1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2 * project 2005.
3 */
4 /* ====================================================================
5 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23 *
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * licensing@OpenSSL.org.
28 *
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
32 *
33 * 6. Redistributions of any form whatsoever must retain the following
34 * acknowledgment:
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
51 *
52 * This product includes cryptographic software written by Eric Young
53 * (eay@cryptsoft.com). This product includes software written by Tim
54 * Hudson (tjh@cryptsoft.com). */
55
56 #include <openssl/rsa.h>
57
58 #include <assert.h>
59 #include <limits.h>
60 #include <string.h>
61
62 #include <openssl/digest.h>
63 #include <openssl/err.h>
64 #include <openssl/mem.h>
65 #include <openssl/rand.h>
66 #include <openssl/sha.h>
67
68 #include "internal.h"
69 #include "../internal.h"
70
71 /* TODO(fork): don't the check functions have to be constant time? */
72
RSA_padding_add_PKCS1_type_1(uint8_t * to,unsigned to_len,const uint8_t * from,unsigned from_len)73 int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned to_len,
74 const uint8_t *from, unsigned from_len) {
75 unsigned j;
76 uint8_t *p;
77
78 if (to_len < RSA_PKCS1_PADDING_SIZE) {
79 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
80 return 0;
81 }
82
83 if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {
84 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
85 return 0;
86 }
87
88 p = (uint8_t *)to;
89
90 *(p++) = 0;
91 *(p++) = 1; /* Private Key BT (Block Type) */
92
93 /* pad out with 0xff data */
94 j = to_len - 3 - from_len;
95 memset(p, 0xff, j);
96 p += j;
97 *(p++) = 0;
98 memcpy(p, from, (unsigned int)from_len);
99 return 1;
100 }
101
RSA_padding_check_PKCS1_type_1(uint8_t * to,unsigned to_len,const uint8_t * from,unsigned from_len)102 int RSA_padding_check_PKCS1_type_1(uint8_t *to, unsigned to_len,
103 const uint8_t *from, unsigned from_len) {
104 unsigned i, j;
105 const uint8_t *p;
106
107 if (from_len < 2) {
108 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);
109 return -1;
110 }
111
112 p = from;
113 if ((*(p++) != 0) || (*(p++) != 1)) {
114 OPENSSL_PUT_ERROR(RSA, RSA_R_BLOCK_TYPE_IS_NOT_01);
115 return -1;
116 }
117
118 /* scan over padding data */
119 j = from_len - 2; /* one for leading 00, one for type. */
120 for (i = 0; i < j; i++) {
121 /* should decrypt to 0xff */
122 if (*p != 0xff) {
123 if (*p == 0) {
124 p++;
125 break;
126 } else {
127 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT);
128 return -1;
129 }
130 }
131 p++;
132 }
133
134 if (i == j) {
135 OPENSSL_PUT_ERROR(RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING);
136 return -1;
137 }
138
139 if (i < 8) {
140 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_PAD_BYTE_COUNT);
141 return -1;
142 }
143 i++; /* Skip over the '\0' */
144 j -= i;
145 if (j > to_len) {
146 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
147 return -1;
148 }
149 memcpy(to, p, j);
150
151 return j;
152 }
153
RSA_padding_add_PKCS1_type_2(uint8_t * to,unsigned to_len,const uint8_t * from,unsigned from_len)154 int RSA_padding_add_PKCS1_type_2(uint8_t *to, unsigned to_len,
155 const uint8_t *from, unsigned from_len) {
156 unsigned i, j;
157 uint8_t *p;
158
159 if (to_len < RSA_PKCS1_PADDING_SIZE) {
160 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
161 return 0;
162 }
163
164 if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {
165 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
166 return 0;
167 }
168
169 p = (unsigned char *)to;
170
171 *(p++) = 0;
172 *(p++) = 2; /* Public Key BT (Block Type) */
