1 files changed, 93 insertions, 97 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
index d26839a5fb..4c6a90c1c7 100644
--- a/src/lib/libcrypto/rsa/rsa_pss.c
+++ b/src/lib/libcrypto/rsa/rsa_pss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pss.c,v 1.5 2014/06/12 15:49:30 deraadt Exp $ */
+/* $OpenBSD: rsa_pss.c,v 1.6 2014/07/09 08:20:08 miod Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -64,18 +64,20 @@
 #include <openssl/rand.h>
 #include <openssl/sha.h>
-static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
+static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
-int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
+int
-                        const EVP_MD *Hash, const unsigned char *EM, int sLen)
+RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, const EVP_MD *Hash,
-        {
+    const unsigned char *EM, int sLen)
+{
        return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
-        }
+}
-int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
+int
-                        const EVP_MD *Hash, const EVP_MD *mgf1Hash,
+RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
-                        const unsigned char *EM, int sLen)
+    const EVP_MD *Hash, const EVP_MD *mgf1Hash, const unsigned char *EM,
-        {
+    int sLen)
+{
        int i;
        int ret = 0;
        int hLen, maskedDBLen, MSBits, emLen;
@@ -83,6 +85,7 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
        unsigned char *DB = NULL;
        EVP_MD_CTX ctx;
        unsigned char H_[EVP_MAX_MD_SIZE];
        EVP_MD_CTX_init(&ctx);
        if (mgf1Hash == NULL)
@@ -97,99 +100,96 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
         *      -2      salt length is autorecovered from signature
         *      -N      reserved
         */
-        if      (sLen == -1)    sLen = hLen;
+        if (sLen == -1)
-        else if (sLen == -2)    sLen = -2;
+                sLen = hLen;
-        else if (sLen < -2)
+        else if (sLen == -2)
-                {
+                sLen = -2;
-                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
+        else if (sLen < -2) {
+                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
+                    RSA_R_SLEN_CHECK_FAILED);
                goto err;
-                }
+        }
        MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
        emLen = RSA_size(rsa);
-        if (EM[0] & (0xFF << MSBits))
+        if (EM[0] & (0xFF << MSBits)) {
-                {
+                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
-                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
+                    RSA_R_FIRST_OCTET_INVALID);
                goto err;
-                }
+        }
-        if (MSBits == 0)
+        if (MSBits == 0) {
-                {
                EM++;
                emLen--;
-                }
+        }
-        if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
+        if (emLen < (hLen + sLen + 2)) { /* sLen can be small negative */
-                {
                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
                goto err;
-                }
+        }
-        if (EM[emLen - 1] != 0xbc)
+        if (EM[emLen - 1] != 0xbc) {
-                {
+                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
-                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
+                    RSA_R_LAST_OCTET_INVALID);
                goto err;
-                }
+        }
        maskedDBLen = emLen - hLen - 1;
        H = EM + maskedDBLen;
        DB = malloc(maskedDBLen);
-        if (!DB)
+        if (!DB) {
-                {
                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
                goto err;
-                }
+        }
        if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
                goto err;
        for (i = 0; i < maskedDBLen; i++)
                DB[i] ^= EM[i];
        if (MSBits)
                DB[0] &= 0xFF >> (8 - MSBits);
-        for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
+        for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++)
-        if (DB[i++] != 0x1)
+                ;
-                {
+        if (DB[i++] != 0x1) {
-                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
+                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
+                    RSA_R_SLEN_RECOVERY_FAILED);
                goto err;
-                }
+        }
-        if (sLen >= 0 && (maskedDBLen - i) != sLen)
+        if (sLen >= 0 && (maskedDBLen - i) != sLen) {
-                {
+                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
-                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
+                    RSA_R_SLEN_CHECK_FAILED);
                goto err;
-                }
+        }
-        if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
+        if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
-                || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
+            !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
-                || !EVP_DigestUpdate(&ctx, mHash, hLen))
