kris
/
boringssl
1
0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 0 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1437 Commits
12 Branches
38 MiB
Tree: bd15a8e748
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van 'bd15a8e748'
${ noResults }
boringssl/crypto/rsa/padding.c

padding.c 21 KiB
Ruw Normale weergave Geschiedenis

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Don't compare signed vs. unsigned. This resolves a pile of MSVC warnings in Chromium. Change-Id: Ib9a29cb88d8ed8ec4118d153260f775be059a803 Reviewed-on: https://boringssl-review.googlesource.com/1865 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Remove string.h from base.h. Including string.h in base.h causes any file that includes a BoringSSL header to include string.h. Generally this wouldn't be a problem, although string.h might slow down the compile if it wasn't otherwise needed. However, it also causes problems for ipsec-tools in Android because OpenSSL didn't have this behaviour. This change removes string.h from base.h and, instead, adds it to each .c file that requires it. Change-Id: I5968e50b0e230fd3adf9b72dd2836e6f52d6fb37 Reviewed-on: https://boringssl-review.googlesource.com/3200 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Don't compare signed vs. unsigned. This resolves a pile of MSVC warnings in Chromium. Change-Id: Ib9a29cb88d8ed8ec4118d153260f775be059a803 Reviewed-on: https://boringssl-review.googlesource.com/1865 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix limit checks in RSA padding functions. More signed/unsigned issues, and some other missing checks. Change-Id: Ib64429a609ca2d64b74a4744092aac67ad0af4e5 Reviewed-on: https://boringssl-review.googlesource.com/1252 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix limit checks in RSA padding functions. More signed/unsigned issues, and some other missing checks. Change-Id: Ib64429a609ca2d64b74a4744092aac67ad0af4e5 Reviewed-on: https://boringssl-review.googlesource.com/1252 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix limit checks in RSA padding functions. More signed/unsigned issues, and some other missing checks. Change-Id: Ib64429a609ca2d64b74a4744092aac67ad0af4e5 Reviewed-on: https://boringssl-review.googlesource.com/1252 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix limit checks in RSA padding functions. More signed/unsigned issues, and some other missing checks. Change-Id: Ib64429a609ca2d64b74a4744092aac67ad0af4e5 Reviewed-on: https://boringssl-review.googlesource.com/1252 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix limit checks in RSA padding functions. More signed/unsigned issues, and some other missing checks. Change-Id: Ib64429a609ca2d64b74a4744092aac67ad0af4e5 Reviewed-on: https://boringssl-review.googlesource.com/1252 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Consistently use RAND_bytes and check for failure. RAND_pseudo_bytes just calls RAND_bytes now and only returns 0 or 1. Switch all callers within the library call the new one and use the simpler failure check. This fixes a few error checks that no longer work (< 0) and some missing ones. Change-Id: Id51c79deec80075949f73fa1fbd7b76aac5570c6 Reviewed-on: https://boringssl-review.googlesource.com/2621 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix limit checks in RSA padding functions. More signed/unsigned issues, and some other missing checks. Change-Id: Ib64429a609ca2d64b74a4744092aac67ad0af4e5 Reviewed-on: https://boringssl-review.googlesource.com/1252 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Consistently use RAND_bytes and check for failure. RAND_pseudo_bytes just calls RAND_bytes now and only returns 0 or 1. Switch all callers within the library call the new one and use the simpler failure check. This fixes a few error checks that no longer work (< 0) and some missing ones. Change-Id: Id51c79deec80075949f73fa1fbd7b76aac5570c6 Reviewed-on: https://boringssl-review.googlesource.com/2621 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Fix limit checks in RSA padding functions. More signed/unsigned issues, and some other missing checks. Change-Id: Ib64429a609ca2d64b74a4744092aac67ad0af4e5 Reviewed-on: https://boringssl-review.googlesource.com/1252 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Fix padding side-channels. This patch tweaks the OAEP padding check to be slightly more constant time and rewrites the PKCS#1 v1.5 padding check to the same end.
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Fix padding side-channels. This patch tweaks the OAEP padding check to be slightly more constant time and rewrites the PKCS#1 v1.5 padding check to the same end.
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Fix padding side-channels. This patch tweaks the OAEP padding check to be slightly more constant time and rewrites the PKCS#1 v1.5 padding check to the same end.
10 jaren geleden
Improve constant-time padding check in RSA key exchange. Although the PKCS#1 padding check is internally constant-time, it is not constant time at the crypto/ ssl/ API boundary. Expose a constant-time RSA_message_index_PKCS1_type_2 function and integrate it into the timing-sensitive portion of the RSA key exchange logic. Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3 Reviewed-on: https://boringssl-review.googlesource.com/1301 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Constant-time, RSA PMS processing. This change alters the processing of invalid, RSA pre-master secrets so that bad encryptions are treated like random session keys in constant time.
10 jaren geleden
Fix padding side-channels. This patch tweaks the OAEP padding check to be slightly more constant time and rewrites the PKCS#1 v1.5 padding check to the same end.
10 jaren geleden
Improve constant-time padding check in RSA key exchange. Although the PKCS#1 padding check is internally constant-time, it is not constant time at the crypto/ ssl/ API boundary. Expose a constant-time RSA_message_index_PKCS1_type_2 function and integrate it into the timing-sensitive portion of the RSA key exchange logic. Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3 Reviewed-on: https://boringssl-review.googlesource.com/1301 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix padding side-channels. This patch tweaks the OAEP padding check to be slightly more constant time and rewrites the PKCS#1 v1.5 padding check to the same end.
10 jaren geleden
Improve constant-time padding check in RSA key exchange. Although the PKCS#1 padding check is internally constant-time, it is not constant time at the crypto/ ssl/ API boundary. Expose a constant-time RSA_message_index_PKCS1_type_2 function and integrate it into the timing-sensitive portion of the RSA key exchange logic. Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3 Reviewed-on: https://boringssl-review.googlesource.com/1301 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Define the error case's output in RSA_message_index_PKCS1_type_2. The use in s3_srvr.c doesn't care (it doesn't even have to be in bounds), but it's good to have the value be initialized and not a function of the input. (The old uninitialized case wasn't hit in s3_srvr.c because of the earlier bounds check.) Change-Id: Ib6b418b3c140aa564f8a46da3d34bb2b69f06195 Reviewed-on: https://boringssl-review.googlesource.com/2845 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Improve constant-time padding check in RSA key exchange. Although the PKCS#1 padding check is internally constant-time, it is not constant time at the crypto/ ssl/ API boundary. Expose a constant-time RSA_message_index_PKCS1_type_2 function and integrate it into the timing-sensitive portion of the RSA key exchange logic. Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3 Reviewed-on: https://boringssl-review.googlesource.com/1301 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Fix padding side-channels. This patch tweaks the OAEP padding check to be slightly more constant time and rewrites the PKCS#1 v1.5 padding check to the same end.
