[thirdparty/openssl.git] / crypto / rsa / rsa_pss.c

/*
 * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_local.h"

static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };

#if defined(_MSC_VER) && defined(_ARM_)
# pragma optimize("g", off)
#endif

int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
                         const EVP_MD *Hash, const unsigned char *EM,
                         int sLen)
{
    return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
}

int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
                              const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                              const unsigned char *EM, int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    const unsigned char *H;
    unsigned char *DB = NULL;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    unsigned char H_[EVP_MAX_MD_SIZE];

    if (ctx == NULL)
        goto err;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is autorecovered from signature
     *      -3      salt length is maximized
     *      -4      salt length is autorecovered from signature
     *      -N      reserved
     */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (EM[0] & (0xFF << MSBits)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
        goto err;
    }
    if (MSBits == 0) {
        EM++;
        emLen--;
    }
    if (emLen < hLen + 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
    } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
        goto err;
    }
    if (EM[emLen - 1] != 0xbc) {
        ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
        goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    DB = OPENSSL_malloc(maskedDBLen);
    if (DB == NULL)
        goto err;
    if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
        goto err;
    for (i = 0; i < maskedDBLen; i++)
        DB[i] ^= EM[i];
    if (MSBits)
        DB[0] &= 0xFF >> (8 - MSBits);
    for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
    if (DB[i++] != 0x1) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
        goto err;
    }
    if (sLen != RSA_PSS_SALTLEN_AUTO
            && sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
            && (maskedDBLen - i) != sLen) {
        ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
                       "expected: %d retrieved: %d", sLen,
                       maskedDBLen - i);
        goto err;
    }
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (maskedDBLen - i) {
        if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
            goto err;
    }
    if (!EVP_DigestFinal_ex(ctx, H_, NULL))
        goto err;
    if (memcmp(H_, H, hLen)) {
        ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
        ret = 0;
    } else {
        ret = 1;
    }

 err:
    OPENSSL_free(DB);
    EVP_MD_CTX_free(ctx);

    return ret;

}

int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
                              const unsigned char *mHash,
                              const EVP_MD *Hash, int sLen)
{
    return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
}

int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
                                   const unsigned char *mHash,
                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                                   int sLen)
{
    int i;
    int ret = 0;
    int hLen, maskedDBLen, MSBits, emLen;
    unsigned char *H, *salt = NULL, *p;
    EVP_MD_CTX *ctx = NULL;
    int sLenMax = -1;

    if (mgf1Hash == NULL)
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
    if (hLen < 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
     *      -1      sLen == hLen
     *      -2      salt length is maximized
     *      -3      same as above (on signing)
     *      -4      salt length is min(hLen, maximum salt length)
     *      -N      reserved
     */
    /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
     * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
     * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
     * the hash function output block (in bytes)."
     *
     * Provide a way to use at most the digest length, so that the default does
     * not violate FIPS 186-4. */
    if (sLen == RSA_PSS_SALTLEN_DIGEST) {
        sLen = hLen;
    } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
            || sLen == RSA_PSS_SALTLEN_AUTO) {
        sLen = RSA_PSS_SALTLEN_MAX;
    } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
        sLen = RSA_PSS_SALTLEN_MAX;
        sLenMax = hLen;
    } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
        ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
        goto err;
    }

    MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
    emLen = RSA_size(rsa);
    if (MSBits == 0) {
        *EM++ = 0;
        emLen--;
    }
    if (emLen < hLen + 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen == RSA_PSS_SALTLEN_MAX) {
        sLen = emLen - hLen - 2;
        if (sLenMax >= 0 && sLen > sLenMax)
            sLen = sLenMax;
    } else if (sLen > emLen - hLen - 2) {
        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        goto err;
    }
    if (sLen > 0) {
        salt = OPENSSL_malloc(sLen);
        if (salt == NULL)
            goto err;
        if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
            goto err;
    }
    maskedDBLen = emLen - hLen - 1;
    H = EM + maskedDBLen;
    ctx = EVP_MD_CTX_new();
    if (ctx == NULL)
        goto err;
    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
        || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
        || !EVP_DigestUpdate(ctx, mHash, hLen))
        goto err;
    if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
        goto err;
    if (!EVP_DigestFinal_ex(ctx, H, NULL))
        goto err;

