[thirdparty/openssl.git] / crypto / rsa / rsa_pss.c

/*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
 * 2005.
 */
/* ====================================================================
 * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_locl.h"

static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };

#if defined(_MSC_VER) && defined(_ARM_)
# pragma optimize("g", off)
#endif

int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
                         const EVP_MD *Hash, const unsigned char *EM,
                         int sLen)
{
    return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
}

int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
                              const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                              const unsigned char *EM, int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    const unsigned char *H;
    unsigned char *DB = NULL;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    unsigned char H_[EVP_MAX_MD_SIZE];


    if (ctx == NULL)
        goto err;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is autorecovered from signature
     *      -N      reserved
     */
    if (sLen == -1)
        sLen = hLen;
    else if (sLen == -2)
        sLen = -2;
    else if (sLen < -2) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (EM[0] & (0xFF << MSBits)) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
        goto err;
    }
    if (MSBits == 0) {
        EM++;
        emLen--;
    }
    if (emLen < (hLen + sLen + 2)) { /* sLen can be small negative */
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (EM[emLen - 1] != 0xbc) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
        goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    DB = OPENSSL_malloc(maskedDBLen);
    if (DB == NULL) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
        goto err;
    for (i = 0; i < maskedDBLen; i++)
        DB[i] ^= EM[i];
    if (MSBits)
        DB[0] &= 0xFF >> (8 - MSBits);
    for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
    if (DB[i++] != 0x1) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
        goto err;
    }
    if (sLen >= 0 && (maskedDBLen - i) != sLen) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof zeroes)
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (maskedDBLen - i) {
        if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
            goto err;
    }
    if (!EVP_DigestFinal_ex(ctx, H_, NULL))
        goto err;
    if (memcmp(H_, H, hLen)) {
        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
        ret = 0;
    } else
        ret = 1;

 err:
    OPENSSL_free(DB);
    EVP_MD_CTX_free(ctx);

    return ret;

}

int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
                              const unsigned char *mHash,
                              const EVP_MD *Hash, int sLen)
{
    return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
}

int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
                                   const unsigned char *mHash,
                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                                   int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    unsigned char *H, *salt = NULL, *p;
    EVP_MD_CTX *ctx = NULL;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is maximized
     *      -N      reserved
     */
    if (sLen == -1)
        sLen = hLen;
    else if (sLen == -2)
        sLen = -2;
    else if (sLen < -2) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (MSBits == 0) {
        *EM++ = 0;
        emLen--;
    }
    if (sLen == -2) {
        sLen = emLen - hLen - 2;
    } else if (emLen < (hLen + sLen + 2)) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen > 0) {
        salt = OPENSSL_malloc(sLen);
        if (salt == NULL) {
            RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
                   ERR_R_MALLOC_FAILURE);
            goto err;
        }
        if (RAND_bytes(salt, sLen) <= 0)
            goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    ctx = EVP_MD_CTX_new();
    if (ctx == NULL)
        goto err;
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof zeroes)
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
        goto err;
    if (!EVP_DigestFinal_ex(ctx, H, NULL))
        goto err;

    /* Generate dbMask in place then perform XOR on it */
    if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
        goto err;

    p = EM;

    /*
     * Initial PS XORs with all zeroes which is a NOP so just update pointer.
     * Note from a test above this value is guaranteed to be non-negative.
     */
    p += emLen - sLen - hLen - 2;
    *p++ ^= 0x1;
    if (sLen > 0) {
        for (i = 0; i < sLen; i++)
            *p++ ^= salt[i];
    }
    if (MSBits)
        EM[0] &= 0xFF >> (8 - MSBits);

    /* H is already in place so just set final 0xbc */

    EM[emLen - 1] = 0xbc;

    ret = 1;

 err:
    EVP_MD_CTX_free(ctx);
    OPENSSL_free(salt);

    return ret;