10 jaren geleden
Improve constant-time padding check in RSA key exchange. Although the PKCS#1 padding check is internally constant-time, it is not constant time at the crypto/ ssl/ API boundary. Expose a constant-time RSA_message_index_PKCS1_type_2 function and integrate it into the timing-sensitive portion of the RSA key exchange logic. Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3 Reviewed-on: https://boringssl-review.googlesource.com/1301 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Fix padding side-channels. This patch tweaks the OAEP padding check to be slightly more constant time and rewrites the PKCS#1 v1.5 padding check to the same end.
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix padding side-channels. This patch tweaks the OAEP padding check to be slightly more constant time and rewrites the PKCS#1 v1.5 padding check to the same end.
10 jaren geleden
Improve constant-time padding check in RSA key exchange. Although the PKCS#1 padding check is internally constant-time, it is not constant time at the crypto/ ssl/ API boundary. Expose a constant-time RSA_message_index_PKCS1_type_2 function and integrate it into the timing-sensitive portion of the RSA key exchange logic. Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3 Reviewed-on: https://boringssl-review.googlesource.com/1301 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Improve constant-time padding check in RSA key exchange. Although the PKCS#1 padding check is internally constant-time, it is not constant time at the crypto/ ssl/ API boundary. Expose a constant-time RSA_message_index_PKCS1_type_2 function and integrate it into the timing-sensitive portion of the RSA key exchange logic. Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3 Reviewed-on: https://boringssl-review.googlesource.com/1301 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Fix padding side-channels. This patch tweaks the OAEP padding check to be slightly more constant time and rewrites the PKCS#1 v1.5 padding check to the same end.
10 jaren geleden
Define the error case's output in RSA_message_index_PKCS1_type_2. The use in s3_srvr.c doesn't care (it doesn't even have to be in bounds), but it's good to have the value be initialized and not a function of the input. (The old uninitialized case wasn't hit in s3_srvr.c because of the earlier bounds check.) Change-Id: Ib6b418b3c140aa564f8a46da3d34bb2b69f06195 Reviewed-on: https://boringssl-review.googlesource.com/2845 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Fix padding side-channels. This patch tweaks the OAEP padding check to be slightly more constant time and rewrites the PKCS#1 v1.5 padding check to the same end.
10 jaren geleden
Define the error case's output in RSA_message_index_PKCS1_type_2. The use in s3_srvr.c doesn't care (it doesn't even have to be in bounds), but it's good to have the value be initialized and not a function of the input. (The old uninitialized case wasn't hit in s3_srvr.c because of the earlier bounds check.) Change-Id: Ib6b418b3c140aa564f8a46da3d34bb2b69f06195 Reviewed-on: https://boringssl-review.googlesource.com/2845 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Improve constant-time padding check in RSA key exchange. Although the PKCS#1 padding check is internally constant-time, it is not constant time at the crypto/ ssl/ API boundary. Expose a constant-time RSA_message_index_PKCS1_type_2 function and integrate it into the timing-sensitive portion of the RSA key exchange logic. Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3 Reviewed-on: https://boringssl-review.googlesource.com/1301 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improve constant-time padding check in RSA key exchange. Although the PKCS#1 padding check is internally constant-time, it is not constant time at the crypto/ ssl/ API boundary. Expose a constant-time RSA_message_index_PKCS1_type_2 function and integrate it into the timing-sensitive portion of the RSA key exchange logic. Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3 Reviewed-on: https://boringssl-review.googlesource.com/1301 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Spell Bleichenbacher's name right. Change-Id: I2096f760165f7aaa9b5d922a2e6d4d755365087b Reviewed-on: https://boringssl-review.googlesource.com/1372 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Improve constant-time padding check in RSA key exchange. Although the PKCS#1 padding check is internally constant-time, it is not constant time at the crypto/ ssl/ API boundary. Expose a constant-time RSA_message_index_PKCS1_type_2 function and integrate it into the timing-sensitive portion of the RSA key exchange logic. Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3 Reviewed-on: https://boringssl-review.googlesource.com/1301 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Fix padding side-channels. This patch tweaks the OAEP padding check to be slightly more constant time and rewrites the PKCS#1 v1.5 padding check to the same end.
10 jaren geleden
Improve constant-time padding check in RSA key exchange. Although the PKCS#1 padding check is internally constant-time, it is not constant time at the crypto/ ssl/ API boundary. Expose a constant-time RSA_message_index_PKCS1_type_2 function and integrate it into the timing-sensitive portion of the RSA key exchange logic. Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3 Reviewed-on: https://boringssl-review.googlesource.com/1301 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Fix padding side-channels. This patch tweaks the OAEP padding check to be slightly more constant time and rewrites the PKCS#1 v1.5 padding check to the same end.
10 jaren geleden
Improve constant-time padding check in RSA key exchange. Although the PKCS#1 padding check is internally constant-time, it is not constant time at the crypto/ ssl/ API boundary. Expose a constant-time RSA_message_index_PKCS1_type_2 function and integrate it into the timing-sensitive portion of the RSA key exchange logic. Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3 Reviewed-on: https://boringssl-review.googlesource.com/1301 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Fix padding side-channels. This patch tweaks the OAEP padding check to be slightly more constant time and rewrites the PKCS#1 v1.5 padding check to the same end.
10 jaren geleden
