1 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL 2 * project 2005. 3 */ 4 /* ==================================================================== 5 * Copyright (c) 2005 The OpenSSL Project. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * 3. All advertising materials mentioning features or use of this 20 * software must display the following acknowledgment: 21 * "This product includes software developed by the OpenSSL Project 22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 23 * 24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 25 * endorse or promote products derived from this software without 26 * prior written permission. For written permission, please contact 27 * licensing (at) OpenSSL.org. 28 * 29 * 5. Products derived from this software may not be called "OpenSSL" 30 * nor may "OpenSSL" appear in their names without prior written 31 * permission of the OpenSSL Project. 32 * 33 * 6. Redistributions of any form whatsoever must retain the following 34 * acknowledgment: 35 * "This product includes software developed by the OpenSSL Project 36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 37 * 38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 49 * OF THE POSSIBILITY OF SUCH DAMAGE. 50 * ==================================================================== 51 * 52 * This product includes cryptographic software written by Eric Young 53 * (eay (at) cryptsoft.com). This product includes software written by Tim 54 * Hudson (tjh (at) cryptsoft.com). */ 55 56 #include <openssl/rsa.h> 57 58 #include <assert.h> 59 #include <limits.h> 60 #include <string.h> 61 62 #include <openssl/digest.h> 63 #include <openssl/err.h> 64 #include <openssl/mem.h> 65 #include <openssl/rand.h> 66 #include <openssl/sha.h> 67 68 #include "internal.h" 69 #include "../internal.h" 70 71 /* TODO(fork): don't the check functions have to be constant time? */ 72 73 int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned to_len, 74 const uint8_t *from, unsigned from_len) { 75 unsigned j; 76 uint8_t *p; 77 78 if (to_len < RSA_PKCS1_PADDING_SIZE) { 79 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); 80 return 0; 81 } 82 83 if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) { 84 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 85 return 0; 86 } 87 88 p = (uint8_t *)to; 89 90 *(p++) = 0; 91 *(p++) = 1; /* Private Key BT (Block Type) */ 92 93 /* pad out with 0xff data */ 94 j = to_len - 3 - from_len; 95 memset(p, 0xff, j); 96 p += j; 97 *(p++) = 0; 98 memcpy(p, from, (unsigned int)from_len); 99 return 1; 100 } 101 102 int RSA_padding_check_PKCS1_type_1(uint8_t *to, unsigned to_len, 103 const uint8_t *from, unsigned from_len) { 104 unsigned i, j; 105 const uint8_t *p; 106 107 if (from_len < 2) { 108 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL); 109 return -1; 110 } 111 112 p = from; 113 if ((*(p++) != 0) || (*(p++) != 1)) { 114 OPENSSL_PUT_ERROR(RSA, RSA_R_BLOCK_TYPE_IS_NOT_01); 115 return -1; 116 } 117 118 /* scan over padding data */ 119 j = from_len - 2; /* one for leading 00, one for type. */ 120 for (i = 0; i < j; i++) { 121 /* should decrypt to 0xff */ 122 if (*p != 0xff) { 123 if (*p == 0) { 124 p++; 125 break; 126 } else { 127 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT); 128 return -1; 129 } 130 } 131 p++; 132 } 133 134 if (i == j) { 135 OPENSSL_PUT_ERROR(RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING); 136 return -1; 137 } 138 139 if (i < 8) { 140 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_PAD_BYTE_COUNT); 141 return -1; 142 } 143 i++; /* Skip over the '\0' */ 144 j -= i; 145 if (j > to_len) { 146 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE); 