Home Explore Help
Register Sign In
Apq
/
winscp
mirror of https://github.com/winscp/winscp.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: de8933c24a
Branches Tags
winscp
/
openssl
/
crypto
/
rsa
/
rsa_oaep.c

rsa_oaep.c 6.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233 
  1. /* crypto/rsa/rsa_oaep.c */
    2. 

  2. /* Written by Ulf Moeller. This software is distributed on an "AS IS"
    3. 

  3.    basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
    4. 

  4. 

  5. /* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
    6. 

  6. 

  7. /* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
    8. 

  8.  * <URL: http://www.shoup.net/papers/oaep.ps.Z>
    9. 

  9.  * for problems with the security proof for the
    10. 

  10.  * original OAEP scheme, which EME-OAEP is based on.
    11. 

  11.  * 
    12. 

  12.  * A new proof can be found in E. Fujisaki, T. Okamoto,
    13. 

  13.  * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
    14. 

  14.  * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
    15. 

  15.  * The new proof has stronger requirements for the
    16. 

  16.  * underlying permutation: "partial-one-wayness" instead
    17. 

  17.  * of one-wayness.  For the RSA function, this is
    18. 

  18.  * an equivalent notion.
    19. 

  19.  */
    20. 

  20. 

  21. 

  22. #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
    23. 

  23. #include <stdio.h>
    24. 

  24. #include "cryptlib.h"
    25. 

  25. #include <openssl/bn.h>
    26. 

  26. #include <openssl/rsa.h>
    27. 

  27. #include <openssl/evp.h>
    28. 

  28. #include <openssl/rand.h>
    29. 

  29. #include <openssl/sha.h>
    30. 

  30. 

  31. static int MGF1(unsigned char *mask, long len,
    32. 

  32. 	const unsigned char *seed, long seedlen);
    33. 

  33. 

  34. int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
    35. 

  35. 	const unsigned char *from, int flen,
    36. 

  36. 	const unsigned char *param, int plen)
    37. 

  37. 	{
    38. 

  38. 	int i, emlen = tlen - 1;
    39. 

  39. 	unsigned char *db, *seed;
    40. 

  40. 	unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
    41. 

  41. 

  42. 	if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
    43. 

  43. 		{
    44. 

  44. 		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
    45. 

  45. 		   RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
    46. 

  46. 		return 0;
    47. 

  47. 		}
    48. 

  48. 

  49. 	if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
    50. 

  50. 		{
    51. 

  51. 		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
    52. 

  52. 		return 0;
    53. 

  53. 		}
    54. 

  54. 

  55. 	to[0] = 0;
    56. 

  56. 	seed = to + 1;
    57. 

  57. 	db = to + SHA_DIGEST_LENGTH + 1;
    58. 

  58. 

  59. 	EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL);
    60. 

  60. 	memset(db + SHA_DIGEST_LENGTH, 0,
    61. 

  61. 		emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
    62. 

  62. 	db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
    63. 

  63. 	memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
    64. 

  64. 	if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
    65. 

  65. 		return 0;
    66. 

  66. #ifdef PKCS_TESTVECT
    67. 

  67. 	memcpy(seed,
    68. 

  68. 	   "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
    69. 

  69. 	   20);
    70. 

  70. #endif
    71. 

  71. 

  72. 	dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
    73. 

  73. 	if (dbmask == NULL)
    74. 

  74. 		{
    75. 

  75. 		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
    76. 

  76. 		return 0;
    77. 

  77. 		}
    78. 

  78. 

  79. 	if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH) < 0)
    80. 

  80. 		return 0;
    81. 

  81. 	for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
    82. 

  82. 		db[i] ^= dbmask[i];
    83. 

  83. 

  84. 	if (MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH) < 0)
    85. 

  85. 		return 0;
    86. 

  86. 	for (i = 0; i < SHA_DIGEST_LENGTH; i++)
    87. 

  87. 		seed[i] ^= seedmask[i];
    88. 

  88. 

  89. 	OPENSSL_free(dbmask);
    90. 

  90. 	return 1;
    91. 

  91. 	}
    92. 

  92. 

  93. int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
    94. 

  94. 	const unsigned char *from, int flen, int num,
    95. 

  95. 	const unsigned char *param, int plen)
    96. 

  96. 	{
    97. 

  97. 	int i, dblen, mlen = -1;
    98. 

  98. 	const unsigned char *maskeddb;
    99. 

  99. 	int lzero;
    100. 

  100. 	unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
    101. 

  101. 	unsigned char *padded_from;
    102. 

  102. 	int bad = 0;
    103. 

  103. 

  104. 	if (--num < 2 * SHA_DIGEST_LENGTH + 1)
    105. 

  105. 		/* 'num' is the length of the modulus, i.e. does not depend on the
    106. 

  106. 		 * particular ciphertext. */
    107. 

  107. 		goto decoding_err;
    108. 

  108. 

  109. 	lzero = num - flen;
    110. 

  110. 	if (lzero < 0)
    111. 

  111. 		{
    112. 

  112. 		/* signalling this error immediately after detection might allow
    113. 

  113. 		 * for side-channel attacks (e.g. timing if 'plen' is huge
    114. 

  114. 		 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
    115. 

  115. 		 * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
    116. 

  116. 		 * so we use a 'bad' flag */
    117. 

  117. 		bad = 1;
    118. 

  118. 		lzero = 0;
    119. 

  119. 		flen = num; /* don't overflow the memcpy to padded_from */
    120. 

  120. 		}
    121. 

