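--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -1,10 +1,10 @@
 /* crypto/rsa/rsa_oaep.c */
 /* Written by Ulf Moeller. This software is distributed on an "AS IS"
 basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
 
 /* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
 
 /* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
 * <URL: http://www.shoup.net/papers/oaep.ps.Z>
 * for problems with the security proof for the
 * original OAEP scheme, which EME-OAEP is based on.
@@ -21,20 +21,20 @@
 
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/evp.h>
 #include <openssl/rand.h>
 #include <openssl/sha.h>
 
-int MGF1(unsigned char *mask, long len,
+static int MGF1(unsigned char *mask, long len,
 const unsigned char *seed, long seedlen);
 
 int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
 const unsigned char *from, int flen,
 const unsigned char *param, int plen)
 {
 int i, emlen = tlen - 1;
 unsigned char *db, *seed;
 unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
@@ -69,25 +69,27 @@
 20);
 #endif
 
 dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
 if (dbmask == NULL)
 {
 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
 return 0;
 }
 
-	MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
+	if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH) < 0)
+		return 0;
 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
 db[i] ^= dbmask[i];
 
-	MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
+	if (MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH) < 0)
+		return 0;
 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
 seed[i] ^= seedmask[i];
 
 OPENSSL_free(dbmask);
 return 1;
 }
 
 int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
 const unsigned char *from, int flen, int num,
 const unsigned char *param, int plen)
@@ -126,25 +128,27 @@
 }
 
 /* Always do this zero-padding copy (even when lzero == 0)
 * to avoid leaking timing info about the value of lzero. */
 padded_from = db + dblen;
 memset(padded_from, 0, lzero);
 memcpy(padded_from + lzero, from, flen);
 
 maskeddb = padded_from + SHA_DIGEST_LENGTH;
 
-	MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
+	if (MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen))
+		return -1;
 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
 seed[i] ^= padded_from[i];
 
-	MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
+	if (MGF1(db, dblen, seed, SHA_DIGEST_LENGTH))
+		return -1;
 for (i = 0; i < dblen; i++)
 db[i] ^= maskeddb[i];
 
 EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL);
 
 if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
 goto decoding_err;
 else
 {
 for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
@@ -178,43 +182,52 @@
 }
 
 int PKCS1_MGF1(unsigned char *mask, long len,
 const unsigned char *seed, long seedlen, const EVP_MD *dgst)
 {
 long i, outlen = 0;
 unsigned char cnt[4];
 EVP_MD_CTX c;
 unsigned char md[EVP_MAX_MD_SIZE];
 int mdlen;
+int rv = -1;
 
 EVP_MD_CTX_init(&c);
-	mdlen = M_EVP_MD_size(dgst);
+	mdlen = EVP_MD_size(dgst);
+	if (mdlen < 0)
+		goto err;
 for (i = 0; outlen < len; i++)
 {
 cnt[0] = (unsigned char)((i >> 24) & 255);
 cnt[1] = (unsigned char)((i >> 16) & 255);
 cnt[2] = (unsigned char)((i >> 8)) & 255;
 cnt[3] = (unsigned char)(i & 255);
-		EVP_DigestInit_ex(&c,dgst, NULL);
-		EVP_DigestUpdate(&c, seed, seedlen);
-		EVP_DigestUpdate(&c, cnt, 4);
+		if (!EVP_DigestInit_ex(&c,dgst, NULL)
+			|| !EVP_DigestUpdate(&c, seed, seedlen)
+			|| !EVP_DigestUpdate(&c, cnt, 4))
+			goto err;
 if (outlen + mdlen <= len)
 {
-			EVP_DigestFinal_ex(&c, mask + outlen, NULL);
+			if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL))
+				goto err;
 outlen += mdlen;
 }
 else
 {
-			EVP_DigestFinal_ex(&c, md, NULL);
+			if (!EVP_DigestFinal_ex(&c, md, NULL))
+				goto err;
 memcpy(mask + outlen, md, len - outlen);
 outlen = len;
 }
 }
+rv = 0;
+err:
 EVP_MD_CTX_cleanup(&c);
-	return 0;
+	return rv;
 }
 
-int MGF1(unsigned char *mask, long len, const unsigned char *seed, long seedlen)
+static int MGF1(unsigned char *mask, long len, const unsigned char *seed,
+		long seedlen)
 {
 return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
 }
 #endif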
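Review bot: The new `return 0;` after each failed MGF1 call in RSA_padding_add_PKCS1_OAEP leaks dbmask, which was just allocated with OPENSSL_malloc a few lines above and is only freed on the success path; the matching `return -1;` lines in RSA_padding_check_PKCS1_OAEP bypass the existing `goto decoding_err` cleanup, and since `padded_from = db + dblen` points into db, db looks heap-owned too (its allocation and the decoding_err label are outside the hunk). In the add function the fix is one line per site, `if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH) < 0) { OPENSSL_free(dbmask); return 0; }` and likewise for the seedmask call; in the check function the failure should jump to a label that frees db rather than return directly, preferably one distinct from decoding_err so an internal digest failure is not reported as an OAEP decoding error. The two callers also test the same result differently (`< 0` in add, bare truth in check) even though PKCS1_MGF1 now returns only 0 or -1; using `< 0` in both keeps the contract readable. Neither caller records anything via RSAerr on this path, so a failing EVP digest surfaces only as a silent 0/-1 return.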