}

#if defined(_MSC_VER)
# pragma optimize("",on)
#endif
Commit	Line	Data
0f113f3e MC	1	/*
	2	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
	3	* 2005.
429168e7 DSH	4	*/
	5	/* ====================================================================
	6	* Copyright (c) 2005 The OpenSSL Project. All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* 1. Redistributions of source code must retain the above copyright
0f113f3e	13	* notice, this list of conditions and the following disclaimer.
429168e7 DSH	14	*
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in
	17	* the documentation and/or other materials provided with the
	18	* distribution.
	19	*
	20	* 3. All advertising materials mentioning features or use of this
	21	* software must display the following acknowledgment:
	22	* "This product includes software developed by the OpenSSL Project
	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	24	*
	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	26	* endorse or promote products derived from this software without
	27	* prior written permission. For written permission, please contact
	28	* licensing@OpenSSL.org.
	29	*
	30	* 5. Products derived from this software may not be called "OpenSSL"
	31	* nor may "OpenSSL" appear in their names without prior written
	32	* permission of the OpenSSL Project.
	33	*
	34	* 6. Redistributions of any form whatsoever must retain the following
	35	* acknowledgment:
	36	* "This product includes software developed by the OpenSSL Project
	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	38	*
	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
	51	* ====================================================================
	52	*
	53	* This product includes cryptographic software written by Eric Young
	54	* (eay@cryptsoft.com). This product includes software written by Tim
	55	* Hudson (tjh@cryptsoft.com).
	56	*
	57	*/
	58
	59	#include <stdio.h>
b39fc560	60	#include "internal/cryptlib.h"
429168e7 DSH	61	#include <openssl/bn.h>
	62	#include <openssl/rsa.h>
	63	#include <openssl/evp.h>
	64	#include <openssl/rand.h>
	65	#include <openssl/sha.h>
e8254d40	66	#include "rsa_locl.h"
429168e7	67
0f113f3e	68	static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
429168e7	69
0491e058	70	#if defined(_MSC_VER) && defined(_ARM_)
0f113f3e	71	# pragma optimize("g", off)
0491e058 AP	72	#endif
0491e058 AP	73
429168e7	74	int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,
0f113f3e MC	75	const EVP_MD Hash, const unsigned char EM,
	76	int sLen)
	77	{
	78	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
	79	}
e8254d40 DSH	80
e8254d40 DSH	81	int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
0f113f3e MC	82	const EVP_MD Hash, const EVP_MD mgf1Hash,
	83	const unsigned char *EM, int sLen)
	84	{
	85	int i;
	86	int ret = 0;
	87	int hLen, maskedDBLen, MSBits, emLen;
	88	const unsigned char *H;
	89	unsigned char *DB = NULL;
bfb0641f	90	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
0f113f3e	91	unsigned char H_[EVP_MAX_MD_SIZE];
6e59a892 RL	92
	93
	94	if (ctx == NULL)
	95	goto err;
d51204f1	96
0f113f3e MC	97	if (mgf1Hash == NULL)
0f113f3e MC	98	mgf1Hash = Hash;
e8254d40	99
6e59a892	100	hLen = EVP_MD_size(Hash);
0f113f3e MC	101	if (hLen < 0)
0f113f3e MC	102	goto err;
50e735f9 MC	103	/*-
	104	* Negative sLen has special meanings:
	105	* -1 sLen == hLen
	106	* -2 salt length is autorecovered from signature
	107	* -N reserved
	108	*/
0f113f3e MC	109	if (sLen == -1)
	110	sLen = hLen;
	111	else if (sLen == -2)
	112	sLen = -2;
	113	else if (sLen < -2) {
	114	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
	115	goto err;
	116	}
d51204f1	117
0f113f3e MC	118	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
	119	emLen = RSA_size(rsa);
	120	if (EM[0] & (0xFF << MSBits)) {
	121	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
	122	goto err;
	123	}
	124	if (MSBits == 0) {
	125	EM++;
	126	emLen--;
	127	}
	128	if (emLen < (hLen + sLen + 2)) { /* sLen can be small negative */
	129	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
	130	goto err;
	131	}
	132	if (EM[emLen - 1] != 0xbc) {
	133	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
	134	goto err;
	135	}
	136	maskedDBLen = emLen - hLen - 1;
	137	H = EM + maskedDBLen;
	138	DB = OPENSSL_malloc(maskedDBLen);
90945fa3	139	if (DB == NULL) {
0f113f3e MC	140	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
	141	goto err;
	142	}
	143	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
	144	goto err;
