/src/openssl/crypto/rsa/rsa_oaep.c

Source (jump to first uncovered line)
/*
 * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */

/*
 * See Victor Shoup, "OAEP reconsidered," Nov. 2000, <URL:
 * http://www.shoup.net/papers/oaep.ps.Z> for problems with the security
 * proof for the original OAEP scheme, which EME-OAEP is based on. A new
 * proof can be found in E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern,
 * "RSA-OEAP is Still Alive!", Dec. 2000, <URL:
 * http://eprint.iacr.org/2000/061/>. The new proof has stronger requirements
 * for the underlying permutation: "partial-one-wayness" instead of
 * one-wayness.  For the RSA function, this is an equivalent notion.
 */

#include "internal/constant_time_locl.h"

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_locl.h"

int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
                               const unsigned char *from, int flen,
                               const unsigned char *param, int plen)
{
    return RSA_padding_add_PKCS1_OAEP_mgf1(to, tlen, from, flen,
                                           param, plen, NULL, NULL);
}

int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
                                    const unsigned char *from, int flen,
                                    const unsigned char *param, int plen,
                                    const EVP_MD *md, const EVP_MD *mgf1md)
{
    int i, emlen = tlen - 1;
    unsigned char *db, *seed;
    unsigned char *dbmask, seedmask[EVP_MAX_MD_SIZE];
    int mdlen;

    if (md == NULL)
        md = EVP_sha1();
    if (mgf1md == NULL)
        mgf1md = md;

    mdlen = EVP_MD_size(md);

    if (flen > emlen - 2 * mdlen - 1) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,
               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        return 0;
    }

    if (emlen < 2 * mdlen + 1) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,
               RSA_R_KEY_SIZE_TOO_SMALL);
        return 0;
    }

    to[0] = 0;
    seed = to + 1;
    db = to + mdlen + 1;

    if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL))
        return 0;
    memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);
    db[emlen - flen - mdlen - 1] = 0x01;
    memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
    if (RAND_bytes(seed, mdlen) <= 0)
        return 0;

    dbmask = OPENSSL_malloc(emlen - mdlen);
    if (dbmask == NULL) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
        return 0;
    }

    if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0)
        goto err;
    for (i = 0; i < emlen - mdlen; i++)
        db[i] ^= dbmask[i];

    if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0)
        goto err;
    for (i = 0; i < mdlen; i++)
        seed[i] ^= seedmask[i];

    OPENSSL_free(dbmask);
    return 1;

 err:
    OPENSSL_free(dbmask);
    return 0;
}

int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
                                 const unsigned char *from, int flen, int num,
                                 const unsigned char *param, int plen)
{
    return RSA_padding_check_PKCS1_OAEP_mgf1(to, tlen, from, flen, num,
                                             param, plen, NULL, NULL);
}

int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
                                      const unsigned char *from, int flen,
                                      int num, const unsigned char *param,
                                      int plen, const EVP_MD *md,
                                      const EVP_MD *mgf1md)
{
    int i, dblen = 0, mlen = -1, one_index = 0, msg_index;
    unsigned int good, found_one_byte;
    const unsigned char *maskedseed, *maskeddb;
    /*
     * |em| is the encoded message, zero-padded to exactly |num| bytes: em =
     * Y || maskedSeed || maskedDB
     */
    unsigned char *db = NULL, *em = NULL, seed[EVP_MAX_MD_SIZE],
        phash[EVP_MAX_MD_SIZE];
    int mdlen;

    if (md == NULL)
        md = EVP_sha1();
    if (mgf1md == NULL)
        mgf1md = md;

    mdlen = EVP_MD_size(md);

    if (tlen <= 0 || flen <= 0)
        return -1;
    /*
     * |num| is the length of the modulus; |flen| is the length of the
     * encoded message. Therefore, for any |from| that was obtained by
     * decrypting a ciphertext, we must have |flen| <= |num|. Similarly,
     * num < 2 * mdlen + 2 must hold for the modulus irrespective of
     * the ciphertext, see PKCS #1 v2.2, section 7.1.2.
     * This does not leak any side-channel information.
     */
    if (num < flen || num < 2 * mdlen + 2)
        goto decoding_err;

    dblen = num - mdlen - 1;
    db = OPENSSL_malloc(dblen);
    if (db == NULL) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
        goto cleanup;
    }

    if (flen != num) {
        em = OPENSSL_zalloc(num);
        if (em == NULL) {
            RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
                   ERR_R_MALLOC_FAILURE);
            goto cleanup;
        }

        /*
         * Caller is encouraged to pass zero-padded message created with
         * BN_bn2binpad, but if it doesn't, we do this zero-padding copy
         * to avoid leaking that information. The copy still leaks some
         * side-channel information, but it's impossible to have a fixed
         * memory access pattern since we can't read out of the bounds of
         * |from|.
         */
        memcpy(em + num - flen, from, flen);
        from = em;
    }

