1 files changed, 220 insertions, 0 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
new file mode 100644
index 0000000000..4d30c9d2d3
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -0,0 +1,220 @@
+/* crypto/rsa/rsa_oaep.c */
+/* Written by Ulf Moeller. This software is distributed on an "AS IS"
+   basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
+/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
+/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
+ * <URL: http://www.shoup.net/papers/oaep.ps.Z>
+ * for problems with the security proof for the
+ * original OAEP scheme, which EME-OAEP is based on.
+ * 
+ * A new proof can be found in E. Fujisaki, T. Okamoto,
+ * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
+ * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
+ * The new proof has stronger requirements for the
+ * underlying permutation: "partial-one-wayness" instead
+ * of one-wayness.  For the RSA function, this is
+ * an equivalent notion.
+ */
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/sha.h>
+int MGF1(unsigned char *mask, long len,
+        const unsigned char *seed, long seedlen);
+int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+        const unsigned char *from, int flen,
+        const unsigned char *param, int plen)
+        {
+        int i, emlen = tlen - 1;
+        unsigned char *db, *seed;
+        unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
+        if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
+                {
+                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
+                   RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+                return 0;
+                }
+        if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
+                {
+                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
+                return 0;
+                }
+        dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
+        if (dbmask == NULL)
+                {
+                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
+        to[0] = 0;
+        seed = to + 1;
+        db = to + SHA_DIGEST_LENGTH + 1;
+        EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL);
+        memset(db + SHA_DIGEST_LENGTH, 0,
+                emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
+        db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
+        memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
+        if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
+                return 0;
+#ifdef PKCS_TESTVECT
+        memcpy(seed,
+           "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
+           20);
+#endif
+        MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
+        for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
+                db[i] ^= dbmask[i];
+        MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
+        for (i = 0; i < SHA_DIGEST_LENGTH; i++)
+                seed[i] ^= seedmask[i];
+        OPENSSL_free(dbmask);
+        return 1;
+        }
+int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
+        const unsigned char *from, int flen, int num,
+        const unsigned char *param, int plen)
+        {
+        int i, dblen, mlen = -1;
+        const unsigned char *maskeddb;
+        int lzero;
+        unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
+        unsigned char *padded_from;
+        int bad = 0;
+        if (--num < 2 * SHA_DIGEST_LENGTH + 1)
+                /* 'num' is the length of the modulus, i.e. does not depend on the
+                 * particular ciphertext. */
+                goto decoding_err;
+        lzero = num - flen;
+        if (lzero < 0)
+                {
+                /* signalling this error immediately after detection might allow
+                 * for side-channel attacks (e.g. timing if 'plen' is huge
+                 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
+                 * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
+                 * so we use a 'bad' flag */
+                bad = 1;
+                lzero = 0;
+                flen = num; /* don't overflow the memcpy to padded_from */
+                }
+        dblen = num - SHA_DIGEST_LENGTH;
+        db = OPENSSL_malloc(dblen + num);
+        if (db == NULL)
+                {
+                RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+                return -1;
+                }
+        /* Always do this zero-padding copy (even when lzero == 0)
+         * to avoid leaking timing info about the value of lzero. */
+        padded_from = db + dblen;
+        memset(padded_from, 0, lzero);
+        memcpy(padded_from + lzero, from, flen);
+        maskeddb = padded_from + SHA_DIGEST_LENGTH;
+        MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
+        for (i = 0; i < SHA_DIGEST_LENGTH; i++)
+                seed[i] ^= padded_from[i];
+  
+        MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
