[thirdparty/openssl.git] / crypto / rsa / rsa_pss.c

/* rsa_pss.c */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
/* ====================================================================
 * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#define OPENSSL_FIPSAPI

#include <stdio.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_locl.h"

#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
#endif

__fips_constseg
static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};

#if defined(_MSC_VER) && defined(_ARM_)
#pragma optimize("g", off)
#endif

int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
			const EVP_MD *Hash, const unsigned char *EM, int sLen)
	{
	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
	}

int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
			const EVP_MD *Hash, const EVP_MD *mgf1Hash,
			const unsigned char *EM, int sLen)
	{
	int i;
	int ret = 0;
	int hLen, maskedDBLen, MSBits, emLen;
	const unsigned char *H;
	unsigned char *DB = NULL;
	EVP_MD_CTX ctx;
	unsigned char H_[EVP_MAX_MD_SIZE];
	EVP_MD_CTX_init(&ctx);

	if (mgf1Hash == NULL)
		mgf1Hash = Hash;

	hLen = M_EVP_MD_size(Hash);
	if (hLen < 0)
		goto err;
	/*
	 * Negative sLen has special meanings:
	 *	-1	sLen == hLen
	 *	-2	salt length is autorecovered from signature
	 *	-N	reserved
	 */
	if      (sLen == -1)	sLen = hLen;
	else if (sLen == -2)	sLen = -2;
	else if (sLen < -2)
		{
		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
		goto err;
		}

	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
	emLen = RSA_size(rsa);
	if (EM[0] & (0xFF << MSBits))
		{
		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
		goto err;
		}
	if (MSBits == 0)
		{
		EM++;
		emLen--;
		}
	if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
		{
		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
		goto err;
		}
	if (EM[emLen - 1] != 0xbc)
		{
		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
		goto err;
		}
	maskedDBLen = emLen - hLen - 1;
	H = EM + maskedDBLen;
	DB = OPENSSL_malloc(maskedDBLen);
	if (!DB)
		{
		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
		goto err;
		}
	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
		goto err;
	for (i = 0; i < maskedDBLen; i++)
		DB[i] ^= EM[i];
	if (MSBits)
		DB[0] &= 0xFF >> (8 - MSBits);
	for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
	if (DB[i++] != 0x1)
		{
		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
		goto err;
		}
	if (sLen >= 0 && (maskedDBLen - i) != sLen)
		{
		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
		goto err;
		}
	if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
		|| !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
		|| !EVP_DigestUpdate(&ctx, mHash, hLen))
		goto err;
	if (maskedDBLen - i)
		{
		if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
			goto err;
		}
	if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
		goto err;
	if (memcmp(H_, H, hLen))
		{
		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
		ret = 0;
		}
	else 
		ret = 1;

	err:
	if (DB)
		OPENSSL_free(DB);
	EVP_MD_CTX_cleanup(&ctx);

	return ret;

	}

int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
			const unsigned char *mHash,
			const EVP_MD *Hash, int sLen)
	{
	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
	}

int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
			const unsigned char *mHash,
			const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen)
	{
	int i;
	int ret = 0;
	int hLen, maskedDBLen, MSBits, emLen;
	unsigned char *H, *salt = NULL, *p;
	EVP_MD_CTX ctx;

	if (mgf1Hash == NULL)
		mgf1Hash = Hash;

	hLen = M_EVP_MD_size(Hash);
	if (hLen < 0)
		goto err;
	/*
	 * Negative sLen has special meanings:
	 *	-1	sLen == hLen
	 *	-2	salt length is maximized
	 *	-N	reserved
	 */
	if      (sLen == -1)	sLen = hLen;
	else if (sLen == -2)	sLen = -2;
	else if (sLen < -2)
		{
		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
		goto err;
		}