Improve constant-time padding check in RSA key exchange. Although the PKCS#1 padding check is internally constant-time, it is not constant time at the crypto/ ssl/ API boundary. Expose a constant-time RSA_message_index_PKCS1_type_2 function and integrate it into the timing-sensitive portion of the RSA key exchange logic. Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3 Reviewed-on: https://boringssl-review.googlesource.com/1301 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix limit checks in RSA padding functions. More signed/unsigned issues, and some other missing checks. Change-Id: Ib64429a609ca2d64b74a4744092aac67ad0af4e5 Reviewed-on: https://boringssl-review.googlesource.com/1252 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix OAEP with non-SHA hash functions. Due to merging our patched 1.0.1 code with the 1.0.2 code, some parts of upstream's 25f93585a70fb05bb9f911884ab95e560f662a5d didn't make it into the code. https://code.google.com/p/chromium/issues/detail?id=397333 Change-Id: Iceb13e63a7ac91474fd39e7faad11fa52c56185d Reviewed-on: https://boringssl-review.googlesource.com/1310 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix limit checks in RSA padding functions. More signed/unsigned issues, and some other missing checks. Change-Id: Ib64429a609ca2d64b74a4744092aac67ad0af4e5 Reviewed-on: https://boringssl-review.googlesource.com/1252 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix OAEP with non-SHA hash functions. Due to merging our patched 1.0.1 code with the 1.0.2 code, some parts of upstream's 25f93585a70fb05bb9f911884ab95e560f662a5d didn't make it into the code. https://code.google.com/p/chromium/issues/detail?id=397333 Change-Id: Iceb13e63a7ac91474fd39e7faad11fa52c56185d Reviewed-on: https://boringssl-review.googlesource.com/1310 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Consistently use RAND_bytes and check for failure. RAND_pseudo_bytes just calls RAND_bytes now and only returns 0 or 1. Switch all callers within the library call the new one and use the simpler failure check. This fixes a few error checks that no longer work (< 0) and some missing ones. Change-Id: Id51c79deec80075949f73fa1fbd7b76aac5570c6 Reviewed-on: https://boringssl-review.googlesource.com/2621 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix OAEP with non-SHA hash functions. Due to merging our patched 1.0.1 code with the 1.0.2 code, some parts of upstream's 25f93585a70fb05bb9f911884ab95e560f662a5d didn't make it into the code. https://code.google.com/p/chromium/issues/detail?id=397333 Change-Id: Iceb13e63a7ac91474fd39e7faad11fa52c56185d Reviewed-on: https://boringssl-review.googlesource.com/1310 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Remove unnecessary NULL checks, part 4. Finish up crypto, minus the legacy modules we haven't been touching much. Change-Id: I0e9e1999a627aed5fb14841f8a2a7d0b68398e85 Reviewed-on: https://boringssl-review.googlesource.com/4517 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Fix OAEP with non-SHA hash functions. Due to merging our patched 1.0.1 code with the 1.0.2 code, some parts of upstream's 25f93585a70fb05bb9f911884ab95e560f662a5d didn't make it into the code. https://code.google.com/p/chromium/issues/detail?id=397333 Change-Id: Iceb13e63a7ac91474fd39e7faad11fa52c56185d Reviewed-on: https://boringssl-review.googlesource.com/1310 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix error-handling bugs. Caught by clang scan-build. Change-Id: I133d0338fe38172d687c02099d909366a59ee95b Reviewed-on: https://boringssl-review.googlesource.com/1343 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix error-handling bugs. Caught by clang scan-build. Change-Id: I133d0338fe38172d687c02099d909366a59ee95b Reviewed-on: https://boringssl-review.googlesource.com/1343 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix error-handling bugs. Caught by clang scan-build. Change-Id: I133d0338fe38172d687c02099d909366a59ee95b Reviewed-on: https://boringssl-review.googlesource.com/1343 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix error-handling bugs. Caught by clang scan-build. Change-Id: I133d0338fe38172d687c02099d909366a59ee95b Reviewed-on: https://boringssl-review.googlesource.com/1343 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix error-handling bugs. Caught by clang scan-build. Change-Id: I133d0338fe38172d687c02099d909366a59ee95b Reviewed-on: https://boringssl-review.googlesource.com/1343 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Remove unnecessary NULL checks, part 4. Finish up crypto, minus the legacy modules we haven't been touching much. Change-Id: I0e9e1999a627aed5fb14841f8a2a7d0b68398e85 Reviewed-on: https://boringssl-review.googlesource.com/4517 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Add in missing curly braces part 3. Everything else. Change-Id: Iac02b144465b4e7b6d69ea22ff2aaf52695ae732
9 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Add in missing curly braces part 3. Everything else. Change-Id: Iac02b144465b4e7b6d69ea22ff2aaf52695ae732
9 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Remove unnecessary NULL checks, part 4. Finish up crypto, minus the legacy modules we haven't been touching much. Change-Id: I0e9e1999a627aed5fb14841f8a2a7d0b68398e85 Reviewed-on: https://boringssl-review.googlesource.com/4517 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Don't compare signed vs. unsigned. This resolves a pile of MSVC warnings in Chromium. Change-Id: Ib9a29cb88d8ed8ec4118d153260f775be059a803 Reviewed-on: https://boringssl-review.googlesource.com/1865 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix limit checks in RSA padding functions. More signed/unsigned issues, and some other missing checks. Change-Id: Ib64429a609ca2d64b74a4744092aac67ad0af4e5 Reviewed-on: https://boringssl-review.googlesource.com/1252 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Don't compare signed vs. unsigned. This resolves a pile of MSVC warnings in Chromium. Change-Id: Ib9a29cb88d8ed8ec4118d153260f775be059a803 Reviewed-on: https://boringssl-review.googlesource.com/1865 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix limit checks in RSA padding functions. More signed/unsigned issues, and some other missing checks. Change-Id: Ib64429a609ca2d64b74a4744092aac67ad0af4e5 Reviewed-on: https://boringssl-review.googlesource.com/1252 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix limit checks in RSA padding functions. More signed/unsigned issues, and some other missing checks. Change-Id: Ib64429a609ca2d64b74a4744092aac67ad0af4e5 Reviewed-on: https://boringssl-review.googlesource.com/1252 Reviewed-by: Adam Langley <agl@google.com>
10 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Consistently use RAND_bytes and check for failure. RAND_pseudo_bytes just calls RAND_bytes now and only returns 0 or 1. Switch all callers within the library call the new one and use the simpler failure check. This fixes a few error checks that no longer work (< 0) and some missing ones. Change-Id: Id51c79deec80075949f73fa1fbd7b76aac5570c6 Reviewed-on: https://boringssl-review.googlesource.com/2621 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Remove unnecessary NULL checks, part 4. Finish up crypto, minus the legacy modules we haven't been touching much. Change-Id: I0e9e1999a627aed5fb14841f8a2a7d0b68398e85 Reviewed-on: https://boringssl-review.googlesource.com/4517 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772 
  1. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

