]>
Commit | Line | Data |
---|---|---|
2039c421 | 1 | /* |
d7f5e5ae | 2 | * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. |
58964a49 | 3 | * |
2a7b6f39 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
2039c421 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
58964a49 RE |
8 | */ |
9 | ||
c5f87134 P |
10 | /* |
11 | * RSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
706457b7 | 16 | #include "internal/constant_time.h" |
294d1e36 | 17 | |
58964a49 | 18 | #include <stdio.h> |
ec577822 BM |
19 | #include <openssl/bn.h> |
20 | #include <openssl/rsa.h> | |
21 | #include <openssl/rand.h> | |
d9a75107 MC |
22 | /* Just for the SSL_MAX_MASTER_KEY_LENGTH value */ |
23 | #include <openssl/ssl.h> | |
24 | #include "internal/cryptlib.h" | |
25 | #include "crypto/rsa.h" | |
58964a49 | 26 | |
6b691a5c | 27 | int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, |
0f113f3e MC |
28 | const unsigned char *from, int flen) |
29 | { | |
30 | int j; | |
31 | unsigned char *p; | |
32 | ||
33 | if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) { | |
34 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1, | |
35 | RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); | |
8686c474 | 36 | return 0; |
0f113f3e MC |
37 | } |
38 | ||
39 | p = (unsigned char *)to; | |
40 | ||
41 | *(p++) = 0; | |
42 | *(p++) = 1; /* Private Key BT (Block Type) */ | |
43 | ||
44 | /* pad out with 0xff data */ | |
45 | j = tlen - 3 - flen; | |
46 | memset(p, 0xff, j); | |
47 | p += j; | |
48 | *(p++) = '\0'; | |
49 | memcpy(p, from, (unsigned int)flen); | |
8686c474 | 50 | return 1; |
0f113f3e | 51 | } |
58964a49 | 52 | |
6b691a5c | 53 | int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen, |
0f113f3e MC |
54 | const unsigned char *from, int flen, |
55 | int num) | |
56 | { | |
57 | int i, j; | |
58 | const unsigned char *p; | |
59 | ||
60 | p = from; | |
ba2de73b EK |
61 | |
62 | /* | |
63 | * The format is | |
64 | * 00 || 01 || PS || 00 || D | |
65 | * PS - padding string, at least 8 bytes of FF | |
66 | * D - data. | |
67 | */ | |
68 | ||
f1d1903d | 69 | if (num < RSA_PKCS1_PADDING_SIZE) |
ba2de73b EK |
70 | return -1; |
71 | ||
72 | /* Accept inputs with and without the leading 0-byte. */ | |
73 | if (num == flen) { | |
74 | if ((*p++) != 0x00) { | |
75 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, | |
76 | RSA_R_INVALID_PADDING); | |
77 | return -1; | |
78 | } | |
79 | flen--; | |
80 | } | |
81 | ||
82 | if ((num != (flen + 1)) || (*(p++) != 0x01)) { | |
0f113f3e MC |
83 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, |
84 | RSA_R_BLOCK_TYPE_IS_NOT_01); | |
8686c474 | 85 | return -1; |
0f113f3e MC |
86 | } |
87 | ||
88 | /* scan over padding data */ | |
89 | j = flen - 1; /* one for type. */ | |
90 | for (i = 0; i < j; i++) { | |
91 | if (*p != 0xff) { /* should decrypt to 0xff */ | |
92 | if (*p == 0) { | |
93 | p++; | |
94 | break; | |
95 | } else { | |
96 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, | |
97 | RSA_R_BAD_FIXED_HEADER_DECRYPT); | |
8686c474 | 98 | return -1; |
0f113f3e MC |
99 | } |
100 | } | |
101 | p++; | |
102 | } | |
103 | ||
104 | if (i == j) { | |
105 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, | |
106 | RSA_R_NULL_BEFORE_BLOCK_MISSING); | |
8686c474 | 107 | return -1; |
0f113f3e MC |
108 | } |
109 | ||
110 | if (i < 8) { | |
111 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, | |
112 | RSA_R_BAD_PAD_BYTE_COUNT); | |
8686c474 | 113 | return -1; |
0f113f3e MC |
114 | } |
115 | i++; /* Skip over the '\0' */ | |
116 | j -= i; | |
117 | if (j > tlen) { | |
118 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, RSA_R_DATA_TOO_LARGE); | |
8686c474 | 119 | return -1; |
0f113f3e MC |
120 | } |
121 | memcpy(to, p, (unsigned int)j); | |
122 | ||
8686c474 | 123 | return j; |
0f113f3e | 124 | } |
58964a49 | 125 | |
6b691a5c | 126 | int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, |
