1 /* crypto/rsa/rsa_oaep.c */
2 /* Written by Ulf Moeller. This software is distributed on an "AS IS"
3 basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
5 /* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
7 /* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
8 * <URL: http://www.shoup.net/papers/oaep.ps.Z>
9 * for problems with the security proof for the
10 * original OAEP scheme, which EME-OAEP is based on.
12 * A new proof can be found in E. Fujisaki, T. Okamoto,
13 * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
14 * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
15 * The new proof has stronger requirements for the
16 * underlying permutation: "partial-one-wayness" instead
17 * of one-wayness. For the RSA function, this is
18 * an equivalent notion.
22 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
25 #include <openssl/bn.h>
26 #include <openssl/rsa.h>
27 #include <openssl/evp.h>
28 #include <openssl/rand.h>
29 #include <openssl/sha.h>
31 int MGF1(unsigned char *mask
, long len
,
32 const unsigned char *seed
, long seedlen
);
34 int RSA_padding_add_PKCS1_OAEP(unsigned char *to
, int tlen
,
35 const unsigned char *from
, int flen
,
36 const unsigned char *param
, int plen
)
38 int i
, emlen
= tlen
- 1;
39 unsigned char *db
, *seed
;
40 unsigned char *dbmask
, seedmask
[SHA_DIGEST_LENGTH
];
42 if (flen
> emlen
- 2 * SHA_DIGEST_LENGTH
- 1)
44 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP
,
45 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
);
49 if (emlen
< 2 * SHA_DIGEST_LENGTH
+ 1)
51 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP
, RSA_R_KEY_SIZE_TOO_SMALL
);
55 dbmask
= OPENSSL_malloc(emlen
- SHA_DIGEST_LENGTH
);
58 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP
, ERR_R_MALLOC_FAILURE
);
64 db
= to
+ SHA_DIGEST_LENGTH
+ 1;
66 EVP_Digest((void *)param
, plen
, db
, NULL
, EVP_sha1(), NULL
);
67 memset(db
+ SHA_DIGEST_LENGTH
, 0,
68 emlen
- flen
- 2 * SHA_DIGEST_LENGTH
- 1);
69 db
[emlen
- flen
- SHA_DIGEST_LENGTH
- 1] = 0x01;
70 memcpy(db
+ emlen
- flen
- SHA_DIGEST_LENGTH
, from
, (unsigned int) flen
);
71 if (RAND_bytes(seed
, SHA_DIGEST_LENGTH
) <= 0)
75 "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
79 MGF1(dbmask
, emlen
- SHA_DIGEST_LENGTH
, seed
, SHA_DIGEST_LENGTH
);
80 for (i
= 0; i
< emlen
- SHA_DIGEST_LENGTH
; i
++)
83 MGF1(seedmask
, SHA_DIGEST_LENGTH
, db
, emlen
- SHA_DIGEST_LENGTH
);
84 for (i
= 0; i
< SHA_DIGEST_LENGTH
; i
++)
85 seed
[i
] ^= seedmask
[i
];
91 int RSA_padding_check_PKCS1_OAEP(unsigned char *to
, int tlen
,
92 const unsigned char *from
, int flen
, int num
,
93 const unsigned char *param
, int plen
)
95 int i
, dblen
, mlen
= -1;
96 const unsigned char *maskeddb
;
98 unsigned char *db
= NULL
, seed
[SHA_DIGEST_LENGTH
], phash
[SHA_DIGEST_LENGTH
];
101 if (--num
< 2 * SHA_DIGEST_LENGTH
+ 1)
102 /* 'num' is the length of the modulus, i.e. does not depend on the
103 * particular ciphertext. */
111 /* signalling this error immediately after detection might allow
112 * for side-channel attacks (e.g. timing if 'plen' is huge
113 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
114 * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
115 * so we use a 'bad' flag */
119 maskeddb
= from
- lzero
+ SHA_DIGEST_LENGTH
;
121 dblen
= num
- SHA_DIGEST_LENGTH
;
122 db
= OPENSSL_malloc(dblen
);
125 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP
, ERR_R_MALLOC_FAILURE
);
129 MGF1(seed
, SHA_DIGEST_LENGTH
, maskeddb
, dblen
);
130 for (i
= lzero
; i
< SHA_DIGEST_LENGTH
; i
++)
131 seed
[i
] ^= from
[i
- lzero
];
133 MGF1(db
, dblen
, seed
, SHA_DIGEST_LENGTH
);
134 for (i
= 0; i
< dblen
; i
++)
135 db
[i
] ^= maskeddb
[i
];
137 EVP_Digest((void *)param
, plen
, phash
, NULL
, EVP_sha1(), NULL
);
139 if (memcmp(db
, phash
, SHA_DIGEST_LENGTH
) != 0 || bad
)
143 for (i
= SHA_DIGEST_LENGTH
; i
< dblen
; i
++)
146 if (db
[i
] != 0x01 || i
++ >= dblen
)
150 /* everything looks OK */
155 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP
, RSA_R_DATA_TOO_LARGE
);
159 memcpy(to
, db
+ i
, mlen
);
166 /* to avoid chosen ciphertext attacks, the error message should not reveal
167 * which kind of decoding error happened */
168 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP
, RSA_R_OAEP_DECODING_ERROR
);
169 if (db
!= NULL
) OPENSSL_free(db
);
173 int PKCS1_MGF1(unsigned char *mask
, long len
,
174 const unsigned char *seed
, long seedlen
, const EVP_MD
*dgst
)
177 unsigned char cnt
[4];
179 unsigned char md
[EVP_MAX_MD_SIZE
];
183 mdlen
= EVP_MD_size(dgst
);
184 for (i
= 0; outlen
< len
; i
++)
186 cnt
[0] = (unsigned char)((i
>> 24) & 255);
187 cnt
[1] = (unsigned char)((i
>> 16) & 255);
188 cnt
[2] = (unsigned char)((i
>> 8)) & 255;
189 cnt
[3] = (unsigned char)(i
& 255);
190 EVP_DigestInit_ex(&c
,dgst
, NULL
);
191 EVP_DigestUpdate(&c
, seed
, seedlen
);
192 EVP_DigestUpdate(&c
, cnt
, 4);
193 if (outlen
+ mdlen
<= len
)
195 EVP_DigestFinal_ex(&c
, mask
+ outlen
, NULL
);
200 EVP_DigestFinal_ex(&c
, md
, NULL
);
201 memcpy(mask
+ outlen
, md
, len
- outlen
);
205 EVP_MD_CTX_cleanup(&c
);
209 int MGF1(unsigned char *mask
, long len
, const unsigned char *seed
, long seedlen
)
211 return PKCS1_MGF1(mask
, len
, seed
, seedlen
, EVP_sha1());