  2.  * project 2005.

  3.  */

  4. /* ====================================================================

  5.  * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.

  6.  *

  7.  * Redistribution and use in source and binary forms, with or without

  8.  * modification, are permitted provided that the following conditions

  9.  * are met:

  10.  *

  11.  * 1. Redistributions of source code must retain the above copyright

  12.  *    notice, this list of conditions and the following disclaimer.

  13.  *

  14.  * 2. Redistributions in binary form must reproduce the above copyright

  15.  *    notice, this list of conditions and the following disclaimer in

  16.  *    the documentation and/or other materials provided with the

  17.  *    distribution.

  18.  *

  19.  * 3. All advertising materials mentioning features or use of this

  20.  *    software must display the following acknowledgment:

  21.  *    "This product includes software developed by the OpenSSL Project

  22.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  23.  *

  24.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  25.  *    endorse or promote products derived from this software without

  26.  *    prior written permission. For written permission, please contact

  27.  *    licensing@OpenSSL.org.

  28.  *

  29.  * 5. Products derived from this software may not be called "OpenSSL"

  30.  *    nor may "OpenSSL" appear in their names without prior written

  31.  *    permission of the OpenSSL Project.

  32.  *

  33.  * 6. Redistributions of any form whatsoever must retain the following

  34.  *    acknowledgment:

  35.  *    "This product includes software developed by the OpenSSL Project

  36.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  37.  *

  38.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  39.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  40.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  41.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  42.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  43.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  44.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  45.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  46.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  47.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  48.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  49.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  50.  * ====================================================================

  51.  *

  52.  * This product includes cryptographic software written by Eric Young

  53.  * (eay@cryptsoft.com).  This product includes software written by Tim

  54.  * Hudson (tjh@cryptsoft.com). */

  55. 

  56. #include <openssl/rsa.h>

  57. 

  58. #include <assert.h>

  59. #include <string.h>

  60. 

  61. #include <openssl/digest.h>

  62. #include <openssl/err.h>

  63. #include <openssl/mem.h>

  64. #include <openssl/rand.h>

  65. #include <openssl/sha.h>

  66. 

  67. #include "internal.h"

  68. 

  69. /* TODO(fork): don't the check functions have to be constant time? */

  70. 

  71. int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned tlen,

  72.                                  const uint8_t *from, unsigned flen) {

  73.   unsigned j;

  74.   uint8_t *p;

  75. 

  76.   if (tlen < RSA_PKCS1_PADDING_SIZE) {

  77.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_1,

  78.                       RSA_R_KEY_SIZE_TOO_SMALL);

  79.     return 0;

  80.   }

  81. 

  82.   if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {

  83.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_1,

  84.                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  85.     return 0;

  86.   }

  87. 

  88.   p = (uint8_t *)to;

  89. 

  90.   *(p++) = 0;

  91.   *(p++) = 1; /* Private Key BT (Block Type) */

  92. 

  93.   /* pad out with 0xff data */

  94.   j = tlen - 3 - flen;

  95.   memset(p, 0xff, j);

  96.   p += j;

  97.   *(p++) = 0;

  98.   memcpy(p, from, (unsigned int)flen);

  99.   return 1;

  100. }

  101. 

  102. int RSA_padding_check_PKCS1_type_1(uint8_t *to, unsigned tlen,

  103.                                    const uint8_t *from, unsigned flen) {

  104.   unsigned i, j;

  105.   const uint8_t *p;

  106. 

  107.   if (flen < 2) {

  108.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,

  109.                       RSA_R_DATA_TOO_SMALL);

  110.     return -1;

  111.   }

  112. 

  113.   p = from;

  114.   if ((*(p++) != 0) || (*(p++) != 1)) {

  115.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,

  116.                       RSA_R_BLOCK_TYPE_IS_NOT_01);

  117.     return -1;

  118.   }

  119. 

