/src/boringssl/crypto/rsa/rsa_crypt.cc
Line | Count | Source (jump to first uncovered line) |
1 | | // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #include <openssl/base.h> |
16 | | |
17 | | #include <limits.h> |
18 | | |
19 | | #include <openssl/bn.h> |
20 | | #include <openssl/err.h> |
21 | | #include <openssl/evp.h> |
22 | | #include <openssl/mem.h> |
23 | | #include <openssl/rand.h> |
24 | | #include <openssl/rsa.h> |
25 | | |
26 | | #include "../fipsmodule/bn/internal.h" |
27 | | #include "../fipsmodule/rsa/internal.h" |
28 | | #include "../internal.h" |
29 | | #include "internal.h" |
30 | | |
31 | | |
32 | 2.72k | static void rand_nonzero(uint8_t *out, size_t len) { |
33 | 2.72k | RAND_bytes(out, len); |
34 | | |
35 | 527k | for (size_t i = 0; i < len; i++) { |
36 | | // Zero values are replaced, and the distribution of zero and non-zero bytes |
37 | | // is public, so leaking this is safe. |
38 | 527k | while (constant_time_declassify_int(out[i] == 0)) { |
39 | 2.07k | RAND_bytes(out + i, 1); |
40 | 2.07k | } |
41 | 524k | } |
42 | 2.72k | } |
43 | | |
44 | | int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, size_t to_len, |
45 | | const uint8_t *from, size_t from_len, |
46 | | const uint8_t *param, size_t param_len, |
47 | 0 | const EVP_MD *md, const EVP_MD *mgf1md) { |
48 | 0 | if (md == NULL) { |
49 | 0 | md = EVP_sha1(); |
50 | 0 | } |
51 | 0 | if (mgf1md == NULL) { |
52 | 0 | mgf1md = md; |
53 | 0 | } |
54 | |
|
55 | 0 | size_t mdlen = EVP_MD_size(md); |
56 | |
|
57 | 0 | if (to_len < 2 * mdlen + 2) { |
58 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); |
59 | 0 | return 0; |
60 | 0 | } |
61 | | |
62 | 0 | size_t emlen = to_len - 1; |
63 | 0 | if (from_len > emlen - 2 * mdlen - 1) { |
64 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); |
65 | 0 | return 0; |
66 | 0 | } |
67 | | |
68 | 0 | if (emlen < 2 * mdlen + 1) { |
69 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); |
70 | 0 | return 0; |
71 | 0 | } |
72 | | |
73 | 0 | to[0] = 0; |
74 | 0 | uint8_t *seed = to + 1; |
75 | 0 | uint8_t *db = to + mdlen + 1; |
76 | |
|
77 | 0 | uint8_t *dbmask = NULL; |
78 | 0 | int ret = 0; |
79 | 0 | if (!EVP_Digest(param, param_len, db, NULL, md, NULL)) { |
80 | 0 | goto out; |
81 | 0 | } |
82 | 0 | OPENSSL_memset(db + mdlen, 0, emlen - from_len - 2 * mdlen - 1); |
83 | 0 | db[emlen - from_len - mdlen - 1] = 0x01; |
84 | 0 | OPENSSL_memcpy(db + emlen - from_len - mdlen, from, from_len); |
85 | 0 | if (!RAND_bytes(seed, mdlen)) { |
86 | 0 | goto out; |
87 | 0 | } |
88 | | |
89 | 0 | dbmask = reinterpret_cast<uint8_t *>(OPENSSL_malloc(emlen - mdlen)); |
90 | 0 | if (dbmask == NULL) { |
91 | 0 | goto out; |
92 | 0 | } |
93 | | |
94 | 0 | if (!PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md)) { |
95 | 0 | goto out; |
96 | 0 | } |
97 | 0 | for (size_t i = 0; i < emlen - mdlen; i++) { |
98 | 0 | db[i] ^= dbmask[i]; |
99 | 0 | } |
100 | |
|
101 | 0 | uint8_t seedmask[EVP_MAX_MD_SIZE]; |
102 | 0 | if (!PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md)) { |
103 | 0 | goto out; |
104 | 0 | } |
105 | 0 | for (size_t i = 0; i < mdlen; i++) { |
106 | 0 | seed[i] ^= seedmask[i]; |
107 | 0 | } |
108 | 0 | ret = 1; |
109 | |
|
110 | 0 | out: |
111 | 0 | OPENSSL_free(dbmask); |
112 | 0 | return ret; |
113 | 0 | } |
114 | | |
115 | | int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *out, size_t *out_len, |
116 | | size_t max_out, const uint8_t *from, |
117 | | size_t from_len, const uint8_t *param, |
118 | | size_t param_len, const EVP_MD *md, |
119 | 0 | const EVP_MD *mgf1md) { |
120 | 0 | uint8_t *db = NULL; |
121 | |
|
122 | 0 | { |
123 | 0 | if (md == NULL) { |