+            !EVP_DigestUpdate(&ctx, mHash, hLen))
                goto err;
-        if (maskedDBLen - i)
+        if (maskedDBLen - i) {
-                {
                if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
                        goto err;
-                }
+        }
        if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
                goto err;
-        if (memcmp(H_, H, hLen))
+        if (memcmp(H_, H, hLen)) {
-                {
                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
                ret = 0;
-                }
+        } else 
-        else 
                ret = 1;
-        err:
+err:
        free(DB);
        EVP_MD_CTX_cleanup(&ctx);
        return ret;
+}
-        }
+int
+RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
-int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
+    const unsigned char *mHash, const EVP_MD *Hash, int sLen)
-                        const unsigned char *mHash,
+{
-                        const EVP_MD *Hash, int sLen)
-        {
        return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
-        }
+}
-int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+int
-                        const unsigned char *mHash,
+RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
-                        const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen)
+    const unsigned char *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash,
-        {
+    int sLen)
+{
        int i;
        int ret = 0;
        int hLen, maskedDBLen, MSBits, emLen;
@@ -208,47 +208,45 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
         *      -2      salt length is maximized
         *      -N      reserved
         */
-        if      (sLen == -1)    sLen = hLen;
+        if (sLen == -1)
-        else if (sLen == -2)    sLen = -2;
+                sLen = hLen;
-        else if (sLen < -2)
+        else if (sLen == -2)
-                {
+                sLen = -2;
-                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
+        else if (sLen < -2) {
+                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
+                    RSA_R_SLEN_CHECK_FAILED);
                goto err;
-                }
+        }
        MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
        emLen = RSA_size(rsa);
-        if (MSBits == 0)
+        if (MSBits == 0) {
-                {
                *EM++ = 0;
                emLen--;
-                }
+        }
        if (sLen == -2)
-                {
                sLen = emLen - hLen - 2;
-                }
+        else if (emLen < (hLen + sLen + 2)) {
-        else if (emLen < (hLen + sLen + 2))
+                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
-                {
+                    RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
                goto err;
-                }
+        }
-        if (sLen > 0)
+        if (sLen > 0) {
-                {
                salt = malloc(sLen);
-                if (!salt)
+                if (!salt) {
-                        {
+                        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
-                        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,ERR_R_MALLOC_FAILURE);
+                            ERR_R_MALLOC_FAILURE);
                        goto err;
-                        }
+                }
                if (RAND_bytes(salt, sLen) <= 0)
                        goto err;
-                }
+        }
        maskedDBLen = emLen - hLen - 1;
        H = EM + maskedDBLen;
        EVP_MD_CTX_init(&ctx);
-        if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
+        if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
-                || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
+            !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
-                || !EVP_DigestUpdate(&ctx, mHash, hLen))
+            !EVP_DigestUpdate(&ctx, mHash, hLen))
                goto err;
        if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
                goto err;
@@ -262,29 +260,27 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
        p = EM;
-        /* Initial PS XORs with all zeroes which is a NOP so just update
+        /*
+         * Initial PS XORs with all zeroes which is a NOP so just update
         * pointer. Note from a test above this value is guaranteed to
         * be non-negative.
         */
        p += emLen - sLen - hLen - 2;
        *p++ ^= 0x1;
-        if (sLen > 0)
+        if (sLen > 0) {
-                {
                for (i = 0; i < sLen; i++)
                        *p++ ^= salt[i];
-                }
+        }
        if (MSBits)
                EM[0] &= 0xFF >> (8 - MSBits);
        /* H is already in place so just set final 0xbc */
        EM[emLen - 1] = 0xbc;
        ret = 1;
-        err:
+err:
        free(salt);
        return ret;
+}
-        }

diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c index d26839a5fb..4c6a90c1c7 100644 --- a/src/lib/libcrypto/rsa/rsa_pss.c +++ b/src/lib/libcrypto/rsa/rsa_pss.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_pss.c,v 1.5 2014/06/12 15:49:30 deraadt Exp $ */	1	/* $OpenBSD: rsa_pss.c,v 1.6 2014/07/09 08:20:08 miod Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2005.	3	* project 2005.
4	*/	4	*/
@@ -64,18 +64,20 @@
64	#include <openssl/rand.h>	64	#include <openssl/rand.h>
65	#include <openssl/sha.h>	65	#include <openssl/sha.h>
66		66
67	static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};	67	static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
68		68
69	int RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash,	69	int
70	const EVP_MD Hash, const unsigned char EM, int sLen)	70	RSA_verify_PKCS1_PSS(RSA rsa, const unsigned char mHash, const EVP_MD *Hash,
71	{	71	const unsigned char *EM, int sLen)
		72	{
72	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);	73	return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
73	}	74	}
74		75
75	int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,	76	int
76	const EVP_MD Hash, const EVP_MD mgf1Hash,	77	RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
77	const unsigned char *EM, int sLen)	78	const EVP_MD Hash, const EVP_MD mgf1Hash, const unsigned char *EM,
78	{	79	int sLen)
		80	{
79	int i;	81	int i;
80	int ret = 0;	82	int ret = 0;
81	int hLen, maskedDBLen, MSBits, emLen;	83	int hLen, maskedDBLen, MSBits, emLen;
@@ -83,6 +85,7 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
83	unsigned char *DB = NULL;	85	unsigned char *DB = NULL;
84	EVP_MD_CTX ctx;	86	EVP_MD_CTX ctx;
85	unsigned char H_[EVP_MAX_MD_SIZE];	87	unsigned char H_[EVP_MAX_MD_SIZE];
		88
86	EVP_MD_CTX_init(&ctx);	89	EVP_MD_CTX_init(&ctx);
87		90
88	if (mgf1Hash == NULL)	91	if (mgf1Hash == NULL)
@@ -97,99 +100,96 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA rsa, const unsigned char mHash,
97	* -2 salt length is autorecovered from signature	100	* -2 salt length is autorecovered from signature
98	* -N reserved	101	* -N reserved
99	*/	102	*/
100	if (sLen == -1) sLen = hLen;	103	if (sLen == -1)
101	else if (sLen == -2) sLen = -2;	104	sLen = hLen;
102	else if (sLen < -2)	105	else if (sLen == -2)
103	{	106	sLen = -2;
104	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);	107	else if (sLen < -2) {
		108	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
		109	RSA_R_SLEN_CHECK_FAILED);
105	goto err;	110	goto err;
106	}	111	}
107		112
108	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;	113	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
109	emLen = RSA_size(rsa);	114	emLen = RSA_size(rsa);
110	if (EM[0] & (0xFF << MSBits))	115	if (EM[0] & (0xFF << MSBits)) {
111	{	116	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
112	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);	117	RSA_R_FIRST_OCTET_INVALID);
113	goto err;	118	goto err;
114	}	119	}
115	if (MSBits == 0)	120	if (MSBits == 0) {
116	{
117	EM++;	121	EM++;
118	emLen--;	122	emLen--;
119	}	123	}
120	if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */	124	if (emLen < (hLen + sLen + 2)) { /* sLen can be small negative */
121	{
122	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);	125	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
123	goto err;	126	goto err;
124	}	127	}
125	if (EM[emLen - 1] != 0xbc)	128	if (EM[emLen - 1] != 0xbc) {
126	{	129	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
127	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);	130	RSA_R_LAST_OCTET_INVALID);
128	goto err;	131	goto err;
129	}	132	}
130	maskedDBLen = emLen - hLen - 1;	133	maskedDBLen = emLen - hLen - 1;
131	H = EM + maskedDBLen;	134	H = EM + maskedDBLen;
132	DB = malloc(maskedDBLen);	135	DB = malloc(maskedDBLen);
133	if (!DB)	136	if (!DB) {
134	{
135	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);	137	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
136	goto err;	138	goto err;
137	}	139	}
138	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)	140	if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
139	goto err;	141	goto err;
140	for (i = 0; i < maskedDBLen; i++)	142	for (i = 0; i < maskedDBLen; i++)
141	DB[i] ^= EM[i];	143	DB[i] ^= EM[i];
142	if (MSBits)	144	if (MSBits)
143	DB[0] &= 0xFF >> (8 - MSBits);	145	DB[0] &= 0xFF >> (8 - MSBits);
144	for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;	146	for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++)
145	if (DB[i++] != 0x1)	147	;
146	{	148	if (DB[i++] != 0x1) {
147	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);	149	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
		150	RSA_R_SLEN_RECOVERY_FAILED);
148	goto err;	151	goto err;
149	}	152	}
150	if (sLen >= 0 && (maskedDBLen - i) != sLen)	153	if (sLen >= 0 && (maskedDBLen - i) != sLen) {
151	{	154	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
152	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);	155	RSA_R_SLEN_CHECK_FAILED);
153	goto err;	156	goto err;
154	}	157	}
155	if (!EVP_DigestInit_ex(&ctx, Hash, NULL)	158	if (!EVP_DigestInit_ex(&ctx, Hash, NULL) \|\|
156	\|\| !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)	159	!EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) \|\|
157	\|\| !EVP_DigestUpdate(&ctx, mHash, hLen))	160	!EVP_DigestUpdate(&ctx, mHash, hLen))
158	goto err;	161	goto err;
159	if (maskedDBLen - i)	162	if (maskedDBLen - i) {