  120.   /* scan over padding data */

  121.   j = flen - 2; /* one for leading 00, one for type. */

  122.   for (i = 0; i < j; i++) {

  123.     /* should decrypt to 0xff */

  124.     if (*p != 0xff) {

  125.       if (*p == 0) {

  126.         p++;

  127.         break;

  128.       } else {

  129.         OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,

  130.                           RSA_R_BAD_FIXED_HEADER_DECRYPT);

  131.         return -1;

  132.       }

  133.     }

  134.     p++;

  135.   }

  136. 

  137.   if (i == j) {

  138.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,

  139.                       RSA_R_NULL_BEFORE_BLOCK_MISSING);

  140.     return -1;

  141.   }

  142. 

  143.   if (i < 8) {

  144.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,

  145.                       RSA_R_BAD_PAD_BYTE_COUNT);

  146.     return -1;

  147.   }

  148.   i++; /* Skip over the '\0' */

  149.   j -= i;

  150.   if (j > tlen) {

  151.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_1,

  152.                       RSA_R_DATA_TOO_LARGE);

  153.     return -1;

  154.   }

  155.   memcpy(to, p, j);

  156. 

  157.   return j;

  158. }

  159. 

  160. int RSA_padding_add_PKCS1_type_2(uint8_t *to, unsigned tlen,

  161.                                  const uint8_t *from, unsigned flen) {

  162.   unsigned i, j;

  163.   uint8_t *p;

  164. 

  165.   if (tlen < RSA_PKCS1_PADDING_SIZE) {

  166.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_2,

  167.                       RSA_R_KEY_SIZE_TOO_SMALL);

  168.     return 0;

  169.   }

  170. 

  171.   if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {

  172.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_2,

  173.                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  174.     return 0;

  175.   }

  176. 

  177.   p = (unsigned char *)to;

  178. 

  179.   *(p++) = 0;

  180.   *(p++) = 2; /* Public Key BT (Block Type) */

  181. 

  182.   /* pad out with non-zero random data */

  183.   j = tlen - 3 - flen;

  184. 

  185.   if (!RAND_bytes(p, j)) {

  186.     return 0;

  187.   }

  188. 

  189.   for (i = 0; i < j; i++) {

  190.     while (*p == 0) {

  191.       if (!RAND_bytes(p, 1)) {

  192.         return 0;

  193.       }

  194.     }

  195.     p++;

  196.   }

  197. 

  198.   *(p++) = 0;

  199. 

  200.   memcpy(p, from, (unsigned int)flen);

  201.   return 1;

  202. }

  203. 

  204. /* constant_time_byte_eq returns 1 if |x| == |y| and 0 otherwise. */

  205. static int constant_time_byte_eq(unsigned char a, unsigned char b) {

  206.   unsigned char z = ~(a ^ b);

  207.   z &= z >> 4;

  208.   z &= z >> 2;

  209.   z &= z >> 1;

  210. 

  211.   return z;

  212. }

  213. 

  214. /* constant_time_select returns |x| if |v| is 1 and |y| if |v| is 0.

  215.  * Its behavior is undefined if |v| takes any other value. */

  216. static int constant_time_select(int v, int x, int y) {

  217.   return ((~(v - 1)) & x) | ((v - 1) & y);

  218. }

  219. 

  220. /* constant_time_le returns 1 if |x| <= |y| and 0 otherwise.

  221.  * |x| and |y| must be positive. */

  222. static int constant_time_le(int x, int y) {

  223.   return ((x - y - 1) >> (sizeof(int) * 8 - 1)) & 1;

  224. }

  225. 

  226. int RSA_message_index_PKCS1_type_2(const uint8_t *from, size_t from_len,

  227.                                    size_t *out_index) {

  228.   size_t i;

  229.   int first_byte_is_zero, second_byte_is_two, looking_for_index;

  230.   int valid_index, zero_index = 0;

  231. 

  232.   /* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography

  233.    * Standard", section 7.2.2. */

  234.   if (from_len < RSA_PKCS1_PADDING_SIZE) {

  235.     /* |from| is zero-padded to the size of the RSA modulus, a public value, so

  236.      * this can be rejected in non-constant time. */

  237.     *out_index = 0;

  238.     return 0;

  239.   }

  240. 

  241.   first_byte_is_zero = constant_time_byte_eq(from[0], 0);

  242.   second_byte_is_two = constant_time_byte_eq(from[1], 2);

  243. 

  244.   looking_for_index = 1;

  245.   for (i = 2; i < from_len; i++) {

  246.     int equals0 = constant_time_byte_eq(from[i], 0);

  247.     zero_index =

  248.         constant_time_select(looking_for_index & equals0, i, zero_index);

  249.     looking_for_index = constant_time_select(equals0, 0, looking_for_index);

  250.   }

  251. 

  252.   /* The input must begin with 00 02. */

  253.   valid_index = first_byte_is_zero;

  254.   valid_index &= second_byte_is_two;

  255. 

  256.   /* We must have found the end of PS. */

  257.   valid_index &= ~looking_for_index;

  258. 

  259.   /* PS must be at least 8 bytes long, and it starts two bytes into |from|. */

  260.   valid_index &= constant_time_le(2 + 8, zero_index);

  261. 

  262.   /* Skip the zero byte. */

  263.   zero_index++;

  264. 

  265.   *out_index = constant_time_select(valid_index, zero_index, 0);

  266.   return valid_index;

  267. }

  268. 

  269. int RSA_padding_check_PKCS1_type_2(uint8_t *to, unsigned tlen,

  270.                                    const uint8_t *from, unsigned flen) {

  271.   size_t msg_index, msg_len;

  272. 

  273.   if (flen == 0) {

  274.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_2,

  275.                       RSA_R_EMPTY_PUBLIC_KEY);

  276.     return -1;

  277.   }

  278. 