173
174 /* pad out with non-zero random data */
175 j = to_len - 3 - from_len;
176
177 if (!RAND_bytes(p, j)) {
178 return 0;
179 }
180
181 for (i = 0; i < j; i++) {
182 while (*p == 0) {
183 if (!RAND_bytes(p, 1)) {
184 return 0;
185 }
186 }
187 p++;
188 }
189
190 *(p++) = 0;
191
192 memcpy(p, from, (unsigned int)from_len);
193 return 1;
194 }
195
RSA_padding_check_PKCS1_type_2(uint8_t * to,unsigned to_len,const uint8_t * from,unsigned from_len)196 int RSA_padding_check_PKCS1_type_2(uint8_t *to, unsigned to_len,
197 const uint8_t *from, unsigned from_len) {
198 if (from_len == 0) {
199 OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);
200 return -1;
201 }
202
203 /* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
204 * Standard", section 7.2.2. */
205 if (from_len < RSA_PKCS1_PADDING_SIZE) {
206 /* |from| is zero-padded to the size of the RSA modulus, a public value, so
207 * this can be rejected in non-constant time. */
208 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
209 return -1;
210 }
211
212 unsigned first_byte_is_zero = constant_time_eq(from[0], 0);
213 unsigned second_byte_is_two = constant_time_eq(from[1], 2);
214
215 unsigned i, zero_index = 0, looking_for_index = ~0u;
216 for (i = 2; i < from_len; i++) {
217 unsigned equals0 = constant_time_is_zero(from[i]);
218 zero_index = constant_time_select(looking_for_index & equals0, (unsigned)i,
219 zero_index);
220 looking_for_index = constant_time_select(equals0, 0, looking_for_index);
221 }
222
223 /* The input must begin with 00 02. */
224 unsigned valid_index = first_byte_is_zero;
225 valid_index &= second_byte_is_two;
226
227 /* We must have found the end of PS. */
228 valid_index &= ~looking_for_index;
229
230 /* PS must be at least 8 bytes long, and it starts two bytes into |from|. */
231 valid_index &= constant_time_ge(zero_index, 2 + 8);
232
233 /* Skip the zero byte. */
234 zero_index++;
235
236 /* NOTE: Although this logic attempts to be constant time, the API contracts
237 * of this function and |RSA_decrypt| with |RSA_PKCS1_PADDING| make it
238 * impossible to completely avoid Bleichenbacher's attack. Consumers should
239 * use |RSA_unpad_key_pkcs1|. */
240 if (!valid_index) {
241 OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);
242 return -1;
243 }
244
245 const unsigned msg_len = from_len - zero_index;
246 if (msg_len > to_len) {
247 /* This shouldn't happen because this function is always called with
248 * |to_len| as the key size and |from_len| is bounded by the key size. */
249 OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);
250 return -1;
251 }
252
253 if (msg_len > INT_MAX) {
254 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
255 return -1;
256 }
257
258 memcpy(to, &from[zero_index], msg_len);
259 return (int)msg_len;
260 }
261
RSA_padding_add_none(uint8_t * to,unsigned to_len,const uint8_t * from,unsigned from_len)262 int RSA_padding_add_none(uint8_t *to, unsigned to_len, const uint8_t *from,
263 unsigned from_len) {
264 if (from_len > to_len) {
265 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
266 return 0;
267 }
268
269 if (from_len < to_len) {
270 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
271 return 0;
272 }
273
274 memcpy(to, from, (unsigned int)from_len);
275 return 1;
276 }
277
PKCS1_MGF1(uint8_t * mask,unsigned len,const uint8_t * seed,unsigned seedlen,const EVP_MD * dgst)278 int PKCS1_MGF1(uint8_t *mask, unsigned len, const uint8_t *seed,
279 unsigned seedlen, const EVP_MD *dgst) {
280 unsigned outlen = 0;
281 uint32_t i;
282 uint8_t cnt[4];
283 EVP_MD_CTX c;
284 uint8_t md[EVP_MAX_MD_SIZE];
285 unsigned mdlen;
286 int ret = -1;
287
288 EVP_MD_CTX_init(&c);
289 mdlen = EVP_MD_size(dgst);
290
