Extend PSS padding code to support different digests for MGF1 and message.

diff --git a/crypto/rsa/rsa_locl.h b/crypto/rsa/rsa_locl.h
index f5d2d56628430978d8a518a7cf14802cd9cc039d..e8ea477929d24269be90d4582633517c29d810a7 100644 (file)
--- a/crypto/rsa/rsa_locl.h
+++ b/crypto/rsa/rsa_locl.h
@@ -2,3 +2,11 @@ extern int int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
                unsigned char *rm, size_t *prm_len,
                const unsigned char *sigbuf, size_t siglen,
                RSA *rsa);
+
+int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
+                       const EVP_MD *Hash, const EVP_MD *mgf1Hash, 
+                       const unsigned char *EM, int sLen);
+
+int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+                       const unsigned char *mHash,
+                       const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen);

diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index 4efb8eddad78fb743009475e92d905066545ec23..4f87a2939d6eecb181009beebd14354fc3b4143d 100644 (file)
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -63,6 +63,7 @@
 #include <openssl/evp.h>
 #include <openssl/rand.h>
 #include <openssl/sha.h>
+#include "rsa_locl.h"
 
 static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
 
@@ -73,6 +74,13 @@ static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
 int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
                        const EVP_MD *Hash, const unsigned char *EM, int sLen)
        {
+       return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
+       }
+
+int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
+                       const EVP_MD *Hash, const EVP_MD *mgf1Hash,
+                       const unsigned char *EM, int sLen)
+       {
        int i;
        int ret = 0;
        int hLen, maskedDBLen, MSBits, emLen;
@@ -82,6 +90,9 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
        unsigned char H_[EVP_MAX_MD_SIZE];
        EVP_MD_CTX_init(&ctx);
 
+       if (mgf1Hash == NULL)
+               mgf1Hash = Hash;
+
        hLen = EVP_MD_size(Hash);
        if (hLen < 0)
                goto err;
@@ -129,7 +140,7 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE);
                goto err;
                }
-       if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash) < 0)
+       if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
                goto err;
        for (i = 0; i < maskedDBLen; i++)
                DB[i] ^= EM[i];
@@ -178,12 +189,22 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
                        const unsigned char *mHash,
                        const EVP_MD *Hash, int sLen)
        {
+       return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
+       }
+
+int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+                       const unsigned char *mHash,
+                       const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen)
+       {
        int i;
        int ret = 0;
        int hLen, maskedDBLen, MSBits, emLen;
        unsigned char *H, *salt = NULL, *p;
        EVP_MD_CTX ctx;
 
+       if (mgf1Hash == NULL)
+               mgf1Hash = Hash;
+
        hLen = EVP_MD_size(Hash);
        if (hLen < 0)
                goto err;
@@ -244,7 +265,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
        EVP_MD_CTX_cleanup(&ctx);
 
        /* Generate dbMask in place then perform XOR on it */
-       if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash))
+       if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
                goto err;
 
        p = EM;