1 /* $OpenBSD: rsa_oaep.c,v 1.26 2017/01/29 17:49:23 beck Exp $ */
2 /* Written by Ulf Moeller. This software is distributed on an "AS IS"
3 basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
5 /* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
7 /* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
8 * <URL: http://www.shoup.net/papers/oaep.ps.Z>
9 * for problems with the security proof for the
10 * original OAEP scheme, which EME-OAEP is based on.
12 * A new proof can be found in E. Fujisaki, T. Okamoto,
13 * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
14 * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
15 * The new proof has stronger requirements for the
16 * underlying permutation: "partial-one-wayness" instead
17 * of one-wayness. For the RSA function, this is
18 * an equivalent notion.
25 #include <openssl/opensslconf.h>
27 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
29 #include <openssl/bn.h>
30 #include <openssl/err.h>
31 #include <openssl/evp.h>
32 #include <openssl/rsa.h>
33 #include <openssl/sha.h>
35 static int MGF1(unsigned char *mask
, long len
, const unsigned char *seed
,
39 RSA_padding_add_PKCS1_OAEP(unsigned char *to
, int tlen
,
40 const unsigned char *from
, int flen
, const unsigned char *param
, int plen
)
42 int i
, emlen
= tlen
- 1;
43 unsigned char *db
, *seed
;
44 unsigned char *dbmask
, seedmask
[SHA_DIGEST_LENGTH
];
46 if (flen
> emlen
- 2 * SHA_DIGEST_LENGTH
- 1) {
47 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
);
51 if (emlen
< 2 * SHA_DIGEST_LENGTH
+ 1) {
52 RSAerror(RSA_R_KEY_SIZE_TOO_SMALL
);
58 db
= to
+ SHA_DIGEST_LENGTH
+ 1;
60 if (!EVP_Digest((void *)param
, plen
, db
, NULL
, EVP_sha1(), NULL
))
62 memset(db
+ SHA_DIGEST_LENGTH
, 0,
63 emlen
- flen
- 2 * SHA_DIGEST_LENGTH
- 1);
64 db
[emlen
- flen
- SHA_DIGEST_LENGTH
- 1] = 0x01;
65 memcpy(db
+ emlen
- flen
- SHA_DIGEST_LENGTH
, from
, flen
);
66 arc4random_buf(seed
, SHA_DIGEST_LENGTH
);
68 dbmask
= malloc(emlen
- SHA_DIGEST_LENGTH
);
70 RSAerror(ERR_R_MALLOC_FAILURE
);
74 if (MGF1(dbmask
, emlen
- SHA_DIGEST_LENGTH
, seed
,
75 SHA_DIGEST_LENGTH
) < 0)
77 for (i
= 0; i
< emlen
- SHA_DIGEST_LENGTH
; i
++)
80 if (MGF1(seedmask
, SHA_DIGEST_LENGTH
, db
,
81 emlen
- SHA_DIGEST_LENGTH
) < 0)
83 for (i
= 0; i
< SHA_DIGEST_LENGTH
; i
++)
84 seed
[i
] ^= seedmask
[i
];
91 RSA_padding_check_PKCS1_OAEP(unsigned char *to
, int tlen
,
92 const unsigned char *from
, int flen
, int num
, const unsigned char *param
,
95 int i
, dblen
, mlen
= -1;
96 const unsigned char *maskeddb
;
98 unsigned char *db
= NULL
;
99 unsigned char seed
[SHA_DIGEST_LENGTH
], phash
[SHA_DIGEST_LENGTH
];
100 unsigned char *padded_from
;
103 if (--num
< 2 * SHA_DIGEST_LENGTH
+ 1)
105 * 'num' is the length of the modulus, i.e. does not depend
106 * on the particular ciphertext.
113 * signalling this error immediately after detection might allow
114 * for side-channel attacks (e.g. timing if 'plen' is huge
115 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA
116 * Optimal Asymmetric Encryption Padding (OAEP) [...]",
117 * CRYPTO 2001), so we use a 'bad' flag
121 flen
= num
; /* don't overflow the memcpy to padded_from */
124 dblen
= num
- SHA_DIGEST_LENGTH
;
125 db
= malloc(dblen
+ num
);
127 RSAerror(ERR_R_MALLOC_FAILURE
);
132 * Always do this zero-padding copy (even when lzero == 0)
133 * to avoid leaking timing info about the value of lzero.
135 padded_from
= db
+ dblen
;
136 memset(padded_from
, 0, lzero
);
137 memcpy(padded_from
+ lzero
, from
, flen
);
139 maskeddb
= padded_from
+ SHA_DIGEST_LENGTH
;
141 if (MGF1(seed
, SHA_DIGEST_LENGTH
, maskeddb
, dblen
))
143 for (i
= 0; i
< SHA_DIGEST_LENGTH
; i
++)
144 seed
[i
] ^= padded_from
[i
];
146 if (MGF1(db
, dblen
, seed
, SHA_DIGEST_LENGTH
))
148 for (i
= 0; i
< dblen
; i
++)
149 db
[i
] ^= maskeddb
[i
];
151 if (!EVP_Digest((void *)param
, plen
, phash
, NULL
, EVP_sha1(), NULL
))
154 if (timingsafe_memcmp(db
, phash
, SHA_DIGEST_LENGTH
) != 0 || bad
)
157 for (i
= SHA_DIGEST_LENGTH
; i
< dblen
; i
++)
160 if (i
== dblen
|| db
[i
] != 0x01)
163 /* everything looks OK */
167 RSAerror(RSA_R_DATA_TOO_LARGE
);
170 memcpy(to
, db
+ i
, mlen
);
178 * To avoid chosen ciphertext attacks, the error message should not
179 * reveal which kind of decoding error happened
181 RSAerror(RSA_R_OAEP_DECODING_ERROR
);
187 PKCS1_MGF1(unsigned char *mask
, long len
, const unsigned char *seed
,
188 long seedlen
, const EVP_MD
*dgst
)
191 unsigned char cnt
[4];
193 unsigned char md
[EVP_MAX_MD_SIZE
];
198 mdlen
= EVP_MD_size(dgst
);
201 for (i
= 0; outlen
< len
; i
++) {
202 cnt
[0] = (unsigned char)((i
>> 24) & 255);
203 cnt
[1] = (unsigned char)((i
>> 16) & 255);
204 cnt
[2] = (unsigned char)((i
>> 8)) & 255;
205 cnt
[3] = (unsigned char)(i
& 255);
206 if (!EVP_DigestInit_ex(&c
, dgst
, NULL
) ||
207 !EVP_DigestUpdate(&c
, seed
, seedlen
) ||
208 !EVP_DigestUpdate(&c
, cnt
, 4))
210 if (outlen
+ mdlen
<= len
) {
211 if (!EVP_DigestFinal_ex(&c
, mask
+ outlen
, NULL
))
215 if (!EVP_DigestFinal_ex(&c
, md
, NULL
))
217 memcpy(mask
+ outlen
, md
, len
- outlen
);
223 EVP_MD_CTX_cleanup(&c
);
228 MGF1(unsigned char *mask
, long len
, const unsigned char *seed
, long seedlen
)
230 return PKCS1_MGF1(mask
, len
, seed
, seedlen
, EVP_sha1());