291 for (i = 0; outlen < len; i++) {
292 cnt[0] = (uint8_t)((i >> 24) & 255);
293 cnt[1] = (uint8_t)((i >> 16) & 255);
294 cnt[2] = (uint8_t)((i >> 8)) & 255;
295 cnt[3] = (uint8_t)(i & 255);
296 if (!EVP_DigestInit_ex(&c, dgst, NULL) ||
297 !EVP_DigestUpdate(&c, seed, seedlen) ||
298 !EVP_DigestUpdate(&c, cnt, 4)) {
299 goto err;
300 }
301
302 if (outlen + mdlen <= len) {
303 if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL)) {
304 goto err;
305 }
306 outlen += mdlen;
307 } else {
308 if (!EVP_DigestFinal_ex(&c, md, NULL)) {
309 goto err;
310 }
311 memcpy(mask + outlen, md, len - outlen);
312 outlen = len;
313 }
314 }
315 ret = 0;
316
317 err:
318 EVP_MD_CTX_cleanup(&c);
319 return ret;
320 }
321
RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t * to,unsigned to_len,const uint8_t * from,unsigned from_len,const uint8_t * param,unsigned param_len,const EVP_MD * md,const EVP_MD * mgf1md)322 int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, unsigned to_len,
323 const uint8_t *from, unsigned from_len,
324 const uint8_t *param, unsigned param_len,
325 const EVP_MD *md, const EVP_MD *mgf1md) {
326 unsigned i, emlen, mdlen;
327 uint8_t *db, *seed;
328 uint8_t *dbmask = NULL, seedmask[EVP_MAX_MD_SIZE];
329 int ret = 0;
330
331 if (md == NULL) {
332 md = EVP_sha1();
333 }
334 if (mgf1md == NULL) {
335 mgf1md = md;
336 }
337
338 mdlen = EVP_MD_size(md);
339
340 if (to_len < 2 * mdlen + 2) {
341 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
342 return 0;
343 }
344
345 emlen = to_len - 1;
346 if (from_len > emlen - 2 * mdlen - 1) {
347 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
348 return 0;
349 }
350
351 if (emlen < 2 * mdlen + 1) {
352 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
353 return 0;
354 }
355
356 to[0] = 0;
357 seed = to + 1;
358 db = to + mdlen + 1;
359
360 if (!EVP_Digest((void *)param, param_len, db, NULL, md, NULL)) {
361 return 0;
362 }
363 memset(db + mdlen, 0, emlen - from_len - 2 * mdlen - 1);
364 db[emlen - from_len - mdlen - 1] = 0x01;
365 memcpy(db + emlen - from_len - mdlen, from, from_len);
366 if (!RAND_bytes(seed, mdlen)) {
367 return 0;
368 }
369
370 dbmask = OPENSSL_malloc(emlen - mdlen);
371 if (dbmask == NULL) {
372 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
373 return 0;
374 }
375
376 if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0) {
377 goto out;
378 }
379 for (i = 0; i < emlen - mdlen; i++) {
380 db[i] ^= dbmask[i];
381 }
382
383 if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0) {
384 goto out;
385 }
386 for (i = 0; i < mdlen; i++) {
387 seed[i] ^= seedmask[i];
388 }
389 ret = 1;
390
391 out:
392 OPENSSL_free(dbmask);
393 return ret;
394 }
395
RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t * to,unsigned to_len,const uint8_t * from,unsigned from_len,const uint8_t * param,unsigned param_len,const EVP_MD * md,const EVP_MD * mgf1md)396 int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *to, unsigned to_len,
397 const uint8_t *from, unsigned from_len,
398 const uint8_t *param, unsigned param_len,
399 const EVP_MD *md, const EVP_MD *mgf1md) {
400 unsigned i, dblen, mlen = -1, mdlen, bad, looking_for_one_byte, one_index = 0;
401 const uint8_t *maskeddb, *maskedseed;
402 uint8_t *db = NULL, seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE];
403
404 if (md == NULL) {
405 md = EVP_sha1();
406 }
407 if (mgf1md == NULL) {
408 mgf1md = md;
409 }
410
411 mdlen = EVP_MD_size(md);
412
413 /* The encoded message is one byte smaller than the modulus to ensure that it
414 * doesn't end up greater than the modulus. Thus there's an extra "+1" here
415 * compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2. */
416 if (from_len < 1 + 2*mdlen + 1) {