    /*
     * The first byte must be zero, however we must not leak if this is
     * true. See James H. Manger, "A Chosen Ciphertext  Attack on RSA
     * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
     */
    good = constant_time_is_zero(from[0]);

    maskedseed = from + 1;
    maskeddb = from + 1 + mdlen;

    if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
        goto cleanup;
    for (i = 0; i < mdlen; i++)
        seed[i] ^= maskedseed[i];

    if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md))
        goto cleanup;
    for (i = 0; i < dblen; i++)
        db[i] ^= maskeddb[i];

    if (!EVP_Digest((void *)param, plen, phash, NULL, md, NULL))
        goto cleanup;

    good &= constant_time_is_zero(CRYPTO_memcmp(db, phash, mdlen));

    found_one_byte = 0;
    for (i = mdlen; i < dblen; i++) {
        /*
         * Padding consists of a number of 0-bytes, followed by a 1.
         */
        unsigned int equals1 = constant_time_eq(db[i], 1);
        unsigned int equals0 = constant_time_is_zero(db[i]);
        one_index = constant_time_select_int(~found_one_byte & equals1,
                                             i, one_index);
        found_one_byte |= equals1;
        good &= (found_one_byte | equals0);
    }

    good &= found_one_byte;

    /*
     * At this point |good| is zero unless the plaintext was valid,
     * so plaintext-awareness ensures timing side-channels are no longer a
     * concern.
     */
    if (!good)
        goto decoding_err;

    msg_index = one_index + 1;
    mlen = dblen - msg_index;

    if (tlen < mlen) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_DATA_TOO_LARGE);
        mlen = -1;
    } else {
        memcpy(to, db + msg_index, mlen);
        goto cleanup;
    }

 decoding_err:
    /*
     * To avoid chosen ciphertext attacks, the error message should not
     * reveal which kind of decoding error happened.
     */
    RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
           RSA_R_OAEP_DECODING_ERROR);
 cleanup:
    OPENSSL_clear_free(db, dblen);
    OPENSSL_clear_free(em, num);
    return mlen;
}

int PKCS1_MGF1(unsigned char *mask, long len,
               const unsigned char *seed, long seedlen, const EVP_MD *dgst)
{
    long i, outlen = 0;
    unsigned char cnt[4];
    EVP_MD_CTX *c = EVP_MD_CTX_new();
    unsigned char md[EVP_MAX_MD_SIZE];
    int mdlen;
    int rv = -1;

    if (c == NULL)
        goto err;
    mdlen = EVP_MD_size(dgst);
    if (mdlen < 0)
        goto err;
    for (i = 0; outlen < len; i++) {
        cnt[0] = (unsigned char)((i >> 24) & 255);
        cnt[1] = (unsigned char)((i >> 16) & 255);
        cnt[2] = (unsigned char)((i >> 8)) & 255;
        cnt[3] = (unsigned char)(i & 255);
        if (!EVP_DigestInit_ex(c, dgst, NULL)
            || !EVP_DigestUpdate(c, seed, seedlen)
            || !EVP_DigestUpdate(c, cnt, 4))
            goto err;
        if (outlen + mdlen <= len) {
            if (!EVP_DigestFinal_ex(c, mask + outlen, NULL))
                goto err;
            outlen += mdlen;
        } else {
            if (!EVP_DigestFinal_ex(c, md, NULL))
                goto err;
            memcpy(mask + outlen, md, len - outlen);
            outlen = len;
        }
    }
    rv = 0;
 err:
    EVP_MD_CTX_free(c);
    return rv;
}

