   return j;
158 }
159 
RSA_padding_add_PKCS1_type_2(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen)160 int RSA_padding_add_PKCS1_type_2(uint8_t *to, unsigned tlen,
161                                  const uint8_t *from, unsigned flen) {
162   unsigned i, j;
163   uint8_t *p;
164 
165   if (tlen < RSA_PKCS1_PADDING_SIZE) {
166     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_2,
167                       RSA_R_KEY_SIZE_TOO_SMALL);
168     return 0;
169   }
170 
171   if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {
172     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_2,
173                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
174     return 0;
175   }
176 
177   p = (unsigned char *)to;
178 
179   *(p++) = 0;
180   *(p++) = 2; /* Public Key BT (Block Type) */
181 
182   /* pad out with non-zero random data */
183   j = tlen - 3 - flen;
184 
185   if (!RAND_bytes(p, j)) {
186     return 0;
187   }
188 
189   for (i = 0; i < j; i++) {
190     while (*p == 0) {
191       if (!RAND_bytes(p, 1)) {
192         return 0;
193       }
194     }
195     p++;
196   }
197 
198   *(p++) = 0;
199 
200   memcpy(p, from, (unsigned int)flen);
201   return 1;
202 }
203 
204 /* constant_time_byte_eq returns 1 if |x| == |y| and 0 otherwise. */
constant_time_byte_eq(unsigned char a,unsigned char b)205 static int constant_time_byte_eq(unsigned char a, unsigned char b) {
206   unsigned char z = ~(a ^ b);
207   z &= z >> 4;
208   z &= z >> 2;
209   z &= z >> 1;
210 
211   return z;
212 }
213 
214 /* constant_time_select returns |x| if |v| is 1 and |y| if |v| is 0.
215  * Its behavior is undefined if |v| takes any other value. */
constant_time_select(int v,int x,int y)216 static int constant_time_select(int v, int x, int y) {
217   return ((~(v - 1)) & x) | ((v - 1) & y);
218 }
219 
220 /* constant_time_le returns 1 if |x| <= |y| and 0 otherwise.
221  * |x| and |y| must be positive. */
constant_time_le(int x,int y)222 static int constant_time_le(int x, int y) {
223   return ((x - y - 1) >> (sizeof(int) * 8 - 1)) & 1;
224 }
225 
RSA_message_index_PKCS1_type_2(const uint8_t * from,size_t from_len,size_t * out_index)226 int RSA_message_index_PKCS1_type_2(const uint8_t *from, size_t from_len,
227                                    size_t *out_index) {
228   size_t i;
229   int first_byte_is_zero, second_byte_is_two, looking_for_index;
230   int valid_index, zero_index = 0;
231 
232   /* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
233    * Standard", section 7.2.2. */
234   if (from_len < RSA_PKCS1_PADDING_SIZE) {
235     /* |from| is zero-padded to the size of the RSA modulus, a public value, so
236      * this can be rejected in non-constant time. */
237     *out_index = 0;
238     return 0;
239   }
240 
241   first_byte_is_zero = constant_time_byte_eq(from[0], 0);
242   second_byte_is_two = constant_time_byte_eq(from[1], 2);
243 
244   looking_for_index = 1;
245   for (i = 2; i < from_len; i++) {
246     int equals0 = constant_time_byte_eq(from[i], 0);
247     zero_index =
248         constant_time_select(looking_for_index & equals0, i, zero_index);
249     looking_for_index = constant_time_select(equals0, 0, looking_for_index);
250   }
251 
252   /* The input must begin with 00 02. */
253   valid_index = first_byte_is_zero;
254   valid_index &= second_byte_is_two;
255 
256   /* We must have found the end of PS. */
257   valid_index &= ~looking_for_index;
258 
259   /* PS must be at least 8 bytes long, and it starts two bytes into |from|. */
260   valid_index &= constant_time_le(2 + 8, zero_index);
261 
262   /* Skip the zero byte. */
263   zero_index++;
264 
265   *out_index = constant_time_select(valid_index, zero_index, 0);
266   return valid_index;
267 }
268 
RSA_padding_check_PKCS1_type_2(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen)269 int RSA_padding_check_PKCS1_type_2(uint8_t *to, unsigned tlen,
270                                    const uint8_t *from, unsigned flen) {
