rsa_pk1.c (337982) | rsa_pk1.c (344604) |
---|---|
1/* crypto/rsa/rsa_pk1.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * --- 193 unchanged lines hidden (view full) --- 202 203int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, 204 const unsigned char *from, int flen, 205 int num) 206{ 207 int i; 208 /* |em| is the encoded message, zero-padded to exactly |num| bytes */ 209 unsigned char *em = NULL; | 1/* crypto/rsa/rsa_pk1.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * --- 193 unchanged lines hidden (view full) --- 202 203int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, 204 const unsigned char *from, int flen, 205 int num) 206{ 207 int i; 208 /* |em| is the encoded message, zero-padded to exactly |num| bytes */ 209 unsigned char *em = NULL; |
210 unsigned int good, found_zero_byte; | 210 unsigned int good, found_zero_byte, mask; |
211 int zero_index = 0, msg_index, mlen = -1; 212 213 if (tlen < 0 || flen < 0) 214 return -1; 215 216 /* 217 * PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography Standard", 218 * section 7.2.2. 219 */ 220 | 211 int zero_index = 0, msg_index, mlen = -1; 212 213 if (tlen < 0 || flen < 0) 214 return -1; 215 216 /* 217 * PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography Standard", 218 * section 7.2.2. 219 */ 220 |
221 if (flen > num) 222 goto err; | 221 if (flen > num || num < 11) { 222 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, 223 RSA_R_PKCS_DECODING_ERROR); 224 return -1; 225 } |
223 | 226 |
224 if (num < 11) 225 goto err; 226 227 if (flen != num) { 228 em = OPENSSL_malloc(num); 229 if (em == NULL) { 230 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); 231 return -1; 232 } 233 /* 234 * Caller is encouraged to pass zero-padded message created with 235 * BN_bn2binpad, but if it doesn't, we do this zero-padding copy 236 * to avoid leaking that information. The copy still leaks some 237 * side-channel information, but it's impossible to have a fixed 238 * memory access pattern since we can't read out of the bounds of 239 * |from|. 240 */ 241 memset(em, 0, num); 242 memcpy(em + num - flen, from, flen); 243 from = em; | 227 em = OPENSSL_malloc(num); 228 if (em == NULL) { 229 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); 230 return -1; |
244 } | 231 } |
232 /* 233 * Caller is encouraged to pass zero-padded message created with 234 * BN_bn2binpad. Trouble is that since we can't read out of |from|'s 235 * bounds, it's impossible to have an invariant memory access pattern 236 * in case |from| was not zero-padded in advance. 237 */ 238 for (from += flen, em += num, i = 0; i < num; i++) { 239 mask = ~constant_time_is_zero(flen); 240 flen -= 1 & mask; 241 from -= 1 & mask; 242 *--em = *from & mask; 243 } 244 from = em; |
|
245 246 good = constant_time_is_zero(from[0]); 247 good &= constant_time_eq(from[1], 2); 248 | 245 246 good = constant_time_is_zero(from[0]); 247 good &= constant_time_eq(from[1], 2); 248 |
249 /* scan over padding data */ |
|
249 found_zero_byte = 0; 250 for (i = 2; i < num; i++) { 251 unsigned int equals0 = constant_time_is_zero(from[i]); | 250 found_zero_byte = 0; 251 for (i = 2; i < num; i++) { 252 unsigned int equals0 = constant_time_is_zero(from[i]); |
252 zero_index = 253 constant_time_select_int(~found_zero_byte & equals0, i, 254 zero_index); | 253 254 zero_index = constant_time_select_int(~found_zero_byte & equals0, 255 i, zero_index); |
255 found_zero_byte |= equals0; 256 } 257 258 /* 259 * PS must be at least 8 bytes long, and it starts two bytes into |from|. 260 * If we never found a 0-byte, then |zero_index| is 0 and the check 261 * also fails. 262 */ | 256 found_zero_byte |= equals0; 257 } 258 259 /* 260 * PS must be at least 8 bytes long, and it starts two bytes into |from|. 261 * If we never found a 0-byte, then |zero_index| is 0 and the check 262 * also fails. 263 */ |
263 good &= constant_time_ge((unsigned int)(zero_index), 2 + 8); | 264 good &= constant_time_ge(zero_index, 2 + 8); |
264 265 /* 266 * Skip the zero byte. This is incorrect if we never found a zero-byte 267 * but in this case we also do not copy the message out. 268 */ 269 msg_index = zero_index + 1; 270 mlen = num - msg_index; 271 272 /* | 265 266 /* 267 * Skip the zero byte. This is incorrect if we never found a zero-byte 268 * but in this case we also do not copy the message out. 269 */ 270 msg_index = zero_index + 1; 271 mlen = num - msg_index; 272 273 /* |
273 * For good measure, do this check in constant time as well; it could 274 * leak something if |tlen| was assuming valid padding. | 274 * For good measure, do this check in constant time as well. |
275 */ | 275 */ |
276 good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen)); | 276 good &= constant_time_ge(tlen, mlen); |
277 278 /* | 277 278 /* |
279 * We can't continue in constant-time because we need to copy the result 280 * and we cannot fake its length. This unavoidably leaks timing 281 * information at the API boundary. | 279 * Even though we can't fake result's length, we can pretend copying 280 * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| 281 * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, 282 * where |mlen'| is "saturated" |mlen| value. Deducing information 283 * about failure or |mlen| would take attacker's ability to observe 284 * memory access pattern with byte granularity *as it occurs*. It 285 * should be noted that failure is indistinguishable from normal 286 * operation if |tlen| is fixed by protocol. |
282 */ | 287 */ |
283 if (!good) { 284 mlen = -1; 285 goto err; | 288 tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); 289 msg_index = constant_time_select_int(good, msg_index, num - tlen); 290 mlen = num - msg_index; 291 for (from += msg_index, mask = good, i = 0; i < tlen; i++) { 292 unsigned int equals = constant_time_eq(i, mlen); 293 294 from -= tlen & equals; /* if (i == mlen) rewind */ 295 mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ 296 to[i] = constant_time_select_8(mask, from[i], to[i]); |
286 } 287 | 297 } 298 |
288 memcpy(to, from + msg_index, mlen); | 299 OPENSSL_cleanse(em, num); 300 OPENSSL_free(em); 301 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, RSA_R_PKCS_DECODING_ERROR); 302 err_clear_last_constant_time(1 & good); |
289 | 303 |
290 err: 291 if (em != NULL) { 292 OPENSSL_cleanse(em, num); 293 OPENSSL_free(em); 294 } 295 if (mlen == -1) 296 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, 297 RSA_R_PKCS_DECODING_ERROR); 298 return mlen; | 304 return constant_time_select_int(good, mlen, -1); |
299} | 305} |