147 return -1; 148 } 149 memcpy(to, p, j); 150 151 return j; 152 } 153 154 int RSA_padding_add_PKCS1_type_2(uint8_t *to, unsigned to_len, 155 const uint8_t *from, unsigned from_len) { 156 unsigned i, j; 157 uint8_t *p; 158 159 if (to_len < RSA_PKCS1_PADDING_SIZE) { 160 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); 161 return 0; 162 } 163 164 if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) { 165 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 166 return 0; 167 } 168 169 p = (unsigned char *)to; 170 171 *(p++) = 0; 172 *(p++) = 2; /* Public Key BT (Block Type) */ 173 174 /* pad out with non-zero random data */ 175 j = to_len - 3 - from_len; 176 177 if (!RAND_bytes(p, j)) { 178 return 0; 179 } 180 181 for (i = 0; i < j; i++) { 182 while (*p == 0) { 183 if (!RAND_bytes(p, 1)) { 184 return 0; 185 } 186 } 187 p++; 188 } 189 190 *(p++) = 0; 191 192 memcpy(p, from, (unsigned int)from_len); 193 return 1; 194 } 195 196 int RSA_padding_check_PKCS1_type_2(uint8_t *to, unsigned to_len, 197 const uint8_t *from, unsigned from_len) { 198 if (from_len == 0) { 199 OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY); 200 return -1; 201 } 202 203 /* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography 204 * Standard", section 7.2.2. */ 205 if (from_len < RSA_PKCS1_PADDING_SIZE) { 206 /* |from| is zero-padded to the size of the RSA modulus, a public value, so 207 * this can be rejected in non-constant time. */ 208 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); 209 return -1; 210 } 211 212 unsigned first_byte_is_zero = constant_time_eq(from[0], 0); 213 unsigned second_byte_is_two = constant_time_eq(from[1], 2); 214 215 unsigned i, zero_index = 0, looking_for_index = ~0u; 216 for (i = 2; i < from_len; i++) { 217 unsigned equals0 = constant_time_is_zero(from[i]); 218 zero_index = constant_time_select(looking_for_index & equals0, (unsigned)i, 219 zero_index); 220 looking_for_index = constant_time_select(equals0, 0, looking_for_index); 221 } 222 223 /* The input must begin with 00 02. */ 224 unsigned valid_index = first_byte_is_zero; 225 valid_index &= second_byte_is_two; 226 227 /* We must have found the end of PS. */ 228 valid_index &= ~looking_for_index; 229 230 /* PS must be at least 8 bytes long, and it starts two bytes into |from|. */ 231 valid_index &= constant_time_ge(zero_index, 2 + 8); 232 233 /* Skip the zero byte. */ 234 zero_index++; 235 236 /* NOTE: Although this logic attempts to be constant time, the API contracts 237 * of this function and |RSA_decrypt| with |RSA_PKCS1_PADDING| make it 238 * impossible to completely avoid Bleichenbacher's attack. Consumers should 239 * use |RSA_unpad_key_pkcs1|. */ 240 if (!valid_index) { 241 OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR); 242 return -1; 243 } 244 245 const unsigned msg_len = from_len - zero_index; 246 if (msg_len > to_len) { 247 /* This shouldn't happen because this function is always called with 248 * |to_len| as the key size and |from_len| is bounded by the key size. */ 249 OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR); 250 return -1; 251 } 252 253 if (msg_len > INT_MAX) { 254 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); 255 return -1; 256 } 257 258 memcpy(to, &from[zero_index], msg_len); 259 return (int)msg_len; 260 } 261 262 int RSA_padding_add_none(uint8_t *to, unsigned to_len, const uint8_t *from, 263 unsigned from_len) { 264 if (from_len > to_len) { 265 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 266 return 0; 267 } 268 269 if (from_len < to_len) { 270 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE); 271 return 0; 272 } 273 