]>
Commit | Line | Data |
---|---|---|
a4949896 | 1 | /* crypto/rsa/rsa_oaep.c */ |
40720ce3 MC |
2 | /* |
3 | * Written by Ulf Moeller. This software is distributed on an "AS IS" basis, | |
4 | * WITHOUT WARRANTY OF ANY KIND, either express or implied. | |
5 | */ | |
a4949896 | 6 | |
9347ba48 BM |
7 | /* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */ |
8 | ||
40720ce3 MC |
9 | /* |
10 | * See Victor Shoup, "OAEP reconsidered," Nov. 2000, <URL: | |
11 | * http://www.shoup.net/papers/oaep.ps.Z> for problems with the security | |
12 | * proof for the original OAEP scheme, which EME-OAEP is based on. A new | |
13 | * proof can be found in E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern, | |
14 | * "RSA-OEAP is Still Alive!", Dec. 2000, <URL: | |
15 | * http://eprint.iacr.org/2000/061/>. The new proof has stronger requirements | |
16 | * for the underlying permutation: "partial-one-wayness" instead of | |
17 | * one-wayness. For the RSA function, this is an equivalent notion. | |
9347ba48 BM |
18 | */ |
19 | ||
15b7f5bf | 20 | #include "constant_time_locl.h" |
a4949896 | 21 | |
cf1b7d96 | 22 | #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) |
40720ce3 MC |
23 | # include <stdio.h> |
24 | # include "cryptlib.h" | |
25 | # include <openssl/bn.h> | |
26 | # include <openssl/rsa.h> | |
27 | # include <openssl/evp.h> | |
28 | # include <openssl/rand.h> | |
29 | # include <openssl/sha.h> | |
a4949896 | 30 | |
29c1f061 | 31 | int MGF1(unsigned char *mask, long len, |
40720ce3 | 32 | const unsigned char *seed, long seedlen); |
a4949896 | 33 | |
6b691a5c | 34 | int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, |
40720ce3 MC |
35 | const unsigned char *from, int flen, |
36 | const unsigned char *param, int plen) | |
37 | { | |
38 | int i, emlen = tlen - 1; | |
39 | unsigned char *db, *seed; | |
40 | unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH]; | |
41 | ||
42 | if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1) { | |
43 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, | |
44 | RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); | |
45 | return 0; | |
46 | } | |
47 | ||
48 | if (emlen < 2 * SHA_DIGEST_LENGTH + 1) { | |
49 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL); | |
50 | return 0; | |
51 | } | |
52 | ||
53 | to[0] = 0; | |
54 | seed = to + 1; | |
55 | db = to + SHA_DIGEST_LENGTH + 1; | |
56 | ||
57 | EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL); | |
58 | memset(db + SHA_DIGEST_LENGTH, 0, | |
59 | emlen - flen - 2 * SHA_DIGEST_LENGTH - 1); | |
60 | db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01; | |
61 | memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int)flen); | |
62 | if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0) | |
63 | return 0; | |
64 | # ifdef PKCS_TESTVECT | |
65 | memcpy(seed, | |
66 | "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f", | |
67 | 20); | |
68 | # endif | |
69 | ||
70 | dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH); | |
71 | if (dbmask == NULL) { | |
72 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); | |
73 | return 0; | |
74 | } | |
75 | ||
76 | MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH); | |
77 | for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++) | |
78 | db[i] ^= dbmask[i]; | |
79 | ||
80 | MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH); | |
81 | for (i = 0; i < SHA_DIGEST_LENGTH; i++) | |
82 | seed[i] ^= seedmask[i]; | |
83 | ||
84 | OPENSSL_free(dbmask); | |
85 | return 1; | |
86 | } | |
a4949896 | 87 | |
6b691a5c | 88 | int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, |
40720ce3 MC |
89 | const unsigned char *from, int flen, int num, |
90 | const unsigned char *param, int plen) | |
91 | { | |
92 | int i, dblen, mlen = -1, one_index = 0, msg_index; | |
93 | unsigned int good, found_one_byte; | |
94 | const unsigned char *maskedseed, *maskeddb; | |
95 | /* | |
96 | * |em| is the encoded message, zero-padded to exactly |num| bytes: em = | |
97 | * Y || maskedSeed || maskedDB | |
98 | */ | |
99 | unsigned char *db = NULL, *em = NULL, seed[EVP_MAX_MD_SIZE], | |
100 | phash[EVP_MAX_MD_SIZE]; | |
101 | ||
102 | if (tlen <= 0 || flen <= 0) | |
103 | return -1; | |
104 | ||
105 | /* | |
106 | * |num| is the length of the modulus; |flen| is the length of the | |
107 | * encoded message. Therefore, for any |from| that was obtained by | |
108 | * decrypting a ciphertext, we must have |flen| <= |num|. Similarly, | |
109 | * num < 2 * SHA_DIGEST_LENGTH + 2 must hold for the modulus | |
110 | * irrespective of the ciphertext, see PKCS #1 v2.2, section 7.1.2. | |
111 | * This does not leak any side-channel information. | |
