OpenCoverage

rsa_pss.c

Absolute File Name:/home/opencoverage/opencoverage/guest-scripts/libressl/src/crypto/rsa/rsa_pss.c
Source codeSwitch to Preprocessed file
LineSourceCount
1/* $OpenBSD: rsa_pss.c,v 1.13 2018/09/05 00:55:33 djm Exp $ */-
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL-
3 * project 2005.-
4 */-
5/* ====================================================================-
6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.-
7 *-
8 * Redistribution and use in source and binary forms, with or without-
9 * modification, are permitted provided that the following conditions-
10 * are met:-
11 *-
12 * 1. Redistributions of source code must retain the above copyright-
13 * notice, this list of conditions and the following disclaimer.-
14 *-
15 * 2. Redistributions in binary form must reproduce the above copyright-
16 * notice, this list of conditions and the following disclaimer in-
17 * the documentation and/or other materials provided with the-
18 * distribution.-
19 *-
20 * 3. All advertising materials mentioning features or use of this-
21 * software must display the following acknowledgment:-
22 * "This product includes software developed by the OpenSSL Project-
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"-
24 *-
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to-
26 * endorse or promote products derived from this software without-
27 * prior written permission. For written permission, please contact-
28 * licensing@OpenSSL.org.-
29 *-
30 * 5. Products derived from this software may not be called "OpenSSL"-
31 * nor may "OpenSSL" appear in their names without prior written-
32 * permission of the OpenSSL Project.-
33 *-
34 * 6. Redistributions of any form whatsoever must retain the following-
35 * acknowledgment:-
36 * "This product includes software developed by the OpenSSL Project-
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"-
38 *-
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY-
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE-
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR-
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR-
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,-
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT-
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;-
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)-
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,-
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)-
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED-
50 * OF THE POSSIBILITY OF SUCH DAMAGE.-
51 * ====================================================================-
52 *-
53 * This product includes cryptographic software written by Eric Young-
54 * (eay@cryptsoft.com). This product includes software written by Tim-
55 * Hudson (tjh@cryptsoft.com).-
56 *-
57 */-
58-
59#include <stdio.h>-
60#include <stdlib.h>-
61#include <string.h>-
62-
63#include <openssl/bn.h>-
64#include <openssl/err.h>-
65#include <openssl/evp.h>-
66#include <openssl/rsa.h>-
67#include <openssl/sha.h>-
68-
69static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };-
70-
71int-
72RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, const EVP_MD *Hash,-
73 const unsigned char *EM, int sLen)-
74{-
75 return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
never executed: return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, ((void *)0) , EM, sLen);
0
76}-
77-
78int-
79RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,-
80 const EVP_MD *Hash, const EVP_MD *mgf1Hash, const unsigned char *EM,-
81 int sLen)-
82{-
83 int i;-
84 int ret = 0;-
85 int hLen, maskedDBLen, MSBits, emLen;-
86 const unsigned char *H;-
87 unsigned char *DB = NULL;-
88 EVP_MD_CTX ctx;-
89 unsigned char H_[EVP_MAX_MD_SIZE];-
90-
91 EVP_MD_CTX_init(&ctx);-
92-
93 if (mgf1Hash == NULL)
mgf1Hash == ((void *)0)Description
TRUEnever evaluated
FALSEnever evaluated
0
94 mgf1Hash = Hash;
never executed: mgf1Hash = Hash;
0
95-
96 hLen = EVP_MD_size(Hash);-
97 if (hLen < 0)
hLen < 0Description
TRUEnever evaluated
FALSEnever evaluated
0
98 goto err;
never executed: goto err;
0
99 /*-
100 * Negative sLen has special meanings:-
101 * -1 sLen == hLen-
102 * -2 salt length is autorecovered from signature-
103 * -N reserved-
104 */-
105 if (sLen == -1)
sLen == -1Description
TRUEnever evaluated
FALSEnever evaluated
0
106 sLen = hLen;
never executed: sLen = hLen;