	145	for (i = 0; i < maskedDBLen; i++)
	146	DB[i] ^= EM[i];
	147	if (MSBits)
	148	DB[0] &= 0xFF >> (8 - MSBits);
	149	for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
	150	if (DB[i++] != 0x1) {
	151	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
	152	goto err;
	153	}
	154	if (sLen >= 0 && (maskedDBLen - i) != sLen) {
	155	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
	156	goto err;
	157	}
6e59a892 RL	158	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
	159	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof zeroes)
	160	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
0f113f3e MC	161	goto err;
0f113f3e MC	162	if (maskedDBLen - i) {
6e59a892	163	if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
0f113f3e MC	164	goto err;
0f113f3e MC	165	}
6e59a892	166	if (!EVP_DigestFinal_ex(ctx, H_, NULL))
0f113f3e MC	167	goto err;
	168	if (memcmp(H_, H, hLen)) {
	169	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
	170	ret = 0;
	171	} else
	172	ret = 1;
429168e7	173
0f113f3e	174	err:
b548a1f1	175	OPENSSL_free(DB);
bfb0641f	176	EVP_MD_CTX_free(ctx);
429168e7	177
0f113f3e	178	return ret;
429168e7	179
0f113f3e	180	}
429168e7 DSH	181
429168e7 DSH	182	int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
0f113f3e MC	183	const unsigned char *mHash,
	184	const EVP_MD *Hash, int sLen)
	185	{
	186	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
	187	}
e8254d40 DSH	188
e8254d40 DSH	189	int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
0f113f3e MC	190	const unsigned char *mHash,
	191	const EVP_MD Hash, const EVP_MD mgf1Hash,
	192	int sLen)
	193	{
	194	int i;
	195	int ret = 0;
	196	int hLen, maskedDBLen, MSBits, emLen;
	197	unsigned char H, salt = NULL, *p;
6e59a892	198	EVP_MD_CTX *ctx = NULL;
d51204f1	199
0f113f3e MC	200	if (mgf1Hash == NULL)
0f113f3e MC	201	mgf1Hash = Hash;
e8254d40	202
6e59a892	203	hLen = EVP_MD_size(Hash);
0f113f3e MC	204	if (hLen < 0)
0f113f3e MC	205	goto err;
50e735f9 MC	206	/*-
	207	* Negative sLen has special meanings:
	208	* -1 sLen == hLen
	209	* -2 salt length is maximized
	210	* -N reserved
	211	*/
0f113f3e MC	212	if (sLen == -1)
	213	sLen = hLen;
	214	else if (sLen == -2)
	215	sLen = -2;
	216	else if (sLen < -2) {
	217	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
	218	goto err;
	219	}
d51204f1	220
0f113f3e MC	221	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
	222	emLen = RSA_size(rsa);
	223	if (MSBits == 0) {
	224	*EM++ = 0;
	225	emLen--;
	226	}
	227	if (sLen == -2) {
	228	sLen = emLen - hLen - 2;
	229	} else if (emLen < (hLen + sLen + 2)) {
	230	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
	231	RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
	232	goto err;
	233	}
	234	if (sLen > 0) {
	235	salt = OPENSSL_malloc(sLen);
90945fa3	236	if (salt == NULL) {
0f113f3e MC	237	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
	238	ERR_R_MALLOC_FAILURE);
	239	goto err;
	240	}
	241	if (RAND_bytes(salt, sLen) <= 0)
	242	goto err;
	243	}
	244	maskedDBLen = emLen - hLen - 1;
	245	H = EM + maskedDBLen;
bfb0641f	246	ctx = EVP_MD_CTX_new();
6e59a892 RL	247	if (ctx == NULL)
	248	goto err;
	249	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
	250	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof zeroes)
	251	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
0f113f3e	252	goto err;
6e59a892	253	if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
0f113f3e	254	goto err;
6e59a892	255	if (!EVP_DigestFinal_ex(ctx, H, NULL))
0f113f3e	256	goto err;
429168e7	257
0f113f3e MC	258	/* Generate dbMask in place then perform XOR on it */
	259	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
	260	goto err;
429168e7	261
0f113f3e	262	p = EM;
429168e7	263
0f113f3e MC	264	/*
	265	* Initial PS XORs with all zeroes which is a NOP so just update pointer.
	266	* Note from a test above this value is guaranteed to be non-negative.
	267	*/
	268	p += emLen - sLen - hLen - 2;
	269	*p++ ^= 0x1;
	270	if (sLen > 0) {
	271	for (i = 0; i < sLen; i++)
	272	*p++ ^= salt[i];
	273	}
	274	if (MSBits)
	275	EM[0] &= 0xFF >> (8 - MSBits);
429168e7	276
0f113f3e	277	/* H is already in place so just set final 0xbc */
429168e7	278
0f113f3e	279	EM[emLen - 1] = 0xbc;
429168e7	280
0f113f3e	281	ret = 1;
429168e7	282
0f113f3e	283	err:
bfb0641f	284	EVP_MD_CTX_free(ctx);
b548a1f1	285	OPENSSL_free(salt);
429168e7	286
0f113f3e	287	return ret;
429168e7	288
0f113f3e	289	}
0491e058 AP	290
0491e058 AP	291	#if defined(_MSC_VER)
0f113f3e	292	# pragma optimize("",on)
0491e058	293	#endif