0f113f3e MC |
127 | const unsigned char *from, int flen) |
128 | { | |
129 | int i, j; | |
130 | unsigned char *p; | |
131 | ||
f1d1903d | 132 | if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) { |
0f113f3e MC |
133 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2, |
134 | RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); | |
8686c474 | 135 | return 0; |
0f113f3e MC |
136 | } |
137 | ||
138 | p = (unsigned char *)to; | |
139 | ||
140 | *(p++) = 0; | |
141 | *(p++) = 2; /* Public Key BT (Block Type) */ | |
142 | ||
143 | /* pad out with non-zero random data */ | |
144 | j = tlen - 3 - flen; | |
145 | ||
146 | if (RAND_bytes(p, j) <= 0) | |
8686c474 | 147 | return 0; |
0f113f3e MC |
148 | for (i = 0; i < j; i++) { |
149 | if (*p == '\0') | |
150 | do { | |
151 | if (RAND_bytes(p, 1) <= 0) | |
8686c474 | 152 | return 0; |
0f113f3e MC |
153 | } while (*p == '\0'); |
154 | p++; | |
155 | } | |
156 | ||
157 | *(p++) = '\0'; | |
158 | ||
159 | memcpy(p, from, (unsigned int)flen); | |
8686c474 | 160 | return 1; |
0f113f3e | 161 | } |
58964a49 | 162 | |
6b691a5c | 163 | int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, |
0f113f3e MC |
164 | const unsigned char *from, int flen, |
165 | int num) | |
166 | { | |
167 | int i; | |
168 | /* |em| is the encoded message, zero-padded to exactly |num| bytes */ | |
169 | unsigned char *em = NULL; | |
e875b0cf | 170 | unsigned int good, found_zero_byte, mask; |
0f113f3e MC |
171 | int zero_index = 0, msg_index, mlen = -1; |
172 | ||
4fea7005 | 173 | if (tlen <= 0 || flen <= 0) |
0f113f3e MC |
174 | return -1; |
175 | ||
176 | /* | |
177 | * PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography Standard", | |
178 | * section 7.2.2. | |
179 | */ | |
180 | ||
f1d1903d | 181 | if (flen > num || num < RSA_PKCS1_PADDING_SIZE) { |
e875b0cf AP |
182 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, |
183 | RSA_R_PKCS_DECODING_ERROR); | |
184 | return -1; | |
185 | } | |
0f113f3e | 186 | |
e875b0cf AP |
187 | em = OPENSSL_malloc(num); |
188 | if (em == NULL) { | |
189 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); | |
190 | return -1; | |
191 | } | |
192 | /* | |
193 | * Caller is encouraged to pass zero-padded message created with | |
194 | * BN_bn2binpad. Trouble is that since we can't read out of |from|'s | |
195 | * bounds, it's impossible to have an invariant memory access pattern | |
196 | * in case |from| was not zero-padded in advance. | |
197 | */ | |
198 | for (from += flen, em += num, i = 0; i < num; i++) { | |
199 | mask = ~constant_time_is_zero(flen); | |
200 | flen -= 1 & mask; | |
201 | from -= 1 & mask; | |
202 | *--em = *from & mask; | |
0f113f3e | 203 | } |
0f113f3e | 204 | |
d7f5e5ae BE |
205 | good = constant_time_is_zero(em[0]); |
206 | good &= constant_time_eq(em[1], 2); | |
0f113f3e | 207 | |
e875b0cf | 208 | /* scan over padding data */ |
0f113f3e MC |
209 | found_zero_byte = 0; |
210 | for (i = 2; i < num; i++) { | |
d7f5e5ae | 211 | unsigned int equals0 = constant_time_is_zero(em[i]); |
e875b0cf AP |
212 | |
213 | zero_index = constant_time_select_int(~found_zero_byte & equals0, | |
214 | i, zero_index); | |
0f113f3e MC |
215 | found_zero_byte |= equals0; |
216 | } | |
217 | ||
218 | /* | |
d7f5e5ae | 219 | * PS must be at least 8 bytes long, and it starts two bytes into |em|. |
0f113f3e MC |
220 | * If we never found a 0-byte, then |zero_index| is 0 and the check |
221 | * also fails. | |
222 | */ | |
e875b0cf | 223 | good &= constant_time_ge(zero_index, 2 + 8); |
0f113f3e MC |
224 | |
225 | /* | |
226 | * Skip the zero byte. This is incorrect if we never found a zero-byte | |
227 | * but in this case we also do not copy the message out. | |
228 | */ | |
229 | msg_index = zero_index + 1; | |
230 | mlen = num - msg_index; | |
231 | ||
232 | /* | |
e875b0cf | 233 | * For good measure, do this check in constant time as well. |