	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
	emLen = RSA_size(rsa);
	if (MSBits == 0)
		{
		*EM++ = 0;
		emLen--;
		}
	if (sLen == -2)
		{
		sLen = emLen - hLen - 2;
		}
	else if (emLen < (hLen + sLen + 2))
		{
		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
		goto err;
		}
	if (sLen > 0)
		{
		salt = OPENSSL_malloc(sLen);
		if (!salt)
			{
			RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,ERR_R_MALLOC_FAILURE);
			goto err;
			}
		if (RAND_bytes(salt, sLen) <= 0)
			goto err;
		}
	maskedDBLen = emLen - hLen - 1;
	H = EM + maskedDBLen;
	EVP_MD_CTX_init(&ctx);
	if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
		|| !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
		|| !EVP_DigestUpdate(&ctx, mHash, hLen))
		goto err;
	if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
		goto err;
	if (!EVP_DigestFinal_ex(&ctx, H, NULL))
		goto err;
	EVP_MD_CTX_cleanup(&ctx);

	/* Generate dbMask in place then perform XOR on it */
	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
		goto err;

	p = EM;

	/* Initial PS XORs with all zeroes which is a NOP so just update
	 * pointer. Note from a test above this value is guaranteed to
	 * be non-negative.
	 */
	p += emLen - sLen - hLen - 2;
	*p++ ^= 0x1;
	if (sLen > 0)
		{
		for (i = 0; i < sLen; i++)
			*p++ ^= salt[i];
		}
	if (MSBits)
		EM[0] &= 0xFF >> (8 - MSBits);

	/* H is already in place so just set final 0xbc */

	EM[emLen - 1] = 0xbc;

	ret = 1;

	err:
	if (salt)
		OPENSSL_free(salt);

	return ret;