  279.   /* NOTE: Although |RSA_message_index_PKCS1_type_2| itself is constant time,

  280.    * the API contracts of this function and |RSA_decrypt| with

  281.    * |RSA_PKCS1_PADDING| make it impossible to completely avoid Bleichenbacher's

  282.    * attack. */

  283.   if (!RSA_message_index_PKCS1_type_2(from, flen, &msg_index)) {

  284.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_2,

  285.                       RSA_R_PKCS_DECODING_ERROR);

  286.     return -1;

  287.   }

  288. 

  289.   msg_len = flen - msg_index;

  290.   if (msg_len > tlen) {

  291.     /* This shouldn't happen because this function is always called with |tlen|

  292.      * the key size and |flen| is bounded by the key size. */

  293.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_type_2,

  294.                       RSA_R_PKCS_DECODING_ERROR);

  295.     return -1;

  296.   }

  297.   memcpy(to, &from[msg_index], msg_len);

  298.   return msg_len;

  299. }

  300. 

  301. int RSA_padding_add_none(uint8_t *to, unsigned tlen, const uint8_t *from, unsigned flen) {

  302.   if (flen > tlen) {

  303.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_none,

  304.                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  305.     return 0;

  306.   }

  307. 

  308.   if (flen < tlen) {

  309.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_none,

  310.                       RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);

  311.     return 0;

  312.   }

  313. 

  314.   memcpy(to, from, (unsigned int)flen);

  315.   return 1;

  316. }

  317. 

  318. int RSA_padding_check_none(uint8_t *to, unsigned tlen, const uint8_t *from,

  319.                            unsigned flen) {

  320.   if (flen > tlen) {

  321.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_none, RSA_R_DATA_TOO_LARGE);

  322.     return -1;

  323.   }

  324. 

  325.   memcpy(to, from, flen);

  326.   return flen;

  327. }

  328. 

  329. int PKCS1_MGF1(uint8_t *mask, unsigned len, const uint8_t *seed,

  330.                unsigned seedlen, const EVP_MD *dgst) {

  331.   unsigned outlen = 0;

  332.   uint32_t i;

  333.   uint8_t cnt[4];

  334.   EVP_MD_CTX c;

  335.   uint8_t md[EVP_MAX_MD_SIZE];

  336.   unsigned mdlen;

  337.   int ret = -1;

  338. 

  339.   EVP_MD_CTX_init(&c);

  340.   mdlen = EVP_MD_size(dgst);

  341. 

  342.   for (i = 0; outlen < len; i++) {

  343.     cnt[0] = (uint8_t)((i >> 24) & 255);

  344.     cnt[1] = (uint8_t)((i >> 16) & 255);

  345.     cnt[2] = (uint8_t)((i >> 8)) & 255;

  346.     cnt[3] = (uint8_t)(i & 255);

  347.     if (!EVP_DigestInit_ex(&c, dgst, NULL) ||

  348.         !EVP_DigestUpdate(&c, seed, seedlen) || !EVP_DigestUpdate(&c, cnt, 4)) {

  349.       goto err;

  350.     }

  351. 

  352.     if (outlen + mdlen <= len) {

  353.       if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL)) {

  354.         goto err;

  355.       }

  356.       outlen += mdlen;

  357.     } else {

  358.       if (!EVP_DigestFinal_ex(&c, md, NULL)) {

  359.         goto err;

  360.       }

  361.       memcpy(mask + outlen, md, len - outlen);

  362.       outlen = len;

  363.     }

  364.   }

  365.   ret = 0;

  366. 

  367. err:

  368.   EVP_MD_CTX_cleanup(&c);

  369.   return ret;

  370. }

  371. 

  372. int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, unsigned tlen,

  373.                                     const uint8_t *from, unsigned flen,

  374.                                     const uint8_t *param, unsigned plen,

  375.                                     const EVP_MD *md, const EVP_MD *mgf1md) {

  376.   unsigned i, emlen, mdlen;

  377.   uint8_t *db, *seed;

  378.   uint8_t *dbmask = NULL, seedmask[EVP_MAX_MD_SIZE];

  379.   int ret = 0;

  380. 

  381.   if (md == NULL) {

  382.     md = EVP_sha1();

  383.   }

  384.   if (mgf1md == NULL) {

  385.     mgf1md = md;

  386.   }

  387. 

  388.   mdlen = EVP_MD_size(md);

  389. 

  390.   if (tlen < 2 * mdlen + 2) {

  391.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,

  392.                       RSA_R_KEY_SIZE_TOO_SMALL);

  393.     return 0;

  394.   }

  395. 

  396.   emlen = tlen - 1;

  397.   if (flen > emlen - 2 * mdlen - 1) {

  398.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,

  399.                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  400.     return 0;

  401.   }

  402. 

  403.   if (emlen < 2 * mdlen + 1) {

  404.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,

  405.                       RSA_R_KEY_SIZE_TOO_SMALL);

  406.     return 0;

  407.   }

  408. 

  409.   to[0] = 0;

  410.   seed = to + 1;

  411.   db = to + mdlen + 1;

  412. 

  413.   if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL)) {

  414.     return 0;

  415.   }

  416.   memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);

  417.   db[emlen - flen - mdlen - 1] = 0x01;

  418.   memcpy(db + emlen - flen - mdlen, from, flen);

  419.   if (!RAND_bytes(seed, mdlen)) {

  420.     return 0;

  421.   }

  422. 

  423.   dbmask = OPENSSL_malloc(emlen - mdlen);

  424.   if (dbmask == NULL) {

  425.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_OAEP_mgf1,

  426.                       ERR_R_MALLOC_FAILURE);

  427.     return 0;

  428.   }

  429. 

  430.   if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0) {

  431.     goto out;

  432.   }

  433.   for (i = 0; i < emlen - mdlen; i++) {

  434.     db[i] ^= dbmask[i];

  435.   }

  436. 

