Commit | Line | Data |
---|---|---|
2039c421 | 1 | /* |
d7f5e5ae | 2 | * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. |
58964a49 | 3 | * |
2a7b6f39 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
2039c421 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
58964a49 RE |
8 | */ |
9 | ||
10 | #include <stdio.h> | |
b39fc560 | 11 | #include "internal/cryptlib.h" |
ec577822 BM |
12 | #include <openssl/bn.h> |
13 | #include <openssl/rsa.h> | |
14 | #include <openssl/rand.h> | |
60322140 | 15 | #include "internal/constant_time_locl.h" |
58964a49 | 16 | |
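/*
 * Build an SSLv23-flavoured PKCS#1 type 2 encryption block in |to|.
 *
 * Exactly |tlen| bytes are written, laid out as:
 *
 *   00 || 02 || PS || 03 03 03 03 03 03 03 03 || 00 || message
 *
 * PS is |tlen| - 11 - |flen| random bytes, none of which is zero, so the
 * first zero byte after the block type is always the delimiter. PS is empty
 * when |flen| == |tlen| - 11. The run of eight 0x03 bytes is the marker that
 * RSA_padding_check_SSLv23() looks for in front of the delimiter.
 *
 * |to|   output buffer, at least |tlen| bytes
 * |tlen| size of the encoded block
 * |from| message to embed
 * |flen| message length; must satisfy 0 <= |flen| <= |tlen| - 11
 *
 * Returns 1 on success and 0 on failure (message too long, negative length,
 * or the random generator failed). On a generator failure |to| may already
 * hold a partially written block.
 */
int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
                           const unsigned char *from, int flen)
{
    int i, j;
    unsigned char *p;

    /*
     * A negative |flen| can pass the size check below, makes |j| larger
     * than the room left in |to|, and turns into a huge length once cast to
     * unsigned for memcpy(). Reject it before anything is written. No error
     * is queued, matching how RSA_padding_check_SSLv23() treats
     * non-positive lengths.
     */
    if (flen < 0)
        return 0;

    /* 11 = 00 || 02 header (2) + 0x03 marker (8) + 00 delimiter (1) */
    if (flen > (tlen - 11)) {
        RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,
               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        return 0;
    }

    p = to;

    *(p++) = 0;
    *(p++) = 2;                 /* Public Key BT (Block Type) */

    /* pad out with non-zero random data */
    j = tlen - 3 - 8 - flen;

    if (RAND_bytes(p, j) <= 0)
        return 0;
    for (i = 0; i < j; i++) {
        /*
         * Redraw any zero byte: a zero inside PS would be taken for the
         * delimiter by the checker.
         */
        while (*p == '\0') {
            if (RAND_bytes(p, 1) <= 0)
                return 0;
        }
        p++;
    }

    /* SSLv23 marker: eight 0x03 bytes directly in front of the delimiter */
    memset(p, 3, 8);
    p += 8;
    *(p++) = '\0';

    memcpy(p, from, (unsigned int)flen);
    return 1;
}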
58964a49 | 55 | |
/*
 * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
 * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also
 * preserves error code reporting for backward compatibility.
 *
 * |to|   output buffer for the recovered message
 * |tlen| size of |to|
 * |from| decrypted block, possibly without its leading zero bytes
 * |flen| number of bytes available at |from|
 * |num|  size of the RSA modulus in bytes
 *
 * Returns the message length on success and -1 on failure.
 *
 * Once the length checks and the allocation are done, every decision that
 * depends on the decrypted bytes is taken with the constant_time_* helpers
 * rather than with branches: the padding verdict accumulates in |good|, the
 * reason code in |err|, and both loops over |em| and |to| run a number of
 * iterations that depends only on |num| and |tlen|. The intent is that a
 * caller timing this function learns nothing about whether, or where, the
 * padding check failed. The early returns above that point branch only on
 * the length parameters.
 *
 * NOTE(review): as written, a block is accepted only when the eight 0x03
 * bytes are present, and RSA_R_SSLV3_ROLLBACK_ATTACK is raised when they are
 * absent. The SSLv2 rollback-detection convention is usually described the
 * other way round (a peer that also supports a newer protocol treats the
 * marker's presence as the rollback signal). Confirm the intended direction
 * against the protocol specification before relying on this check.
 */
int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
                             const unsigned char *from, int flen, int num)
{
    int i;
    /* |em| is the encoded message, zero-padded to exactly |num| bytes */
    unsigned char *em = NULL;
    unsigned int good, found_zero_byte, mask, threes_in_row;
    int zero_index = 0, msg_index, mlen = -1, err;

    /* Non-positive lengths are rejected without queuing an error. */
    if (tlen <= 0 || flen <= 0)
        return -1;

    /* 11 = 00 || 02 header (2) + minimum 8 padding bytes + 00 delimiter */
    if (flen > num || num < 11) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
        return -1;
    }

    em = OPENSSL_malloc(num);
    if (em == NULL) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, ERR_R_MALLOC_FAILURE);
        return -1;
    }
    /*
     * Caller is encouraged to pass zero-padded message created with
     * BN_bn2binpad. Trouble is that since we can't read out of |from|'s
     * bounds, it's impossible to have an invariant memory access pattern
     * in case |from| was not zero-padded in advance.
     *
     * The loop fills |em| from its last byte backwards. While |flen| is
     * non-zero, |mask| is all ones and one byte of |from| is consumed; once
     * |flen| reaches zero, |from| stops moving and the remaining leading
     * bytes of |em| are written as zero. After |num| iterations |em| points
     * at the start of the buffer again.
     */
    for (from += flen, em += num, i = 0; i < num; i++) {
        mask = ~constant_time_is_zero(flen);
        flen -= 1 & mask;
        from -= 1 & mask;
        *--em = *from & mask;
    }

    /* Header must be 00 || 02. */
    good = constant_time_is_zero(em[0]);
    good &= constant_time_eq(em[1], 2);
    err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02);
    /* |mask| is set once any check has failed, so later checks keep |err|. */
    mask = ~good;

    /*
     * scan over padding data
     *
     * |zero_index| ends up as the index of the first zero byte at or after
     * offset 2. |threes_in_row| counts the 0x03 bytes that immediately
     * precede that zero byte: it is incremented for every byte seen before
     * the delimiter and cleared whenever such a byte is not 0x03
     * (presumably constant_time_eq yields all ones or zero - confirm in
     * the constant-time header). The whole of |em| is always scanned.
     */
    found_zero_byte = 0;
    threes_in_row = 0;
    for (i = 2; i < num; i++) {
        unsigned int equals0 = constant_time_is_zero(em[i]);

        zero_index = constant_time_select_int(~found_zero_byte & equals0,
                                              i, zero_index);
        found_zero_byte |= equals0;

        threes_in_row += 1 & ~found_zero_byte;
        threes_in_row &= found_zero_byte | constant_time_eq(em[i], 3);
    }

    /*
     * PS must be at least 8 bytes long, and it starts two bytes into |em|.
     * If we never found a 0-byte, then |zero_index| is 0 and the check
     * also fails.
     *
     * |mask | good| keeps the current |err| when an earlier check already
     * failed or when this one passed, so the first failure's reason code is
     * the one that gets reported.
     */
    good &= constant_time_ge(zero_index, 2 + 8);
    err = constant_time_select_int(mask | good, err,
                                   RSA_R_NULL_BEFORE_BLOCK_MISSING);
    mask = ~good;

    /* The delimiter must be directly preceded by eight 0x03 bytes. */
    good &= constant_time_ge(threes_in_row, 8);
    err = constant_time_select_int(mask | good, err,
                                   RSA_R_SSLV3_ROLLBACK_ATTACK);
    mask = ~good;

    /*
     * Skip the zero byte. This is incorrect if we never found a zero-byte
     * but in this case we also do not copy the message out.
     */
    msg_index = zero_index + 1;
    mlen = num - msg_index;

    /*
     * For good measure, do this check in constant time as well.
     */
    good &= constant_time_ge(tlen, mlen);
    err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE);

    /*
     * Even though we can't fake result's length, we can pretend copying
     * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
     * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
     * where |mlen'| is "saturated" |mlen| value. Deducing information
     * about failure or |mlen| would take attacker's ability to observe
     * memory access pattern with byte granularity *as it occurs*. It
     * should be noted that failure is indistinguishable from normal
     * operation if |tlen| is fixed by protocol.
     *
     * |tlen| is first capped at |num| - 11, the longest message the block
     * can carry. On failure |msg_index| is moved to |num| - |tlen| so the
     * loop still reads inside |em|. Each iteration stores either a byte of
     * |em| or the byte already in |to|, so |to| is written |tlen| times
     * whatever the outcome.
     */
    tlen = constant_time_select_int(constant_time_lt(num - 11, tlen),
                                    num - 11, tlen);
    msg_index = constant_time_select_int(good, msg_index, num - tlen);
    mlen = num - msg_index;
    for (mask = good, i = 0; i < tlen; i++) {
        unsigned int equals = constant_time_eq(msg_index, num);

        msg_index -= tlen & equals; /* rewind at EOF */
        mask &= ~equals; /* mask = 0 at EOF */
        to[i] = constant_time_select_8(mask, em[msg_index++], to[i]);
    }

    /*
     * |em| holds decrypted data, so it is released with the clear-and-free
     * helper rather than a plain free. The error is raised unconditionally
     * and then, presumably, withdrawn again by err_clear_last_constant_time
     * when |good| is set, so that success and failure run the same calls -
     * confirm against that helper's definition.
     */
    OPENSSL_clear_free(em, num);
    RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, err);
    err_clear_last_constant_time(1 & good);

    return constant_time_select_int(good, mlen, -1);
}
148 | * about failure or |mlen| would take attacker's ability to observe | |
149 | * memory access pattern with byte granularity *as it occurs*. It | |
150 | * should be noted that failure is indistinguishable from normal | |
151 | * operation if |tlen| is fixed by protocol. | |
152 | */ | |
d7f5e5ae BE |
153 | tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), |
154 | num - 11, tlen); | |
60322140 AP |
155 | msg_index = constant_time_select_int(good, msg_index, num - tlen); |
156 | mlen = num - msg_index; | |
d7f5e5ae BE |
157 | for (mask = good, i = 0; i < tlen; i++) { |
158 | unsigned int equals = constant_time_eq(msg_index, num); | |
60322140 | 159 | |
d7f5e5ae BE |
160 | msg_index -= tlen & equals; /* rewind at EOF */ |
161 | mask &= ~equals; /* mask = 0 at EOF */ | |
162 | to[i] = constant_time_select_8(mask, em[msg_index++], to[i]); | |
0f113f3e | 163 | } |
0f113f3e | 164 | |
60322140 AP |
165 | OPENSSL_clear_free(em, num); |
166 | RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, err); | |
167 | err_clear_last_constant_time(1 & good); | |
168 | ||
169 | return constant_time_select_int(good, mlen, -1); | |
0f113f3e | 170 | } |