OpenCoverage

rsa_pss.c

Absolute File Name:

/home/opencoverage/opencoverage/guest-scripts/openssl/src/crypto/rsa/rsa_pss.c

Source code

Switch to Preprocessed file

Line Source Count

1 /* -

3 * -

4 * Licensed under the OpenSSL license (the "License"). You may not use -

5 * this file except in compliance with the License. You can obtain a copy -

6 * in the file LICENSE in the source distribution or at -

7 * https://www.openssl.org/source/license.html -

8 */ -

9 -

10 #include <stdio.h> -

11 #include "internal/cryptlib.h" -

12 #include <openssl/bn.h> -

13 #include <openssl/rsa.h> -

14 #include <openssl/evp.h> -

15 #include <openssl/rand.h> -

16 #include <openssl/sha.h> -

17 #include "rsa_locl.h" -

18 -

19 static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; -

20 -

21 #if defined(_MSC_VER) && defined(_ARM_) -

22 # pragma optimize("g", off) -

23 #endif -

24 -

25 int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, -

26 const EVP_MD *Hash, const unsigned char *EM, -

27 int sLen) -

28 { -

return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);

never executed: return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, ((void *)0) , EM, sLen);

30 } -

31 -

32 int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, -

33 const EVP_MD *Hash, const EVP_MD *mgf1Hash, -

34 const unsigned char *EM, int sLen) -

35 { -

36 int i; -

37 int ret = 0; -

38 int hLen, maskedDBLen, MSBits, emLen; -

39 const unsigned char *H; -

40 unsigned char *DB = NULL; -

41 EVP_MD_CTX *ctx = EVP_MD_CTX_new(); -

42 unsigned char H_[EVP_MAX_MD_SIZE]; -

43 -

if (ctx == NULL)

ctx == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 1009 times by 1 test Evaluated by: libcrypto.so.1.1

0-1009

goto err;

never executed: goto err;

46 -

if (mgf1Hash == NULL)

mgf1Hash == ((void *)0)	Description
TRUE	evaluated 934 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 75 times by 1 test Evaluated by: libcrypto.so.1.1

75-934

mgf1Hash = Hash;

executed 934 times by 1 test: mgf1Hash = Hash;

Executed by:

libcrypto.so.1.1

934

49 -

50 hLen = EVP_MD_size(Hash); -

if (hLen < 0)

hLen < 0	Description
TRUE	never evaluated
FALSE	evaluated 1009 times by 1 test Evaluated by: libcrypto.so.1.1

0-1009

goto err;

never executed: goto err;

53 /*- -

54 * Negative sLen has special meanings: -

55 * -1 sLen == hLen -

56 * -2 salt length is autorecovered from signature -

57 * -3 salt length is maximized -

58 * -N reserved -

59 */ -

if (sLen == RSA_PSS_SALTLEN_DIGEST) {

sLen == -1	Description
TRUE	evaluated 932 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 77 times by 1 test Evaluated by: libcrypto.so.1.1

77-932

61 sLen = hLen; -

} else if (sLen < RSA_PSS_SALTLEN_MAX) {

executed 932 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

sLen < -3	Description
TRUE	never evaluated
FALSE	evaluated 77 times by 1 test Evaluated by: libcrypto.so.1.1

0-932

63 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); -

goto err;

never executed: goto err;

65 } -

66 -

67 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; -

68 emLen = RSA_size(rsa); -

if (EM[0] & (0xFF << MSBits)) {

EM[0] & (0xFF << MSBits)	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1008 times by 1 test Evaluated by: libcrypto.so.1.1

1-1008

70 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID); -

goto err;

executed 1 time by 1 test: goto err;

Executed by:

libcrypto.so.1.1

72 } -

if (MSBits == 0) {

MSBits == 0	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1001 times by 1 test Evaluated by: libcrypto.so.1.1

7-1001

74 EM++; -

75 emLen--; -

}

executed 7 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

if (emLen < hLen + 2) {

emLen < hLen + 2	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1007 times by 1 test Evaluated by: libcrypto.so.1.1

1-1007

78 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE); -

goto err;

executed 1 time by 1 test: goto err;

Executed by:

libcrypto.so.1.1

80 } -

if (sLen == RSA_PSS_SALTLEN_MAX) {

sLen == -3	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1005 times by 1 test Evaluated by: libcrypto.so.1.1

