/* crypto/rsa/rsa_pk1.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
#include "constant_time_locl.h"

#include <stdio.h>
#include <string.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>
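/*
 * RSA_padding_add_PKCS1_type_1 - write a PKCS#1 v1.5 block type 1 encoding
 * of |from| into |to|.
 *
 * Layout produced (|tlen| bytes in total):
 *     0x00 || 0x01 || 0xff ... 0xff || 0x00 || from[0 .. flen-1]
 *
 * to    output buffer; exactly |tlen| bytes are written. The caller must
 *       supply at least that much space (not checkable from here).
 * tlen  size of the encoded block in bytes.
 * from  data to embed at the end of the block.
 * flen  number of bytes at |from|.
 *
 * Returns 1 on success. Returns 0 and queues
 * RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE when the lengths are unusable.
 */
int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
                                 const unsigned char *from, int flen)
{
    int pad_len;
    unsigned char *p = to;

    /*
     * Negative lengths are rejected explicitly: a negative |flen| would
     * satisfy the size comparison and then be converted to a huge count
     * by memset()/memcpy() below. Testing |tlen| first also keeps the
     * subtraction from overflowing for very small |tlen|.
     */
    if (flen < 0 || tlen < RSA_PKCS1_PADDING_SIZE ||
        flen > tlen - RSA_PKCS1_PADDING_SIZE) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,
               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        return 0;
    }

    *(p++) = 0;
    *(p++) = 1; /* Private Key BT (Block Type) */

    /*
     * pad out with 0xff data; three bytes of the block are the leading
     * 0x00, the block type and the 0x00 separator
     */
    pad_len = tlen - 3 - flen;
    memset(p, 0xff, (size_t)pad_len);
    p += pad_len;

    *(p++) = '\0'; /* separator between padding and payload */
    memcpy(p, from, (size_t)flen);
    return 1;
}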
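/*
 * RSA_padding_check_PKCS1_type_1 - validate a PKCS#1 v1.5 block type 1
 * encoding and copy its payload out.
 *
 * The block at |from| is expected WITHOUT the leading 0x00 byte, i.e. it
 * starts at the block-type byte and is one byte shorter than |num|:
 *     0x01 || 0xff ... 0xff (at least 8) || 0x00 || payload
 *
 * to    receives the payload.
 * tlen  capacity of |to|; a payload longer than this is rejected.
 * from  encoded block (see layout above).
 * flen  number of bytes at |from|.
 * num   full block size; must equal flen + 1.
 *
 * Returns the payload length, or -1 with an RSA error queued.
 *
 * NOTE(review): the scan exits early on the first non-0xff byte, so its
 * timing depends on the data. Presumably acceptable because type 1 blocks
 * are recovered with the public key -- confirm against the callers.
 */
int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
                                   const unsigned char *from, int flen, int num)
{
    int i, j;
    const unsigned char *p = from;

    /*
     * |flen| < 1 is tested first so that the block-type byte is never
     * read from an empty input (flen == 0 with num == 1 would otherwise
     * dereference |from| with nothing behind it).
     */
    if (flen < 1 || num != (flen + 1) || *(p++) != 01) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
               RSA_R_BLOCK_TYPE_IS_NOT_01);
        return -1;
    }

    /* scan over padding data */
    j = flen - 1; /* one for type. */
    for (i = 0; i < j; i++) {
        if (*p != 0xff) { /* should decrypt to 0xff */
            if (*p == 0) {
                /* separator found: step past it, |i| = number of 0xff bytes */
                p++;
                break;
            }
            RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
                   RSA_R_BAD_FIXED_HEADER_DECRYPT);
            return -1;
        }
        p++;
    }

    /* loop ran to completion: no 0x00 separator anywhere in the block */
    if (i == j) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
               RSA_R_NULL_BEFORE_BLOCK_MISSING);
        return -1;
    }

    /* fewer than 8 padding bytes is rejected */
    if (i < 8) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
               RSA_R_BAD_PAD_BYTE_COUNT);
        return -1;
    }

    i++; /* Skip over the '\0' */
    j -= i; /* what remains after padding and separator is the payload */

    /* never write more than the caller said |to| can hold */
    if (j > tlen) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, RSA_R_DATA_TOO_LARGE);
        return -1;
    }
    memcpy(to, p, (unsigned int)j);

    return j;
}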
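/*
 * RSA_padding_add_PKCS1_type_2 - write a PKCS#1 v1.5 block type 2 encoding
 * of |from| into |to|.
 *
 * Layout produced (|tlen| bytes in total):
 *     0x00 || 0x02 || non-zero random bytes || 0x00 || from[0 .. flen-1]
 *
 * to    output buffer; exactly |tlen| bytes are written on success. The
 *       caller must supply at least that much space.
 * tlen  size of the encoded block in bytes.
 * from  data to embed at the end of the block.
 * flen  number of bytes at |from|.
 *
 * Returns 1 on success. Returns 0 when the lengths are unusable (with
 * RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE queued) or when RAND_bytes() fails
 * (no RSA error is queued by this function in that case).
 */
int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
                                 const unsigned char *from, int flen)
{
    int i, pad_len;
    unsigned char *p = to;

    /*
     * Same bound as the type 1 encoder, using the named constant instead
     * of a bare 11. Negative lengths are rejected explicitly: a negative
     * |flen| would satisfy the size comparison and then be converted to a
     * huge count by RAND_bytes()/memcpy() below.
     */
    if (flen < 0 || tlen < RSA_PKCS1_PADDING_SIZE ||
        flen > tlen - RSA_PKCS1_PADDING_SIZE) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,
               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        return 0;
    }

    *(p++) = 0;
    *(p++) = 2; /* Public Key BT (Block Type) */

    /* pad out with non-zero random data */
    pad_len = tlen - 3 - flen;

    if (RAND_bytes(p, pad_len) <= 0)
        return 0;

    /*
     * A zero inside the padding would be taken for the separator by the
     * decoder, so every zero byte is redrawn until it is non-zero.
     */
    for (i = 0; i < pad_len; i++) {
        while (*p == '\0') {
            if (RAND_bytes(p, 1) <= 0)
                return 0;
        }
        p++;
    }

    *(p++) = '\0'; /* separator between padding and payload */

    memcpy(p, from, (size_t)flen);
    return 1;
}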
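/*
 * RSA_padding_check_PKCS1_type_2 - validate a PKCS#1 v1.5 block type 2
 * (encryption) encoding and copy the message out.
 *
 * The input is first copied, right-aligned, into a zeroed |num|-byte
 * buffer, so the block examined is always
 *     0x00 || 0x02 || PS (>= 8 non-zero bytes) || 0x00 || message
 *
 * to    receives the message.
 * tlen  capacity of |to|.
 * from  decrypted block, possibly shorter than |num|.
 * flen  number of bytes at |from|; must not exceed |num|.
 * num   full block size; must be at least 11.
 *
 * Returns the message length, or -1 on any failure. Every padding failure
 * queues the same RSA_R_PKCS_DECODING_ERROR, so the error code does not
 * say which check failed. Negative |tlen|/|flen| return -1 without
 * queueing an error.
 *
 * The header, separator and length checks are accumulated into |good|
 * through the constant_time_* helpers (declared in constant_time_locl.h,
 * not visible here) instead of branching per byte. As the comments below
 * state, the final branch and copy still leak timing at the API boundary;
 * callers remain responsible for not exposing a decryption-failure oracle.
 */
int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
                                   const unsigned char *from, int flen, int num)
{
    int i;
    /* |em| is the encoded message, zero-padded to exactly |num| bytes */
    unsigned char *em = NULL;
    unsigned int good, found_zero_byte;
    int zero_index = 0, msg_index, mlen = -1;

    if (tlen < 0 || flen < 0)
        return -1;

    /* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
     * Standard", section 7.2.2. */

    if (flen > num)
        goto err;

    if (num < 11)
        goto err;

    em = OPENSSL_malloc(num);
    if (em == NULL) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
        return -1;
    }
    memset(em, 0, num);
    /*
     * Always do this zero-padding copy (even when num == flen) to avoid
     * leaking that information. The copy still leaks some side-channel
     * information, but it's impossible to have a fixed memory access
     * pattern since we can't read out of the bounds of |from|.
     *
     * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL.
     */
    memcpy(em + num - flen, from, flen);

    good = constant_time_is_zero(em[0]);
    good &= constant_time_eq(em[1], 2);

    /*
     * Walk the whole block regardless of where the separator is;
     * |zero_index| is only updated for the first zero byte seen.
     */
    found_zero_byte = 0;
    for (i = 2; i < num; i++) {
        unsigned int equals0 = constant_time_is_zero(em[i]);
        zero_index = constant_time_select_int(~found_zero_byte & equals0,
                                              i, zero_index);
        found_zero_byte |= equals0;
    }

    /*
     * PS must be at least 8 bytes long, and it starts two bytes into |em|.
     * If we never found a 0-byte, then |zero_index| is 0 and the check
     * also fails.
     */
    good &= constant_time_ge((unsigned int)(zero_index), 2 + 8);

    /* Skip the zero byte. This is incorrect if we never found a zero-byte
     * but in this case we also do not copy the message out. */
    msg_index = zero_index + 1;
    mlen = num - msg_index;

    /* For good measure, do this check in constant time as well; it could
     * leak something if |tlen| was assuming valid padding. */
    good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen));

    /*
     * We can't continue in constant-time because we need to copy the result
     * and we cannot fake its length. This unavoidably leaks timing
     * information at the API boundary.
     * TODO(emilia): this could be addressed at the call site,
     * see BoringSSL commit 0aa0767340baf925bda4804882aab0cb974b2d26.
     */
    if (!good) {
        mlen = -1;
        goto err;
    }

    memcpy(to, em + msg_index, mlen);

err:
    if (em != NULL) {
        /*
         * |em| holds a copy of the decrypted block, including the
         * message; wipe it so the plaintext does not linger in freed
         * heap memory. |em| is only non-NULL once |num| >= 11 has been
         * established above.
         */
        OPENSSL_cleanse(em, (size_t)num);
        OPENSSL_free(em);
    }
    if (mlen == -1)
        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
               RSA_R_PKCS_DECODING_ERROR);
    return mlen;
}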
270