    /* Generate dbMask in place then perform XOR on it */
    if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
        goto err;

    p = EM;

    /*
     * Initial PS XORs with all zeroes which is a NOP so just update pointer.
     * Note from a test above this value is guaranteed to be non-negative.
     */
    p += emLen - sLen - hLen - 2;
    *p++ ^= 0x1;
    if (sLen > 0) {
        for (i = 0; i < sLen; i++)
            *p++ ^= salt[i];
    }
    if (MSBits)
        EM[0] &= 0xFF >> (8 - MSBits);

    /* H is already in place so just set final 0xbc */

    EM[emLen - 1] = 0xbc;

    ret = 1;

 err:
    EVP_MD_CTX_free(ctx);
    OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */

    return ret;

}

/*
 * The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
 * (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
 *
 * If the default values of the hashAlgorithm, maskGenAlgorithm, and
 * trailerField fields of RSASSA-PSS-params are used, then the algorithm
 * identifier will have the following value:
 *
 *     rSASSA-PSS-Default-Identifier    RSASSA-AlgorithmIdentifier ::= {
 *         algorithm   id-RSASSA-PSS,
 *         parameters  RSASSA-PSS-params : {
 *             hashAlgorithm       sha1,
 *             maskGenAlgorithm    mgf1SHA1,
 *             saltLength          20,
 *             trailerField        trailerFieldBC
 *         }
 *     }
 *
 *     RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
 *         {PKCS1Algorithms}
 *     }
 */
static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
    NID_sha1,                    /* default hashAlgorithm */
    {
        NID_mgf1,                /* default maskGenAlgorithm */
        NID_sha1                 /* default MGF1 hash */
    },
    20,                          /* default saltLength */
    1                            /* default trailerField (0xBC) */
};

int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return 0;
    *rsa_pss_params = default_RSASSA_PSS_params;
    return 1;
}

int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    static RSA_PSS_PARAMS_30 pss_params_cmp = { 0, };

    return rsa_pss_params == NULL
        || memcmp(rsa_pss_params, &pss_params_cmp,
                  sizeof(*rsa_pss_params)) == 0;
}

int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
                                const RSA_PSS_PARAMS_30 *from)
{
    memcpy(to, from, sizeof(*to));
    return 1;
}

int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                       int hashalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->hash_algorithm_nid = hashalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                              int maskgenhashalg_nid)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
    return 1;
}

int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                       int saltlen)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->salt_len = saltlen;
    return 1;
}

int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
                                            int trailerfield)
{
    if (rsa_pss_params == NULL)
        return 0;
    rsa_pss_params->trailer_field = trailerfield;
    return 1;
}

int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.hash_algorithm_nid;
    return rsa_pss_params->hash_algorithm_nid;
}

int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
    return rsa_pss_params->mask_gen.algorithm_nid;
}

int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.hash_algorithm_nid;
    return rsa_pss_params->mask_gen.hash_algorithm_nid;
}

int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.salt_len;
    return rsa_pss_params->salt_len;
}

int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
{
    if (rsa_pss_params == NULL)
        return default_RSASSA_PSS_params.trailer_field;
    return rsa_pss_params->trailer_field;
}