271   size_t msg_index, msg_len;
272 
273   if (flen == 0) {
274     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_2,
275                       RSA_R_EMPTY_PUBLIC_KEY);
276     return -1;
277   }
278 
279   /* NOTE: Although |RSA_message_index_PKCS1_type_2| itself is constant time,
280    * the API contracts of this function and |RSA_decrypt| with
281    * |RSA_PKCS1_PADDING| make it impossible to completely avoid Bleichenbacher's
282    * attack. */
283   if (!RSA_message_index_PKCS1_type_2(from, flen, &msg_index)) {
284     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_2,
285                       RSA_R_PKCS_DECODING_ERROR);
286     return -1;
287   }
288 
289   msg_len = flen - msg_index;
290   if (msg_len > tlen) {
291     /* This shouldn't happen because this function is always called with |tlen|
292      * the key size and |flen| is bounded by the key size. */
293     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_2,
294                       RSA_R_PKCS_DECODING_ERROR);
295     return -1;
296   }
297   memcpy(to, &from[msg_index], msg_len);
298   return msg_len;
299 }
300 
RSA_padding_add_none(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen)301 int RSA_padding_add_none(uint8_t *to, unsigned tlen, const uint8_t *from, unsigned flen) {
302   if (flen > tlen) {
303     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_none,
304                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
305     return 0;
306   }
307 
308   if (flen < tlen) {
309     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_none,
310                       RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
311     return 0;
312   }
313 
314   memcpy(to, from, (unsigned int)flen);
315   return 1;
316 }
317 
RSA_padding_check_none(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen)318 int RSA_padding_check_none(uint8_t *to, unsigned tlen, const uint8_t *from,
319                            unsigned flen) {
320   if (flen > tlen) {
321     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_none, RSA_R_DATA_TOO_LARGE);
322     return -1;
323   }
324 
325   memcpy(to, from, flen);
326   return flen;
327 }
328 
PKCS1_MGF1(uint8_t * mask,unsigned len,const uint8_t * seed,unsigned seedlen,const EVP_MD * dgst)329 int PKCS1_MGF1(uint8_t *mask, unsigned len, const uint8_t *seed,
330                unsigned seedlen, const EVP_MD *dgst) {
331   unsigned outlen = 0;
332   uint32_t i;
333   uint8_t cnt[4];
334   EVP_MD_CTX c;
335   uint8_t md[EVP_MAX_MD_SIZE];
336   unsigned mdlen;
337   int ret = -1;
338 
339   EVP_MD_CTX_init(&c);
340   mdlen = EVP_MD_size(dgst);
341 
342   for (i = 0; outlen < len; i++) {
343     cnt[0] = (uint8_t)((i >> 24) & 255);
344     cnt[1] = (uint8_t)((i >> 16) & 255);
345     cnt[2] = (uint8_t)((i >> 8)) & 255;
346     cnt[3] = (uint8_t)(i & 255);
347     if (!EVP_DigestInit_ex(&c, dgst, NULL) ||
348         !EVP_DigestUpdate(&c, seed, seedlen) || !EVP_DigestUpdate(&c, cnt, 4)) {
349       goto err;
350     }
351 
352     if (outlen + mdlen <= len) {
353       if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL)) {
354         goto err;
355       }
356       outlen += mdlen;
357     } else {
358       if (!EVP_DigestFinal_ex(&c, md, NULL)) {
359         goto err;
360       }
361       memcpy(mask + outlen, md, len - outlen);
362       outlen = len;
363     }
364   }
365   ret = 0;
366 
367 err:
368   EVP_MD_CTX_cleanup(&c);
369   return ret;
370 }
371 
RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen,const uint8_t * param,unsigned plen,const EVP_MD * md,const EVP_MD * mgf1md)372 int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, unsigned tlen,
373                                     const uint8_t *from, unsigned flen,
374                                     const uint8_t *param, unsigned plen,
375                                     const EVP_MD *md, const EVP_MD *mgf1md) {
376   unsigned i, emlen, mdlen;
377   uint8_t *db, *seed;
378   uint8_t *dbmask = NULL, seedmask[EVP_MAX_MD_SIZE];