Coverage Report

Created: 2018-08-29 13:53

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the OpenSSL license (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
11
12		/*
13		* See Victor Shoup, "OAEP reconsidered," Nov. 2000, <URL:
14		* http://www.shoup.net/papers/oaep.ps.Z> for problems with the security
15		* proof for the original OAEP scheme, which EME-OAEP is based on. A new
16		* proof can be found in E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern,
17		* "RSA-OEAP is Still Alive!", Dec. 2000, <URL:
18		* http://eprint.iacr.org/2000/061/>. The new proof has stronger requirements
19		* for the underlying permutation: "partial-one-wayness" instead of
20		* one-wayness. For the RSA function, this is an equivalent notion.
21		*/
22
23		#include "internal/constant_time_locl.h"
24
25		#include <stdio.h>
26		#include "internal/cryptlib.h"
27		#include <openssl/bn.h>
28		#include <openssl/evp.h>
29		#include <openssl/rand.h>
30		#include <openssl/sha.h>
31		#include "rsa_locl.h"
32
33		int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
34		const unsigned char *from, int flen,
35		const unsigned char *param, int plen)
36	0	{
37	0	return RSA_padding_add_PKCS1_OAEP_mgf1(to, tlen, from, flen,
38	0	param, plen, NULL, NULL);
39	0	}
40
41		int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
42		const unsigned char *from, int flen,
43		const unsigned char *param, int plen,
44		const EVP_MD md, const EVP_MD mgf1md)
45	0	{
46	0	int i, emlen = tlen - 1;
47	0	unsigned char db, seed;
48	0	unsigned char *dbmask, seedmask[EVP_MAX_MD_SIZE];
49	0	int mdlen;
50	0
51	0	if (md == NULL)
52	0	md = EVP_sha1();
53	0	if (mgf1md == NULL)
54	0	mgf1md = md;
55	0
56	0	mdlen = EVP_MD_size(md);
57	0
58	0	if (flen > emlen - 2 * mdlen - 1) {
59	0	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,
60	0	RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
61	0	return 0;
62	0	}
63	0
64	0	if (emlen < 2 * mdlen + 1) {
65	0	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,
66	0	RSA_R_KEY_SIZE_TOO_SMALL);
67	0	return 0;
68	0	}
69	0
70	0	to[0] = 0;
71	0	seed = to + 1;
72	0	db = to + mdlen + 1;
73	0
74	0	if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL))
75	0	return 0;
76	0	memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);
77	0	db[emlen - flen - mdlen - 1] = 0x01;
78	0	memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
79	0	if (RAND_bytes(seed, mdlen) <= 0)
80	0	return 0;
81	0
82	0	dbmask = OPENSSL_malloc(emlen - mdlen);
83	0	if (dbmask == NULL) {
84	0	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
85	0	return 0;
86	0	}
87	0
88	0	if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0)
89	0	goto err;
90	0	for (i = 0; i < emlen - mdlen; i++)
91	0	db[i] ^= dbmask[i];
92	0
93	0	if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0)
94	0	goto err;
95	0	for (i = 0; i < mdlen; i++)
96	0	seed[i] ^= seedmask[i];
97	0
98	0	OPENSSL_free(dbmask);
99	0	return 1;
100	0
101	0	err:
102	0	OPENSSL_free(dbmask);
103	0	return 0;
104	0	}
105
106		int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
107		const unsigned char *from, int flen, int num,
108		const unsigned char *param, int plen)
109	0	{
110	0	return RSA_padding_check_PKCS1_OAEP_mgf1(to, tlen, from, flen, num,
111	0	param, plen, NULL, NULL);
112	0	}
113
114		int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
115		const unsigned char *from, int flen,
116		int num, const unsigned char *param,
117		int plen, const EVP_MD *md,
118		const EVP_MD *mgf1md)
119	0	{
120	0	int i, dblen = 0, mlen = -1, one_index = 0, msg_index;
121	0	unsigned int good, found_one_byte;
122	0	const unsigned char maskedseed, maskeddb;
123	0	/*
124	0	* \|em\| is the encoded message, zero-padded to exactly \|num\| bytes: em =
125	0	* Y \|\| maskedSeed \|\| maskedDB
126	0	*/
127	0	unsigned char db = NULL, em = NULL, seed[EVP_MAX_MD_SIZE],
128	0	phash[EVP_MAX_MD_SIZE];
129	0	int mdlen;
130	0
131	0	if (md == NULL)
132	0	md = EVP_sha1();
133	0	if (mgf1md == NULL)
134	0	mgf1md = md;
135	0
136	0	mdlen = EVP_MD_size(md);
137	0
138	0	if (tlen <= 0 \|\| flen <= 0)
139	0	return -1;
140	0	/*
141	0	* \|num\| is the length of the modulus; \|flen\| is the length of the
142	0	* encoded message. Therefore, for any \|from\| that was obtained by
143	0	* decrypting a ciphertext, we must have \|flen\| <= \|num\|. Similarly,
144	0	* num < 2 * mdlen + 2 must hold for the modulus irrespective of