124 | 0 | md = EVP_sha1(); |
125 | 0 | } |
126 | 0 | if (mgf1md == NULL) { |
127 | 0 | mgf1md = md; |
128 | 0 | } |
129 | |
|
130 | 0 | size_t mdlen = EVP_MD_size(md); |
131 | | |
132 | | // The encoded message is one byte smaller than the modulus to ensure that |
133 | | // it doesn't end up greater than the modulus. Thus there's an extra "+1" |
134 | | // here compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2. |
135 | 0 | if (from_len < 1 + 2 * mdlen + 1) { |
136 | | // 'from_len' is the length of the modulus, i.e. does not depend on the |
137 | | // particular ciphertext. |
138 | 0 | goto decoding_err; |
139 | 0 | } |
140 | | |
141 | 0 | size_t dblen = from_len - mdlen - 1; |
142 | 0 | db = reinterpret_cast<uint8_t *>(OPENSSL_malloc(dblen)); |
143 | 0 | if (db == NULL) { |
144 | 0 | goto err; |
145 | 0 | } |
146 | | |
147 | 0 | const uint8_t *maskedseed = from + 1; |
148 | 0 | const uint8_t *maskeddb = from + 1 + mdlen; |
149 | |
|
150 | 0 | uint8_t seed[EVP_MAX_MD_SIZE]; |
151 | 0 | if (!PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) { |
152 | 0 | goto err; |
153 | 0 | } |
154 | 0 | for (size_t i = 0; i < mdlen; i++) { |
155 | 0 | seed[i] ^= maskedseed[i]; |
156 | 0 | } |
157 | |
|
158 | 0 | if (!PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) { |
159 | 0 | goto err; |
160 | 0 | } |
161 | 0 | for (size_t i = 0; i < dblen; i++) { |
162 | 0 | db[i] ^= maskeddb[i]; |
163 | 0 | } |
164 | |
|
165 | 0 | uint8_t phash[EVP_MAX_MD_SIZE]; |
166 | 0 | if (!EVP_Digest(param, param_len, phash, NULL, md, NULL)) { |
167 | 0 | goto err; |
168 | 0 | } |
169 | | |
170 | 0 | crypto_word_t bad = |
171 | 0 | ~constant_time_is_zero_w(CRYPTO_memcmp(db, phash, mdlen)); |
172 | 0 | bad |= ~constant_time_is_zero_w(from[0]); |
173 | |
|
174 | 0 | crypto_word_t looking_for_one_byte = CONSTTIME_TRUE_W; |
175 | 0 | size_t one_index = 0; |
176 | 0 | for (size_t i = mdlen; i < dblen; i++) { |
177 | 0 | crypto_word_t equals1 = constant_time_eq_w(db[i], 1); |
178 | 0 | crypto_word_t equals0 = constant_time_eq_w(db[i], 0); |
179 | 0 | one_index = |
180 | 0 | constant_time_select_w(looking_for_one_byte & equals1, i, one_index); |
181 | 0 | looking_for_one_byte = |
182 | 0 | constant_time_select_w(equals1, 0, looking_for_one_byte); |
183 | 0 | bad |= looking_for_one_byte & ~equals0; |
184 | 0 | } |
185 | |
|
186 | 0 | bad |= looking_for_one_byte; |
187 | | |
188 | | // Whether the overall padding was valid or not in OAEP is public. |
189 | 0 | if (constant_time_declassify_w(bad)) { |
190 | 0 | goto decoding_err; |
191 | 0 | } |
192 | | |
193 | | // Once the padding is known to be valid, the output length is also public. |
194 | 0 | static_assert(sizeof(size_t) <= sizeof(crypto_word_t), |
195 | 0 | "size_t does not fit in crypto_word_t"); |
196 | 0 | one_index = constant_time_declassify_w(one_index); |
197 | |
|
198 | 0 | one_index++; |
199 | 0 | size_t mlen = dblen - one_index; |
200 | 0 | if (max_out < mlen) { |
201 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE); |
202 | 0 | goto err; |
203 | 0 | } |
204 | | |
205 | 0 | OPENSSL_memcpy(out, db + one_index, mlen); |
206 | 0 | *out_len = mlen; |
207 | 0 | OPENSSL_free(db); |
208 | 0 | return 1; |
209 | 0 | } |
210 | | |
211 | 0 | decoding_err: |
212 | | // To avoid chosen ciphertext attacks, the error message should not reveal |
213 | | // which kind of decoding error happened. |
214 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_OAEP_DECODING_ERROR); |
215 | 0 | err: |
216 | 0 | OPENSSL_free(db); |
217 | 0 | return 0; |
218 | 0 | } |
219 | | |
220 | | static int rsa_padding_add_PKCS1_type_2(uint8_t *to, size_t to_len, |
