10Sstevel@tonic-gate /* crypto/rsa/rsa_oaep.c */
20Sstevel@tonic-gate /* Written by Ulf Moeller. This software is distributed on an "AS IS"
30Sstevel@tonic-gate basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
40Sstevel@tonic-gate
50Sstevel@tonic-gate /* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
60Sstevel@tonic-gate
70Sstevel@tonic-gate /* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
80Sstevel@tonic-gate * <URL: http://www.shoup.net/papers/oaep.ps.Z>
90Sstevel@tonic-gate * for problems with the security proof for the
100Sstevel@tonic-gate * original OAEP scheme, which EME-OAEP is based on.
110Sstevel@tonic-gate *
120Sstevel@tonic-gate * A new proof can be found in E. Fujisaki, T. Okamoto,
130Sstevel@tonic-gate * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
140Sstevel@tonic-gate * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
150Sstevel@tonic-gate * The new proof has stronger requirements for the
160Sstevel@tonic-gate * underlying permutation: "partial-one-wayness" instead
170Sstevel@tonic-gate * of one-wayness. For the RSA function, this is
180Sstevel@tonic-gate * an equivalent notion.
190Sstevel@tonic-gate */
200Sstevel@tonic-gate
210Sstevel@tonic-gate
220Sstevel@tonic-gate #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
230Sstevel@tonic-gate #include <stdio.h>
240Sstevel@tonic-gate #include "cryptlib.h"
250Sstevel@tonic-gate #include <openssl/bn.h>
260Sstevel@tonic-gate #include <openssl/rsa.h>
270Sstevel@tonic-gate #include <openssl/evp.h>
280Sstevel@tonic-gate #include <openssl/rand.h>
290Sstevel@tonic-gate #include <openssl/sha.h>
300Sstevel@tonic-gate
310Sstevel@tonic-gate int MGF1(unsigned char *mask, long len,
320Sstevel@tonic-gate const unsigned char *seed, long seedlen);
330Sstevel@tonic-gate
RSA_padding_add_PKCS1_OAEP(unsigned char * to,int tlen,const unsigned char * from,int flen,const unsigned char * param,int plen)340Sstevel@tonic-gate int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
350Sstevel@tonic-gate const unsigned char *from, int flen,
360Sstevel@tonic-gate const unsigned char *param, int plen)
370Sstevel@tonic-gate {
380Sstevel@tonic-gate int i, emlen = tlen - 1;
390Sstevel@tonic-gate unsigned char *db, *seed;
400Sstevel@tonic-gate unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
410Sstevel@tonic-gate
420Sstevel@tonic-gate if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
430Sstevel@tonic-gate {
440Sstevel@tonic-gate RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
450Sstevel@tonic-gate RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
460Sstevel@tonic-gate return 0;
470Sstevel@tonic-gate }
480Sstevel@tonic-gate
490Sstevel@tonic-gate if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
500Sstevel@tonic-gate {
510Sstevel@tonic-gate RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
520Sstevel@tonic-gate return 0;
530Sstevel@tonic-gate }
540Sstevel@tonic-gate
550Sstevel@tonic-gate dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
560Sstevel@tonic-gate if (dbmask == NULL)
570Sstevel@tonic-gate {
580Sstevel@tonic-gate RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
590Sstevel@tonic-gate return 0;
600Sstevel@tonic-gate }
610Sstevel@tonic-gate
620Sstevel@tonic-gate to[0] = 0;
630Sstevel@tonic-gate seed = to + 1;
640Sstevel@tonic-gate db = to + SHA_DIGEST_LENGTH + 1;
650Sstevel@tonic-gate
660Sstevel@tonic-gate EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL);
670Sstevel@tonic-gate memset(db + SHA_DIGEST_LENGTH, 0,