  437.   if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0) {

  438.     goto out;

  439.   }

  440.   for (i = 0; i < mdlen; i++) {

  441.     seed[i] ^= seedmask[i];

  442.   }

  443.   ret = 1;

  444. 

  445. out:

  446.   OPENSSL_free(dbmask);

  447.   return ret;

  448. }

  449. 

  450. int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *to, unsigned tlen,

  451.                                       const uint8_t *from, unsigned flen,

  452.                                       const uint8_t *param, unsigned plen,

  453.                                       const EVP_MD *md, const EVP_MD *mgf1md) {

  454.   unsigned i, dblen, mlen = -1, mdlen;

  455.   const uint8_t *maskeddb, *maskedseed;

  456.   uint8_t *db = NULL, seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE];

  457.   int bad, looking_for_one_byte, one_index = 0;

  458. 

  459.   if (md == NULL) {

  460.     md = EVP_sha1();

  461.   }

  462.   if (mgf1md == NULL) {

  463.     mgf1md = md;

  464.   }

  465. 

  466.   mdlen = EVP_MD_size(md);

  467. 

  468.   /* The encoded message is one byte smaller than the modulus to ensure that it

  469.    * doesn't end up greater than the modulus. Thus there's an extra "+1" here

  470.    * compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2. */

  471.   if (flen < 1 + 2*mdlen + 1) {

  472.     /* 'flen' is the length of the modulus, i.e. does not depend on the

  473.      * particular ciphertext. */

  474.     goto decoding_err;

  475.   }

  476. 

  477.   dblen = flen - mdlen - 1;

  478.   db = OPENSSL_malloc(dblen);

  479.   if (db == NULL) {

  480.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,

  481.                       ERR_R_MALLOC_FAILURE);

  482.     goto err;

  483.   }

  484. 

  485.   maskedseed = from + 1;

  486.   maskeddb = from + 1 + mdlen;

  487. 

  488.   if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {

  489.     goto err;

  490.   }

  491.   for (i = 0; i < mdlen; i++) {

  492.     seed[i] ^= maskedseed[i];

  493.   }

  494. 

  495.   if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {

  496.     goto err;

  497.   }

  498.   for (i = 0; i < dblen; i++) {

  499.     db[i] ^= maskeddb[i];

  500.   }

  501. 

  502.   if (!EVP_Digest((void *)param, plen, phash, NULL, md, NULL)) {

  503.     goto err;

  504.   }

  505. 

  506.   bad = CRYPTO_memcmp(db, phash, mdlen);

  507.   bad |= from[0];

  508. 

  509.   looking_for_one_byte = 1;

  510.   for (i = mdlen; i < dblen; i++) {

  511.     int equals1 = constant_time_byte_eq(db[i], 1);

  512.     int equals0 = constant_time_byte_eq(db[i], 0);

  513.     one_index =

  514.         constant_time_select(looking_for_one_byte & equals1, i, one_index);

  515.     looking_for_one_byte =

  516.         constant_time_select(equals1, 0, looking_for_one_byte);

  517.     bad |= looking_for_one_byte & ~equals0;

  518.   }

  519. 

  520.   bad |= looking_for_one_byte;

  521. 

  522.   if (bad) {

  523.     goto decoding_err;

  524.   }

  525. 

  526.   one_index++;

  527.   mlen = dblen - one_index;

  528.   if (tlen < mlen) {

  529.     OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,

  530.                       RSA_R_DATA_TOO_LARGE);

  531.     mlen = -1;

  532.   } else {

  533.     memcpy(to, db + one_index, mlen);

  534.   }

  535. 

  536.   OPENSSL_free(db);

  537.   return mlen;

  538. 

  539. decoding_err:

  540.   /* to avoid chosen ciphertext attacks, the error message should not reveal

  541.    * which kind of decoding error happened */

  542.   OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,

  543.                     RSA_R_OAEP_DECODING_ERROR);

  544.  err:

  545.   OPENSSL_free(db);

  546.   return -1;

  547. }

  548. 

  549. static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};

  550. 

  551. int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,

  552.                               const EVP_MD *Hash, const EVP_MD *mgf1Hash,

  553.                               const uint8_t *EM, int sLen) {

  554.   int i;

  555.   int ret = 0;

  556.   int maskedDBLen, MSBits, emLen;

  557.   size_t hLen;

  558.   const uint8_t *H;

  559.   uint8_t *DB = NULL;

  560.   EVP_MD_CTX ctx;

  561.   uint8_t H_[EVP_MAX_MD_SIZE];

  562.   EVP_MD_CTX_init(&ctx);

  563. 

  564.   if (mgf1Hash == NULL) {

  565.     mgf1Hash = Hash;

  566.   }

  567. 

  568.   hLen = EVP_MD_size(Hash);

  569. 

  570.   /* Negative sLen has special meanings:

  571.    *	-1	sLen == hLen

  572.    *	-2	salt length is autorecovered from signature

  573.    *	-N	reserved */

  574.   if (sLen == -1) {

  575.     sLen = hLen;

  576.   } else if (sLen == -2) {

  577.     sLen = -2;

  578.   } else if (sLen < -2) {

  579.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_SLEN_CHECK_FAILED);

  580.     goto err;

  581.   }

  582. 