160	{
161	if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))	163	if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
162	goto err;	164	goto err;
163	}	165	}
164	if (!EVP_DigestFinal_ex(&ctx, H_, NULL))	166	if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
165	goto err;	167	goto err;
166	if (memcmp(H_, H, hLen))	168	if (memcmp(H_, H, hLen)) {
167	{
168	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);	169	RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
169	ret = 0;	170	ret = 0;
170	}	171	} else
171	else
172	ret = 1;	172	ret = 1;
173		173
174	err:	174	err:
175	free(DB);	175	free(DB);
176	EVP_MD_CTX_cleanup(&ctx);	176	EVP_MD_CTX_cleanup(&ctx);
177		177
178	return ret;	178	return ret;
		179	}
179		180
180	}	181	int
181		182	RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,
182	int RSA_padding_add_PKCS1_PSS(RSA rsa, unsigned char EM,	183	const unsigned char mHash, const EVP_MD Hash, int sLen)
183	const unsigned char *mHash,	184	{
184	const EVP_MD *Hash, int sLen)
185	{
186	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);	185	return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
187	}	186	}
188		187
189	int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,	188	int
190	const unsigned char *mHash,	189	RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
191	const EVP_MD Hash, const EVP_MD mgf1Hash, int sLen)	190	const unsigned char mHash, const EVP_MD Hash, const EVP_MD *mgf1Hash,
192	{	191	int sLen)
		192	{
193	int i;	193	int i;
194	int ret = 0;	194	int ret = 0;
195	int hLen, maskedDBLen, MSBits, emLen;	195	int hLen, maskedDBLen, MSBits, emLen;
@@ -208,47 +208,45 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
208	* -2 salt length is maximized	208	* -2 salt length is maximized
209	* -N reserved	209	* -N reserved
210	*/	210	*/
211	if (sLen == -1) sLen = hLen;	211	if (sLen == -1)
212	else if (sLen == -2) sLen = -2;	212	sLen = hLen;
213	else if (sLen < -2)	213	else if (sLen == -2)
214	{	214	sLen = -2;
215	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);	215	else if (sLen < -2) {
		216	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
		217	RSA_R_SLEN_CHECK_FAILED);
216	goto err;	218	goto err;
217	}	219	}
218		220
219	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;	221	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
220	emLen = RSA_size(rsa);	222	emLen = RSA_size(rsa);
221	if (MSBits == 0)	223	if (MSBits == 0) {
222	{
223	*EM++ = 0;	224	*EM++ = 0;
224	emLen--;	225	emLen--;
225	}	226	}
226	if (sLen == -2)	227	if (sLen == -2)
227	{
228	sLen = emLen - hLen - 2;	228	sLen = emLen - hLen - 2;
229	}	229	else if (emLen < (hLen + sLen + 2)) {
230	else if (emLen < (hLen + sLen + 2))	230	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
231	{	231	RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
232	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
233	goto err;	232	goto err;
234	}	233	}
235	if (sLen > 0)	234	if (sLen > 0) {
236	{
237	salt = malloc(sLen);	235	salt = malloc(sLen);
238	if (!salt)	236	if (!salt) {
239	{	237	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
240	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,ERR_R_MALLOC_FAILURE);	238	ERR_R_MALLOC_FAILURE);
241	goto err;	239	goto err;
242	}	240	}
243	if (RAND_bytes(salt, sLen) <= 0)	241	if (RAND_bytes(salt, sLen) <= 0)
244	goto err;	242	goto err;
245	}	243	}
246	maskedDBLen = emLen - hLen - 1;	244	maskedDBLen = emLen - hLen - 1;
247	H = EM + maskedDBLen;	245	H = EM + maskedDBLen;
248	EVP_MD_CTX_init(&ctx);	246	EVP_MD_CTX_init(&ctx);
249	if (!EVP_DigestInit_ex(&ctx, Hash, NULL)	247	if (!EVP_DigestInit_ex(&ctx, Hash, NULL) \|\|
250	\|\| !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)	248	!EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) \|\|
251	\|\| !EVP_DigestUpdate(&ctx, mHash, hLen))	249	!EVP_DigestUpdate(&ctx, mHash, hLen))
252	goto err;	250	goto err;
253	if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))	251	if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
254	goto err;	252	goto err;
@@ -262,29 +260,27 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA rsa, unsigned char EM,
262		260
263	p = EM;	261	p = EM;
264		262
265	/* Initial PS XORs with all zeroes which is a NOP so just update	263	/*
		264	* Initial PS XORs with all zeroes which is a NOP so just update
266	* pointer. Note from a test above this value is guaranteed to	265	* pointer. Note from a test above this value is guaranteed to
267	* be non-negative.	266	* be non-negative.
268	*/	267	*/
269	p += emLen - sLen - hLen - 2;	268	p += emLen - sLen - hLen - 2;
270	*p++ ^= 0x1;	269	*p++ ^= 0x1;
271	if (sLen > 0)	270	if (sLen > 0) {
272	{
273	for (i = 0; i < sLen; i++)	271	for (i = 0; i < sLen; i++)
274	*p++ ^= salt[i];	272	*p++ ^= salt[i];
275	}	273	}
276	if (MSBits)	274	if (MSBits)
277	EM[0] &= 0xFF >> (8 - MSBits);	275	EM[0] &= 0xFF >> (8 - MSBits);
278		276
279	/* H is already in place so just set final 0xbc */	277	/* H is already in place so just set final 0xbc */
280
281	EM[emLen - 1] = 0xbc;	278	EM[emLen - 1] = 0xbc;
282		279
283	ret = 1;	280	ret = 1;
284		281
285	err:	282	err:
286	free(salt);	283	free(salt);
287		284
288	return ret;	285	return ret;
289		286	}
290	}