417 /* 'from_len' is the length of the modulus, i.e. does not depend on the
418 * particular ciphertext. */
419 goto decoding_err;
420 }
421
422 dblen = from_len - mdlen - 1;
423 db = OPENSSL_malloc(dblen);
424 if (db == NULL) {
425 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
426 goto err;
427 }
428
429 maskedseed = from + 1;
430 maskeddb = from + 1 + mdlen;
431
432 if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {
433 goto err;
434 }
435 for (i = 0; i < mdlen; i++) {
436 seed[i] ^= maskedseed[i];
437 }
438
439 if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {
440 goto err;
441 }
442 for (i = 0; i < dblen; i++) {
443 db[i] ^= maskeddb[i];
444 }
445
446 if (!EVP_Digest((void *)param, param_len, phash, NULL, md, NULL)) {
447 goto err;
448 }
449
450 bad = ~constant_time_is_zero(CRYPTO_memcmp(db, phash, mdlen));
451 bad |= ~constant_time_is_zero(from[0]);
452
453 looking_for_one_byte = ~0u;
454 for (i = mdlen; i < dblen; i++) {
455 unsigned equals1 = constant_time_eq(db[i], 1);
456 unsigned equals0 = constant_time_eq(db[i], 0);
457 one_index = constant_time_select(looking_for_one_byte & equals1, i,
458 one_index);
459 looking_for_one_byte =
460 constant_time_select(equals1, 0, looking_for_one_byte);
461 bad |= looking_for_one_byte & ~equals0;
462 }
463
464 bad |= looking_for_one_byte;
465
466 if (bad) {
467 goto decoding_err;
468 }
469
470 one_index++;
471 mlen = dblen - one_index;
472 if (to_len < mlen) {
473 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
474 mlen = -1;
475 } else {
476 memcpy(to, db + one_index, mlen);
477 }
478
479 OPENSSL_free(db);
480 return mlen;
481
482 decoding_err:
483 /* to avoid chosen ciphertext attacks, the error message should not reveal
484 * which kind of decoding error happened */
485 OPENSSL_PUT_ERROR(RSA, RSA_R_OAEP_DECODING_ERROR);
486 err:
487 OPENSSL_free(db);
488 return -1;
489 }
490
491 static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
492
RSA_verify_PKCS1_PSS_mgf1(RSA * rsa,const uint8_t * mHash,const EVP_MD * Hash,const EVP_MD * mgf1Hash,const uint8_t * EM,int sLen)493 int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
494 const EVP_MD *Hash, const EVP_MD *mgf1Hash,
495 const uint8_t *EM, int sLen) {
496 int i;
497 int ret = 0;
498 int maskedDBLen, MSBits, emLen;
499 size_t hLen;
500 const uint8_t *H;
501 uint8_t *DB = NULL;
502 EVP_MD_CTX ctx;
503 uint8_t H_[EVP_MAX_MD_SIZE];
504 EVP_MD_CTX_init(&ctx);
505
506 if (mgf1Hash == NULL) {
507 mgf1Hash = Hash;
508 }
509
510 hLen = EVP_MD_size(Hash);
511
512 /* Negative sLen has special meanings:
513 * -1 sLen == hLen
514 * -2 salt length is autorecovered from signature
515 * -N reserved */
516 if (sLen == -1) {
517 sLen = hLen;
518 } else if (sLen == -2) {
519 sLen = -2;
520 } else if (sLen < -2) {
521 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
522 goto err;
523 }
524
525 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
526 emLen = RSA_size(rsa);
527 if (EM[0] & (0xFF << MSBits)) {
528 OPENSSL_PUT_ERROR(RSA, RSA_R_FIRST_OCTET_INVALID);
529 goto err;
530 }
531 if (MSBits == 0) {
532 EM++;
533 emLen--;
534 }
535 if (emLen < ((int)hLen + sLen + 2)) {
536 /* sLen can be small negative */
537 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
538 goto err;
539 }
540 if (EM[emLen - 1] != 0xbc) {
541 OPENSSL_PUT_ERROR(RSA, RSA_R_LAST_OCTET_INVALID);
542 goto err;
543 }
544 maskedDBLen = emLen - hLen - 1;
545 H = EM + maskedDBLen;
546 DB = OPENSSL_malloc(maskedDBLen);
547 if (!DB) {
548 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
549 goto err;
550 }
551 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) {
552 goto err;
553 }
554 for (i = 0; i < maskedDBLen; i++) {
555 DB[i] ^= EM[i];
556 }
557 if (MSBits) {