379   int ret = 0;
380 
381   if (md == NULL) {
382     md = EVP_sha1();
383   }
384   if (mgf1md == NULL) {
385     mgf1md = md;
386   }
387 
388   mdlen = EVP_MD_size(md);
389 
390   if (tlen < 2 * mdlen + 2) {
391     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,
392                       RSA_R_KEY_SIZE_TOO_SMALL);
393     return 0;
394   }
395 
396   emlen = tlen - 1;
397   if (flen > emlen - 2 * mdlen - 1) {
398     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,
399                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
400     return 0;
401   }
402 
403   if (emlen < 2 * mdlen + 1) {
404     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,
405                       RSA_R_KEY_SIZE_TOO_SMALL);
406     return 0;
407   }
408 
409   to[0] = 0;
410   seed = to + 1;
411   db = to + mdlen + 1;
412 
413   if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL)) {
414     return 0;
415   }
416   memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);
417   db[emlen - flen - mdlen - 1] = 0x01;
418   memcpy(db + emlen - flen - mdlen, from, flen);
419   if (!RAND_bytes(seed, mdlen)) {
420     return 0;
421   }
422 
423   dbmask = OPENSSL_malloc(emlen - mdlen);
424   if (dbmask == NULL) {
425     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,
426                       ERR_R_MALLOC_FAILURE);
427     return 0;
428   }
429 
430   if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0) {
431     goto out;
432   }
433   for (i = 0; i < emlen - mdlen; i++) {
434     db[i] ^= dbmask[i];
435   }
436 
437   if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0) {
438     goto out;
439   }
440   for (i = 0; i < mdlen; i++) {
441     seed[i] ^= seedmask[i];
442   }
443   ret = 1;
444 
445 out:
446   OPENSSL_free(dbmask);
447   return ret;
448 }
449 
RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t * to,unsigned tlen,const uint8_t * from,unsigned flen,const uint8_t * param,unsigned plen,const EVP_MD * md,const EVP_MD * mgf1md)450 int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *to, unsigned tlen,
451                                       const uint8_t *from, unsigned flen,
452                                       const uint8_t *param, unsigned plen,
453                                       const EVP_MD *md, const EVP_MD *mgf1md) {
454   unsigned i, dblen, mlen = -1, mdlen;
455   const uint8_t *maskeddb, *maskedseed;
456   uint8_t *db = NULL, seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE];
457   int bad, looking_for_one_byte, one_index = 0;
458 
459   if (md == NULL) {
460     md = EVP_sha1();
461   }
462   if (mgf1md == NULL) {
463     mgf1md = md;
464   }
465 
466   mdlen = EVP_MD_size(md);
467 
468   /* The encoded message is one byte smaller than the modulus to ensure that it
469    * doesn't end up greater than the modulus. Thus there's an extra "+1" here
470    * compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2. */
471   if (flen < 1 + 2*mdlen + 1) {
472     /* 'flen' is the length of the modulus, i.e. does not depend on the
473      * particular ciphertext. */
474     goto decoding_err;
475   }
476 
477   dblen = flen - mdlen - 1;
478   db = OPENSSL_malloc(dblen);
479   if (db == NULL) {
480     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,
481                       ERR_R_MALLOC_FAILURE);
482     goto err;
483   }
484 
485   maskedseed = from + 1;
486   maskeddb = from + 1 + mdlen;
487 
488   if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {
489     goto err;
490   }
491   for (i = 0; i < mdlen; i++) {
492     seed[i] ^= maskedseed[i];
493   }
494 
495   if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {
496     goto err;
497   }
498   for (i = 0; i < dblen; i++) {
499     db[i] ^= maskeddb[i];
500   }
501 
502   if (!EVP_Digest((void *)param, plen, phash, NULL, md, NULL)) {
503     goto err;
504   }
505 
506   bad = CRYPTO_memcmp(db, phash, mdlen);
507   bad |= from[0];
508 
509   looking_for_one_byte = 1;
