/* Blame summary for this listing: the "constant_time_locl.h" include and the
 * constant-time body of RSA_padding_check_PKCS1_type_2 are attributed to
 * commit c64f6fe2be99cb3fa8e491b5bede9a217de87a4c (Kenny Root); all other
 * lines to commit 656d9c7f52f88b3a3daccafa7655dec086c4756e
 * (The Android Open Source Project). */

/* crypto/rsa/rsa_pk1.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

#include "constant_time_locl.h"

#include <stdio.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>

int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
	     const unsigned char *from, int flen)
	{
	int j;
	unsigned char *p;

	if (flen > (tlen-RSA_PKCS1_PADDING_SIZE))
		{
		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
		return(0);
		}

	p=(unsigned char *)to;

	*(p++)=0;
	*(p++)=1; /* Private Key BT (Block Type) */

	/* pad out with 0xff data */
	j=tlen-3-flen;
	memset(p,0xff,j);
	p+=j;
	*(p++)='\0';
	memcpy(p,from,(unsigned int)flen);
	return(1);
	}

int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
	     const unsigned char *from, int flen, int num)
	{
	int i,j;
	const unsigned char *p;

	p=from;
	if ((num != (flen+1)) || (*(p++) != 01))
		{
		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BLOCK_TYPE_IS_NOT_01);
		return(-1);
		}

	/* scan over padding data */
	j=flen-1; /* one for type. */
	for (i=0; i<j; i++)
		{
		if (*p != 0xff) /* should decrypt to 0xff */
			{
			if (*p == 0)
				{ p++; break; }
			else	{
				RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_FIXED_HEADER_DECRYPT);
				return(-1);
				}
			}
		p++;
		}

	if (i == j)
		{
		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_NULL_BEFORE_BLOCK_MISSING);
		return(-1);
		}

	if (i < 8)
		{
		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_PAD_BYTE_COUNT);
		return(-1);
		}
	i++; /* Skip over the '\0' */
	j-=i;
	if (j > tlen)
		{
		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE);
		return(-1);
		}
	memcpy(to,p,(unsigned int)j);

	return(j);
	}

int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
	     const unsigned char *from, int flen)
	{
	int i,j;
	unsigned char *p;

	if (flen > (tlen-11))
		{
		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
		return(0);
		}

	p=(unsigned char *)to;

	*(p++)=0;
	*(p++)=2; /* Public Key BT (Block Type) */

	/* pad out with non-zero random data */
	j=tlen-3-flen;

	if (RAND_bytes(p,j) <= 0)
		return(0);
	for (i=0; i<j; i++)
		{
		if (*p == '\0')
			do	{
				if (RAND_bytes(p,1) <= 0)
					return(0);
				} while (*p == '\0');
		p++;
		}

	*(p++)='\0';

	memcpy(p,from,(unsigned int)flen);
	return(1);
	}

int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
	     const unsigned char *from, int flen, int num)
	{
	int i;
	/* |em| is the encoded message, zero-padded to exactly |num| bytes */
	unsigned char *em = NULL;
	unsigned int good, found_zero_byte;
	int zero_index = 0, msg_index, mlen = -1;

	if (tlen < 0 || flen < 0)
		return -1;

	/* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
	 * Standard", section 7.2.2. */

	if (flen > num)
		goto err;

	if (num < 11)
		goto err;

	em = OPENSSL_malloc(num);
	if (em == NULL)
		{
		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
		return -1;
		}
	memset(em, 0, num);
	/*
	 * Always do this zero-padding copy (even when num == flen) to avoid
	 * leaking that information. The copy still leaks some side-channel
	 * information, but it's impossible to have a fixed memory access
	 * pattern since we can't read out of the bounds of |from|.
	 *
	 * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL.
	 */
	memcpy(em + num - flen, from, flen);

	good = constant_time_is_zero(em[0]);
	good &= constant_time_eq(em[1], 2);

	found_zero_byte = 0;
	for (i = 2; i < num; i++)
		{
		unsigned int equals0 = constant_time_is_zero(em[i]);
		zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index);
		found_zero_byte |= equals0;
		}

	/*
	 * PS must be at least 8 bytes long, and it starts two bytes into |em|.
	 * If we never found a 0-byte, then |zero_index| is 0 and the check
	 * also fails.
	 */
	good &= constant_time_ge((unsigned int)(zero_index), 2 + 8);

	/* Skip the zero byte. This is incorrect if we never found a zero-byte
	 * but in this case we also do not copy the message out. */
	msg_index = zero_index + 1;
	mlen = num - msg_index;

	/* For good measure, do this check in constant time as well; it could
	 * leak something if |tlen| was assuming valid padding. */
	good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen));

	/*
	 * We can't continue in constant-time because we need to copy the result
	 * and we cannot fake its length. This unavoidably leaks timing
	 * information at the API boundary.
	 * TODO(emilia): this could be addressed at the call site,
	 * see BoringSSL commit 0aa0767340baf925bda4804882aab0cb974b2d26.
	 */
	if (!good)
		{
		mlen = -1;
		goto err;
		}

	memcpy(to, em + msg_index, mlen);

err:
	if (em != NULL)
		OPENSSL_free(em);
	if (mlen == -1)
		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, RSA_R_PKCS_DECODING_ERROR);
	return mlen;
	}
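
/* Added example, not part of rsa_pk1.c or of OpenSSL: an early-exit scan of a
 * type 2 block next to the mask-based scan used by
 * RSA_padding_check_PKCS1_type_2 above, run over constructed blocks to show
 * that only the former reads a data-dependent number of bytes.
 * Assumptions: the ct_* helpers are stand-ins for constant_time_locl.h, which
 * this page does not show; build_em, bytes_read and both scan functions are
 * hypothetical names. */

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for constant_time_locl.h: all-ones mask = true, 0 = false. */
static uint32_t ct_msb(uint32_t x) { return (uint32_t)0 - (x >> 31); }
static uint32_t ct_is_zero(uint32_t x) { return ct_msb(~x & (x - 1)); }
static uint32_t ct_eq(uint32_t a, uint32_t b) { return ct_is_zero(a ^ b); }
static uint32_t ct_lt(uint32_t a, uint32_t b)
{
    return ct_msb(a ^ ((a ^ b) | ((a - b) ^ b)));
}
static uint32_t ct_ge(uint32_t a, uint32_t b) { return ~ct_lt(a, b); }
static uint32_t ct_select(uint32_t mask, uint32_t a, uint32_t b)
{
    return (mask & a) | (~mask & b);
}

/* Constructed sample: 00 || bt || PS (ps_len bytes of 0xA5) || 00 || 'M'...
 * Requires ps_len <= num - 2; with ps_len == num - 2 there is no separator. */
void build_em(unsigned char *em, int num, int ps_len, unsigned char bt)
{
    memset(em, 'M', (size_t)num);
    em[0] = 0;
    em[1] = bt;
    memset(em + 2, 0xA5, (size_t)ps_len);
    if (2 + ps_len < num)
        em[2 + ps_len] = 0;
}

/* Early-exit scan: *bytes_read depends on where the block goes wrong. */
int naive_type2_index(const unsigned char *em, int num, int *bytes_read)
{
    int i;
    *bytes_read = 0;
    if (num < 11) return -1;
    *bytes_read = 2;
    if (em[0] != 0 || em[1] != 2) return -1;
    for (i = 2; i < num && em[i] != 0; i++)
        ;
    *bytes_read = (i < num) ? i + 1 : num;
    if (i == num || i < 2 + 8) return -1;
    return i + 1;                       /* index of first message byte */
}

/* Mask-based scan: every byte is read and every check folds into |good|. */
int ct_type2_index(const unsigned char *em, int num, int *bytes_read)
{
    uint32_t good, found = 0, zero_index = 0;
    int i;
    *bytes_read = 0;
    if (num < 11) return -1;            /* num is the public modulus size */
    good = ct_is_zero(em[0]) & ct_eq(em[1], 2);
    for (i = 2; i < num; i++) {
        uint32_t eq0 = ct_is_zero(em[i]);
        zero_index = ct_select(~found & eq0, (uint32_t)i, zero_index);
        found |= eq0;
    }
    *bytes_read = num;
    good &= ct_ge(zero_index, 2 + 8);   /* PS >= 8 bytes; also fails if no 0 */
    /* Single branch at the end, as in the function above (API boundary). */
    return good ? (int)(zero_index + 1) : -1;
}

int main(void)
{
    /* {ps_len, block type}: valid, long PS, wrong type, short PS, no 0 byte */
    static const int cases[5][2] = { {8, 2}, {20, 2}, {8, 1}, {7, 2}, {30, 2} };
    unsigned char em[32];
    int k, n1, n2, r1, r2;
    for (k = 0; k < 5; k++) {
        build_em(em, 32, cases[k][0], (unsigned char)cases[k][1]);
        r1 = naive_type2_index(em, 32, &n1);
        r2 = ct_type2_index(em, 32, &n2);
        printf("ps=%2d bt=%d  early-exit idx=%2d read=%2d  mask idx=%2d read=%2d\n",
               cases[k][0], cases[k][1], r1, n1, r2, n2);
    }
    return 0;
}
```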