Sākums Izpētīt Palīdzība
Pierakstīties
OWEALs
/
openssl
spogulis no git://git.openssl.org/openssl.git
2
0
Atdalīts 0
Faili Problēmas 1 Vikivietne
Koks: fe9a5107be
Atzari Tagi
openssl
/
crypto
/
rsa
/
rsa_oaep.c

rsa_oaep.c 6.2 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237 
  1. /* crypto/rsa/rsa_oaep.c */
    2. 

  2. /* Written by Ulf Moeller. This software is distributed on an "AS IS"
    3. 

  3.    basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
    4. 

  4. 

  5. /* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
    6. 

  6. 

  7. /* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
    8. 

  8.  * <URL: http://www.shoup.net/papers/oaep.ps.Z>
    9. 

  9.  * for problems with the security proof for the
    10. 

  10.  * original OAEP scheme, which EME-OAEP is based on.
    11. 

  11.  * 
    12. 

  12.  * A new proof can be found in E. Fujisaki, T. Okamoto,
    13. 

  13.  * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
    14. 

  14.  * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
    15. 

  15.  * The new proof has stronger requirements for the
    16. 

  16.  * underlying permutation: "partial-one-wayness" instead
    17. 

  17.  * of one-wayness.  For the RSA function, this is
    18. 

  18.  * an equivalent notion.
    19. 

  19.  */
    20. 

  20. 

  21. #define OPENSSL_FIPSAPI
    22. 

  22. 

  23. 

  24. #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
    25. 

  25. #include <stdio.h>
    26. 

  26. #include "cryptlib.h"
    27. 

  27. #include <openssl/bn.h>
    28. 

  28. #include <openssl/rsa.h>
    29. 

  29. #include <openssl/evp.h>
    30. 

  30. #include <openssl/rand.h>
    31. 

  31. #include <openssl/sha.h>
    32. 

  32. 

  33. static int MGF1(unsigned char *mask, long len,
    34. 

  34. 	const unsigned char *seed, long seedlen);
    35. 

  35. 

  36. int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
    37. 

  37. 	const unsigned char *from, int flen,
    38. 

  38. 	const unsigned char *param, int plen)
    39. 

  39. 	{
    40. 

  40. 	int i, emlen = tlen - 1;
    41. 

  41. 	unsigned char *db, *seed;
    42. 

  42. 	unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
    43. 

  43. 

  44. 	if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
    45. 

  45. 		{
    46. 

  46. 		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
    47. 

  47. 		   RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
    48. 

  48. 		return 0;
    49. 

  49. 		}
    50. 

  50. 

  51. 	if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
    52. 

  52. 		{
    53. 

  53. 		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
    54. 

  54. 		return 0;
    55. 

  55. 		}
    56. 

  56. 

  57. 	to[0] = 0;
    58. 

  58. 	seed = to + 1;
    59. 

  59. 	db = to + SHA_DIGEST_LENGTH + 1;
    60. 

  60. 

  61. 	if (!EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL))
    62. 

  62. 		return 0;
    63. 

  63. 	memset(db + SHA_DIGEST_LENGTH, 0,
    64. 

  64. 		emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
    65. 

  65. 	db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
    66. 

  66. 	memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
    67. 

  67. 	if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
    68. 

  68. 		return 0;
    69. 

  69. #ifdef PKCS_TESTVECT
    70. 

  70. 	memcpy(seed,
    71. 

  71. 	   "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
    72. 

  72. 	   20);
    73. 

  73. #endif
    74. 

  74. 

  75. 	dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
    76. 

  76. 	if (dbmask == NULL)
    77. 

  77. 		{
    78. 

  78. 		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
    79. 

  79. 		return 0;
    80. 

  80. 		}
    81. 

  81. 

  82. 	if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH) < 0)
    83. 

  83. 		return 0;
    84. 

  84. 	for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
    85. 

  85. 		db[i] ^= dbmask[i];
    86. 

  86. 

  87. 	if (MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH) < 0)
    88. 

  88. 		return 0;
    89. 

  89. 	for (i = 0; i < SHA_DIGEST_LENGTH; i++)
    90. 

  90. 		seed[i] ^= seedmask[i];
    91. 

  91. 

  92. 	OPENSSL_free(dbmask);
    93. 

  93. 	return 1;
    94. 

  94. 	}
    95. 

  95. 

  96. int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
    97. 

  97. 	const unsigned char *from, int flen, int num,
    98. 

  98. 	const unsigned char *param, int plen)
    99. 

  99. 	{
    100. 

  100. 	int i, dblen, mlen = -1;
    101. 

  101. 	const unsigned char *maskeddb;
    102. 

  102. 	int lzero;
    103. 

  103. 	unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
    104. 

  104. 	unsigned char *padded_from;
    105. 

  105. 	int bad = 0;
    106. 

  106. 

  107. 	if (--num < 2 * SHA_DIGEST_LENGTH + 1)
    108. 

  108. 		/* 'num' is the length of the modulus, i.e. does not depend on the
    109. 

  109. 		 * particular ciphertext. */
    110. 

  110. 		goto decoding_err;
    111. 

  111. 

  112. 	lzero = num - flen;
    113. 

  113. 	if (lzero < 0)
    114. 

  114. 		{
    115. 

  115. 		/* signalling this error immediately after detection might allow
    116. 

  116. 		 * for side-channel attacks (e.g. timing if 'plen' is huge
    117. 

  117. 		 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
    118. 

  118. 		 * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
    119. 

  119. 		 * so we use a 'bad' flag */
    120. 

  120. 		bad = 1;
    121. 

  121. 		lzero = 0;
    122. 