558 DB[0] &= 0xFF >> (8 - MSBits);
559 }
560 for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) {
561 ;
562 }
563 if (DB[i++] != 0x1) {
564 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_RECOVERY_FAILED);
565 goto err;
566 }
567 if (sLen >= 0 && (maskedDBLen - i) != sLen) {
568 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
569 goto err;
570 }
571 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
572 !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
573 !EVP_DigestUpdate(&ctx, mHash, hLen)) {
574 goto err;
575 }
576 if (maskedDBLen - i) {
577 if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i)) {
578 goto err;
579 }
580 }
581 if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) {
582 goto err;
583 }
584 if (memcmp(H_, H, hLen)) {
585 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
586 ret = 0;
587 } else {
588 ret = 1;
589 }
590
591 err:
592 OPENSSL_free(DB);
593 EVP_MD_CTX_cleanup(&ctx);
594
595 return ret;
596 }
597
RSA_padding_add_PKCS1_PSS_mgf1(RSA * rsa,unsigned char * EM,const unsigned char * mHash,const EVP_MD * Hash,const EVP_MD * mgf1Hash,int sLen)598 int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
599 const unsigned char *mHash,
600 const EVP_MD *Hash, const EVP_MD *mgf1Hash,
601 int sLen) {
602 int i;
603 int ret = 0;
604 size_t maskedDBLen, MSBits, emLen;
605 size_t hLen;
606 unsigned char *H, *salt = NULL, *p;
607 EVP_MD_CTX ctx;
608
609 if (mgf1Hash == NULL) {
610 mgf1Hash = Hash;
611 }
612
613 hLen = EVP_MD_size(Hash);
614
615 /* Negative sLen has special meanings:
616 * -1 sLen == hLen
617 * -2 salt length is maximized
618 * -N reserved */
619 if (sLen == -1) {
620 sLen = hLen;
621 } else if (sLen == -2) {
622 sLen = -2;
623 } else if (sLen < -2) {
624 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
625 goto err;
626 }
627
628 if (BN_is_zero(rsa->n)) {
629 OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);
630 goto err;
631 }
632
633 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
634 emLen = RSA_size(rsa);
635 if (MSBits == 0) {
636 assert(emLen >= 1);
637 *EM++ = 0;
638 emLen--;
639 }
640 if (sLen == -2) {
641 if (emLen < hLen + 2) {
642 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
643 goto err;
644 }
645 sLen = emLen - hLen - 2;
646 } else if (emLen < hLen + sLen + 2) {
647 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
648 goto err;
649 }
650 if (sLen > 0) {
651 salt = OPENSSL_malloc(sLen);
652 if (!salt) {
653 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
654 goto err;
655 }
656 if (!RAND_bytes(salt, sLen)) {
657 goto err;
658 }
659 }
660 maskedDBLen = emLen - hLen - 1;
661 H = EM + maskedDBLen;
662 EVP_MD_CTX_init(&ctx);
663 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
664 !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
665 !EVP_DigestUpdate(&ctx, mHash, hLen)) {
666 goto err;
667 }
668 if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen)) {
669 goto err;
670 }
671 if (!EVP_DigestFinal_ex(&ctx, H, NULL)) {
672 goto err;
673 }
674 EVP_MD_CTX_cleanup(&ctx);
675
676 /* Generate dbMask in place then perform XOR on it */
677 if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {
678 goto err;
679 }
680
681 p = EM;
682
683 /* Initial PS XORs with all zeroes which is a NOP so just update
684 * pointer. Note from a test above this value is guaranteed to
685 * be non-negative. */
686 p += emLen - sLen - hLen - 2;
687 *p++ ^= 0x1;
688 if (sLen > 0) {
689 for (i = 0; i < sLen; i++) {
690 *p++ ^= salt[i];
691 }
692 }
693 if (MSBits) {
694 EM[0] &= 0xFF >> (8 - MSBits);
695 }
696
697 /* H is already in place so just set final 0xbc */
698
699 EM[emLen - 1] = 0xbc;
700
701 ret = 1;
702
703 err:
704 OPENSSL_free(salt);
705
706 return ret;
707 }
708