leviathan
/
openssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
A local copy of OpenSSL from GitHub
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16747 Commits
1 Branch
199 MiB
Tree: e33826f01b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e33826f01b'
${ noResults }
openssl/crypto/rsa/rsa_pk1.c

245 lines
6.5 KiB
Raw Normal View History

Copyright consolidation 08/10 Reviewed-by: Richard Levitte <levitte@openssl.org>
6 years ago
Import of old SSLeay release: SSLeay 0.9.0b
24 years ago
Copyright consolidation 08/10 Reviewed-by: Richard Levitte <levitte@openssl.org>
6 years ago
Import of old SSLeay release: SSLeay 0.9.0b
24 years ago
Identify and move OpenSSL internal header files There are header files in crypto/ that are used by the rest of OpenSSL. Move those to include/internal and adapt the affected source code, Makefiles and scripts. The header files that got moved are: crypto/constant_time_locl.h crypto/o_dir.h crypto/o_str.h Reviewed-by: Matt Caswell <matt@openssl.org>
7 years ago
RT3066: rewrite RSA padding checks to be slightly more constant time. Also tweak s3_cbc.c to use new constant-time methods. Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1 This patch is based on the original RT submission by Adam Langley <agl@chromium.org>, as well as code from BoringSSL and OpenSSL. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years ago
Import of old SSLeay release: SSLeay 0.9.0b
24 years ago
Identify and move common internal libcrypto header files There are header files in crypto/ that are used by a number of crypto/ submodules. Move those to crypto/include/internal and adapt the affected source code and Makefiles. The header files that got moved are: crypto/cryptolib.h crypto/md32_common.h Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Change #include filenames from <foo.h> to <openssl.h>. Submitted by: Reviewed by: PR:
24 years ago
Import of old SSLeay release: SSLeay 0.9.0b
24 years ago
Change functions to ANSI C.
24 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Import of old SSLeay release: SSLeay 0.9.0b
24 years ago
Change functions to ANSI C.
24 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
RT4148 Accept leading 0-byte in PKCS1 type 1 padding. Internally, the byte is stripped by BN_bn2bin but external callers may have other expectations. Reviewed-by: Kurt Roeckx<kurt@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Import of old SSLeay release: SSLeay 0.9.0b
24 years ago
Change functions to ANSI C.
24 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Import of old SSLeay release: SSLeay 0.9.0b
24 years ago
Change functions to ANSI C.
24 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Add and use OPENSSL_zalloc There are many places (nearly 50) where we malloc and then memset. Add an OPENSSL_zalloc routine to encapsulate that. (Missed one conversion; thanks Richard) Also fixes GH328 Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
free null cleanup finale Don't check for NULL before calling OPENSSL_free Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
 
  1. /*

  2.  * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
  3.  *
  4.  * Licensed under the OpenSSL license (the "License").  You may not use
  5.  * this file except in compliance with the License.  You can obtain a copy
  6.  * in the file LICENSE in the source distribution or at
  7.  * https://www.openssl.org/source/license.html

  8.  */
  9. 

  10. #include "internal/constant_time_locl.h"

  11. 

  12. #include <stdio.h>

  13. #include "internal/cryptlib.h"

  14. #include <openssl/bn.h>

  15. #include <openssl/rsa.h>

  16. #include <openssl/rand.h>

  17. 

  18. int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
  19.                                  const unsigned char *from, int flen)
  20. {
  21.     int j;
  22.     unsigned char *p;
  23. 

  24.     if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) {
  25.         RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,
  26.                RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
  27.         return (0);
  28.     }
  29. 

  30.     p = (unsigned char *)to;
  31. 

  32.     *(p++) = 0;
  33.     *(p++) = 1;                 /* Private Key BT (Block Type) */
  34. 

  35.     /* pad out with 0xff data */
  36.     j = tlen - 3 - flen;
  37.     memset(p, 0xff, j);
  38.     p += j;
  39.     *(p++) = '\0';
  40.     memcpy(p, from, (unsigned int)flen);
  41.     return (1);
  42. }
  43. 

  44. int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
  45.                                    const unsigned char *from, int flen,
  46.                                    int num)
  47. {
  48.     int i, j;
  49.     const unsigned char *p;
  50. 

  51.     p = from;
  52. 

  53.     /*

  54.      * The format is
  55.      * 00 || 01 || PS || 00 || D
  56.      * PS - padding string, at least 8 bytes of FF
  57.      * D  - data.
  58.      */
  59. 

  60.     if (num < 11)
  61.         return -1;
  62. 

  63.     /* Accept inputs with and without the leading 0-byte. */
  64.     if (num == flen) {
  65.         if ((*p++) != 0x00) {
  66.             RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
  67.                    RSA_R_INVALID_PADDING);
  68.             return -1;
  69.         }
  70.         flen--;
  71.     }
  72. 

  73.     if ((num != (flen + 1)) || (*(p++) != 0x01)) {
  74.         RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
  75.                RSA_R_BLOCK_TYPE_IS_NOT_01);
  76.         return (-1);
  77.     }
  78. 