  122. 		flen = num; /* don't overflow the memcpy to padded_from */
    123. 

  123. 		}
    124. 

  124. 

  125. 	dblen = num - SHA_DIGEST_LENGTH;
    126. 

  126. 	db = OPENSSL_malloc(dblen + num);
    127. 

  127. 	if (db == NULL)
    128. 

  128. 		{
    129. 

  129. 		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
    130. 

  130. 		return -1;
    131. 

  131. 		}
    132. 

  132. 

  133. 	/* Always do this zero-padding copy (even when lzero == 0)
    134. 

  134. 	 * to avoid leaking timing info about the value of lzero. */
    135. 

  135. 	padded_from = db + dblen;
    136. 

  136. 	memset(padded_from, 0, lzero);
    137. 

  137. 	memcpy(padded_from + lzero, from, flen);
    138. 

  138. 

  139. 	maskeddb = padded_from + SHA_DIGEST_LENGTH;
    140. 

  140. 

  141. 	if (MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen))
    142. 

  142. 		return -1;
    143. 

  143. 	for (i = 0; i < SHA_DIGEST_LENGTH; i++)
    144. 

  144. 		seed[i] ^= padded_from[i];
    145. 

  145.   
    146. 

  146. 	if (MGF1(db, dblen, seed, SHA_DIGEST_LENGTH))
    147. 

  147. 		return -1;
    148. 

  148. 	for (i = 0; i < dblen; i++)
    149. 

  149. 		db[i] ^= maskeddb[i];
    150. 

  150. 

  151. 	if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL))
    152. 

  152. 		return -1;
    153. 

  153. 

  154. 	if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
    155. 

  155. 		goto decoding_err;
    156. 

  156. 	else
    157. 

  157. 		{
    158. 

  158. 		for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
    159. 

  159. 			if (db[i] != 0x00)
    160. 

  160. 				break;
    161. 

  161. 		if (i == dblen || db[i] != 0x01)
    162. 

  162. 			goto decoding_err;
    163. 

  163. 		else
    164. 

  164. 			{
    165. 

  165. 			/* everything looks OK */
    166. 

  166. 

  167. 			mlen = dblen - ++i;
    168. 

  168. 			if (tlen < mlen)
    169. 

  169. 				{
    170. 

  170. 				RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
    171. 

  171. 				mlen = -1;
    172. 

  172. 				}
    173. 

  173. 			else
    174. 

  174. 				memcpy(to, db + i, mlen);
    175. 

  175. 			}
    176. 

  176. 		}
    177. 

  177. 	OPENSSL_free(db);
    178. 

  178. 	return mlen;
    179. 

  179. 

  180. decoding_err:
    181. 

  181. 	/* to avoid chosen ciphertext attacks, the error message should not reveal
    182. 

  182. 	 * which kind of decoding error happened */
    183. 

  183. 	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
    184. 

  184. 	if (db != NULL) OPENSSL_free(db);
    185. 

  185. 	return -1;
    186. 

  186. 	}
    187. 

  187. 

  188. int PKCS1_MGF1(unsigned char *mask, long len,
    189. 

  189. 	const unsigned char *seed, long seedlen, const EVP_MD *dgst)
    190. 

  190. 	{
    191. 

  191. 	long i, outlen = 0;
    192. 

  192. 	unsigned char cnt[4];
    193. 

  193. 	EVP_MD_CTX c;
    194. 

  194. 	unsigned char md[EVP_MAX_MD_SIZE];
    195. 

  195. 	int mdlen;
    196. 

  196. 	int rv = -1;
    197. 

  197. 

  198. 	EVP_MD_CTX_init(&c);
    199. 

  199. 	mdlen = M_EVP_MD_size(dgst);
    200. 

  200. 	if (mdlen < 0)
    201. 

  201. 		goto err;
    202. 

  202. 	for (i = 0; outlen < len; i++)
    203. 

  203. 		{
    204. 

  204. 		cnt[0] = (unsigned char)((i >> 24) & 255);
    205. 

  205. 		cnt[1] = (unsigned char)((i >> 16) & 255);
    206. 

  206. 		cnt[2] = (unsigned char)((i >> 8)) & 255;
    207. 

  207. 		cnt[3] = (unsigned char)(i & 255);
    208. 

  208. 		if (!EVP_DigestInit_ex(&c,dgst, NULL)
    209. 

  209. 			|| !EVP_DigestUpdate(&c, seed, seedlen)
    210. 

  210. 			|| !EVP_DigestUpdate(&c, cnt, 4))
    211. 

  211. 			goto err;
    212. 

  212. 		if (outlen + mdlen <= len)
    213. 

  213. 			{
    214. 

  214. 			if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL))
    215. 

  215. 				goto err;
    216. 

  216. 			outlen += mdlen;
    217. 

  217. 			}
    218. 

  218. 		else
    219. 

  219. 			{
    220. 

  220. 			if (!EVP_DigestFinal_ex(&c, md, NULL))
    221. 

  221. 				goto err;
    222. 

  222. 			memcpy(mask + outlen, md, len - outlen);
    223. 

  223. 			outlen = len;
    224. 

  224. 			}
    225. 

  225. 		}
    226. 

  226. 	rv = 0;
    227. 

  227. 	err:
    228. 

  228. 	EVP_MD_CTX_cleanup(&c);
    229. 

  229. 	return rv;
    230. 

  230. 	}
    231. 

  231. 

  232. static int MGF1(unsigned char *mask, long len, const unsigned char *seed,
    233. 

  233. 		 long seedlen)
    234. 

  234. 	{
    235. 

  235. 	return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
    236. 

  236. 	}
    237. 

  237. #endif
    238.