0f113f3e | 234 | */ |
e875b0cf | 235 | good &= constant_time_ge(tlen, mlen); |
0f113f3e MC |
236 | |
237 | /* | |
f1d1903d DMSP |
238 | * Move the result in-place by |num|-RSA_PKCS1_PADDING_SIZE-|mlen| bytes to the left. |
239 | * Then if |good| move |mlen| bytes from |em|+RSA_PKCS1_PADDING_SIZE to |to|. | |
9c0cf214 BE |
240 | * Otherwise leave |to| unchanged. |
241 | * Copy the memory back in a way that does not reveal the size of | |
242 | * the data being copied via a timing side channel. This requires copying | |
243 | * parts of the buffer multiple times based on the bits set in the real | |
244 | * length. Clear bits do a non-copy with identical access pattern. | |
245 | * The loop below has overall complexity of O(N*log(N)). | |
0f113f3e | 246 | */ |
f1d1903d DMSP |
247 | tlen = constant_time_select_int(constant_time_lt(num - RSA_PKCS1_PADDING_SIZE, tlen), |
248 | num - RSA_PKCS1_PADDING_SIZE, tlen); | |
249 | for (msg_index = 1; msg_index < num - RSA_PKCS1_PADDING_SIZE; msg_index <<= 1) { | |
250 | mask = ~constant_time_eq(msg_index & (num - RSA_PKCS1_PADDING_SIZE - mlen), 0); | |
251 | for (i = RSA_PKCS1_PADDING_SIZE; i < num - msg_index; i++) | |
9c0cf214 BE |
252 | em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]); |
253 | } | |
254 | for (i = 0; i < tlen; i++) { | |
255 | mask = good & constant_time_lt(i, mlen); | |
f1d1903d | 256 | to[i] = constant_time_select_8(mask, em[i + RSA_PKCS1_PADDING_SIZE], to[i]); |
e875b0cf | 257 | } |
0f113f3e | 258 | |
e670db01 | 259 | OPENSSL_clear_free(em, num); |
afb638f1 MC |
260 | #ifndef FIPS_MODE |
261 | /* | |
262 | * This trick doesn't work in the FIPS provider because libcrypto manages | |
263 | * the error stack. Instead we opt not to put an error on the stack at all | |
264 | * in case of padding failure in the FIPS provider. | |
265 | */ | |
e875b0cf AP |
266 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, RSA_R_PKCS_DECODING_ERROR); |
267 | err_clear_last_constant_time(1 & good); | |
afb638f1 | 268 | #endif |
e875b0cf AP |
269 | |
270 | return constant_time_select_int(good, mlen, -1); | |
0f113f3e | 271 | } |
d9a75107 MC |
272 | |
273 | /* | |
274 | * rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2 | |
275 | * padding from a decrypted RSA message in a TLS signature. The result is stored | |
276 | * in the buffer pointed to by |to| which should be |tlen| bytes long. |tlen| | |
277 | * must be at least SSL_MAX_MASTER_KEY_LENGTH. The original decrypted message | |
278 | * should be stored in |from| which must be |flen| bytes in length and padded | |
279 | * such that |flen == RSA_size()|. The TLS protocol version that the client | |
280 | * originally requested should be passed in |client_version|. Some buggy clients | |
281 | * can exist which use the negotiated version instead of the originally | |
282 | * requested protocol version. If it is necessary to work around this bug then | |
283 | * the negotiated protocol version can be passed in |alt_version|, otherwise 0 | |
284 | * should be passed. | |
285 | * | |
286 | * If the passed message is publicly invalid or some other error that can be | |
287 | * treated in non-constant time occurs then -1 is returned. On success the | |
288 | * length of the decrypted data is returned. This will always be | |
289 | * SSL_MAX_MASTER_KEY_LENGTH. If an error occurs that should be treated in | |
290 | * constant time then this function will appear to return successfully, but the | |
291 | * decrypted data will be randomly generated (as per | |
292 | * https://tools.ietf.org/html/rfc5246#section-7.4.7.1). | |
293 | */ | |
294 | int rsa_padding_check_PKCS1_type_2_TLS(unsigned char *to, size_t tlen, | |
295 | const unsigned char *from, size_t flen, | |
296 | int client_version, int alt_version) | |
297 | { | |
298 | unsigned int i, good, version_good; | |