145	0	* the ciphertext, see PKCS #1 v2.2, section 7.1.2.
146	0	* This does not leak any side-channel information.
147	0	*/
148	0	if (num < flen \|\| num < 2 * mdlen + 2)
149	0	goto decoding_err;
150	0
151	0	dblen = num - mdlen - 1;
152	0	db = OPENSSL_malloc(dblen);
153	0	if (db == NULL) {
154	0	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
155	0	goto cleanup;
156	0	}
157	0
158	0	if (flen != num) {
159	0	em = OPENSSL_zalloc(num);
160	0	if (em == NULL) {
161	0	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
162	0	ERR_R_MALLOC_FAILURE);
163	0	goto cleanup;
164	0	}
165	0
166	0	/*
167	0	* Caller is encouraged to pass zero-padded message created with
168	0	* BN_bn2binpad, but if it doesn't, we do this zero-padding copy
169	0	* to avoid leaking that information. The copy still leaks some
170	0	* side-channel information, but it's impossible to have a fixed
171	0	* memory access pattern since we can't read out of the bounds of
172	0	* \|from\|.
173	0	*/
174	0	memcpy(em + num - flen, from, flen);
175	0	from = em;
176	0	}
177	0
178	0	/*
179	0	* The first byte must be zero, however we must not leak if this is
180	0	* true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
181	0	* Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
182	0	*/
183	0	good = constant_time_is_zero(from[0]);
184	0
185	0	maskedseed = from + 1;
186	0	maskeddb = from + 1 + mdlen;
187	0
188	0	if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
189	0	goto cleanup;
190	0	for (i = 0; i < mdlen; i++)
191	0	seed[i] ^= maskedseed[i];
192	0
193	0	if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md))
194	0	goto cleanup;
195	0	for (i = 0; i < dblen; i++)
196	0	db[i] ^= maskeddb[i];
197	0
198	0	if (!EVP_Digest((void *)param, plen, phash, NULL, md, NULL))
199	0	goto cleanup;
200	0
201	0	good &= constant_time_is_zero(CRYPTO_memcmp(db, phash, mdlen));
202	0
203	0	found_one_byte = 0;
204	0	for (i = mdlen; i < dblen; i++) {
205	0	/*
206	0	* Padding consists of a number of 0-bytes, followed by a 1.
207	0	*/
208	0	unsigned int equals1 = constant_time_eq(db[i], 1);
209	0	unsigned int equals0 = constant_time_is_zero(db[i]);
210	0	one_index = constant_time_select_int(~found_one_byte & equals1,
211	0	i, one_index);
212	0	found_one_byte \|= equals1;
213	0	good &= (found_one_byte \| equals0);
214	0	}
215	0
216	0	good &= found_one_byte;
217	0
218	0	/*
219	0	* At this point \|good\| is zero unless the plaintext was valid,
220	0	* so plaintext-awareness ensures timing side-channels are no longer a
221	0	* concern.
222	0	*/
223	0	if (!good)
224	0	goto decoding_err;
225	0
226	0	msg_index = one_index + 1;
227	0	mlen = dblen - msg_index;
228	0
229	0	if (tlen < mlen) {
230	0	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_DATA_TOO_LARGE);
231	0	mlen = -1;
232	0	} else {
233	0	memcpy(to, db + msg_index, mlen);
234	0	goto cleanup;
235	0	}
236	0
237	0	decoding_err:
238	0	/*
239	0	* To avoid chosen ciphertext attacks, the error message should not
240	0	* reveal which kind of decoding error happened.
241	0	*/
242	0	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
243	0	RSA_R_OAEP_DECODING_ERROR);
244	0	cleanup:
245	0	OPENSSL_clear_free(db, dblen);
246	0	OPENSSL_clear_free(em, num);
247	0	return mlen;
248	0	}
249
250		int PKCS1_MGF1(unsigned char *mask, long len,
251		const unsigned char seed, long seedlen, const EVP_MD dgst)
252	0	{
253	0	long i, outlen = 0;
254	0	unsigned char cnt[4];
255	0	EVP_MD_CTX *c = EVP_MD_CTX_new();
256	0	unsigned char md[EVP_MAX_MD_SIZE];
257	0	int mdlen;
258	0	int rv = -1;
259	0
260	0	if (c == NULL)
261	0	goto err;
262	0	mdlen = EVP_MD_size(dgst);
263	0	if (mdlen < 0)
264	0	goto err;
265	0	for (i = 0; outlen < len; i++) {
266	0	cnt[0] = (unsigned char)((i >> 24) & 255);
267	0	cnt[1] = (unsigned char)((i >> 16) & 255);
268	0	cnt[2] = (unsigned char)((i >> 8)) & 255;
269	0	cnt[3] = (unsigned char)(i & 255);
270	0	if (!EVP_DigestInit_ex(c, dgst, NULL)
271	0	\|\| !EVP_DigestUpdate(c, seed, seedlen)
272	0	\|\| !EVP_DigestUpdate(c, cnt, 4))
273	0	goto err;
274	0	if (outlen + mdlen <= len) {
275	0	if (!EVP_DigestFinal_ex(c, mask + outlen, NULL))
276	0	goto err;
277	0	outlen += mdlen;
278	0	} else {
279	0	if (!EVP_DigestFinal_ex(c, md, NULL))
280	0	goto err;
281	0	memcpy(mask + outlen, md, len - outlen);
282	0	outlen = len;
283	0	}
284	0	}
285	0	rv = 0;
286	0	err:
287	0	EVP_MD_CTX_free(c);
288	0	return rv;
289	0	}