2-1005

82 sLen = emLen - hLen - 2; -

} else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */

executed 2 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

sLen > emLen - hLen - 2	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1004 times by 1 test Evaluated by: libcrypto.so.1.1

1-1004

84 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE); -

goto err;

executed 1 time by 1 test: goto err;

Executed by:

libcrypto.so.1.1

86 } -

if (EM[emLen - 1] != 0xbc) {

EM[emLen - 1] != 0xbc	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1000 times by 1 test Evaluated by: libcrypto.so.1.1

6-1000

88 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID); -

goto err;

executed 6 times by 1 test: goto err;

Executed by:

libcrypto.so.1.1

90 } -

91 maskedDBLen = emLen - hLen - 1; -

92 H = EM + maskedDBLen; -

93 DB = OPENSSL_malloc(maskedDBLen); -

if (DB == NULL) {

DB == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 1000 times by 1 test Evaluated by: libcrypto.so.1.1

0-1000

95 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE); -

goto err;

never executed: goto err;

97 } -

if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)

PKCS1_MGF1(DB,... mgf1Hash) < 0	Description
TRUE	never evaluated
FALSE	evaluated 1000 times by 1 test Evaluated by: libcrypto.so.1.1

0-1000

goto err;

never executed: goto err;

100

for (i = 0; i < maskedDBLen; i++)

i < maskedDBLen	Description
TRUE	evaluated 215712 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1000 times by 1 test Evaluated by: libcrypto.so.1.1

1000-215712

101

DB[i] ^= EM[i];

executed 215712 times by 1 test: DB[i] ^= EM[i];

Executed by:

libcrypto.so.1.1

215712

102

if (MSBits)

MSBits	Description
TRUE	evaluated 993 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

7-993

103

DB[0] &= 0xFF >> (8 - MSBits);

executed 993 times by 1 test: DB[0] &= 0xFF >> (8 - MSBits);

Executed by:

libcrypto.so.1.1

993

104

for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) ;

executed 181936 times by 1 test: ;

Executed by:

libcrypto.so.1.1

DB[i] == 0	Description
TRUE	evaluated 181936 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1000 times by 1 test Evaluated by: libcrypto.so.1.1

i < (maskedDBLen - 1)	Description
TRUE	evaluated 181936 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-181936

105

if (DB[i++] != 0x1) {

DB[i++] != 0x1	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 994 times by 1 test Evaluated by: libcrypto.so.1.1

6-994

106 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED); -

107

goto err;

executed 6 times by 1 test: goto err;

Executed by:

libcrypto.so.1.1

108 } -

109

if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {

sLen != -2	Description
TRUE	evaluated 933 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 61 times by 1 test Evaluated by: libcrypto.so.1.1

(maskedDBLen - i) != sLen	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 930 times by 1 test Evaluated by: libcrypto.so.1.1

3-933

110 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); -

111

goto err;

executed 3 times by 1 test: goto err;

Executed by:

libcrypto.so.1.1

112 } -

113

if (!EVP_DigestInit_ex(ctx, Hash, NULL)

!EVP_DigestIni... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 991 times by 1 test Evaluated by: libcrypto.so.1.1

0-991

114

|| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))

!EVP_DigestUpd...izeof(zeroes))	Description
TRUE	never evaluated
FALSE	evaluated 991 times by 1 test Evaluated by: libcrypto.so.1.1

0-991

115

|| !EVP_DigestUpdate(ctx, mHash, hLen))

!EVP_DigestUpd..., mHash, hLen)	Description
TRUE	never evaluated
FALSE	evaluated 991 times by 1 test Evaluated by: libcrypto.so.1.1

0-991

116

goto err;

never executed: goto err;

117

if (maskedDBLen - i) {

maskedDBLen - i	Description
TRUE	evaluated 990 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

1-990

118

if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))

!EVP_DigestUpd...skedDBLen - i)	Description
TRUE	never evaluated
FALSE	evaluated 990 times by 1 test Evaluated by: libcrypto.so.1.1

0-990

119

goto err;

never executed: goto err;

120

}

executed 990 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

990

121

if (!EVP_DigestFinal_ex(ctx, H_, NULL))