274 memcpy(to, from, (unsigned int)from_len); 275 return 1; 276 } 277 278 int PKCS1_MGF1(uint8_t *mask, unsigned len, const uint8_t *seed, 279 unsigned seedlen, const EVP_MD *dgst) { 280 unsigned outlen = 0; 281 uint32_t i; 282 uint8_t cnt[4]; 283 EVP_MD_CTX c; 284 uint8_t md[EVP_MAX_MD_SIZE]; 285 unsigned mdlen; 286 int ret = -1; 287 288 EVP_MD_CTX_init(&c); 289 mdlen = EVP_MD_size(dgst); 290 291 for (i = 0; outlen < len; i++) { 292 cnt[0] = (uint8_t)((i >> 24) & 255); 293 cnt[1] = (uint8_t)((i >> 16) & 255); 294 cnt[2] = (uint8_t)((i >> 8)) & 255; 295 cnt[3] = (uint8_t)(i & 255); 296 if (!EVP_DigestInit_ex(&c, dgst, NULL) || 297 !EVP_DigestUpdate(&c, seed, seedlen) || 298 !EVP_DigestUpdate(&c, cnt, 4)) { 299 goto err; 300 } 301 302 if (outlen + mdlen <= len) { 303 if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL)) { 304 goto err; 305 } 306 outlen += mdlen; 307 } else { 308 if (!EVP_DigestFinal_ex(&c, md, NULL)) { 309 goto err; 310 } 311 memcpy(mask + outlen, md, len - outlen); 312 outlen = len; 313 } 314 } 315 ret = 0; 316 317 err: 318 EVP_MD_CTX_cleanup(&c); 319 return ret; 320 } 321 322 int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, unsigned to_len, 323 const uint8_t *from, unsigned from_len, 324 const uint8_t *param, unsigned param_len, 325 const EVP_MD *md, const EVP_MD *mgf1md) { 326 unsigned i, emlen, mdlen; 327 uint8_t *db, *seed; 328 uint8_t *dbmask = NULL, seedmask[EVP_MAX_MD_SIZE]; 329 int ret = 0; 330 331 if (md == NULL) { 332 md = EVP_sha1(); 333 } 334 if (mgf1md == NULL) { 335 mgf1md = md; 336 } 337 338 mdlen = EVP_MD_size(md); 339 340 if (to_len < 2 * mdlen + 2) { 341 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); 342 return 0; 343 } 344 345 emlen = to_len - 1; 346 if (from_len > emlen - 2 * mdlen - 1) { 347 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 348 return 0; 349 } 350 351 if (emlen < 2 * mdlen + 1) { 352 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); 353 return 0; 354 } 355 356 to[0] = 0; 357 seed = to + 1; 358 db = to + mdlen + 1; 359 360 if (!EVP_Digest((void *)param, param_len, db, NULL, md, NULL)) { 361 return 0; 362 } 363 memset(db + mdlen, 0, emlen - from_len - 2 * mdlen - 1); 364 db[emlen - from_len - mdlen - 1] = 0x01; 365 memcpy(db + emlen - from_len - mdlen, from, from_len); 366 if (!RAND_bytes(seed, mdlen)) { 367 return 0; 368 } 369 370 dbmask = OPENSSL_malloc(emlen - mdlen); 371 if (dbmask == NULL) { 372 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 373 return 0; 374 } 375 376 if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0) { 377 goto out; 378 } 379 for (i = 0; i < emlen - mdlen; i++) { 380 db[i] ^= dbmask[i]; 381 } 382 383 if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0) { 384 goto out; 385 } 386 for (i = 0; i < mdlen; i++) { 387 seed[i] ^= seedmask[i]; 388 } 389 ret = 1; 390 391 out: 392 OPENSSL_free(dbmask); 393 return ret; 394 } 395 396 int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *to, unsigned to_len, 397 const uint8_t *from, unsigned from_len, 398 const uint8_t *param, unsigned param_len, 399 const EVP_MD *md, const EVP_MD *mgf1md) { 400 unsigned i, dblen, mlen = -1, mdlen, bad, looking_for_one_byte, one_index = 0; 401 const uint8_t *maskeddb, *maskedseed; 402 uint8_t *db = NULL, seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE]; 403 404 if (md == NULL) { 405 md = EVP_sha1(); 406 } 407 if (mgf1md == NULL) { 408 mgf1md = md; 409 } 410 411 mdlen = EVP_MD_size(md); 412 413 /* The encoded message is one byte smaller than the modulus to ensure that it 414 * doesn't end up greater than the modulus. Thus there's an extra "+1" here 415 * compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2. */ 