	}

#if defined(_MSC_VER)
#pragma optimize("",on)
#endif
Commit	Line	Data
429168e7	1	/* rsa_pss.c */
2e597528	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
429168e7 DSH	3	* project 2005.
	4	*/
	5	/* ====================================================================
	6	* Copyright (c) 2005 The OpenSSL Project. All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	*
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in
	17	* the documentation and/or other materials provided with the
	18	* distribution.
	19	*
	20	* 3. All advertising materials mentioning features or use of this
	21	* software must display the following acknowledgment:
	22	* "This product includes software developed by the OpenSSL Project
	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	24	*
	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	26	* endorse or promote products derived from this software without
	27	* prior written permission. For written permission, please contact
	28	* licensing@OpenSSL.org.
	29	*
	30	* 5. Products derived from this software may not be called "OpenSSL"
	31	* nor may "OpenSSL" appear in their names without prior written
	32	* permission of the OpenSSL Project.
	33	*
	34	* 6. Redistributions of any form whatsoever must retain the following
	35	* acknowledgment:
	36	* "This product includes software developed by the OpenSSL Project
	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	38	*
	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
	51	* ====================================================================
	52	*
	53	* This product includes cryptographic software written by Eric Young
	54	* (eay@cryptsoft.com). This product includes software written by Tim
	55	* Hudson (tjh@cryptsoft.com).
	56	*
	57	*/
	58
7c8ced94	59	#define OPENSSL_FIPSAPI
c553721e	60
429168e7 DSH	61	#include <stdio.h>
	62	#include "cryptlib.h"
	63	#include <openssl/bn.h>
	64	#include <openssl/rsa.h>
	65	#include <openssl/evp.h>
	66	#include <openssl/rand.h>
	67	#include <openssl/sha.h>
e8254d40	68	#include "rsa_locl.h"
429168e7	69
7cc684f4 DSH	70	#ifdef OPENSSL_FIPS
	71	#include <openssl/fips.h>
	72	#endif
	73
03e389cf	74	__fips_constseg
8215e7a9	75	static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
429168e7	76
0491e058 AP	77	#if defined(_MSC_VER) && defined(_ARM_)
	78	#pragma optimize("g", off)
	79	#endif
	80
429168e7 DSH	81	int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,
	82	const EVP_MD Hash, const unsigned char EM, int sLen)
	83	{
e8254d40 DSH	84	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
	85	}
	86
	87	int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
	88	const EVP_MD Hash, const EVP_MD mgf1Hash,
	89	const unsigned char *EM, int sLen)
	90	{
429168e7 DSH	91	int i;
429168e7 DSH	92	int ret = 0;
3129acbd	93	int hLen, maskedDBLen, MSBits, emLen;
429168e7 DSH	94	const unsigned char *H;
	95	unsigned char *DB = NULL;
	96	EVP_MD_CTX ctx;
	97	unsigned char H_[EVP_MAX_MD_SIZE];
b6dcdbfc	98	EVP_MD_CTX_init(&ctx);
d51204f1	99
e8254d40 DSH	100	if (mgf1Hash == NULL)
	101	mgf1Hash = Hash;
	102
c553721e	103	hLen = M_EVP_MD_size(Hash);
0eab41fb BL	104	if (hLen < 0)
0eab41fb BL	105	goto err;
d51204f1 AP	106	/*
	107	* Negative sLen has special meanings:
	108	* -1 sLen == hLen
	109	* -2 salt length is autorecovered from signature
	110	* -N reserved
	111	*/
	112	if (sLen == -1) sLen = hLen;
	113	else if (sLen == -2) sLen = -2;
	114	else if (sLen < -2)
429168e7	115	{
2440d8b1	116	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
429168e7 DSH	117	goto err;
429168e7 DSH	118	}
d51204f1 AP	119
	120	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
	121	emLen = RSA_size(rsa);
3129acbd	122	if (EM[0] & (0xFF << MSBits))
429168e7	123	{
2440d8b1	124	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
429168e7 DSH	125	goto err;
429168e7 DSH	126	}
d51204f1	127	if (MSBits == 0)
3129acbd DSH	128	{
	129	EM++;
	130	emLen--;
	131	}
d51204f1 AP	132	if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
d51204f1 AP	133	{
2440d8b1	134	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
d51204f1 AP	135	goto err;
	136	}
	137	if (EM[emLen - 1] != 0xbc)
	138	{
2440d8b1	139	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
d51204f1 AP	140	goto err;
d51204f1 AP	141	}
429168e7 DSH	142	maskedDBLen = emLen - hLen - 1;
	143	H = EM + maskedDBLen;
	144	DB = OPENSSL_malloc(maskedDBLen);
	145	if (!DB)
	146	{
2440d8b1	147	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
429168e7 DSH	148	goto err;
429168e7 DSH	149	}
e8254d40	150	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