510   for (i = mdlen; i < dblen; i++) {
511     int equals1 = constant_time_byte_eq(db[i], 1);
512     int equals0 = constant_time_byte_eq(db[i], 0);
513     one_index =
514         constant_time_select(looking_for_one_byte & equals1, i, one_index);
515     looking_for_one_byte =
516         constant_time_select(equals1, 0, looking_for_one_byte);
517     bad |= looking_for_one_byte & ~equals0;
518   }
519 
520   bad |= looking_for_one_byte;
521 
522   if (bad) {
523     goto decoding_err;
524   }
525 
526   one_index++;
527   mlen = dblen - one_index;
528   if (tlen < mlen) {
529     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,
530                       RSA_R_DATA_TOO_LARGE);
531     mlen = -1;
532   } else {
533     memcpy(to, db + one_index, mlen);
534   }
535 
536   OPENSSL_free(db);
537   return mlen;
538 
539 decoding_err:
540   /* to avoid chosen ciphertext attacks, the error message should not reveal
541    * which kind of decoding error happened */
542   OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,
543                     RSA_R_OAEP_DECODING_ERROR);
544  err:
545   OPENSSL_free(db);
546   return -1;
547 }
548 
549 static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
550 
RSA_verify_PKCS1_PSS_mgf1(RSA * rsa,const uint8_t * mHash,const EVP_MD * Hash,const EVP_MD * mgf1Hash,const uint8_t * EM,int sLen)551 int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
552                               const EVP_MD *Hash, const EVP_MD *mgf1Hash,
553                               const uint8_t *EM, int sLen) {
554   int i;
555   int ret = 0;
556   int maskedDBLen, MSBits, emLen;
557   size_t hLen;
558   const uint8_t *H;
559   uint8_t *DB = NULL;
560   EVP_MD_CTX ctx;
561   uint8_t H_[EVP_MAX_MD_SIZE];
562   EVP_MD_CTX_init(&ctx);
563 
564   if (mgf1Hash == NULL) {
565     mgf1Hash = Hash;
566   }
567 
568   hLen = EVP_MD_size(Hash);
569 
570   /* Negative sLen has special meanings:
571    *	-1	sLen == hLen
572    *	-2	salt length is autorecovered from signature
573    *	-N	reserved */
574   if (sLen == -1) {
575     sLen = hLen;
576   } else if (sLen == -2) {
577     sLen = -2;
578   } else if (sLen < -2) {
579     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_SLEN_CHECK_FAILED);
580     goto err;
581   }
582 
583   MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
584   emLen = RSA_size(rsa);
585   if (EM[0] & (0xFF << MSBits)) {
586     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1,
587                       RSA_R_FIRST_OCTET_INVALID);
588     goto err;
589   }
590   if (MSBits == 0) {
591     EM++;
592     emLen--;
593   }
594   if (emLen < ((int)hLen + sLen + 2)) {
595     /* sLen can be small negative */
596     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_DATA_TOO_LARGE);
597     goto err;
598   }
599   if (EM[emLen - 1] != 0xbc) {
600     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_LAST_OCTET_INVALID);
601     goto err;
602   }
603   maskedDBLen = emLen - hLen - 1;
604   H = EM + maskedDBLen;
605   DB = OPENSSL_malloc(maskedDBLen);
606   if (!DB) {
607     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, ERR_R_MALLOC_FAILURE);
608     goto err;
609   }
610   if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) {
611     goto err;
612   }
613   for (i = 0; i < maskedDBLen; i++) {
614     DB[i] ^= EM[i];
615   }
616   if (MSBits) {
617     DB[0] &= 0xFF >> (8 - MSBits);
618   }
619   for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) {
620     ;
621   }
622   if (DB[i++] != 0x1) {
623     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1,
624                       RSA_R_SLEN_RECOVERY_FAILED);
625     goto err;
626   }
627   if (sLen >= 0 && (maskedDBLen - i) != sLen) {
628     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_SLEN_CHECK_FAILED);
629     goto err;
630   }
631   if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
632       !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
633       !EVP_DigestUpdate(&ctx, mHash, hLen)) {