#if defined(_MSC_VER)
# pragma optimize("",on)
#endif
Commit	Line	Data
0f113f3e	1	/*
da1c088f	2	* Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
429168e7	3	*
2a7b6f39	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
2039c421 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
429168e7 DSH	8	*/
429168e7 DSH	9
c5f87134 P	10	/*
	11	* RSA low level APIs are deprecated for public use, but still ok for
	12	* internal use.
	13	*/
	14	#include "internal/deprecated.h"
	15
429168e7	16	#include <stdio.h>
b39fc560	17	#include "internal/cryptlib.h"
429168e7 DSH	18	#include <openssl/bn.h>
	19	#include <openssl/rsa.h>
	20	#include <openssl/evp.h>
	21	#include <openssl/rand.h>
	22	#include <openssl/sha.h>
706457b7	23	#include "rsa_local.h"
429168e7	24
0f113f3e	25	static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
429168e7	26
0491e058	27	#if defined(_MSC_VER) && defined(_ARM_)
0f113f3e	28	# pragma optimize("g", off)
0491e058 AP	29	#endif
0491e058 AP	30
429168e7	31	int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,
0f113f3e MC	32	const EVP_MD Hash, const unsigned char EM,
	33	int sLen)
	34	{
	35	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
	36	}
e8254d40 DSH	37
e8254d40 DSH	38	int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
0f113f3e MC	39	const EVP_MD Hash, const EVP_MD mgf1Hash,
	40	const unsigned char *EM, int sLen)
	41	{
	42	int i;
	43	int ret = 0;
	44	int hLen, maskedDBLen, MSBits, emLen;
	45	const unsigned char *H;
	46	unsigned char *DB = NULL;
bfb0641f	47	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
0f113f3e	48	unsigned char H_[EVP_MAX_MD_SIZE];
6e59a892	49
6e59a892 RL	50	if (ctx == NULL)
6e59a892 RL	51	goto err;
d51204f1	52
0f113f3e MC	53	if (mgf1Hash == NULL)
0f113f3e MC	54	mgf1Hash = Hash;
e8254d40	55
ed576acd	56	hLen = EVP_MD_get_size(Hash);
0f113f3e MC	57	if (hLen < 0)
0f113f3e MC	58	goto err;
50e735f9 MC	59	/*-
	60	* Negative sLen has special meanings:
	61	* -1 sLen == hLen
	62	* -2 salt length is autorecovered from signature
108909d3	63	* -3 salt length is maximized
6c73ca4a	64	* -4 salt length is autorecovered from signature
50e735f9 MC	65	* -N reserved
50e735f9 MC	66	*/
90862ab4	67	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
0f113f3e	68	sLen = hLen;
6c73ca4a	69	} else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
9311d0c4	70	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
0f113f3e MC	71	goto err;
0f113f3e MC	72	}
d51204f1	73
0f113f3e MC	74	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
	75	emLen = RSA_size(rsa);
	76	if (EM[0] & (0xFF << MSBits)) {
9311d0c4	77	ERR_raise(ERR_LIB_RSA, RSA_R_FIRST_OCTET_INVALID);
0f113f3e MC	78	goto err;
	79	}
	80	if (MSBits == 0) {
	81	EM++;
	82	emLen--;
	83	}
108909d3	84	if (emLen < hLen + 2) {
9311d0c4	85	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
108909d3 BE	86	goto err;
108909d3 BE	87	}
137096a7 DSH	88	if (sLen == RSA_PSS_SALTLEN_MAX) {
137096a7 DSH	89	sLen = emLen - hLen - 2;
108909d3	90	} else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
9311d0c4	91	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE);
0f113f3e MC	92	goto err;
	93	}
	94	if (EM[emLen - 1] != 0xbc) {
9311d0c4	95	ERR_raise(ERR_LIB_RSA, RSA_R_LAST_OCTET_INVALID);
0f113f3e MC	96	goto err;
	97	}
	98	maskedDBLen = emLen - hLen - 1;
	99	H = EM + maskedDBLen;
	100	DB = OPENSSL_malloc(maskedDBLen);
e077455e	101	if (DB == NULL)