!EVP_DigestFin... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 991 times by 1 test Evaluated by: libcrypto.so.1.1

0-991

122

goto err;

never executed: goto err;

123

if (memcmp(H_, H, hLen)) {

memcmp(H_, H, hLen)	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 989 times by 1 test Evaluated by: libcrypto.so.1.1

2-989

124 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE); -

125 ret = 0; -

126

} else {

executed 2 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

127 ret = 1; -

128

}

executed 989 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

989

129 -

130

err:

code before this statement executed 991 times by 1 test: err:

Executed by:

libcrypto.so.1.1

991

131 OPENSSL_free(DB); -

132 EVP_MD_CTX_free(ctx); -

133 -

134

return ret;

executed 1009 times by 1 test: return ret;

Executed by:

libcrypto.so.1.1

1009

135 -

136 } -

137 -

138 int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, -

139 const unsigned char *mHash, -

140 const EVP_MD *Hash, int sLen) -

141 { -

142

return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);

never executed: return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, ((void *)0) , sLen);

143 } -

144 -

145 int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, -

146 const unsigned char *mHash, -

147 const EVP_MD *Hash, const EVP_MD *mgf1Hash, -

148 int sLen) -

149 { -

150 int i; -

151 int ret = 0; -

152 int hLen, maskedDBLen, MSBits, emLen; -

153 unsigned char *H, *salt = NULL, *p; -

154 EVP_MD_CTX *ctx = NULL; -

155 -

156

if (mgf1Hash == NULL)

mgf1Hash == ((void *)0)	Description
TRUE	evaluated 1090 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1

4-1090

157

mgf1Hash = Hash;

executed 1090 times by 1 test: mgf1Hash = Hash;

Executed by:

libcrypto.so.1.1

1090

158 -

159 hLen = EVP_MD_size(Hash); -

160

if (hLen < 0)

hLen < 0	Description
TRUE	never evaluated
FALSE	evaluated 1094 times by 1 test Evaluated by: libcrypto.so.1.1

0-1094

161

goto err;

never executed: goto err;

162 /*- -

163 * Negative sLen has special meanings: -

164 * -1 sLen == hLen -

165 * -2 salt length is maximized -

166 * -3 same as above (on signing) -

167 * -N reserved -

168 */ -

169

if (sLen == RSA_PSS_SALTLEN_DIGEST) {

sLen == -1	Description
TRUE	evaluated 1086 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 8 times by 1 test Evaluated by: libcrypto.so.1.1

8-1086

170 sLen = hLen; -

171

} else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {

executed 1086 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

sLen == -2	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

3-1086

172 sLen = RSA_PSS_SALTLEN_MAX; -

173

} else if (sLen < RSA_PSS_SALTLEN_MAX) {

executed 3 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

sLen < -3	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-5

174 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); -

175

goto err;

never executed: goto err;

176 } -

177 -

178 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; -

179 emLen = RSA_size(rsa); -

180

if (MSBits == 0) {

MSBits == 0	Description
TRUE	never evaluated
FALSE	evaluated 1094 times by 1 test Evaluated by: libcrypto.so.1.1

0-1094

181 *EM++ = 0; -

182 emLen--; -

183

}

never executed: end of block

184

if (emLen < hLen + 2) {

emLen < hLen + 2	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1092 times by 1 test Evaluated by: libcrypto.so.1.1

2-1092

185 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, -

186 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); -

187

goto err;

executed 2 times by 1 test: goto err;

Executed by:

libcrypto.so.1.1

188 } -

189

if (sLen == RSA_PSS_SALTLEN_MAX) {

sLen == -3	Description
TRUE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1088 times by 1 test Evaluated by: libcrypto.so.1.1

4-1088

190 sLen = emLen - hLen - 2; -

191

} else if (sLen > emLen - hLen - 2) {

executed 4 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

sLen > emLen - hLen - 2	Description
TRUE	never evaluated
FALSE	evaluated 1088 times by 1 test Evaluated by: libcrypto.so.1.1

0-1088

192 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, -

193 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); -

194

goto err;

never executed: goto err;

195 } -

196

if (sLen > 0) {

sLen > 0	Description
TRUE	evaluated 1090 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

2-1090

197 salt = OPENSSL_malloc(sLen); -

198

if (salt == NULL) {

salt == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 1090 times by 1 test Evaluated by: libcrypto.so.1.1