  121. 

  122. 	dblen = num - SHA_DIGEST_LENGTH;
    123. 

  123. 	db = OPENSSL_malloc(dblen + num);
    124. 

  124. 	if (db == NULL)
    125. 

  125. 		{
    126. 

  126. 		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
    127. 

  127. 		return -1;
    128. 

  128. 		}
    129. 

  129. 

  130. 	/* Always do this zero-padding copy (even when lzero == 0)
    131. 

  131. 	 * to avoid leaking timing info about the value of lzero. */
    132. 

  132. 	padded_from = db + dblen;
    133. 

  133. 	memset(padded_from, 0, lzero);
    134. 

  134. 	memcpy(padded_from + lzero, from, flen);
    135. 

  135. 

  136. 	maskeddb = padded_from + SHA_DIGEST_LENGTH;
    137. 

  137. 

  138. 	if (MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen))
    139. 

  139. 		return -1;
    140. 

  140. 	for (i = 0; i < SHA_DIGEST_LENGTH; i++)
    141. 

  141. 		seed[i] ^= padded_from[i];
    142. 

  142.   
    143. 

  143. 	if (MGF1(db, dblen, seed, SHA_DIGEST_LENGTH))
    144. 

  144. 		return -1;
    145. 

  145. 	for (i = 0; i < dblen; i++)
    146. 

  146. 		db[i] ^= maskeddb[i];
    147. 

  147. 

  148. 	EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL);
    149. 

  149. 

  150. 	if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
    151. 

  151. 		goto decoding_err;
    152. 

  152. 	else
    153. 

  153. 		{
    154. 

  154. 		for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
    155. 

  155. 			if (db[i] != 0x00)
    156. 

  156. 				break;
    157. 

  157. 		if (i == dblen || db[i] != 0x01)
    158. 

  158. 			goto decoding_err;
    159. 

  159. 		else
    160. 

  160. 			{
    161. 

  161. 			/* everything looks OK */
    162. 

  162. 

  163. 			mlen = dblen - ++i;
    164. 

  164. 			if (tlen < mlen)
    165. 

  165. 				{
    166. 

  166. 				RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
    167. 

  167. 				mlen = -1;
    168. 

  168. 				}
    169. 

  169. 			else
    170. 

  170. 				memcpy(to, db + i, mlen);
    171. 

  171. 			}
    172. 

  172. 		}
    173. 

  173. 	OPENSSL_free(db);
    174. 

  174. 	return mlen;
    175. 

  175. 

  176. decoding_err:
    177. 

  177. 	/* to avoid chosen ciphertext attacks, the error message should not reveal
    178. 

  178. 	 * which kind of decoding error happened */
    179. 

  179. 	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
    180. 

  180. 	if (db != NULL) OPENSSL_free(db);
    181. 

  181. 	return -1;
    182. 

  182. 	}
    183. 

  183. 

  184. int PKCS1_MGF1(unsigned char *mask, long len,
    185. 

  185. 	const unsigned char *seed, long seedlen, const EVP_MD *dgst)
    186. 

  186. 	{
    187. 

  187. 	long i, outlen = 0;
    188. 

  188. 	unsigned char cnt[4];
    189. 

  189. 	EVP_MD_CTX c;
    190. 

  190. 	unsigned char md[EVP_MAX_MD_SIZE];
    191. 

  191. 	int mdlen;
    192. 

  192. 	int rv = -1;
    193. 

  193. 

  194. 	EVP_MD_CTX_init(&c);
    195. 

  195. 	mdlen = EVP_MD_size(dgst);
    196. 

  196. 	if (mdlen < 0)
    197. 

  197. 		goto err;
    198. 

  198. 	for (i = 0; outlen < len; i++)
    199. 

  199. 		{
    200. 

  200. 		cnt[0] = (unsigned char)((i >> 24) & 255);
    201. 

  201. 		cnt[1] = (unsigned char)((i >> 16) & 255);
    202. 

  202. 		cnt[2] = (unsigned char)((i >> 8)) & 255;
    203. 

  203. 		cnt[3] = (unsigned char)(i & 255);
    204. 

  204. 		if (!EVP_DigestInit_ex(&c,dgst, NULL)
    205. 

  205. 			|| !EVP_DigestUpdate(&c, seed, seedlen)
    206. 

  206. 			|| !EVP_DigestUpdate(&c, cnt, 4))
    207. 

  207. 			goto err;
    208. 

  208. 		if (outlen + mdlen <= len)
    209. 

  209. 			{
    210. 

  210. 			if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL))
    211. 

  211. 				goto err;
    212. 

  212. 			outlen += mdlen;
    213. 

  213. 			}
    214. 

  214. 		else
    215. 

  215. 			{
    216. 

  216. 			if (!EVP_DigestFinal_ex(&c, md, NULL))
    217. 

  217. 				goto err;
    218. 

  218. 			memcpy(mask + outlen, md, len - outlen);
    219. 

  219. 			outlen = len;
    220. 

  220. 			}
    221. 

  221. 		}
    222. 

  222. 	rv = 0;
    223. 

  223. 	err:
    224. 

  224. 	EVP_MD_CTX_cleanup(&c);
    225. 

  225. 	return rv;
    226. 

  226. 	}
    227. 

  227. 

  228. static int MGF1(unsigned char *mask, long len, const unsigned char *seed,
    229. 

  229. 		 long seedlen)
    230. 

  230. 	{
    231. 

  231. 	return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
    232. 

  232. 	}
    233. 

  233. #endif
    234.