]>
Commit | Line | Data |
---|---|---|
2039c421 | 1 | /* |
d7f5e5ae | 2 | * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. |
58964a49 | 3 | * |
2a7b6f39 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
2039c421 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
58964a49 RE |
8 | */ |
9 | ||
68570797 | 10 | #include "internal/constant_time_locl.h" |
294d1e36 | 11 | |
58964a49 | 12 | #include <stdio.h> |
b39fc560 | 13 | #include "internal/cryptlib.h" |
ec577822 BM |
14 | #include <openssl/bn.h> |
15 | #include <openssl/rsa.h> | |
16 | #include <openssl/rand.h> | |
58964a49 | 17 | |
6b691a5c | 18 | int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, |
0f113f3e MC |
19 | const unsigned char *from, int flen) |
20 | { | |
21 | int j; | |
22 | unsigned char *p; | |
23 | ||
24 | if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) { | |
25 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1, | |
26 | RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); | |
8686c474 | 27 | return 0; |
0f113f3e MC |
28 | } |
29 | ||
30 | p = (unsigned char *)to; | |
31 | ||
32 | *(p++) = 0; | |
33 | *(p++) = 1; /* Private Key BT (Block Type) */ | |
34 | ||
35 | /* pad out with 0xff data */ | |
36 | j = tlen - 3 - flen; | |
37 | memset(p, 0xff, j); | |
38 | p += j; | |
39 | *(p++) = '\0'; | |
40 | memcpy(p, from, (unsigned int)flen); | |
8686c474 | 41 | return 1; |
0f113f3e | 42 | } |
58964a49 | 43 | |
6b691a5c | 44 | int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen, |
0f113f3e MC |
45 | const unsigned char *from, int flen, |
46 | int num) | |
47 | { | |
48 | int i, j; | |
49 | const unsigned char *p; | |
50 | ||
51 | p = from; | |
ba2de73b EK |
52 | |
53 | /* | |
54 | * The format is | |
55 | * 00 || 01 || PS || 00 || D | |
56 | * PS - padding string, at least 8 bytes of FF | |
57 | * D - data. | |
58 | */ | |
59 | ||
60 | if (num < 11) | |
61 | return -1; | |
62 | ||
63 | /* Accept inputs with and without the leading 0-byte. */ | |
64 | if (num == flen) { | |
65 | if ((*p++) != 0x00) { | |
66 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, | |
67 | RSA_R_INVALID_PADDING); | |
68 | return -1; | |
69 | } | |
70 | flen--; | |
71 | } | |
72 | ||
73 | if ((num != (flen + 1)) || (*(p++) != 0x01)) { | |
0f113f3e MC |
74 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, |
75 | RSA_R_BLOCK_TYPE_IS_NOT_01); | |
8686c474 | 76 | return -1; |
0f113f3e MC |
77 | } |
78 | ||
79 | /* scan over padding data */ | |
80 | j = flen - 1; /* one for type. */ | |
81 | for (i = 0; i < j; i++) { | |
82 | if (*p != 0xff) { /* should decrypt to 0xff */ | |
83 | if (*p == 0) { | |
84 | p++; | |
85 | break; | |
86 | } else { | |
87 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, | |
88 | RSA_R_BAD_FIXED_HEADER_DECRYPT); | |
8686c474 | 89 | return -1; |
0f113f3e MC |
90 | } |
91 | } | |
92 | p++; | |
93 | } | |
94 | ||
95 | if (i == j) { | |
96 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, | |
97 | RSA_R_NULL_BEFORE_BLOCK_MISSING); | |
8686c474 | 98 | return -1; |
0f113f3e MC |
99 | } |
100 | ||
101 | if (i < 8) { | |
102 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, | |
103 | RSA_R_BAD_PAD_BYTE_COUNT); | |
8686c474 | 104 | return -1; |
0f113f3e MC |
105 | } |
106 | i++; /* Skip over the '\0' */ | |
107 | j -= i; | |
108 | if (j > tlen) { | |
109 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, RSA_R_DATA_TOO_LARGE); | |
8686c474 | 110 | return -1; |
0f113f3e MC |
111 | } |
112 | memcpy(to, p, (unsigned int)j); | |
113 | ||
8686c474 | 114 | return j; |
0f113f3e | 115 | } |
58964a49 | 116 | |
6b691a5c | 117 | int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, |
0f113f3e MC |
118 | const unsigned char *from, int flen) |
119 | { | |
120 | int i, j; | |
121 | unsigned char *p; | |
122 | ||
123 | if (flen > (tlen - 11)) { | |
124 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2, | |
125 | RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); | |
8686c474 | 126 | return 0; |
0f113f3e MC |
127 | } |
128 | ||
129 | p = (unsigned char *)to; | |
130 | ||
131 | *(p++) = 0; | |
132 | *(p++) = 2; /* Public Key BT (Block Type) */ | |
133 | ||
134 | /* pad out with non-zero random data */ | |
135 | j = tlen - 3 - flen; | |
136 | ||
137 | if (RAND_bytes(p, j) <= 0) | |
8686c474 | 138 | return 0; |
0f113f3e MC |
139 | for (i = 0; i < j; i++) { |
140 | if (*p == '\0') | |
141 | do { | |
142 | if (RAND_bytes(p, 1) <= 0) | |
8686c474 | 143 | return 0; |
0f113f3e MC |
144 | } while (*p == '\0'); |
145 | p++; | |
146 | } | |