634     goto err;
635   }
636   if (maskedDBLen - i) {
637     if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i)) {
638       goto err;
639     }
640   }
641   if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) {
642     goto err;
643   }
644   if (memcmp(H_, H, hLen)) {
645     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_BAD_SIGNATURE);
646     ret = 0;
647   } else {
648     ret = 1;
649   }
650 
651 err:
652   OPENSSL_free(DB);
653   EVP_MD_CTX_cleanup(&ctx);
654 
655   return ret;
656 }
657 
RSA_padding_add_PKCS1_PSS_mgf1(RSA * rsa,unsigned char * EM,const unsigned char * mHash,const EVP_MD * Hash,const EVP_MD * mgf1Hash,int sLen)658 int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
659                                    const unsigned char *mHash,
660                                    const EVP_MD *Hash, const EVP_MD *mgf1Hash,
661                                    int sLen) {
662   int i;
663   int ret = 0;
664   size_t maskedDBLen, MSBits, emLen;
665   size_t hLen;
666   unsigned char *H, *salt = NULL, *p;
667   EVP_MD_CTX ctx;
668 
669   if (mgf1Hash == NULL) {
670     mgf1Hash = Hash;
671   }
672 
673   hLen = EVP_MD_size(Hash);
674 
675   /* Negative sLen has special meanings:
676    *	-1	sLen == hLen
677    *	-2	salt length is maximized
678    *	-N	reserved */
679   if (sLen == -1) {
680     sLen = hLen;
681   } else if (sLen == -2) {
682     sLen = -2;
683   } else if (sLen < -2) {
684     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
685                       RSA_R_SLEN_CHECK_FAILED);
686     goto err;
687   }
688 
689   if (BN_is_zero(rsa->n)) {
690     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
691                       RSA_R_EMPTY_PUBLIC_KEY);
692     goto err;
693   }
694 
695   MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
696   emLen = RSA_size(rsa);
697   if (MSBits == 0) {
698     assert(emLen >= 1);
699     *EM++ = 0;
700     emLen--;
701   }
702   if (sLen == -2) {
703     if (emLen < hLen + 2) {
704       OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
705                         RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
706       goto err;
707     }
708     sLen = emLen - hLen - 2;
709   } else if (emLen < hLen + sLen + 2) {
710     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
711                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
712     goto err;
713   }
714   if (sLen > 0) {
715     salt = OPENSSL_malloc(sLen);
716     if (!salt) {
717       OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,
718                         ERR_R_MALLOC_FAILURE);
719       goto err;
720     }
721     if (!RAND_bytes(salt, sLen)) {
722       goto err;
723     }
724   }
725   maskedDBLen = emLen - hLen - 1;
726   H = EM + maskedDBLen;
727   EVP_MD_CTX_init(&ctx);
728   if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
729       !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
730       !EVP_DigestUpdate(&ctx, mHash, hLen)) {
731     goto err;
732   }
733   if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen)) {
734     goto err;
735   }
736   if (!EVP_DigestFinal_ex(&ctx, H, NULL)) {
737     goto err;
738   }
739   EVP_MD_CTX_cleanup(&ctx);
740 
741   /* Generate dbMask in place then perform XOR on it */
742   if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {
743     goto err;
744   }
745 
746   p = EM;
747 
748   /* Initial PS XORs with all zeroes which is a NOP so just update
749    * pointer. Note from a test above this value is guaranteed to
750    * be non-negative. */
751   p += emLen - sLen - hLen - 2;
752   *p++ ^= 0x1;
753   if (sLen > 0) {
754     for (i = 0; i < sLen; i++) {
755       *p++ ^= salt[i];
756     }
757   }
758   if (MSBits) {
759     EM[0] &= 0xFF >> (8 - MSBits);
760   }
761 
762   /* H is already in place so just set final 0xbc */
763 
764   EM[emLen - 1] = 0xbc;
765 
766   ret = 1;
767 
768 err:
769   OPENSSL_free(salt);
770 
771   return ret;
772 }
773