0f113f3e	102	goto err;
0f113f3e MC	103	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
	104	goto err;
	105	for (i = 0; i < maskedDBLen; i++)
	106	DB[i] ^= EM[i];
	107	if (MSBits)
	108	DB[0] &= 0xFF >> (8 - MSBits);
	109	for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;
	110	if (DB[i++] != 0x1) {
9311d0c4	111	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
0f113f3e MC	112	goto err;
0f113f3e MC	113	}
6c73ca4a CL	114	if (sLen != RSA_PSS_SALTLEN_AUTO
	115	&& sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
	116	&& (maskedDBLen - i) != sLen) {
bbde8566 TM	117	ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
	118	"expected: %d retrieved: %d", sLen,
	119	maskedDBLen - i);
0f113f3e MC	120	goto err;
0f113f3e MC	121	}
6e59a892	122	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
cbe29648	123	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
6e59a892	124	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
0f113f3e MC	125	goto err;
0f113f3e MC	126	if (maskedDBLen - i) {
6e59a892	127	if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
0f113f3e MC	128	goto err;
0f113f3e MC	129	}
6e59a892	130	if (!EVP_DigestFinal_ex(ctx, H_, NULL))
0f113f3e MC	131	goto err;
0f113f3e MC	132	if (memcmp(H_, H, hLen)) {
9311d0c4	133	ERR_raise(ERR_LIB_RSA, RSA_R_BAD_SIGNATURE);
0f113f3e	134	ret = 0;
90862ab4	135	} else {
0f113f3e	136	ret = 1;
90862ab4	137	}
429168e7	138
0f113f3e	139	err:
b548a1f1	140	OPENSSL_free(DB);
bfb0641f	141	EVP_MD_CTX_free(ctx);
429168e7	142
0f113f3e	143	return ret;
429168e7	144
0f113f3e	145	}
429168e7 DSH	146
429168e7 DSH	147	int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
0f113f3e MC	148	const unsigned char *mHash,
	149	const EVP_MD *Hash, int sLen)
	150	{
	151	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
	152	}
e8254d40 DSH	153
e8254d40 DSH	154	int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
0f113f3e MC	155	const unsigned char *mHash,
	156	const EVP_MD Hash, const EVP_MD mgf1Hash,
	157	int sLen)
	158	{
	159	int i;
	160	int ret = 0;
	161	int hLen, maskedDBLen, MSBits, emLen;
	162	unsigned char H, salt = NULL, *p;
6e59a892	163	EVP_MD_CTX *ctx = NULL;
6c73ca4a	164	int sLenMax = -1;
d51204f1	165
0f113f3e MC	166	if (mgf1Hash == NULL)
0f113f3e MC	167	mgf1Hash = Hash;
e8254d40	168
ed576acd	169	hLen = EVP_MD_get_size(Hash);
0f113f3e MC	170	if (hLen < 0)
0f113f3e MC	171	goto err;
50e735f9 MC	172	/*-
	173	* Negative sLen has special meanings:
	174	* -1 sLen == hLen
	175	* -2 salt length is maximized
108909d3	176	* -3 same as above (on signing)
6c73ca4a	177	* -4 salt length is min(hLen, maximum salt length)
50e735f9 MC	178	* -N reserved
50e735f9 MC	179	*/
6c73ca4a CL	180	/* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
	181	* 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
	182	* salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
	183	* the hash function output block (in bytes)."
	184	*
	185	* Provide a way to use at most the digest length, so that the default does
	186	* not violate FIPS 186-4. */
90862ab4	187	if (sLen == RSA_PSS_SALTLEN_DIGEST) {
0f113f3e	188	sLen = hLen;
6c73ca4a CL	189	} else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
6c73ca4a CL	190	\|\| sLen == RSA_PSS_SALTLEN_AUTO) {
137096a7	191	sLen = RSA_PSS_SALTLEN_MAX;
6c73ca4a CL	192	} else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
	193	sLen = RSA_PSS_SALTLEN_MAX;