680Sstevel@tonic-gate emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
690Sstevel@tonic-gate db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
700Sstevel@tonic-gate memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
710Sstevel@tonic-gate if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
720Sstevel@tonic-gate return 0;
730Sstevel@tonic-gate #ifdef PKCS_TESTVECT
740Sstevel@tonic-gate memcpy(seed,
750Sstevel@tonic-gate "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
760Sstevel@tonic-gate 20);
770Sstevel@tonic-gate #endif
780Sstevel@tonic-gate
790Sstevel@tonic-gate MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
800Sstevel@tonic-gate for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
810Sstevel@tonic-gate db[i] ^= dbmask[i];
820Sstevel@tonic-gate
830Sstevel@tonic-gate MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
840Sstevel@tonic-gate for (i = 0; i < SHA_DIGEST_LENGTH; i++)
850Sstevel@tonic-gate seed[i] ^= seedmask[i];
860Sstevel@tonic-gate
870Sstevel@tonic-gate OPENSSL_free(dbmask);
880Sstevel@tonic-gate return 1;
890Sstevel@tonic-gate }
900Sstevel@tonic-gate
RSA_padding_check_PKCS1_OAEP(unsigned char * to,int tlen,const unsigned char * from,int flen,int num,const unsigned char * param,int plen)910Sstevel@tonic-gate int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
920Sstevel@tonic-gate const unsigned char *from, int flen, int num,
930Sstevel@tonic-gate const unsigned char *param, int plen)
940Sstevel@tonic-gate {
950Sstevel@tonic-gate int i, dblen, mlen = -1;
960Sstevel@tonic-gate const unsigned char *maskeddb;
970Sstevel@tonic-gate int lzero;
980Sstevel@tonic-gate unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
990Sstevel@tonic-gate int bad = 0;
1000Sstevel@tonic-gate
1010Sstevel@tonic-gate if (--num < 2 * SHA_DIGEST_LENGTH + 1)
1020Sstevel@tonic-gate /* 'num' is the length of the modulus, i.e. does not depend on the
1030Sstevel@tonic-gate * particular ciphertext. */
1040Sstevel@tonic-gate goto decoding_err;
1050Sstevel@tonic-gate
1060Sstevel@tonic-gate lzero = num - flen;
1070Sstevel@tonic-gate if (lzero < 0)
1080Sstevel@tonic-gate {
1090Sstevel@tonic-gate /* lzero == -1 */
1100Sstevel@tonic-gate
1110Sstevel@tonic-gate /* signalling this error immediately after detection might allow
1120Sstevel@tonic-gate * for side-channel attacks (e.g. timing if 'plen' is huge
1130Sstevel@tonic-gate * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
1140Sstevel@tonic-gate * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
1150Sstevel@tonic-gate * so we use a 'bad' flag */
1160Sstevel@tonic-gate bad = 1;
1170Sstevel@tonic-gate lzero = 0;
1180Sstevel@tonic-gate }
1190Sstevel@tonic-gate maskeddb = from - lzero + SHA_DIGEST_LENGTH;
1200Sstevel@tonic-gate
1210Sstevel@tonic-gate dblen = num - SHA_DIGEST_LENGTH;
1220Sstevel@tonic-gate db = OPENSSL_malloc(dblen);
1230Sstevel@tonic-gate if (db == NULL)
1240Sstevel@tonic-gate {
125*2139Sjp161948 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
1260Sstevel@tonic-gate return -1;
1270Sstevel@tonic-gate }
1280Sstevel@tonic-gate
1290Sstevel@tonic-gate MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
1300Sstevel@tonic-gate for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
1310Sstevel@tonic-gate seed[i] ^= from[i - lzero];
1320Sstevel@tonic-gate
1330Sstevel@tonic-gate MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
1340Sstevel@tonic-gate for (i = 0; i < dblen; i++)
1350Sstevel@tonic-gate db[i] ^= maskeddb[i];
1360Sstevel@tonic-gate
