2
0

rsa_oaep.c 8.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281
  1. /*
  2. * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
  10. /*
  11. * See Victor Shoup, "OAEP reconsidered," Nov. 2000, <URL:
  12. * http://www.shoup.net/papers/oaep.ps.Z> for problems with the security
  13. * proof for the original OAEP scheme, which EME-OAEP is based on. A new
  14. * proof can be found in E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern,
  15. * "RSA-OEAP is Still Alive!", Dec. 2000, <URL:
  16. * http://eprint.iacr.org/2000/061/>. The new proof has stronger requirements
  17. * for the underlying permutation: "partial-one-wayness" instead of
  18. * one-wayness. For the RSA function, this is an equivalent notion.
  19. */
  20. #include "internal/constant_time_locl.h"
  21. #include <stdio.h>
  22. #include "internal/cryptlib.h"
  23. #include <openssl/bn.h>
  24. #include <openssl/evp.h>
  25. #include <openssl/rand.h>
  26. #include <openssl/sha.h>
  27. #include "rsa_locl.h"
  28. int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
  29. const unsigned char *from, int flen,
  30. const unsigned char *param, int plen)
  31. {
  32. return RSA_padding_add_PKCS1_OAEP_mgf1(to, tlen, from, flen,
  33. param, plen, NULL, NULL);
  34. }
  35. int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
  36. const unsigned char *from, int flen,
  37. const unsigned char *param, int plen,
  38. const EVP_MD *md, const EVP_MD *mgf1md)
  39. {
  40. int i, emlen = tlen - 1;
  41. unsigned char *db, *seed;
  42. unsigned char *dbmask, seedmask[EVP_MAX_MD_SIZE];
  43. int mdlen;
  44. if (md == NULL)
  45. md = EVP_sha1();
  46. if (mgf1md == NULL)
  47. mgf1md = md;
  48. mdlen = EVP_MD_size(md);
  49. if (flen > emlen - 2 * mdlen - 1) {
  50. RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,
  51. RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
  52. return 0;
  53. }
  54. if (emlen < 2 * mdlen + 1) {
  55. RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,
  56. RSA_R_KEY_SIZE_TOO_SMALL);
  57. return 0;
  58. }
  59. to[0] = 0;
  60. seed = to + 1;
  61. db = to + mdlen + 1;
  62. if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL))
  63. return 0;
  64. memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);
  65. db[emlen - flen - mdlen - 1] = 0x01;
  66. memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
  67. if (RAND_bytes(seed, mdlen) <= 0)
  68. return 0;
  69. dbmask = OPENSSL_malloc(emlen - mdlen);
  70. if (dbmask == NULL) {
  71. RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
  72. return 0;
  73. }
  74. if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0)
  75. goto err;
  76. for (i = 0; i < emlen - mdlen; i++)
  77. db[i] ^= dbmask[i];
  78. if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0)
  79. goto err;
  80. for (i = 0; i < mdlen; i++)
  81. seed[i] ^= seedmask[i];
  82. OPENSSL_free(dbmask);
  83. return 1;
  84. err:
  85. OPENSSL_free(dbmask);
  86. return 0;
  87. }
  88. int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
  89. const unsigned char *from, int flen, int num,
  90. const unsigned char *param, int plen)
  91. {
  92. return RSA_padding_check_PKCS1_OAEP_mgf1(to, tlen, from, flen, num,
  93. param, plen, NULL, NULL);
  94. }
  95. int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
  96. const unsigned char *from, int flen,
  97. int num, const unsigned char *param,
  98. int plen, const EVP_MD *md,
  99. const EVP_MD *mgf1md)
  100. {
  101. int i, dblen = 0, mlen = -1, one_index = 0, msg_index;
  102. unsigned int good, found_one_byte;
  103. const unsigned char *maskedseed, *maskeddb;
  104. /*
  105. * |em| is the encoded message, zero-padded to exactly |num| bytes: em =
  106. * Y || maskedSeed || maskedDB
  107. */
  108. unsigned char *db = NULL, *em = NULL, seed[EVP_MAX_MD_SIZE],
  109. phash[EVP_MAX_MD_SIZE];
  110. int mdlen;
  111. if (md == NULL)
  112. md = EVP_sha1();
  113. if (mgf1md == NULL)
  114. mgf1md = md;
  115. mdlen = EVP_MD_size(md);
  116. if (tlen <= 0 || flen <= 0)
  117. return -1;
  118. /*
  119. * |num| is the length of the modulus; |flen| is the length of the
  120. * encoded message. Therefore, for any |from| that was obtained by
  121. * decrypting a ciphertext, we must have |flen| <= |num|. Similarly,
  122. * num < 2 * mdlen + 2 must hold for the modulus irrespective of
  123. * the ciphertext, see PKCS #1 v2.2, section 7.1.2.