	194	sLenMax = hLen;
	195	} else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
9311d0c4	196	ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
0f113f3e MC	197	goto err;
0f113f3e MC	198	}
d51204f1	199
0f113f3e MC	200	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
	201	emLen = RSA_size(rsa);
	202	if (MSBits == 0) {
	203	*EM++ = 0;
	204	emLen--;
	205	}
108909d3	206	if (emLen < hLen + 2) {
9311d0c4	207	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
108909d3 BE	208	goto err;
108909d3 BE	209	}
137096a7	210	if (sLen == RSA_PSS_SALTLEN_MAX) {
0f113f3e	211	sLen = emLen - hLen - 2;
6c73ca4a CL	212	if (sLenMax >= 0 && sLen > sLenMax)
6c73ca4a CL	213	sLen = sLenMax;
108909d3	214	} else if (sLen > emLen - hLen - 2) {
9311d0c4	215	ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
0f113f3e MC	216	goto err;
	217	}
	218	if (sLen > 0) {
	219	salt = OPENSSL_malloc(sLen);
e077455e	220	if (salt == NULL)
0f113f3e	221	goto err;
5cbd2ea3	222	if (RAND_bytes_ex(rsa->libctx, salt, sLen, 0) <= 0)
0f113f3e MC	223	goto err;
	224	}
	225	maskedDBLen = emLen - hLen - 1;
	226	H = EM + maskedDBLen;
bfb0641f	227	ctx = EVP_MD_CTX_new();
6e59a892 RL	228	if (ctx == NULL)
	229	goto err;
	230	if (!EVP_DigestInit_ex(ctx, Hash, NULL)
cbe29648	231	\|\| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
6e59a892	232	\|\| !EVP_DigestUpdate(ctx, mHash, hLen))
0f113f3e	233	goto err;
6e59a892	234	if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
0f113f3e	235	goto err;
6e59a892	236	if (!EVP_DigestFinal_ex(ctx, H, NULL))
0f113f3e	237	goto err;
429168e7	238
0f113f3e MC	239	/* Generate dbMask in place then perform XOR on it */
	240	if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
	241	goto err;
429168e7	242
0f113f3e	243	p = EM;
429168e7	244
0f113f3e MC	245	/*
	246	* Initial PS XORs with all zeroes which is a NOP so just update pointer.
	247	* Note from a test above this value is guaranteed to be non-negative.
	248	*/
	249	p += emLen - sLen - hLen - 2;
	250	*p++ ^= 0x1;
	251	if (sLen > 0) {
	252	for (i = 0; i < sLen; i++)
	253	*p++ ^= salt[i];
	254	}
	255	if (MSBits)
	256	EM[0] &= 0xFF >> (8 - MSBits);
429168e7	257
0f113f3e	258	/* H is already in place so just set final 0xbc */
429168e7	259
0f113f3e	260	EM[emLen - 1] = 0xbc;
429168e7	261
0f113f3e	262	ret = 1;
429168e7	263
0f113f3e	264	err:
bfb0641f	265	EVP_MD_CTX_free(ctx);
427e91d9	266	OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */
429168e7	267
0f113f3e	268	return ret;
429168e7	269
0f113f3e	270	}
0491e058	271
15671090 RL	272	/*
	273	* The defaults for PSS restrictions are defined in RFC 8017, A.2.3 RSASSA-PSS
	274	* (https://tools.ietf.org/html/rfc8017#appendix-A.2.3):
	275	*
	276	* If the default values of the hashAlgorithm, maskGenAlgorithm, and
	277	* trailerField fields of RSASSA-PSS-params are used, then the algorithm
	278	* identifier will have the following value:
	279	*
	280	* rSASSA-PSS-Default-Identifier RSASSA-AlgorithmIdentifier ::= {
	281	* algorithm id-RSASSA-PSS,
	282	* parameters RSASSA-PSS-params : {
	283	* hashAlgorithm sha1,
	284	* maskGenAlgorithm mgf1SHA1,
	285	* saltLength 20,
	286	* trailerField trailerFieldBC
	287	* }
	288	* }
	289	*
	290	* RSASSA-AlgorithmIdentifier ::= AlgorithmIdentifier {
	291	* {PKCS1Algorithms}
	292	* }
	293	*/
	294	static const RSA_PSS_PARAMS_30 default_RSASSA_PSS_params = {
	295	NID_sha1, /* default hashAlgorithm */
	296	{