0eab41fb	151	goto err;
429168e7 DSH	152	for (i = 0; i < maskedDBLen; i++)
429168e7 DSH	153	DB[i] ^= EM[i];
3129acbd DSH	154	if (MSBits)
3129acbd DSH	155	DB[0] &= 0xFF >> (8 - MSBits);
d51204f1 AP	156	for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
d51204f1 AP	157	if (DB[i++] != 0x1)
429168e7	158	{
2440d8b1	159	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
d51204f1	160	goto err;
429168e7	161	}
d51204f1	162	if (sLen >= 0 && (maskedDBLen - i) != sLen)
429168e7	163	{
2440d8b1	164	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
429168e7 DSH	165	goto err;
429168e7 DSH	166	}
b6dcdbfc DSH	167	if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
	168	\|\| !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
	169	\|\| !EVP_DigestUpdate(&ctx, mHash, hLen))
	170	goto err;
d51204f1	171	if (maskedDBLen - i)
b6dcdbfc DSH	172	{
	173	if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
	174	goto err;
	175	}
c553721e	176	if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
b6dcdbfc	177	goto err;
429168e7 DSH	178	if (memcmp(H_, H, hLen))
429168e7 DSH	179	{
2440d8b1	180	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
429168e7 DSH	181	ret = 0;
	182	}
	183	else
	184	ret = 1;
	185
	186	err:
	187	if (DB)
	188	OPENSSL_free(DB);
b6dcdbfc	189	EVP_MD_CTX_cleanup(&ctx);
429168e7 DSH	190
	191	return ret;
	192
	193	}
	194
	195	int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
	196	const unsigned char *mHash,
	197	const EVP_MD *Hash, int sLen)
	198	{
e8254d40 DSH	199	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
	200	}
	201
	202	int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
	203	const unsigned char *mHash,
	204	const EVP_MD Hash, const EVP_MD mgf1Hash, int sLen)
	205	{
429168e7 DSH	206	int i;
429168e7 DSH	207	int ret = 0;
3129acbd	208	int hLen, maskedDBLen, MSBits, emLen;
429168e7 DSH	209	unsigned char H, salt = NULL, *p;
429168e7 DSH	210	EVP_MD_CTX ctx;
d51204f1	211
e8254d40 DSH	212	if (mgf1Hash == NULL)
	213	mgf1Hash = Hash;
	214
c553721e	215	hLen = M_EVP_MD_size(Hash);
0eab41fb BL	216	if (hLen < 0)
0eab41fb BL	217	goto err;
d51204f1 AP	218	/*
	219	* Negative sLen has special meanings:
	220	* -1 sLen == hLen
	221	* -2 salt length is maximized
	222	* -N reserved
	223	*/
	224	if (sLen == -1) sLen = hLen;
	225	else if (sLen == -2) sLen = -2;
	226	else if (sLen < -2)
429168e7	227	{
2440d8b1	228	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
429168e7 DSH	229	goto err;
429168e7 DSH	230	}
d51204f1 AP	231
	232	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
	233	emLen = RSA_size(rsa);
3129acbd DSH	234	if (MSBits == 0)
	235	{
	236	*EM++ = 0;
	237	emLen--;
	238	}
d51204f1 AP	239	if (sLen == -2)
	240	{
	241	sLen = emLen - hLen - 2;
	242	}
	243	else if (emLen < (hLen + sLen + 2))
	244	{
2440d8b1	245	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
d51204f1 AP	246	goto err;
d51204f1 AP	247	}
429168e7 DSH	248	if (sLen > 0)
	249	{
	250	salt = OPENSSL_malloc(sLen);
	251	if (!salt)
	252	{
2440d8b1	253	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,ERR_R_MALLOC_FAILURE);
429168e7 DSH	254	goto err;
429168e7 DSH	255	}
a25f33d2	256	if (RAND_bytes(salt, sLen) <= 0)
429168e7 DSH	257	goto err;
	258	}
	259	maskedDBLen = emLen - hLen - 1;
	260	H = EM + maskedDBLen;
	261	EVP_MD_CTX_init(&ctx);
b6dcdbfc DSH	262	if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
	263	\|\| !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
	264	\|\| !EVP_DigestUpdate(&ctx, mHash, hLen))
	265	goto err;
	266	if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
	267	goto err;
c553721e	268	if (!EVP_DigestFinal_ex(&ctx, H, NULL))
b6dcdbfc	269	goto err;
429168e7 DSH	270	EVP_MD_CTX_cleanup(&ctx);
	271
	272	/* Generate dbMask in place then perform XOR on it */
e8254d40	273	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
0eab41fb	274	goto err;
429168e7 DSH	275
	276	p = EM;
	277
	278	/* Initial PS XORs with all zeroes which is a NOP so just update
	279	* pointer. Note from a test above this value is guaranteed to
	280	* be non-negative.
	281	*/
	282	p += emLen - sLen - hLen - 2;
	283	*p++ ^= 0x1;
	284	if (sLen > 0)
	285	{
	286	for (i = 0; i < sLen; i++)
	287	*p++ ^= salt[i];
	288	}
3129acbd DSH	289	if (MSBits)
3129acbd DSH	290	EM[0] &= 0xFF >> (8 - MSBits);
429168e7 DSH	291
	292	/* H is already in place so just set final 0xbc */
	293
	294	EM[emLen - 1] = 0xbc;
	295
	296	ret = 1;
	297
	298	err:
	299	if (salt)
	300	OPENSSL_free(salt);
	301
	302	return ret;
	303
	304	}
0491e058 AP	305
	306	#if defined(_MSC_VER)
	307	#pragma optimize("",on)
	308	#endif