0-1090

199 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, -

200 ERR_R_MALLOC_FAILURE); -

201

goto err;

never executed: goto err;

202 } -

203

if (RAND_bytes(salt, sLen) <= 0)

RAND_bytes(salt, sLen) <= 0	Description
TRUE	never evaluated
FALSE	evaluated 1090 times by 1 test Evaluated by: libcrypto.so.1.1

0-1090

204

goto err;

never executed: goto err;

205

}

executed 1090 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1090

206 maskedDBLen = emLen - hLen - 1; -

207 H = EM + maskedDBLen; -

208 ctx = EVP_MD_CTX_new(); -

209

if (ctx == NULL)

ctx == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 1092 times by 1 test Evaluated by: libcrypto.so.1.1

0-1092

210

goto err;

never executed: goto err;

211

if (!EVP_DigestInit_ex(ctx, Hash, NULL)

!EVP_DigestIni... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 1092 times by 1 test Evaluated by: libcrypto.so.1.1

0-1092

212

|| !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))

!EVP_DigestUpd...izeof(zeroes))	Description
TRUE	never evaluated
FALSE	evaluated 1092 times by 1 test Evaluated by: libcrypto.so.1.1

0-1092

213

|| !EVP_DigestUpdate(ctx, mHash, hLen))

!EVP_DigestUpd..., mHash, hLen)	Description
TRUE	never evaluated
FALSE	evaluated 1092 times by 1 test Evaluated by: libcrypto.so.1.1

0-1092

214

goto err;

never executed: goto err;

215

if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))

sLen	Description
TRUE	evaluated 1090 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

!EVP_DigestUpd...x, salt, sLen)	Description
TRUE	never evaluated
FALSE	evaluated 1090 times by 1 test Evaluated by: libcrypto.so.1.1

0-1090

216

goto err;

never executed: goto err;

217

if (!EVP_DigestFinal_ex(ctx, H, NULL))

!EVP_DigestFin... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 1092 times by 1 test Evaluated by: libcrypto.so.1.1

0-1092

218

goto err;

never executed: goto err;

219 -

220 /* Generate dbMask in place then perform XOR on it */ -

221

if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))

PKCS1_MGF1(EM,...Len, mgf1Hash)	Description
TRUE	never evaluated
FALSE	evaluated 1092 times by 1 test Evaluated by: libcrypto.so.1.1

0-1092

222

goto err;

never executed: goto err;

223 -

224 p = EM; -

225 -

226 /* -

227 * Initial PS XORs with all zeroes which is a NOP so just update pointer. -

228 * Note from a test above this value is guaranteed to be non-negative. -

229 */ -

230 p += emLen - sLen - hLen - 2; -

231 *p++ ^= 0x1; -

232

if (sLen > 0) {

sLen > 0	Description
TRUE	evaluated 1090 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

2-1090

233

for (i = 0; i < sLen; i++)

i < sLen	Description
TRUE	evaluated 35780 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1090 times by 1 test Evaluated by: libcrypto.so.1.1

1090-35780

234

*p++ ^= salt[i];

executed 35780 times by 1 test: *p++ ^= salt[i];

Executed by:

libcrypto.so.1.1

35780

235

}

executed 1090 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1090

236

if (MSBits)

MSBits	Description
TRUE	evaluated 1092 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1092

237

EM[0] &= 0xFF >> (8 - MSBits);

executed 1092 times by 1 test: EM[0] &= 0xFF >> (8 - MSBits);

Executed by:

libcrypto.so.1.1

1092

238 -

239 /* H is already in place so just set final 0xbc */ -

240 -

241 EM[emLen - 1] = 0xbc; -

242 -

243 ret = 1; -

244 -

245

err:

code before this statement executed 1092 times by 1 test: err:

Executed by:

libcrypto.so.1.1

1092

246 EVP_MD_CTX_free(ctx); -

247 OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */ -

248 -

249

return ret;

executed 1094 times by 1 test: return ret;

Executed by:

libcrypto.so.1.1

1094

250 -

251 } -

252 -

253 #if defined(_MSC_VER) -

254 # pragma optimize("",on) -

255 #endif -

Source code

Switch to Preprocessed file

Generated by Squish Coco 4.2.2