147 | ||
148 | *(p++) = '\0'; | |
149 | ||
150 | memcpy(p, from, (unsigned int)flen); | |
8686c474 | 151 | return 1; |
0f113f3e | 152 | } |
58964a49 | 153 | |
6b691a5c | 154 | int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, |
0f113f3e MC |
155 | const unsigned char *from, int flen, |
156 | int num) | |
157 | { | |
158 | int i; | |
159 | /* |em| is the encoded message, zero-padded to exactly |num| bytes */ | |
160 | unsigned char *em = NULL; | |
e875b0cf | 161 | unsigned int good, found_zero_byte, mask; |
0f113f3e MC |
162 | int zero_index = 0, msg_index, mlen = -1; |
163 | ||
4fea7005 | 164 | if (tlen <= 0 || flen <= 0) |
0f113f3e MC |
165 | return -1; |
166 | ||
167 | /* | |
168 | * PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography Standard", | |
169 | * section 7.2.2. | |
170 | */ | |
171 | ||
e875b0cf AP |
172 | if (flen > num || num < 11) { |
173 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, | |
174 | RSA_R_PKCS_DECODING_ERROR); | |
175 | return -1; | |
176 | } | |
0f113f3e | 177 | |
e875b0cf AP |
178 | em = OPENSSL_malloc(num); |
179 | if (em == NULL) { | |
180 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); | |
181 | return -1; | |
182 | } | |
183 | /* | |
184 | * Caller is encouraged to pass zero-padded message created with | |
185 | * BN_bn2binpad. Trouble is that since we can't read out of |from|'s | |
186 | * bounds, it's impossible to have an invariant memory access pattern | |
187 | * in case |from| was not zero-padded in advance. | |
188 | */ | |
189 | for (from += flen, em += num, i = 0; i < num; i++) { | |
190 | mask = ~constant_time_is_zero(flen); | |
191 | flen -= 1 & mask; | |
192 | from -= 1 & mask; | |
193 | *--em = *from & mask; | |
0f113f3e | 194 | } |
0f113f3e | 195 | |
d7f5e5ae BE |
196 | good = constant_time_is_zero(em[0]); |
197 | good &= constant_time_eq(em[1], 2); | |
0f113f3e | 198 | |
e875b0cf | 199 | /* scan over padding data */ |
0f113f3e MC |
200 | found_zero_byte = 0; |
201 | for (i = 2; i < num; i++) { | |
d7f5e5ae | 202 | unsigned int equals0 = constant_time_is_zero(em[i]); |
e875b0cf AP |
203 | |
204 | zero_index = constant_time_select_int(~found_zero_byte & equals0, | |
205 | i, zero_index); | |
0f113f3e MC |
206 | found_zero_byte |= equals0; |
207 | } | |
208 | ||
209 | /* | |
d7f5e5ae | 210 | * PS must be at least 8 bytes long, and it starts two bytes into |em|. |
0f113f3e MC |
211 | * If we never found a 0-byte, then |zero_index| is 0 and the check |
212 | * also fails. | |
213 | */ | |
e875b0cf | 214 | good &= constant_time_ge(zero_index, 2 + 8); |
0f113f3e MC |
215 | |
216 | /* | |
217 | * Skip the zero byte. This is incorrect if we never found a zero-byte | |
218 | * but in this case we also do not copy the message out. | |
219 | */ | |
220 | msg_index = zero_index + 1; | |
221 | mlen = num - msg_index; | |
222 | ||
223 | /* | |
e875b0cf | 224 | * For good measure, do this check in constant time as well. |
0f113f3e | 225 | */ |
e875b0cf | 226 | good &= constant_time_ge(tlen, mlen); |
0f113f3e MC |
227 | |
228 | /* | |
9c0cf214 BE |
229 | * Move the result in-place by |num|-11-|mlen| bytes to the left. |
230 | * Then if |good| move |mlen| bytes from |em|+11 to |to|. | |
231 | * Otherwise leave |to| unchanged. | |
232 | * Copy the memory back in a way that does not reveal the size of | |
233 | * the data being copied via a timing side channel. This requires copying | |
234 | * parts of the buffer multiple times based on the bits set in the real | |
235 | * length. Clear bits do a non-copy with identical access pattern. | |
236 | * The loop below has overall complexity of O(N*log(N)). | |
0f113f3e | 237 | */ |
d7f5e5ae BE |
238 | tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), |
239 | num - 11, tlen); | |
9c0cf214 BE |
240 | for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) { |
241 | mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0); | |
242 | for (i = 11; i < num - msg_index; i++) | |
243 | em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]); | |
244 | } | |
245 | for (i = 0; i < tlen; i++) { | |
246 | mask = good & constant_time_lt(i, mlen); | |
247 | to[i] = constant_time_select_8(mask, em[i + 11], to[i]); | |
e875b0cf | 248 | } |
0f113f3e | 249 | |
e670db01 | 250 | OPENSSL_clear_free(em, num); |
e875b0cf AP |
251 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, RSA_R_PKCS_DECODING_ERROR); |
252 | err_clear_last_constant_time(1 & good); | |
253 | ||
254 | return constant_time_select_int(good, mlen, -1); | |
0f113f3e | 255 | } |