221 | 2.72k | const uint8_t *from, size_t from_len) { |
222 | | // See RFC 8017, section 7.2.1. |
223 | 2.72k | if (to_len < RSA_PKCS1_PADDING_SIZE) { |
224 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); |
225 | 0 | return 0; |
226 | 0 | } |
227 | | |
228 | 2.72k | if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) { |
229 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); |
230 | 0 | return 0; |
231 | 0 | } |
232 | | |
233 | 2.72k | to[0] = 0; |
234 | 2.72k | to[1] = 2; |
235 | | |
236 | 2.72k | size_t padding_len = to_len - 3 - from_len; |
237 | 2.72k | rand_nonzero(to + 2, padding_len); |
238 | 2.72k | to[2 + padding_len] = 0; |
239 | 2.72k | OPENSSL_memcpy(to + to_len - from_len, from, from_len); |
240 | 2.72k | return 1; |
241 | 2.72k | } |
242 | | |
243 | | static int rsa_padding_check_PKCS1_type_2(uint8_t *out, size_t *out_len, |
244 | | size_t max_out, const uint8_t *from, |
245 | 0 | size_t from_len) { |
246 | 0 | if (from_len == 0) { |
247 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY); |
248 | 0 | return 0; |
249 | 0 | } |
250 | | |
251 | | // PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography |
252 | | // Standard", section 7.2.2. |
253 | 0 | if (from_len < RSA_PKCS1_PADDING_SIZE) { |
254 | | // |from| is zero-padded to the size of the RSA modulus, a public value, so |
255 | | // this can be rejected in non-constant time. |
256 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); |
257 | 0 | return 0; |
258 | 0 | } |
259 | | |
260 | 0 | crypto_word_t first_byte_is_zero = constant_time_eq_w(from[0], 0); |
261 | 0 | crypto_word_t second_byte_is_two = constant_time_eq_w(from[1], 2); |
262 | |
|
263 | 0 | crypto_word_t zero_index = 0, looking_for_index = CONSTTIME_TRUE_W; |
264 | 0 | for (size_t i = 2; i < from_len; i++) { |
265 | 0 | crypto_word_t equals0 = constant_time_is_zero_w(from[i]); |
266 | 0 | zero_index = |
267 | 0 | constant_time_select_w(looking_for_index & equals0, i, zero_index); |
268 | 0 | looking_for_index = constant_time_select_w(equals0, 0, looking_for_index); |
269 | 0 | } |
270 | | |
271 | | // The input must begin with 00 02. |
272 | 0 | crypto_word_t valid_index = first_byte_is_zero; |
273 | 0 | valid_index &= second_byte_is_two; |
274 | | |
275 | | // We must have found the end of PS. |
276 | 0 | valid_index &= ~looking_for_index; |
277 | | |
278 | | // PS must be at least 8 bytes long, and it starts two bytes into |from|. |
279 | 0 | valid_index &= constant_time_ge_w(zero_index, 2 + 8); |
280 | | |
281 | | // Skip the zero byte. |
282 | 0 | zero_index++; |
283 | | |
284 | | // NOTE: Although this logic attempts to be constant time, the API contracts |
285 | | // of this function and |RSA_decrypt| with |RSA_PKCS1_PADDING| make it |
286 | | // impossible to completely avoid Bleichenbacher's attack. Consumers should |
287 | | // use |RSA_PADDING_NONE| and perform the padding check in constant-time |
288 | | // combined with a swap to a random session key or other mitigation. |
289 | 0 | CONSTTIME_DECLASSIFY(&valid_index, sizeof(valid_index)); |
290 | 0 | CONSTTIME_DECLASSIFY(&zero_index, sizeof(zero_index)); |
291 | |
|
292 | 0 | if (!valid_index) { |
293 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR); |
294 | 0 | return 0; |
295 | 0 | } |
296 | | |
297 | 0 | const size_t msg_len = from_len - zero_index; |
298 | 0 | if (msg_len > max_out) { |
299 | | // This shouldn't happen because this function is always called with |
300 | | // |max_out| as the key size and |from_len| is bounded by the key size. |
301 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR); |
302 | 0 | return 0; |
303 | 0 | } |
304 | | |
305 | 0 | OPENSSL_memcpy(out, &from[zero_index], msg_len); |