0
107 else if (sLen == -2)
sLen == -2Description
TRUEnever evaluated
FALSEnever evaluated
0
108 sLen = -2;
never executed: sLen = -2;
0
109 else if (sLen < -2) {
sLen < -2Description
TRUEnever evaluated
FALSEnever evaluated
0
110 RSAerror(RSA_R_SLEN_CHECK_FAILED);-
111 goto err;
never executed: goto err;
0
112 }-
113-
114 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;-
115 emLen = RSA_size(rsa);-
116 if (EM[0] & (0xFF << MSBits)) {
EM[0] & (0xFF << MSBits)Description
TRUEnever evaluated
FALSEnever evaluated
0
117 RSAerror(RSA_R_FIRST_OCTET_INVALID);-
118 goto err;
never executed: goto err;
0
119 }-
120 if (MSBits == 0) {
MSBits == 0Description
TRUEnever evaluated
FALSEnever evaluated
0
121 EM++;-
122 emLen--;-
123 }
never executed: end of block
0
124 if (emLen < (hLen + sLen + 2)) {
emLen < (hLen + sLen + 2)Description
TRUEnever evaluated
FALSEnever evaluated
0
125 /* sLen can be small negative */-
126 RSAerror(RSA_R_DATA_TOO_LARGE);-
127 goto err;
never executed: goto err;
0
128 }-
129 if (EM[emLen - 1] != 0xbc) {
EM[emLen - 1] != 0xbcDescription
TRUEnever evaluated
FALSEnever evaluated
0
130 RSAerror(RSA_R_LAST_OCTET_INVALID);-
131 goto err;
never executed: goto err;
0
132 }-
133 maskedDBLen = emLen - hLen - 1;-
134 H = EM + maskedDBLen;-
135 DB = malloc(maskedDBLen);-
136 if (!DB) {
!DBDescription
TRUEnever evaluated
FALSEnever evaluated
0
137 RSAerror(ERR_R_MALLOC_FAILURE);-
138 goto err;
never executed: goto err;
0
139 }-
140 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
PKCS1_MGF1(DB,... mgf1Hash) < 0Description
TRUEnever evaluated
FALSEnever evaluated
0
141 goto err;
never executed: goto err;
0
142 for (i = 0; i < maskedDBLen; i++)
i < maskedDBLenDescription
TRUEnever evaluated
FALSEnever evaluated
0
143 DB[i] ^= EM[i];
never executed: DB[i] ^= EM[i];
0
144 if (MSBits)
MSBitsDescription
TRUEnever evaluated
FALSEnever evaluated
0
145 DB[0] &= 0xFF >> (8 - MSBits);
never executed: DB[0] &= 0xFF >> (8 - MSBits);
0
146 for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
DB[i] == 0Description
TRUEnever evaluated
FALSEnever evaluated
i < (maskedDBLen - 1)Description
TRUEnever evaluated
FALSEnever evaluated
0
147 ;
never executed: ;
0
148 if (DB[i++] != 0x1) {
DB[i++] != 0x1Description
TRUEnever evaluated
FALSEnever evaluated
0
149 RSAerror(RSA_R_SLEN_RECOVERY_FAILED);-
150 goto err;
never executed: goto err;
0
151 }-
152 if (sLen >= 0 && (maskedDBLen - i) != sLen) {
sLen >= 0Description
TRUEnever evaluated
FALSEnever evaluated
(maskedDBLen - i) != sLenDescription
TRUEnever evaluated
FALSEnever evaluated
0
153 RSAerror(RSA_R_SLEN_CHECK_FAILED);-
154 goto err;
never executed: goto err;
0
155 }-
156 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
!EVP_DigestIni... ((void *)0) )Description
TRUEnever evaluated
FALSEnever evaluated
0
157 !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
!EVP_DigestUpd...sizeof zeroes)Description
TRUEnever evaluated
FALSEnever evaluated
0
158 !EVP_DigestUpdate(&ctx, mHash, hLen))
!EVP_DigestUpd..., mHash, hLen)Description
TRUEnever evaluated
FALSEnever evaluated
0
159 goto err;
never executed: goto err;
0
160 if (maskedDBLen - i) {
maskedDBLen - iDescription
TRUEnever evaluated
FALSEnever evaluated
0
161 if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
!EVP_DigestUpd...skedDBLen - i)Description
TRUEnever evaluated
FALSEnever evaluated
0
162 goto err;
never executed: goto err;
0
163 }
never executed: end of block
0
164 if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
!EVP_DigestFin... ((void *)0) )Description
TRUEnever evaluated
FALSEnever evaluated
0
165 goto err;
never executed: goto err;
0
166 if (timingsafe_bcmp(H_, H, hLen)) {
timingsafe_bcmp(H_, H, hLen)Description
TRUEnever evaluated
FALSEnever evaluated
0
167 RSAerror(RSA_R_BAD_SIGNATURE);-
168 ret = 0;-
169 } else
never executed: end of block
0
170 ret = 1;
never executed: ret = 1;
0
171-
172err:
code before this statement never executed: err:
0
173 free(DB);-
174 EVP_MD_CTX_cleanup(&ctx);-
175-
176 return ret;
never executed: return ret;
0
177}-
178-
179int-
180RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,-
181 const unsigned char *mHash, const EVP_MD *Hash, int sLen)-
182{-
183 return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
never executed: return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, ((void *)0) , sLen);
0
184}-
185-
186int-
187RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,-
188 const unsigned char *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash,-
189 int sLen)-
190{-
191 int i;-
192 int ret = 0;-
193 int hLen, maskedDBLen, MSBits, emLen;-
194 unsigned char *H, *salt = NULL, *p;-
195 EVP_MD_CTX ctx;-
196-
197 EVP_MD_CTX_init(&ctx);-
198-
199 if (mgf1Hash == NULL)
mgf1Hash == ((void *)0)Description
TRUEnever evaluated
FALSEnever evaluated
0
200 mgf1Hash = Hash;
never executed: mgf1Hash = Hash;
0
201-
202 hLen = EVP_MD_size(Hash);-
203 if (hLen < 0)
hLen < 0Description
TRUEnever evaluated
FALSEnever evaluated
0
204 goto err;
never executed: goto err;
0
205 /*-
206 * Negative sLen has special meanings:-
207 * -1 sLen == hLen-
208 * -2 salt length is maximized-
209 * -N reserved-
210 */-
211 if (sLen == -1)
sLen == -1Description
TRUEnever evaluated
FALSEnever evaluated
0
212 sLen = hLen;
never executed: sLen = hLen;
0
213 else if (sLen == -2)
sLen == -2Description
TRUEnever evaluated
FALSEnever evaluated
0
214 sLen = -2;
never executed: sLen = -2;
0
215 else if (sLen < -2) {
sLen < -2Description
TRUEnever evaluated
FALSEnever evaluated
0
216 RSAerror(RSA_R_SLEN_CHECK_FAILED);-
217 goto err;
never executed: goto err;
0
218 }-
219-
220 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;-
221 emLen = RSA_size(rsa);-
222 if (MSBits == 0) {
MSBits == 0Description
TRUEnever evaluated
FALSEnever evaluated
0
223 *EM++ = 0;-
224 emLen--;-
225 }
never executed: end of block
0
226 if (sLen == -2)
sLen == -2Description
TRUEnever evaluated
FALSEnever evaluated
0
227 sLen = emLen - hLen - 2;
never executed: sLen = emLen - hLen - 2;
0
228 else if (emLen < (hLen + sLen + 2)) {
emLen < (hLen + sLen + 2)Description
TRUEnever evaluated
FALSEnever evaluated
0
229 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);-
230 goto err;
never executed: goto err;
0
231 }-
232 if (sLen > 0) {
sLen > 0Description
TRUEnever evaluated
FALSEnever evaluated
0
233 salt = malloc(sLen);-
234 if (!salt) {
!saltDescription
TRUEnever evaluated
FALSEnever evaluated
0
235 RSAerror(ERR_R_MALLOC_FAILURE);-
236 goto err;
never executed: goto err;
0
237 }-
238 arc4random_buf(salt, sLen);-
239 }
never executed: end of block
0
240 maskedDBLen = emLen - hLen - 1;-
241 H = EM + maskedDBLen;-
242 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
!EVP_DigestIni... ((void *)0) )Description
TRUEnever evaluated
FALSEnever evaluated
0
243 !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
!EVP_DigestUpd...sizeof zeroes)Description
TRUEnever evaluated
FALSEnever evaluated
0
244 !EVP_DigestUpdate(&ctx, mHash, hLen))
!EVP_DigestUpd..., mHash, hLen)Description
TRUEnever evaluated
FALSEnever evaluated
0
245 goto err;
never executed: goto err;
0
246 if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
sLenDescription
TRUEnever evaluated
FALSEnever evaluated
!EVP_DigestUpd...x, salt, sLen)Description
TRUEnever evaluated
FALSEnever evaluated
0
247 goto err;
never executed: goto err;
0
248 if (!EVP_DigestFinal_ex(&ctx, H, NULL))
!EVP_DigestFin... ((void *)0) )Description
TRUEnever evaluated
FALSEnever evaluated
0
249 goto err;
never executed: goto err;
0
250-
251 /* Generate dbMask in place then perform XOR on it */-
252 if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
PKCS1_MGF1(EM,...Len, mgf1Hash)Description
TRUEnever evaluated
FALSEnever evaluated
0
253 goto err;
never executed: goto err;
0
254-
255 p = EM;-
256-
257 /*-
258 * Initial PS XORs with all zeroes which is a NOP so just update-
259 * pointer. Note from a test above this value is guaranteed to-
260 * be non-negative.-
261 */-
262 p += emLen - sLen - hLen - 2;-
263 *p++ ^= 0x1;-
264 if (sLen > 0) {
sLen > 0Description
TRUEnever evaluated
FALSEnever evaluated
0
265 for (i = 0; i < sLen; i++)
i < sLenDescription
TRUEnever evaluated
FALSEnever evaluated
0
266 *p++ ^= salt[i];
never executed: *p++ ^= salt[i];
0
267 }
never executed: end of block
0
268 if (MSBits)
MSBitsDescription
TRUEnever evaluated
FALSEnever evaluated
0
269 EM[0] &= 0xFF >> (8 - MSBits);
never executed: EM[0] &= 0xFF >> (8 - MSBits);
0
270-
271 /* H is already in place so just set final 0xbc */-
272 EM[emLen - 1] = 0xbc;-
273-
274 ret = 1;-
275-
276err:
code before this statement never executed: err:
0
277 free(salt);-
278 EVP_MD_CTX_cleanup(&ctx);-
279-
280 return ret;
never executed: return ret;
0
281}-
Source codeSwitch to Preprocessed file
Generated by Squish Coco 4.2.2