summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa/rsa_pss.c
diff options
context:
space:
mode:
authordjm <>2012-10-13 21:23:50 +0000
committerdjm <>2012-10-13 21:23:50 +0000
commitd56dbc3c72494d4b68c03f5bcc3ae1f9df7b17df (patch)
tree10ebe51c3542099b0ab8325d8f322372375dc3b4 /src/lib/libcrypto/rsa/rsa_pss.c
parentbc685bd401e5657f7fb51b4e1a62a7a5c5ea4098 (diff)
parent228cae30b117c2493f69ad3c195341cd6ec8d430 (diff)
downloadopenbsd-d56dbc3c72494d4b68c03f5bcc3ae1f9df7b17df.tar.gz
openbsd-d56dbc3c72494d4b68c03f5bcc3ae1f9df7b17df.tar.bz2
openbsd-d56dbc3c72494d4b68c03f5bcc3ae1f9df7b17df.zip
This commit was generated by cvs2git to track changes on a CVS vendor
branch.
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_pss.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_pss.c81
1 files changed, 53 insertions, 28 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
index ac211e2ffe..5f9f533d0c 100644
--- a/src/lib/libcrypto/rsa/rsa_pss.c
+++ b/src/lib/libcrypto/rsa/rsa_pss.c
@@ -73,6 +73,13 @@ static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
73int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, 73int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
74 const EVP_MD *Hash, const unsigned char *EM, int sLen) 74 const EVP_MD *Hash, const unsigned char *EM, int sLen)
75 { 75 {
76 return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
77 }
78
79int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
80 const EVP_MD *Hash, const EVP_MD *mgf1Hash,
81 const unsigned char *EM, int sLen)
82 {
76 int i; 83 int i;
77 int ret = 0; 84 int ret = 0;
78 int hLen, maskedDBLen, MSBits, emLen; 85 int hLen, maskedDBLen, MSBits, emLen;
@@ -80,6 +87,10 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
80 unsigned char *DB = NULL; 87 unsigned char *DB = NULL;
81 EVP_MD_CTX ctx; 88 EVP_MD_CTX ctx;
82 unsigned char H_[EVP_MAX_MD_SIZE]; 89 unsigned char H_[EVP_MAX_MD_SIZE];
90 EVP_MD_CTX_init(&ctx);
91
92 if (mgf1Hash == NULL)
93 mgf1Hash = Hash;
83 94
84 hLen = EVP_MD_size(Hash); 95 hLen = EVP_MD_size(Hash);
85 if (hLen < 0) 96 if (hLen < 0)
@@ -94,7 +105,7 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
94 else if (sLen == -2) sLen = -2; 105 else if (sLen == -2) sLen = -2;
95 else if (sLen < -2) 106 else if (sLen < -2)
96 { 107 {
97 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); 108 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
98 goto err; 109 goto err;
99 } 110 }
100 111
@@ -102,7 +113,7 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
102 emLen = RSA_size(rsa); 113 emLen = RSA_size(rsa);
103 if (EM[0] & (0xFF << MSBits)) 114 if (EM[0] & (0xFF << MSBits))
104 { 115 {
105 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID); 116 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
106 goto err; 117 goto err;
107 } 118 }
108 if (MSBits == 0) 119 if (MSBits == 0)
@@ -112,12 +123,12 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
112 } 123 }
113 if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */ 124 if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
114 { 125 {
115 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE); 126 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
116 goto err; 127 goto err;
117 } 128 }
118 if (EM[emLen - 1] != 0xbc) 129 if (EM[emLen - 1] != 0xbc)
119 { 130 {
120 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID); 131 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
121 goto err; 132 goto err;
122 } 133 }
123 maskedDBLen = emLen - hLen - 1; 134 maskedDBLen = emLen - hLen - 1;
@@ -125,10 +136,10 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
125 DB = OPENSSL_malloc(maskedDBLen); 136 DB = OPENSSL_malloc(maskedDBLen);
126 if (!DB) 137 if (!DB)
127 { 138 {
128 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE); 139 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
129 goto err; 140 goto err;
130 } 141 }
131 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash) < 0) 142 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
132 goto err; 143 goto err;
133 for (i = 0; i < maskedDBLen; i++) 144 for (i = 0; i < maskedDBLen; i++)
134 DB[i] ^= EM[i]; 145 DB[i] ^= EM[i];
@@ -137,25 +148,28 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
137 for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ; 148 for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
138 if (DB[i++] != 0x1) 149 if (DB[i++] != 0x1)
139 { 150 {
140 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED); 151 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
141 goto err; 152 goto err;
142 } 153 }
143 if (sLen >= 0 && (maskedDBLen - i) != sLen) 154 if (sLen >= 0 && (maskedDBLen - i) != sLen)
144 { 155 {