306 | 0 | *out_len = msg_len; |
307 | 0 | return 1; |
308 | 0 | } |
309 | | |
310 | | int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, |
311 | 0 | int padding) { |
312 | 0 | size_t out_len; |
313 | |
|
314 | 0 | if (!RSA_encrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) { |
315 | 0 | return -1; |
316 | 0 | } |
317 | | |
318 | 0 | if (out_len > INT_MAX) { |
319 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); |
320 | 0 | return -1; |
321 | 0 | } |
322 | 0 | return (int)out_len; |
323 | 0 | } |
324 | | |
325 | | int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, |
326 | 0 | int padding) { |
327 | 0 | size_t out_len; |
328 | |
|
329 | 0 | if (!RSA_sign_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) { |
330 | 0 | return -1; |
331 | 0 | } |
332 | | |
333 | 0 | if (out_len > INT_MAX) { |
334 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); |
335 | 0 | return -1; |
336 | 0 | } |
337 | 0 | return (int)out_len; |
338 | 0 | } |
339 | | |
340 | | int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, |
341 | 2.72k | const uint8_t *in, size_t in_len, int padding) { |
342 | 2.72k | if (rsa->n == NULL || rsa->e == NULL) { |
343 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); |
344 | 0 | return 0; |
345 | 0 | } |
346 | | |
347 | 2.72k | if (!rsa_check_public_key(rsa)) { |
348 | 0 | return 0; |
349 | 0 | } |
350 | | |
351 | 2.72k | const unsigned rsa_size = RSA_size(rsa); |
352 | 2.72k | if (max_out < rsa_size) { |
353 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL); |
354 | 0 | return 0; |
355 | 0 | } |
356 | | |
357 | 2.72k | bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new()); |
358 | 2.72k | if (ctx == nullptr) { |
359 | 0 | return 0; |
360 | 0 | } |
361 | | |
362 | 2.72k | bssl::BN_CTXScope scope(ctx.get()); |
363 | 2.72k | BIGNUM *f = BN_CTX_get(ctx.get()); |
364 | 2.72k | BIGNUM *result = BN_CTX_get(ctx.get()); |
365 | 2.72k | uint8_t *buf = reinterpret_cast<uint8_t *>(OPENSSL_malloc(rsa_size)); |
366 | 2.72k | int i, ret = 0; |
367 | 2.72k | if (!f || !result || !buf) { |
368 | 0 | goto err; |
369 | 0 | } |
370 | | |
371 | 2.72k | switch (padding) { |
372 | 2.72k | case RSA_PKCS1_PADDING: |
373 | 2.72k | i = rsa_padding_add_PKCS1_type_2(buf, rsa_size, in, in_len); |
374 | 2.72k | break; |
375 | 0 | case RSA_PKCS1_OAEP_PADDING: |
376 | | // Use the default parameters: SHA-1 for both hashes and no label. |
377 | 0 | i = RSA_padding_add_PKCS1_OAEP_mgf1(buf, rsa_size, in, in_len, nullptr, 0, |
378 | 0 | nullptr, nullptr); |
379 | 0 | break; |
380 | 0 | case RSA_NO_PADDING: |
381 | 0 | i = RSA_padding_add_none(buf, rsa_size, in, in_len); |
382 | 0 | break; |
383 | 0 | default: |
384 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE); |
385 | 0 | goto err; |
386 | 2.72k | } |
387 | | |
388 | 2.72k | if (i <= 0) { |
389 | 0 | goto err; |
390 | 0 | } |
391 | | |
392 | 2.72k | if (BN_bin2bn(buf, rsa_size, f) == nullptr) { |
393 | 0 | goto err; |
394 | 0 | } |
395 | | |
396 | 2.72k | if (BN_ucmp(f, rsa->n) >= 0) { |
397 | | // usually the padding functions would catch this |
398 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
399 | 0 | goto err; |
400 | 0 | } |
401 | | |
402 | 2.72k | if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx.get()) || |
403 | 2.72k | !BN_mod_exp_mont(result, f, rsa->e, &rsa->mont_n->N, ctx.get(), |
404 | 2.72k | rsa->mont_n)) { |
405 | 0 | goto err; |
406 | 0 | } |
407 | | |
408 | | // put in leading 0 bytes if the number is less than the length of the |
409 | | // modulus |
410 | 2.72k | if (!BN_bn2bin_padded(out, rsa_size, result)) { |
411 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); |