416 if (from_len < 1 + 2*mdlen + 1) { 417 /* 'from_len' is the length of the modulus, i.e. does not depend on the 418 * particular ciphertext. */ 419 goto decoding_err; 420 } 421 422 dblen = from_len - mdlen - 1; 423 db = OPENSSL_malloc(dblen); 424 if (db == NULL) { 425 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 426 goto err; 427 } 428 429 maskedseed = from + 1; 430 maskeddb = from + 1 + mdlen; 431 432 if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) { 433 goto err; 434 } 435 for (i = 0; i < mdlen; i++) { 436 seed[i] ^= maskedseed[i]; 437 } 438 439 if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) { 440 goto err; 441 } 442 for (i = 0; i < dblen; i++) { 443 db[i] ^= maskeddb[i]; 444 } 445 446 if (!EVP_Digest((void *)param, param_len, phash, NULL, md, NULL)) { 447 goto err; 448 } 449 450 bad = ~constant_time_is_zero(CRYPTO_memcmp(db, phash, mdlen)); 451 bad |= ~constant_time_is_zero(from[0]); 452 453 looking_for_one_byte = ~0u; 454 for (i = mdlen; i < dblen; i++) { 455 unsigned equals1 = constant_time_eq(db[i], 1); 456 unsigned equals0 = constant_time_eq(db[i], 0); 457 one_index = constant_time_select(looking_for_one_byte & equals1, i, 458 one_index); 459 looking_for_one_byte = 460 constant_time_select(equals1, 0, looking_for_one_byte); 461 bad |= looking_for_one_byte & ~equals0; 462 } 463 464 bad |= looking_for_one_byte; 465 466 if (bad) { 467 goto decoding_err; 468 } 469 470 one_index++; 471 mlen = dblen - one_index; 472 if (to_len < mlen) { 473 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE); 474 mlen = -1; 475 } else { 476 memcpy(to, db + one_index, mlen); 477 } 478 479 OPENSSL_free(db); 480 return mlen; 481 482 decoding_err: 483 /* to avoid chosen ciphertext attacks, the error message should not reveal 484 * which kind of decoding error happened */ 485 OPENSSL_PUT_ERROR(RSA, RSA_R_OAEP_DECODING_ERROR); 486 err: 487 OPENSSL_free(db); 488 return -1; 489 } 490 491 static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0}; 492 493 int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash, 494 const EVP_MD *Hash, const EVP_MD *mgf1Hash, 495 const uint8_t *EM, int sLen) { 496 int i; 497 int ret = 0; 498 int maskedDBLen, MSBits, emLen; 499 size_t hLen; 500 const uint8_t *H; 501 uint8_t *DB = NULL; 502 EVP_MD_CTX ctx; 503 uint8_t H_[EVP_MAX_MD_SIZE]; 504 EVP_MD_CTX_init(&ctx); 505 506 if (mgf1Hash == NULL) { 507 mgf1Hash = Hash; 508 } 509 510 hLen = EVP_MD_size(Hash); 511 512 /* Negative sLen has special meanings: 513 * -1 sLen == hLen 514 * -2 salt length is autorecovered from signature 515 * -N reserved */ 516 if (sLen == -1) { 517 sLen = hLen; 518 } else if (sLen == -2) { 519 sLen = -2; 520 } else if (sLen < -2) { 521 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED); 522 goto err; 523 } 524 525 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 526 emLen = RSA_size(rsa); 527 if (EM[0] & (0xFF << MSBits)) { 528 OPENSSL_PUT_ERROR(RSA, RSA_R_FIRST_OCTET_INVALID); 529 goto err; 530 } 531 if (MSBits == 0) { 532 EM++; 533 emLen--; 534 } 535 if (emLen < ((int)hLen + sLen + 2)) { 536 /* sLen can be small negative */ 537 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE); 538 goto err; 539 } 540 if (EM[emLen - 1] != 0xbc) { 541 OPENSSL_PUT_ERROR(RSA, RSA_R_LAST_OCTET_INVALID); 542 goto err; 543 } 544 maskedDBLen = emLen - hLen - 1; 545 H = EM + maskedDBLen; 546 DB = OPENSSL_malloc(maskedDBLen); 547 if (!DB) { 548 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 549 goto err; 550 } 551 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) { 552 goto err; 553 } 554 for (i = 0; i < maskedDBLen; i++) { 555 DB[i] ^= EM[i]; 556 } 557 if (MSBits) { 558 DB[0] &= 0xFF >> (8 - MSBits); 559 } 560 for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) { 561 ; 562 } 563 if (DB[i++] != 0x1) { 564 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_RECOVERY_FAILED); 565 goto err; 566 } 567 if (sLen >= 0 && (maskedDBLen - i) != sLen) { 568 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED); 569 goto err; 570 } 571 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) || 572 !