From 3129acbd836f9cb1b397c971801ac061317beaed Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Wed, 1 Jun 2005 22:14:04 +0000
Subject: [PATCH] Update from 0.9.7-stable.

---
 crypto/rsa/rsa_pss.c | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index a47035733d..5dcdb54603 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -71,13 +71,13 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
 	{
 	int i;
 	int ret = 0;
-	int hLen, maskedDBLen, emBits, emLen;
+	int hLen, maskedDBLen, MSBits, emLen;
 	const unsigned char *H;
 	unsigned char *DB = NULL;
 	EVP_MD_CTX ctx;
 	unsigned char H_[EVP_MAX_MD_SIZE];
-	emBits = BN_num_bits(rsa->n) - 1;
-	emLen = (emBits + 7) >> 3;
+	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
+	emLen = RSA_size(rsa);
 	hLen = EVP_MD_size(Hash);
 	if (emLen < (hLen + sLen + 2))
 		{
@@ -89,11 +89,16 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID);
 		goto err;
 		}
-	if (EM[0] & (0xFF << (emBits & 0x7)))
+	if (EM[0] & (0xFF << MSBits))
 		{
 		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID);
 		goto err;
 		}
+	if (!MSBits)
+		{
+		EM++;
+		emLen--;
+		}
 	maskedDBLen = emLen - hLen - 1;
 	H = EM + maskedDBLen;
 	DB = OPENSSL_malloc(maskedDBLen);
@@ -105,7 +110,8 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
 	PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash);
 	for (i = 0; i < maskedDBLen; i++)
 		DB[i] ^= EM[i];
-	DB[0] &= 0xFF >> (8 - (emBits & 0x7));
+	if (MSBits)
+		DB[0] &= 0xFF >> (8 - MSBits);
 	for (i = 0; i < (emLen - hLen - sLen - 2); i++)
 		{
 		if (DB[i] != 0)	
@@ -150,11 +156,11 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
 	{
 	int i;
 	int ret = 0;
-	int hLen, maskedDBLen, emBits, emLen;
+	int hLen, maskedDBLen, MSBits, emLen;
 	unsigned char *H, *salt = NULL, *p;
 	EVP_MD_CTX ctx;
-	emBits = BN_num_bits(rsa->n) - 1;
-	emLen = (emBits + 7) >> 3;
+	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
+	emLen = RSA_size(rsa);
 	hLen = EVP_MD_size(Hash);
 	if (sLen < 0)
 		sLen = 0;
@@ -164,6 +170,11 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
 		   RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
 		goto err;
 		}
+	if (MSBits == 0)
+		{
+		*EM++ = 0;
+		emLen--;
+		}
 	if (sLen > 0)
 		{
 		salt = OPENSSL_malloc(sLen);
@@ -203,7 +214,8 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
 		for (i = 0; i < sLen; i++)
 			*p++ ^= salt[i];
 		}
-	EM[0] &= 0xFF >> (8 - (emBits & 0x7));
+	if (MSBits)
+		EM[0] &= 0xFF >> (8 - MSBits);
 
 	/* H is already in place so just set final 0xbc */
 
-- 
2.34.1