	297	NID_mgf1, /* default maskGenAlgorithm */
	298	NID_sha1 /* default MGF1 hash */
	299	},
	300	20, /* default saltLength */
	301	1 /* default trailerField (0xBC) */
	302	};
	303
23b2fc0b	304	int ossl_rsa_pss_params_30_set_defaults(RSA_PSS_PARAMS_30 *rsa_pss_params)
15671090 RL	305	{
	306	if (rsa_pss_params == NULL)
	307	return 0;
	308	*rsa_pss_params = default_RSASSA_PSS_params;
	309	return 1;
	310	}
	311
23b2fc0b	312	int ossl_rsa_pss_params_30_is_unrestricted(const RSA_PSS_PARAMS_30 *rsa_pss_params)
15671090 RL	313	{
	314	static RSA_PSS_PARAMS_30 pss_params_cmp = { 0, };
	315
	316	return rsa_pss_params == NULL
	317	\|\| memcmp(rsa_pss_params, &pss_params_cmp,
	318	sizeof(*rsa_pss_params)) == 0;
	319	}
	320
23b2fc0b P	321	int ossl_rsa_pss_params_30_copy(RSA_PSS_PARAMS_30 *to,
23b2fc0b P	322	const RSA_PSS_PARAMS_30 *from)
15671090 RL	323	{
	324	memcpy(to, from, sizeof(*to));
	325	return 1;
	326	}
	327
23b2fc0b P	328	int ossl_rsa_pss_params_30_set_hashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
23b2fc0b P	329	int hashalg_nid)
15671090 RL	330	{
	331	if (rsa_pss_params == NULL)
	332	return 0;
	333	rsa_pss_params->hash_algorithm_nid = hashalg_nid;
	334	return 1;
	335	}
	336
23b2fc0b P	337	int ossl_rsa_pss_params_30_set_maskgenhashalg(RSA_PSS_PARAMS_30 *rsa_pss_params,
23b2fc0b P	338	int maskgenhashalg_nid)
15671090 RL	339	{
	340	if (rsa_pss_params == NULL)
	341	return 0;
	342	rsa_pss_params->mask_gen.hash_algorithm_nid = maskgenhashalg_nid;
	343	return 1;
	344	}
	345
23b2fc0b P	346	int ossl_rsa_pss_params_30_set_saltlen(RSA_PSS_PARAMS_30 *rsa_pss_params,
23b2fc0b P	347	int saltlen)
15671090 RL	348	{
	349	if (rsa_pss_params == NULL)
	350	return 0;
	351	rsa_pss_params->salt_len = saltlen;
	352	return 1;
	353	}
	354
23b2fc0b P	355	int ossl_rsa_pss_params_30_set_trailerfield(RSA_PSS_PARAMS_30 *rsa_pss_params,
23b2fc0b P	356	int trailerfield)
15671090 RL	357	{
	358	if (rsa_pss_params == NULL)
	359	return 0;
	360	rsa_pss_params->trailer_field = trailerfield;
	361	return 1;
	362	}
	363
23b2fc0b	364	int ossl_rsa_pss_params_30_hashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
15671090 RL	365	{
	366	if (rsa_pss_params == NULL)
	367	return default_RSASSA_PSS_params.hash_algorithm_nid;
	368	return rsa_pss_params->hash_algorithm_nid;
	369	}
	370
23b2fc0b	371	int ossl_rsa_pss_params_30_maskgenalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
15671090 RL	372	{
	373	if (rsa_pss_params == NULL)
	374	return default_RSASSA_PSS_params.mask_gen.algorithm_nid;
	375	return rsa_pss_params->mask_gen.algorithm_nid;
	376	}
	377
23b2fc0b	378	int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_params)
15671090 RL	379	{
	380	if (rsa_pss_params == NULL)
	381	return default_RSASSA_PSS_params.hash_algorithm_nid;
	382	return rsa_pss_params->mask_gen.hash_algorithm_nid;
	383	}
	384
23b2fc0b	385	int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params)
15671090 RL	386	{
	387	if (rsa_pss_params == NULL)
	388	return default_RSASSA_PSS_params.salt_len;
	389	return rsa_pss_params->salt_len;
	390	}
	391
23b2fc0b	392	int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params)
15671090 RL	393	{
	394	if (rsa_pss_params == NULL)
	395	return default_RSASSA_PSS_params.trailer_field;
	396	return rsa_pss_params->trailer_field;
	397	}
	398
0491e058	399	#if defined(_MSC_VER)
0f113f3e	400	# pragma optimize("",on)
0491e058	401	#endif