summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa/rsa_pss.c
diff options
context:
space:
mode:
authorbeck <>2017-01-29 17:49:23 +0000
committerbeck <>2017-01-29 17:49:23 +0000
commitd1f47bd292f36094480caa49ada36b99a69c59b0 (patch)
tree1a54abba678898ee5270ae4f3404a50ee9a92eea /src/lib/libcrypto/rsa/rsa_pss.c
parentf8c627888330b75c2eea8a3c27d0efe947a4f9da (diff)
downloadopenbsd-d1f47bd292f36094480caa49ada36b99a69c59b0.tar.gz
openbsd-d1f47bd292f36094480caa49ada36b99a69c59b0.tar.bz2
openbsd-d1f47bd292f36094480caa49ada36b99a69c59b0.zip
Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_pss.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_pss.c32
1 files changed, 12 insertions, 20 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
index 5e137a3090..870f634b8d 100644
--- a/src/lib/libcrypto/rsa/rsa_pss.c
+++ b/src/lib/libcrypto/rsa/rsa_pss.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_pss.c,v 1.11 2014/10/22 13:02:04 jsing Exp $ */ 1/* $OpenBSD: rsa_pss.c,v 1.12 2017/01/29 17:49:23 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2005. 3 * project 2005.
4 */ 4 */
@@ -107,16 +107,14 @@ RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
107 else if (sLen == -2) 107 else if (sLen == -2)
108 sLen = -2; 108 sLen = -2;
109 else if (sLen < -2) { 109 else if (sLen < -2) {
110 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 110 RSAerror(RSA_R_SLEN_CHECK_FAILED);
111 RSA_R_SLEN_CHECK_FAILED);
112 goto err; 111 goto err;
113 } 112 }
114 113
115 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 114 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
116 emLen = RSA_size(rsa); 115 emLen = RSA_size(rsa);
117 if (EM[0] & (0xFF << MSBits)) { 116 if (EM[0] & (0xFF << MSBits)) {
118 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 117 RSAerror(RSA_R_FIRST_OCTET_INVALID);
119 RSA_R_FIRST_OCTET_INVALID);
120 goto err; 118 goto err;
121 } 119 }
122 if (MSBits == 0) { 120 if (MSBits == 0) {
@@ -125,19 +123,18 @@ RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
125 } 123 }
126 if (emLen < (hLen + sLen + 2)) { 124 if (emLen < (hLen + sLen + 2)) {
127 /* sLen can be small negative */ 125 /* sLen can be small negative */
128 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE); 126 RSAerror(RSA_R_DATA_TOO_LARGE);
129 goto err; 127 goto err;
130 } 128 }
131 if (EM[emLen - 1] != 0xbc) { 129 if (EM[emLen - 1] != 0xbc) {
132 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 130 RSAerror(RSA_R_LAST_OCTET_INVALID);
133 RSA_R_LAST_OCTET_INVALID);
134 goto err; 131 goto err;
135 } 132 }
136 maskedDBLen = emLen - hLen - 1; 133 maskedDBLen = emLen - hLen - 1;
137 H = EM + maskedDBLen; 134 H = EM + maskedDBLen;
138 DB = malloc(maskedDBLen); 135 DB = malloc(maskedDBLen);
139 if (!DB) { 136 if (!DB) {
140 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE); 137 RSAerror(ERR_R_MALLOC_FAILURE);
141 goto err; 138 goto err;
142 } 139 }
143 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) 140 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
@@ -149,13 +146,11 @@ RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
149 for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) 146 for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
150 ; 147 ;
151 if (DB[i++] != 0x1) { 148 if (DB[i++] != 0x1) {
152 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 149 RSAerror(RSA_R_SLEN_RECOVERY_FAILED);
153 RSA_R_SLEN_RECOVERY_FAILED);
154 goto err; 150 goto err;
155 } 151 }
156 if (sLen >= 0 && (maskedDBLen - i) != sLen) { 152 if (sLen >= 0 && (maskedDBLen - i) != sLen) {
157 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 153 RSAerror(RSA_R_SLEN_CHECK_FAILED);
158 RSA_R_SLEN_CHECK_FAILED);
159 goto err; 154 goto err;
160 } 155 }
161 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) || 156 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
@@ -169,7 +164,7 @@ RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
169 if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) 164 if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
170 goto err; 165 goto err;
171 if (memcmp(H_, H, hLen)) { 166 if (memcmp(H_, H, hLen)) {
172 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE); 167 RSAerror(RSA_R_BAD_SIGNATURE);
173 ret = 0; 168 ret = 0;
174 } else 169 } else
175 ret = 1; 170 ret = 1;
@@ -218,8 +213,7 @@ RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
218 else if (sLen == -2) 213 else if (sLen == -2)
219 sLen = -2; 214 sLen = -2;
220 else if (sLen < -2) { 215 else if (sLen < -2) {
221 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, 216 RSAerror(RSA_R_SLEN_CHECK_FAILED);
222 RSA_R_SLEN_CHECK_FAILED);
223 goto err; 217 goto err;
224 } 218 }
225 219
@@ -232,15 +226,13 @@ RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
232 if (sLen == -2) 226 if (sLen == -2)
233 sLen = emLen - hLen - 2; 227 sLen = emLen - hLen - 2;
234 else if (emLen < (hLen + sLen + 2)) { 228 else if (emLen < (hLen + sLen + 2)) {
235 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, 229 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
236 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
237 goto err; 230 goto err;
238 } 231 }
239 if (sLen > 0) { 232 if (sLen > 0) {
240 salt = malloc(sLen); 233 salt = malloc(sLen);
241 if (!salt) { 234 if (!salt) {
242 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, 235 RSAerror(ERR_R_MALLOC_FAILURE);
243 ERR_R_MALLOC_FAILURE);
244 goto err; 236 goto err;
245 } 237 }
246 arc4random_buf(salt, sLen); 238 arc4random_buf(salt, sLen);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-24 14:09:44 +0000