  124. * This does not leak any side-channel information.
  125. */
  126. if (num < flen || num < 2 * mdlen + 2)
  127. goto decoding_err;
  128. dblen = num - mdlen - 1;
  129. db = OPENSSL_malloc(dblen);
  130. em = OPENSSL_malloc(num);
  131. if (db == NULL || em == NULL) {
  132. RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
  133. goto cleanup;
  134. }
  135. /*
  136. * Always do this zero-padding copy (even when num == flen) to avoid
  137. * leaking that information. The copy still leaks some side-channel
  138. * information, but it's impossible to have a fixed memory access
  139. * pattern since we can't read out of the bounds of |from|.
  140. *
  141. * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL.
  142. */
  143. memset(em, 0, num);
  144. memcpy(em + num - flen, from, flen);
  145. /*
  146. * The first byte must be zero, however we must not leak if this is
  147. * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
  148. * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
  149. */
  150. good = constant_time_is_zero(em[0]);
  151. maskedseed = em + 1;
  152. maskeddb = em + 1 + mdlen;
  153. if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
  154. goto cleanup;
  155. for (i = 0; i < mdlen; i++)
  156. seed[i] ^= maskedseed[i];
  157. if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md))
  158. goto cleanup;
  159. for (i = 0; i < dblen; i++)
  160. db[i] ^= maskeddb[i];
  161. if (!EVP_Digest((void *)param, plen, phash, NULL, md, NULL))
  162. goto cleanup;
  163. good &= constant_time_is_zero(CRYPTO_memcmp(db, phash, mdlen));
  164. found_one_byte = 0;
  165. for (i = mdlen; i < dblen; i++) {
  166. /*
  167. * Padding consists of a number of 0-bytes, followed by a 1.
  168. */
  169. unsigned int equals1 = constant_time_eq(db[i], 1);
  170. unsigned int equals0 = constant_time_is_zero(db[i]);
  171. one_index = constant_time_select_int(~found_one_byte & equals1,
  172. i, one_index);
  173. found_one_byte |= equals1;
  174. good &= (found_one_byte | equals0);
  175. }
  176. good &= found_one_byte;
  177. /*
  178. * At this point |good| is zero unless the plaintext was valid,
  179. * so plaintext-awareness ensures timing side-channels are no longer a
  180. * concern.
  181. */
  182. if (!good)
  183. goto decoding_err;
  184. msg_index = one_index + 1;
  185. mlen = dblen - msg_index;
  186. if (tlen < mlen) {
  187. RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_DATA_TOO_LARGE);
  188. mlen = -1;
  189. } else {
  190. memcpy(to, db + msg_index, mlen);
  191. goto cleanup;
  192. }
  193. decoding_err:
  194. /*
  195. * To avoid chosen ciphertext attacks, the error message should not
  196. * reveal which kind of decoding error happened.
  197. */
  198. RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
  199. RSA_R_OAEP_DECODING_ERROR);
  200. cleanup:
  201. OPENSSL_clear_free(db, dblen);
  202. OPENSSL_clear_free(em, num);
  203. return mlen;
  204. }
  205. int PKCS1_MGF1(unsigned char *mask, long len,
  206. const unsigned char *seed, long seedlen, const EVP_MD *dgst)
  207. {
  208. long i, outlen = 0;
  209. unsigned char cnt[4];
  210. EVP_MD_CTX *c = EVP_MD_CTX_new();
  211. unsigned char md[EVP_MAX_MD_SIZE];
  212. int mdlen;
  213. int rv = -1;
  214. if (c == NULL)
  215. goto err;
  216. mdlen = EVP_MD_size(dgst);
  217. if (mdlen < 0)
  218. goto err;
  219. for (i = 0; outlen < len; i++) {
  220. cnt[0] = (unsigned char)((i >> 24) & 255);
  221. cnt[1] = (unsigned char)((i >> 16) & 255);
  222. cnt[2] = (unsigned char)((i >> 8)) & 255;
  223. cnt[3] = (unsigned char)(i & 255);
  224. if (!EVP_DigestInit_ex(c, dgst, NULL)
  225. || !EVP_DigestUpdate(c, seed, seedlen)
  226. || !EVP_DigestUpdate(c, cnt, 4))
  227. goto err;
  228. if (outlen + mdlen <= len) {
  229. if (!EVP_DigestFinal_ex(c, mask + outlen, NULL))
  230. goto err;
  231. outlen += mdlen;
  232. } else {
  233. if (!EVP_DigestFinal_ex(c, md, NULL))
  234. goto err;
  235. memcpy(mask + outlen, md, len - outlen);
  236. outlen = len;
  237. }
  238. }
  239. rv = 0;
  240. err:
  241. EVP_MD_CTX_free(c);
  242. return rv;
  243. }