diff options
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_pss.c')
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_pss.c | 32 |
1 files changed, 12 insertions, 20 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c index 5e137a3090..870f634b8d 100644 --- a/src/lib/libcrypto/rsa/rsa_pss.c +++ b/src/lib/libcrypto/rsa/rsa_pss.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: rsa_pss.c,v 1.11 2014/10/22 13:02:04 jsing Exp $ */ | 1 | /* $OpenBSD: rsa_pss.c,v 1.12 2017/01/29 17:49:23 beck Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2005. | 3 | * project 2005. |
| 4 | */ | 4 | */ |
| @@ -107,16 +107,14 @@ RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, | |||
| 107 | else if (sLen == -2) | 107 | else if (sLen == -2) |
| 108 | sLen = -2; | 108 | sLen = -2; |
| 109 | else if (sLen < -2) { | 109 | else if (sLen < -2) { |
| 110 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, | 110 | RSAerror(RSA_R_SLEN_CHECK_FAILED); |
| 111 | RSA_R_SLEN_CHECK_FAILED); | ||
| 112 | goto err; | 111 | goto err; |
| 113 | } | 112 | } |
| 114 | 113 | ||
| 115 | MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; | 114 | MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; |
| 116 | emLen = RSA_size(rsa); | 115 | emLen = RSA_size(rsa); |
| 117 | if (EM[0] & (0xFF << MSBits)) { | 116 | if (EM[0] & (0xFF << MSBits)) { |
| 118 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, | 117 | RSAerror(RSA_R_FIRST_OCTET_INVALID); |
| 119 | RSA_R_FIRST_OCTET_INVALID); | ||
| 120 | goto err; | 118 | goto err; |
| 121 | } | 119 | } |
| 122 | if (MSBits == 0) { | 120 | if (MSBits == 0) { |
| @@ -125,19 +123,18 @@ RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, | |||
| 125 | } | 123 | } |
| 126 | if (emLen < (hLen + sLen + 2)) { | 124 | if (emLen < (hLen + sLen + 2)) { |
| 127 | /* sLen can be small negative */ | 125 | /* sLen can be small negative */ |
| 128 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE); | 126 | RSAerror(RSA_R_DATA_TOO_LARGE); |
| 129 | goto err; | 127 | goto err; |
| 130 | } | 128 | } |
| 131 | if (EM[emLen - 1] != 0xbc) { | 129 | if (EM[emLen - 1] != 0xbc) { |
| 132 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, | 130 | RSAerror(RSA_R_LAST_OCTET_INVALID); |
| 133 | RSA_R_LAST_OCTET_INVALID); | ||
| 134 | goto err; | 131 | goto err; |
| 135 | } | 132 | } |
| 136 | maskedDBLen = emLen - hLen - 1; | 133 | maskedDBLen = emLen - hLen - 1; |
| 137 | H = EM + maskedDBLen; | 134 | H = EM + maskedDBLen; |
| 138 | DB = malloc(maskedDBLen); | 135 | DB = malloc(maskedDBLen); |
| 139 | if (!DB) { | 136 | if (!DB) { |
| 140 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE); | 137 | RSAerror(ERR_R_MALLOC_FAILURE); |
| 141 | goto err; | 138 | goto err; |
| 142 | } | 139 | } |
| 143 | if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) | 140 | if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) |
| @@ -149,13 +146,11 @@ RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, | |||
| 149 | for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) | 146 | for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) |
| 150 | ; | 147 | ; |
| 151 | if (DB[i++] != 0x1) { | 148 | if (DB[i++] != 0x1) { |
| 152 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, | 149 | RSAerror(RSA_R_SLEN_RECOVERY_FAILED); |
| 153 | RSA_R_SLEN_RECOVERY_FAILED); | ||
| 154 | goto err; | 150 | goto err; |
| 155 | } | 151 | } |
| 156 | if (sLen >= 0 && (maskedDBLen - i) != sLen) { | 152 | if (sLen >= 0 && (maskedDBLen - i) != sLen) { |
| 157 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, | 153 | RSAerror(RSA_R_SLEN_CHECK_FAILED); |
| 158 | RSA_R_SLEN_CHECK_FAILED); | ||
| 159 | goto err; | 154 | goto err; |
| 160 | } | 155 | } |
| 161 | if (!EVP_DigestInit_ex(&ctx, Hash, NULL) || | 156 | if (!EVP_DigestInit_ex(&ctx, Hash, NULL) || |
| @@ -169,7 +164,7 @@ RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, | |||
| 169 | if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) | 164 | if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) |
| 170 | goto err; | 165 | goto err; |
| 171 | if (memcmp(H_, H, hLen)) { | 166 | if (memcmp(H_, H, hLen)) { |
| 172 | RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE); | 167 | RSAerror(RSA_R_BAD_SIGNATURE); |
| 173 | ret = 0; | 168 | ret = 0; |
| 174 | } else | 169 | } else |
| 175 | ret = 1; | 170 | ret = 1; |
| @@ -218,8 +213,7 @@ RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, | |||
| 218 | else if (sLen == -2) | 213 | else if (sLen == -2) |
| 219 | sLen = -2; | 214 | sLen = -2; |
| 220 | else if (sLen < -2) { | 215 | else if (sLen < -2) { |
| 221 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, | 216 | RSAerror(RSA_R_SLEN_CHECK_FAILED); |
| 222 | RSA_R_SLEN_CHECK_FAILED); | ||
| 223 | goto err; | 217 | goto err; |
| 224 | } | 218 | } |
| 225 | 219 | ||
| @@ -232,15 +226,13 @@ RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, | |||
| 232 | if (sLen == -2) | 226 | if (sLen == -2) |
| 233 | sLen = emLen - hLen - 2; | 227 | sLen = emLen - hLen - 2; |
| 234 | else if (emLen < (hLen + sLen + 2)) { | 228 | else if (emLen < (hLen + sLen + 2)) { |
| 235 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, | 229 | RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); |
| 236 | RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); | ||
| 237 | goto err; | 230 | goto err; |
| 238 | } | 231 | } |
| 239 | if (sLen > 0) { | 232 | if (sLen > 0) { |
| 240 | salt = malloc(sLen); | 233 | salt = malloc(sLen); |
| 241 | if (!salt) { | 234 | if (!salt) { |
| 242 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, | 235 | RSAerror(ERR_R_MALLOC_FAILURE); |
| 243 | ERR_R_MALLOC_FAILURE); | ||
| 244 | goto err; | 236 | goto err; |
| 245 | } | 237 | } |
| 246 | arc4random_buf(salt, sLen); | 238 | arc4random_buf(salt, sLen); |