1370Sstevel@tonic-gate EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL);
1380Sstevel@tonic-gate
1390Sstevel@tonic-gate if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
1400Sstevel@tonic-gate goto decoding_err;
1410Sstevel@tonic-gate else
1420Sstevel@tonic-gate {
1430Sstevel@tonic-gate for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
1440Sstevel@tonic-gate if (db[i] != 0x00)
1450Sstevel@tonic-gate break;
1460Sstevel@tonic-gate if (db[i] != 0x01 || i++ >= dblen)
1470Sstevel@tonic-gate goto decoding_err;
1480Sstevel@tonic-gate else
1490Sstevel@tonic-gate {
1500Sstevel@tonic-gate /* everything looks OK */
1510Sstevel@tonic-gate
1520Sstevel@tonic-gate mlen = dblen - i;
1530Sstevel@tonic-gate if (tlen < mlen)
1540Sstevel@tonic-gate {
1550Sstevel@tonic-gate RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
1560Sstevel@tonic-gate mlen = -1;
1570Sstevel@tonic-gate }
1580Sstevel@tonic-gate else
1590Sstevel@tonic-gate memcpy(to, db + i, mlen);
1600Sstevel@tonic-gate }
1610Sstevel@tonic-gate }
1620Sstevel@tonic-gate OPENSSL_free(db);
1630Sstevel@tonic-gate return mlen;
1640Sstevel@tonic-gate
1650Sstevel@tonic-gate decoding_err:
1660Sstevel@tonic-gate /* to avoid chosen ciphertext attacks, the error message should not reveal
1670Sstevel@tonic-gate * which kind of decoding error happened */
1680Sstevel@tonic-gate RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
1690Sstevel@tonic-gate if (db != NULL) OPENSSL_free(db);
1700Sstevel@tonic-gate return -1;
1710Sstevel@tonic-gate }
1720Sstevel@tonic-gate
PKCS1_MGF1(unsigned char * mask,long len,const unsigned char * seed,long seedlen,const EVP_MD * dgst)173*2139Sjp161948 int PKCS1_MGF1(unsigned char *mask, long len,
174*2139Sjp161948 const unsigned char *seed, long seedlen, const EVP_MD *dgst)
1750Sstevel@tonic-gate {
1760Sstevel@tonic-gate long i, outlen = 0;
1770Sstevel@tonic-gate unsigned char cnt[4];
1780Sstevel@tonic-gate EVP_MD_CTX c;
179*2139Sjp161948 unsigned char md[EVP_MAX_MD_SIZE];
180*2139Sjp161948 int mdlen;
1810Sstevel@tonic-gate
1820Sstevel@tonic-gate EVP_MD_CTX_init(&c);
183*2139Sjp161948 mdlen = EVP_MD_size(dgst);
1840Sstevel@tonic-gate for (i = 0; outlen < len; i++)
1850Sstevel@tonic-gate {
1860Sstevel@tonic-gate cnt[0] = (unsigned char)((i >> 24) & 255);
1870Sstevel@tonic-gate cnt[1] = (unsigned char)((i >> 16) & 255);
1880Sstevel@tonic-gate cnt[2] = (unsigned char)((i >> 8)) & 255;
1890Sstevel@tonic-gate cnt[3] = (unsigned char)(i & 255);
190*2139Sjp161948 EVP_DigestInit_ex(&c,dgst, NULL);
1910Sstevel@tonic-gate EVP_DigestUpdate(&c, seed, seedlen);
1920Sstevel@tonic-gate EVP_DigestUpdate(&c, cnt, 4);
193*2139Sjp161948 if (outlen + mdlen <= len)
1940Sstevel@tonic-gate {
1950Sstevel@tonic-gate EVP_DigestFinal_ex(&c, mask + outlen, NULL);
196*2139Sjp161948 outlen += mdlen;
1970Sstevel@tonic-gate }
1980Sstevel@tonic-gate else
1990Sstevel@tonic-gate {
2000Sstevel@tonic-gate EVP_DigestFinal_ex(&c, md, NULL);
2010Sstevel@tonic-gate memcpy(mask + outlen, md, len - outlen);
2020Sstevel@tonic-gate outlen = len;
2030Sstevel@tonic-gate }
2040Sstevel@tonic-gate }
2050Sstevel@tonic-gate EVP_MD_CTX_cleanup(&c);
2060Sstevel@tonic-gate return 0;
2070Sstevel@tonic-gate }
208*2139Sjp161948
MGF1(unsigned char * mask,long len,const unsigned char * seed,long seedlen)209*2139Sjp161948 int MGF1(unsigned char *mask, long len, const unsigned char *seed, long seedlen)
210*2139Sjp161948 {
211*2139Sjp161948 return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
212*2139Sjp161948 }
2130Sstevel@tonic-gate #endif
214