112 | */ | |
113 | if (num < flen || num < 2 * SHA_DIGEST_LENGTH + 2) | |
114 | goto decoding_err; | |
115 | ||
116 | dblen = num - SHA_DIGEST_LENGTH - 1; | |
117 | db = OPENSSL_malloc(dblen); | |
118 | em = OPENSSL_malloc(num); | |
119 | if (db == NULL || em == NULL) { | |
120 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); | |
121 | goto cleanup; | |
122 | } | |
123 | ||
124 | /* | |
125 | * Always do this zero-padding copy (even when num == flen) to avoid | |
126 | * leaking that information. The copy still leaks some side-channel | |
127 | * information, but it's impossible to have a fixed memory access | |
128 | * pattern since we can't read out of the bounds of |from|. | |
129 | * | |
130 | * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL. | |
131 | */ | |
132 | memset(em, 0, num); | |
133 | memcpy(em + num - flen, from, flen); | |
134 | ||
135 | /* | |
136 | * The first byte must be zero, however we must not leak if this is | |
137 | * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA | |
138 | * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). | |
139 | */ | |
140 | good = constant_time_is_zero(em[0]); | |
141 | ||
142 | maskedseed = em + 1; | |
143 | maskeddb = em + 1 + SHA_DIGEST_LENGTH; | |
144 | ||
145 | MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen); | |
146 | for (i = 0; i < SHA_DIGEST_LENGTH; i++) | |
147 | seed[i] ^= maskedseed[i]; | |
148 | ||
149 | MGF1(db, dblen, seed, SHA_DIGEST_LENGTH); | |
150 | for (i = 0; i < dblen; i++) | |
151 | db[i] ^= maskeddb[i]; | |
152 | ||
153 | EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL); | |
154 | ||
155 | good &= | |
156 | constant_time_is_zero(CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH)); | |
157 | ||
158 | found_one_byte = 0; | |
159 | for (i = SHA_DIGEST_LENGTH; i < dblen; i++) { | |
160 | /* | |
161 | * Padding consists of a number of 0-bytes, followed by a 1. | |
162 | */ | |
163 | unsigned int equals1 = constant_time_eq(db[i], 1); | |
164 | unsigned int equals0 = constant_time_is_zero(db[i]); | |
165 | one_index = constant_time_select_int(~found_one_byte & equals1, | |
166 | i, one_index); | |
167 | found_one_byte |= equals1; | |
168 | good &= (found_one_byte | equals0); | |
169 | } | |
170 | ||
171 | good &= found_one_byte; | |
172 | ||
173 | /* | |
174 | * At this point |good| is zero unless the plaintext was valid, | |
175 | * so plaintext-awareness ensures timing side-channels are no longer a | |
176 | * concern. | |
177 | */ | |
178 | if (!good) | |
179 | goto decoding_err; | |
180 | ||
181 | msg_index = one_index + 1; | |
182 | mlen = dblen - msg_index; | |
183 | ||
184 | if (tlen < mlen) { | |
185 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE); | |
186 | mlen = -1; | |
187 | } else { | |
188 | memcpy(to, db + msg_index, mlen); | |
189 | goto cleanup; | |
190 | } | |
191 | ||
192 | decoding_err: | |
193 | /* | |
194 | * To avoid chosen ciphertext attacks, the error message should not | |
195 | * reveal which kind of decoding error happened. | |
196 | */ | |
197 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); | |
198 | cleanup: | |
199 | if (db != NULL) | |
200 | OPENSSL_free(db); | |
201 | if (em != NULL) | |
202 | OPENSSL_free(em); | |
203 | return mlen; | |
204 | } | |
a4949896 | 205 | |
dea446d9 | 206 | int PKCS1_MGF1(unsigned char *mask, long len, |
40720ce3 MC |
207 | const unsigned char *seed, long seedlen, const EVP_MD *dgst) |
208 | { | |
209 | long i, outlen = 0; | |
210 | unsigned char cnt[4]; | |
211 | EVP_MD_CTX c; | |
212 | unsigned char md[EVP_MAX_MD_SIZE]; | |
213 | int mdlen; | |
214 | ||
215 | EVP_MD_CTX_init(&c); | |
216 | mdlen = M_EVP_MD_size(dgst); | |
217 | for (i = 0; outlen < len; i++) { | |
218 | cnt[0] = (unsigned char)((i >> 24) & 255); | |
219 | cnt[1] = (unsigned char)((i >> 16) & 255); | |
220 | cnt[2] = (unsigned char)((i >> 8)) & 255; | |
221 | cnt[3] = (unsigned char)(i & 255); | |
222 | EVP_DigestInit_ex(&c, dgst, NULL); | |
223 | EVP_DigestUpdate(&c, seed, seedlen); | |
224 | EVP_DigestUpdate(&c, cnt, 4); | |
225 | if (outlen + mdlen <= len) { | |
226 | EVP_DigestFinal_ex(&c, mask + outlen, NULL); | |
227 | outlen += mdlen; | |
228 | } else { | |
229 | EVP_DigestFinal_ex(&c, md, NULL); | |
230 | memcpy(mask + outlen, md, len - outlen); | |
231 | outlen = len; | |
232 | } | |
233 | } | |
234 | EVP_MD_CTX_cleanup(&c); | |
235 | return 0; | |
236 | } | |
237 | ||
238 | int MGF1(unsigned char *mask, long len, const unsigned char *seed, | |
239 | long seedlen) | |
240 | { | |
241 | return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1()); | |
242 | } | |
79df9d62 | 243 | #endif |