  79.     /* scan over padding data */
  80.     j = flen - 1;               /* one for type. */
  81.     for (i = 0; i < j; i++) {
  82.         if (*p != 0xff) {       /* should decrypt to 0xff */
  83.             if (*p == 0) {
  84.                 p++;
  85.                 break;
  86.             } else {
  87.                 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
  88.                        RSA_R_BAD_FIXED_HEADER_DECRYPT);
  89.                 return (-1);
  90.             }
  91.         }
  92.         p++;
  93.     }
  94. 

  95.     if (i == j) {
  96.         RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
  97.                RSA_R_NULL_BEFORE_BLOCK_MISSING);
  98.         return (-1);
  99.     }
  100. 

  101.     if (i < 8) {
  102.         RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
  103.                RSA_R_BAD_PAD_BYTE_COUNT);
  104.         return (-1);
  105.     }
  106.     i++;                        /* Skip over the '\0' */
  107.     j -= i;
  108.     if (j > tlen) {
  109.         RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, RSA_R_DATA_TOO_LARGE);
  110.         return (-1);
  111.     }
  112.     memcpy(to, p, (unsigned int)j);
  113. 

  114.     return (j);
  115. }
  116. 

  117. int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
  118.                                  const unsigned char *from, int flen)
  119. {
  120.     int i, j;
  121.     unsigned char *p;
  122. 

  123.     if (flen > (tlen - 11)) {
  124.         RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,
  125.                RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
  126.         return (0);
  127.     }
  128. 

  129.     p = (unsigned char *)to;
  130. 

  131.     *(p++) = 0;
  132.     *(p++) = 2;                 /* Public Key BT (Block Type) */
  133. 

  134.     /* pad out with non-zero random data */
  135.     j = tlen - 3 - flen;
  136. 

  137.     if (RAND_bytes(p, j) <= 0)
  138.         return (0);
  139.     for (i = 0; i < j; i++) {
  140.         if (*p == '\0')
  141.             do {
  142.                 if (RAND_bytes(p, 1) <= 0)
  143.                     return (0);
  144.             } while (*p == '\0');
  145.         p++;
  146.     }
  147. 

  148.     *(p++) = '\0';
  149. 

  150.     memcpy(p, from, (unsigned int)flen);
  151.     return (1);
  152. }
  153. 

  154. int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
  155.                                    const unsigned char *from, int flen,
  156.                                    int num)
  157. {
  158.     int i;
  159.     /* |em| is the encoded message, zero-padded to exactly |num| bytes */
  160.     unsigned char *em = NULL;
  161.     unsigned int good, found_zero_byte;
  162.     int zero_index = 0, msg_index, mlen = -1;
  163. 

  164.     if (tlen < 0 || flen < 0)
  165.         return -1;
  166. 

  167.     /*

  168.      * PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography Standard",
  169.      * section 7.2.2.
  170.      */
  171. 

  172.     if (flen > num)
  173.         goto err;
  174. 

  175.     if (num < 11)
  176.         goto err;
  177. 

  178.     em = OPENSSL_zalloc(num);
  179.     if (em == NULL) {
  180.         RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
  181.         return -1;
  182.     }
  183.     /*

  184.      * Always do this zero-padding copy (even when num == flen) to avoid
  185.      * leaking that information. The copy still leaks some side-channel
  186.      * information, but it's impossible to have a fixed  memory access
  187.      * pattern since we can't read out of the bounds of |from|.
  188.      *
  189.      * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL.
  190.      */
  191.     memcpy(em + num - flen, from, flen);
  192. 

  193.     good = constant_time_is_zero(em[0]);
  194.     good &= constant_time_eq(em[1], 2);
  195. 

  196.     found_zero_byte = 0;
  197.     for (i = 2; i < num; i++) {
  198.         unsigned int equals0 = constant_time_is_zero(em[i]);
  199.         zero_index =
  200.             constant_time_select_int(~found_zero_byte & equals0, i,
  201.                                      zero_index);
  202.         found_zero_byte |= equals0;
  203.     }
  204. 

  205.     /*

  206.      * PS must be at least 8 bytes long, and it starts two bytes into |em|.
  207.      * If we never found a 0-byte, then |zero_index| is 0 and the check
  208.      * also fails.
  209.      */
  210.     good &= constant_time_ge((unsigned int)(zero_index), 2 + 8);
  211. 

  212.     /*

  213.      * Skip the zero byte. This is incorrect if we never found a zero-byte
  214.      * but in this case we also do not copy the message out.
  215.      */
  216.     msg_index = zero_index + 1;
  217.     mlen = num - msg_index;
  218. 

  219.     /*

  220.      * For good measure, do this check in constant time as well; it could
  221.      * leak something if |tlen| was assuming valid padding.
  222.      */
  223.     good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen));
  224. 

  225.     /*

  226.      * We can't continue in constant-time because we need to copy the result
  227.      * and we cannot fake its length. This unavoidably leaks timing
  228.      * information at the API boundary.
  229.      * TODO(emilia): this could be addressed at the call site,
  230.      * see BoringSSL commit 0aa0767340baf925bda4804882aab0cb974b2d26.
  231.      */
  232.     if (!good) {
  233.         mlen = -1;
  234.         goto err;
  235.     }
  236. 

  237.     memcpy(to, em + msg_index, mlen);
  238. 

  239.  err:
  240.     OPENSSL_free(em);
  241.     if (mlen == -1)
  242.         RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
  243.                RSA_R_PKCS_DECODING_ERROR);
  244.     return mlen;
  245. }