412 | 0 | goto err; |
413 | 0 | } |
414 | | |
415 | 2.72k | *out_len = rsa_size; |
416 | 2.72k | ret = 1; |
417 | | |
418 | 2.72k | err: |
419 | 2.72k | OPENSSL_free(buf); |
420 | 2.72k | return ret; |
421 | 2.72k | } |
422 | | |
423 | | static int rsa_default_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, |
424 | | size_t max_out, const uint8_t *in, size_t in_len, |
425 | 50 | int padding) { |
426 | 50 | const unsigned rsa_size = RSA_size(rsa); |
427 | 50 | uint8_t *buf = NULL; |
428 | 50 | int ret = 0; |
429 | | |
430 | 50 | if (max_out < rsa_size) { |
431 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL); |
432 | 0 | return 0; |
433 | 0 | } |
434 | | |
435 | 50 | if (padding == RSA_NO_PADDING) { |
436 | 50 | buf = out; |
437 | 50 | } else { |
438 | | // Allocate a temporary buffer to hold the padded plaintext. |
439 | 0 | buf = reinterpret_cast<uint8_t *>(OPENSSL_malloc(rsa_size)); |
440 | 0 | if (buf == NULL) { |
441 | 0 | goto err; |
442 | 0 | } |
443 | 0 | } |
444 | | |
445 | 50 | if (in_len != rsa_size) { |
446 | 7 | OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN); |
447 | 7 | goto err; |
448 | 7 | } |
449 | | |
450 | 43 | if (!rsa_private_transform(rsa, buf, in, rsa_size)) { |
451 | 3 | goto err; |
452 | 3 | } |
453 | | |
454 | 40 | switch (padding) { |
455 | 0 | case RSA_PKCS1_PADDING: |
456 | 0 | ret = |
457 | 0 | rsa_padding_check_PKCS1_type_2(out, out_len, rsa_size, buf, rsa_size); |
458 | 0 | break; |
459 | 0 | case RSA_PKCS1_OAEP_PADDING: |
460 | | // Use the default parameters: SHA-1 for both hashes and no label. |
461 | 0 | ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, out_len, rsa_size, buf, |
462 | 0 | rsa_size, NULL, 0, NULL, NULL); |
463 | 0 | break; |
464 | 40 | case RSA_NO_PADDING: |
465 | 40 | *out_len = rsa_size; |
466 | 40 | ret = 1; |
467 | 40 | break; |
468 | 0 | default: |
469 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE); |
470 | 0 | goto err; |
471 | 40 | } |
472 | | |
473 | 40 | CONSTTIME_DECLASSIFY(&ret, sizeof(ret)); |
474 | 40 | if (!ret) { |
475 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED); |
476 | 40 | } else { |
477 | 40 | CONSTTIME_DECLASSIFY(out, *out_len); |
478 | 40 | } |
479 | | |
480 | 50 | err: |
481 | 50 | if (padding != RSA_NO_PADDING) { |
482 | 0 | OPENSSL_free(buf); |
483 | 0 | } |
484 | | |
485 | 50 | return ret; |
486 | 40 | } |
487 | | |
488 | | int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, |
489 | 50 | const uint8_t *in, size_t in_len, int padding) { |
490 | 50 | if (rsa->meth->decrypt) { |
491 | 0 | return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding); |
492 | 0 | } |
493 | | |
494 | 50 | return rsa_default_decrypt(rsa, out_len, out, max_out, in, in_len, padding); |
495 | 50 | } |
496 | | |
497 | | int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, |
498 | 0 | int padding) { |
499 | 0 | size_t out_len; |
500 | 0 | if (!RSA_decrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) { |
501 | 0 | return -1; |
502 | 0 | } |
503 | | |
504 | 0 | if (out_len > INT_MAX) { |
505 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); |
506 | 0 | return -1; |
507 | 0 | } |
508 | 0 | return (int)out_len; |
509 | 0 | } |
510 | | |
511 | | int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, |
512 | 0 | int padding) { |
513 | 0 | size_t out_len; |
514 | 0 | if (!RSA_verify_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) { |
515 | 0 | return -1; |
516 | 0 | } |
517 | | |
518 | 0 | if (out_len > INT_MAX) { |
519 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); |
520 | 0 | return -1; |
521 | 0 | } |
522 | 0 | return (int)out_len; |
523 | 0 | } |