299 | unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; | |
300 | ||
301 | /* | |
302 | * If these checks fail then either the message in publicly invalid, or | |
303 | * we've been called incorrectly. We can fail immediately. | |
304 | */ | |
305 | if (flen < RSA_PKCS1_PADDING_SIZE + SSL_MAX_MASTER_KEY_LENGTH | |
306 | || tlen < SSL_MAX_MASTER_KEY_LENGTH) { | |
307 | ERR_raise(ERR_LIB_RSA, RSA_R_PKCS_DECODING_ERROR); | |
308 | return -1; | |
309 | } | |
310 | ||
311 | /* | |
312 | * Generate a random premaster secret to use in the event that we fail | |
313 | * to decrypt. | |
314 | */ | |
315 | if (RAND_priv_bytes(rand_premaster_secret, | |
316 | sizeof(rand_premaster_secret)) <= 0) { | |
317 | ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | |
318 | return -1; | |
319 | } | |
320 | ||
321 | good = constant_time_is_zero(from[0]); | |
322 | good &= constant_time_eq(from[1], 2); | |
323 | ||
324 | /* Check we have the expected padding data */ | |
325 | for (i = 2; i < flen - SSL_MAX_MASTER_KEY_LENGTH - 1; i++) | |
326 | good &= ~constant_time_is_zero_8(from[i]); | |
327 | good &= constant_time_is_zero_8(from[flen - SSL_MAX_MASTER_KEY_LENGTH - 1]); | |
328 | ||
329 | ||
330 | /* | |
331 | * If the version in the decrypted pre-master secret is correct then | |
332 | * version_good will be 0xff, otherwise it'll be zero. The | |
333 | * Klima-Pokorny-Rosa extension of Bleichenbacher's attack | |
334 | * (http://eprint.iacr.org/2003/052/) exploits the version number | |
335 | * check as a "bad version oracle". Thus version checks are done in | |
336 | * constant time and are treated like any other decryption error. | |
337 | */ | |
338 | version_good = | |
339 | constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH], | |
340 | (client_version >> 8) & 0xff); | |
341 | version_good &= | |
342 | constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH + 1], | |
343 | client_version & 0xff); | |
344 | ||
345 | /* | |
346 | * The premaster secret must contain the same version number as the | |
347 | * ClientHello to detect version rollback attacks (strangely, the | |
348 | * protocol does not offer such protection for DH ciphersuites). | |
349 | * However, buggy clients exist that send the negotiated protocol | |
350 | * version instead if the server does not support the requested | |
351 | * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set then we tolerate | |
352 | * such clients. In that case alt_version will be non-zero and set to | |
353 | * the negotiated version. | |
354 | */ | |
355 | if (alt_version > 0) { | |
356 | unsigned int workaround_good; | |
357 | ||
358 | workaround_good = | |
359 | constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH], | |
360 | (alt_version >> 8) & 0xff); | |
361 | workaround_good &= | |
362 | constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH + 1], | |
363 | alt_version & 0xff); | |
364 | version_good |= workaround_good; | |
365 | } | |
366 | ||
367 | good &= version_good; | |
368 | ||
369 | ||
370 | /* | |
371 | * Now copy the result over to the to buffer if good, or random data if | |
372 | * not good. | |
373 | */ | |
374 | for (i = 0; i < SSL_MAX_MASTER_KEY_LENGTH; i++) { | |
375 | to[i] = | |
376 | constant_time_select_8(good, | |
377 | from[flen - SSL_MAX_MASTER_KEY_LENGTH + i], | |
378 | rand_premaster_secret[i]); | |
379 | } | |
380 | ||
381 | /* | |
382 | * We must not leak whether a decryption failure occurs because of | |
383 | * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246, | |
384 | * section 7.4.7.1). The code follows that advice of the TLS RFC and | |
385 | * generates a random premaster secret for the case that the decrypt | |
386 | * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 | |
387 | * So, whether we actually succeeded or not, return success. | |
388 | */ | |
389 | ||
390 | return SSL_MAX_MASTER_KEY_LENGTH; | |
391 | } |