  583.   MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;

  584.   emLen = RSA_size(rsa);

  585.   if (EM[0] & (0xFF << MSBits)) {

  586.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1,

  587.                       RSA_R_FIRST_OCTET_INVALID);

  588.     goto err;

  589.   }

  590.   if (MSBits == 0) {

  591.     EM++;

  592.     emLen--;

  593.   }

  594.   if (emLen < ((int)hLen + sLen + 2)) {

  595.     /* sLen can be small negative */

  596.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_DATA_TOO_LARGE);

  597.     goto err;

  598.   }

  599.   if (EM[emLen - 1] != 0xbc) {

  600.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_LAST_OCTET_INVALID);

  601.     goto err;

  602.   }

  603.   maskedDBLen = emLen - hLen - 1;

  604.   H = EM + maskedDBLen;

  605.   DB = OPENSSL_malloc(maskedDBLen);

  606.   if (!DB) {

  607.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, ERR_R_MALLOC_FAILURE);

  608.     goto err;

  609.   }

  610.   if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) {

  611.     goto err;

  612.   }

  613.   for (i = 0; i < maskedDBLen; i++) {

  614.     DB[i] ^= EM[i];

  615.   }

  616.   if (MSBits) {

  617.     DB[0] &= 0xFF >> (8 - MSBits);

  618.   }

  619.   for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) {

  620.     ;

  621.   }

  622.   if (DB[i++] != 0x1) {

  623.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1,

  624.                       RSA_R_SLEN_RECOVERY_FAILED);

  625.     goto err;

  626.   }

  627.   if (sLen >= 0 && (maskedDBLen - i) != sLen) {

  628.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_SLEN_CHECK_FAILED);

  629.     goto err;

  630.   }

  631.   if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||

  632.       !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||

  633.       !EVP_DigestUpdate(&ctx, mHash, hLen)) {

  634.     goto err;

  635.   }

  636.   if (maskedDBLen - i) {

  637.     if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i)) {

  638.       goto err;

  639.     }

  640.   }

  641.   if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) {

  642.     goto err;

  643.   }

  644.   if (memcmp(H_, H, hLen)) {

  645.     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1, RSA_R_BAD_SIGNATURE);

  646.     ret = 0;

  647.   } else {

  648.     ret = 1;

  649.   }

  650. 

  651. err:

  652.   OPENSSL_free(DB);

  653.   EVP_MD_CTX_cleanup(&ctx);

  654. 

  655.   return ret;

  656. }

  657. 

  658. int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,

  659.                                    const unsigned char *mHash,

  660.                                    const EVP_MD *Hash, const EVP_MD *mgf1Hash,

  661.                                    int sLen) {

  662.   int i;

  663.   int ret = 0;

  664.   size_t maskedDBLen, MSBits, emLen;

  665.   size_t hLen;

  666.   unsigned char *H, *salt = NULL, *p;

  667.   EVP_MD_CTX ctx;

  668. 

  669.   if (mgf1Hash == NULL) {

  670.     mgf1Hash = Hash;

  671.   }

  672. 

  673.   hLen = EVP_MD_size(Hash);

  674. 

  675.   /* Negative sLen has special meanings:

  676.    *	-1	sLen == hLen

  677.    *	-2	salt length is maximized

  678.    *	-N	reserved */

  679.   if (sLen == -1) {

  680.     sLen = hLen;

  681.   } else if (sLen == -2) {

  682.     sLen = -2;

  683.   } else if (sLen < -2) {

  684.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,

  685.                       RSA_R_SLEN_CHECK_FAILED);

  686.     goto err;

  687.   }

  688. 

  689.   if (BN_is_zero(rsa->n)) {

  690.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,

  691.                       RSA_R_EMPTY_PUBLIC_KEY);

  692.     goto err;

  693.   }

  694. 

  695.   MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;

  696.   emLen = RSA_size(rsa);

  697.   if (MSBits == 0) {

  698.     assert(emLen >= 1);

  699.     *EM++ = 0;

  700.     emLen--;

  701.   }

  702.   if (sLen == -2) {

  703.     if (emLen < hLen + 2) {

  704.       OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,

  705.                         RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  706.       goto err;

  707.     }

  708.     sLen = emLen - hLen - 2;

  709.   } else if (emLen < hLen + sLen + 2) {

  710.     OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,

  711.                       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

  712.     goto err;

  713.   }

  714.   if (sLen > 0) {

  715.     salt = OPENSSL_malloc(sLen);

  716.     if (!salt) {

  717.       OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_PSS_mgf1,

  718.                         ERR_R_MALLOC_FAILURE);

  719.       goto err;

  720.     }

  721.     if (!RAND_bytes(salt, sLen)) {

  722.       goto err;

  723.     }

  724.   }

  725.   maskedDBLen = emLen - hLen - 1;

  726.   H = EM + maskedDBLen;

  727.   EVP_MD_CTX_init(&ctx);

  728.   if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||

  729.       !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||

  730.       !EVP_DigestUpdate(&ctx, mHash, hLen)) {

  731.     goto err;

  732.   }

  733.   if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen)) {

  734.     goto err;

  735.   }

  736.   if (!EVP_DigestFinal_ex(&ctx, H, NULL)) {

  737.     goto err;

  738.   }

  739.   EVP_MD_CTX_cleanup(&ctx);

  740. 

  741.   /* Generate dbMask in place then perform XOR on it */

  742.   if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {

  743.     goto err;

  744.   }

  745. 

  746.   p = EM;

  747. 

  748.   /* Initial PS XORs with all zeroes which is a NOP so just update

  749.    * pointer. Note from a test above this value is guaranteed to

  750.    * be non-negative. */

  751.   p += emLen - sLen - hLen - 2;

  752.   *p++ ^= 0x1;

  753.   if (sLen > 0) {

  754.     for (i = 0; i < sLen; i++) {

  755.       *p++ ^= salt[i];

  756.     }

  757.   }

  758.   if (MSBits) {

  759.     EM[0] &= 0xFF >> (8 - MSBits);

  760.   }

  761. 

  762.   /* H is already in place so just set final 0xbc */

  763. 

  764.   EM[emLen - 1] = 0xbc;

  765. 

  766.   ret = 1;

  767. 

  768. err:

  769.   OPENSSL_free(salt);

  770. 

  771.   return ret;

  772. }