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) || 573 !EVP_DigestUpdate(&ctx, mHash, hLen)) { 574 goto err; 575 } 576 if (maskedDBLen - i) { 577 if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i)) { 578 goto err; 579 } 580 } 581 if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) { 582 goto err; 583 } 584 if (memcmp(H_, H, hLen)) { 585 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE); 586 ret = 0; 587 } else { 588 ret = 1; 589 } 590 591 err: 592 OPENSSL_free(DB); 593 EVP_MD_CTX_cleanup(&ctx); 594 595 return ret; 596 } 597 598 int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, 599 const unsigned char *mHash, 600 const EVP_MD *Hash, const EVP_MD *mgf1Hash, 601 int sLen) { 602 int i; 603 int ret = 0; 604 size_t maskedDBLen, MSBits, emLen; 605 size_t hLen; 606 unsigned char *H, *salt = NULL, *p; 607 EVP_MD_CTX ctx; 608 609 if (mgf1Hash == NULL) { 610 mgf1Hash = Hash; 611 } 612 613 hLen = EVP_MD_size(Hash); 614 615 /* Negative sLen has special meanings: 616 * -1 sLen == hLen 617 * -2 salt length is maximized 618 * -N reserved */ 619 if (sLen == -1) { 620 sLen = hLen; 621 } else if (sLen == -2) { 622 sLen = -2; 623 } else if (sLen < -2) { 624 OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED); 625 goto err; 626 } 627 628 if (BN_is_zero(rsa->n)) { 629 OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY); 630 goto err; 631 } 632 633 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 634 emLen = RSA_size(rsa); 635 if (MSBits == 0) { 636 assert(emLen >= 1); 637 *EM++ = 0; 638 emLen--; 639 } 640 if (sLen == -2) { 641 if (emLen < hLen + 2) { 642 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 643 goto err; 644 } 645 sLen = emLen - hLen - 2; 646 } else if (emLen < hLen + sLen + 2) { 647 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 648 goto err; 649 } 650 if (sLen > 0) { 651 salt = OPENSSL_malloc(sLen); 652 if (!salt) { 653 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 654 goto err; 655 } 656 if (!RAND_bytes(salt, sLen)) { 657 goto err; 658 } 659 } 660 maskedDBLen = emLen - hLen - 1; 661 H = EM + maskedDBLen; 662 EVP_MD_CTX_init(&ctx); 663 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) || 664 !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) || 665 !EVP_DigestUpdate(&ctx, mHash, hLen)) { 666 goto err; 667 } 668 if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen)) { 669 goto err; 670 } 671 if (!EVP_DigestFinal_ex(&ctx, H, NULL)) { 672 goto err; 673 } 674 EVP_MD_CTX_cleanup(&ctx); 675 676 /* Generate dbMask in place then perform XOR on it */ 677 if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) { 678 goto err; 679 } 680 681 p = EM; 682 683 /* Initial PS XORs with all zeroes which is a NOP so just update 684 * pointer. Note from a test above this value is guaranteed to 685 * be non-negative. */ 686 p += emLen - sLen - hLen - 2; 687 *p++ ^= 0x1; 688 if (sLen > 0) { 689 for (i = 0; i < sLen; i++) { 690 *p++ ^= salt[i]; 691 } 692 } 693 if (MSBits) { 694 EM[0] &= 0xFF >> (8 - MSBits); 695 } 696 697 /* H is already in place so just set final 0xbc */ 698 699 EM[emLen - 1] = 0xbc; 700 701 ret = 1; 702 703 err: 704 OPENSSL_free(salt); 705 706 return ret; 707 } 708