145 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); 156 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
146 goto err; 157 goto err;
147 } 158 }
148 EVP_MD_CTX_init(&ctx); 159 if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
149 EVP_DigestInit_ex(&ctx, Hash, NULL); 160 || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
150 EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); 161 || !EVP_DigestUpdate(&ctx, mHash, hLen))
151 EVP_DigestUpdate(&ctx, mHash, hLen); 162 goto err;
152 if (maskedDBLen - i) 163 if (maskedDBLen - i)
153 EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i); 164 {
154 EVP_DigestFinal(&ctx, H_, NULL); 165 if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
155 EVP_MD_CTX_cleanup(&ctx); 166 goto err;
167 }
168 if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
169 goto err;
156 if (memcmp(H_, H, hLen)) 170 if (memcmp(H_, H, hLen))
157 { 171 {
158 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE); 172 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
159 ret = 0; 173 ret = 0;
160 } 174 }
161 else 175 else
@@ -164,6 +178,7 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
164 err: 178 err:
165 if (DB) 179 if (DB)
166 OPENSSL_free(DB); 180 OPENSSL_free(DB);
181 EVP_MD_CTX_cleanup(&ctx);
167 182
168 return ret; 183 return ret;
169 184
@@ -173,12 +188,22 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
173 const unsigned char *mHash, 188 const unsigned char *mHash,
174 const EVP_MD *Hash, int sLen) 189 const EVP_MD *Hash, int sLen)
175 { 190 {
191 return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
192 }
193
194int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
195 const unsigned char *mHash,
196 const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen)
197 {
176 int i; 198 int i;
177 int ret = 0; 199 int ret = 0;
178 int hLen, maskedDBLen, MSBits, emLen; 200 int hLen, maskedDBLen, MSBits, emLen;
179 unsigned char *H, *salt = NULL, *p; 201 unsigned char *H, *salt = NULL, *p;
180 EVP_MD_CTX ctx; 202 EVP_MD_CTX ctx;
181 203
204 if (mgf1Hash == NULL)
205 mgf1Hash = Hash;
206
182 hLen = EVP_MD_size(Hash); 207 hLen = EVP_MD_size(Hash);
183 if (hLen < 0) 208 if (hLen < 0)
184 goto err; 209 goto err;
@@ -192,7 +217,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
192 else if (sLen == -2) sLen = -2; 217 else if (sLen == -2) sLen = -2;
193 else if (sLen < -2) 218 else if (sLen < -2)
194 { 219 {
195 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); 220 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
196 goto err; 221 goto err;
197 } 222 }
198 223
@@ -209,8 +234,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
209 } 234 }
210 else if (emLen < (hLen + sLen + 2)) 235 else if (emLen < (hLen + sLen + 2))
211 { 236 {
212 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, 237 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
213 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
214 goto err; 238 goto err;
215 } 239 }
216 if (sLen > 0) 240 if (sLen > 0)
@@ -218,8 +242,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
218 salt = OPENSSL_malloc(sLen); 242 salt = OPENSSL_malloc(sLen);
219 if (!salt) 243 if (!salt)
220 { 244 {
221 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, 245 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,ERR_R_MALLOC_FAILURE);
222 ERR_R_MALLOC_FAILURE);
223 goto err; 246 goto err;
224 } 247 }
225 if (RAND_bytes(salt, sLen) <= 0) 248 if (RAND_bytes(salt, sLen) <= 0)
@@ -228,16 +251,18 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
228 maskedDBLen = emLen - hLen - 1; 251 maskedDBLen = emLen - hLen - 1;
229 H = EM + maskedDBLen; 252 H = EM + maskedDBLen;
230 EVP_MD_CTX_init(&ctx); 253 EVP_MD_CTX_init(&ctx);
231 EVP_DigestInit_ex(&ctx, Hash, NULL); 254 if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
232 EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); 255 || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
233 EVP_DigestUpdate(&ctx, mHash, hLen); 256 || !EVP_DigestUpdate(&ctx, mHash, hLen))
234 if (sLen) 257 goto err;
235 EVP_DigestUpdate(&ctx, salt, sLen); 258 if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
236 EVP_DigestFinal(&ctx, H, NULL); 259 goto err;
260 if (!EVP_DigestFinal_ex(&ctx, H, NULL))
261 goto err;
237 EVP_MD_CTX_cleanup(&ctx); 262 EVP_MD_CTX_cleanup(&ctx);
238 263
239 /* Generate dbMask in place then perform XOR on it */ 264 /* Generate dbMask in place then perform XOR on it */
240 if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash)) 265 if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
241 goto err; 266 goto err;
242 267
243 p = EM; 268 p = EM;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-25 17:35:46 +0000