+        for (i = 0; i < dblen; i++)
+                db[i] ^= maskeddb[i];
+        EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL);
+        if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
+                goto decoding_err;
+        else
+                {
+                for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
+                        if (db[i] != 0x00)
+                                break;
+                if (i == dblen || db[i] != 0x01)
+                        goto decoding_err;
+                else
+                        {
+                        /* everything looks OK */
+                        mlen = dblen - ++i;
+                        if (tlen < mlen)
+                                {
+                                RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
+                                mlen = -1;
+                                }
+                        else
+                                memcpy(to, db + i, mlen);
+                        }
+                }
+        OPENSSL_free(db);
+        return mlen;
+decoding_err:
+        /* to avoid chosen ciphertext attacks, the error message should not reveal
+         * which kind of decoding error happened */
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+        if (db != NULL) OPENSSL_free(db);
+        return -1;
+        }
+int PKCS1_MGF1(unsigned char *mask, long len,
+        const unsigned char *seed, long seedlen, const EVP_MD *dgst)
+        {
+        long i, outlen = 0;
+        unsigned char cnt[4];
+        EVP_MD_CTX c;
+        unsigned char md[EVP_MAX_MD_SIZE];
+        int mdlen;
+        EVP_MD_CTX_init(&c);
+        mdlen = M_EVP_MD_size(dgst);
+        for (i = 0; outlen < len; i++)
+                {
+                cnt[0] = (unsigned char)((i >> 24) & 255);
+                cnt[1] = (unsigned char)((i >> 16) & 255);
+                cnt[2] = (unsigned char)((i >> 8)) & 255;
+                cnt[3] = (unsigned char)(i & 255);
+                EVP_DigestInit_ex(&c,dgst, NULL);
+                EVP_DigestUpdate(&c, seed, seedlen);
+                EVP_DigestUpdate(&c, cnt, 4);
+                if (outlen + mdlen <= len)
+                        {
+                        EVP_DigestFinal_ex(&c, mask + outlen, NULL);
+                        outlen += mdlen;
+                        }
+                else
+                        {
+                        EVP_DigestFinal_ex(&c, md, NULL);
+                        memcpy(mask + outlen, md, len - outlen);
+                        outlen = len;
+                        }
+                }
+        EVP_MD_CTX_cleanup(&c);
+        return 0;
+        }
+int MGF1(unsigned char *mask, long len, const unsigned char *seed, long seedlen)
+        {
+        return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
+        }
+#endif

diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c new file mode 100644 index 0000000000..4d30c9d2d3 --- /dev/null +++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -0,0 +1,220 @@
	1	/* crypto/rsa/rsa_oaep.c */
	2	/* Written by Ulf Moeller. This software is distributed on an "AS IS"
	3	basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
	4
	5	/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
	6
	7	/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
	8	* <URL: http://www.shoup.net/papers/oaep.ps.Z>
	9	* for problems with the security proof for the
	10	* original OAEP scheme, which EME-OAEP is based on.
	11	*
	12	* A new proof can be found in E. Fujisaki, T. Okamoto,
	13	* D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
	14	* Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
	15	* The new proof has stronger requirements for the
	16	* underlying permutation: "partial-one-wayness" instead
	17	* of one-wayness. For the RSA function, this is
	18	* an equivalent notion.
	19	*/
	20
	21
	22	#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
	23	#include <stdio.h>
	24	#include "cryptlib.h"
	25	#include <openssl/bn.h>
	26	#include <openssl/rsa.h>
	27	#include <openssl/evp.h>
	28	#include <openssl/rand.h>
	29	#include <openssl/sha.h>
	30
	31	int MGF1(unsigned char *mask, long len,
	32	const unsigned char *seed, long seedlen);
	33
	34	int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
	35	const unsigned char *from, int flen,
	36	const unsigned char *param, int plen)
	37	{
	38	int i, emlen = tlen - 1;
	39	unsigned char db, seed;
	40	unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
	41
	42	if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
	43	{
	44	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
	45	RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
	46	return 0;
	47	}
	48
	49	if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
	50	{
	51	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
	52	return 0;
	53	}
	54
	55	dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
	56	if (dbmask == NULL)
	57	{
	58	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
	59	return 0;
	60	}
	61
	62	to[0] = 0;
	63	seed = to + 1;
	64	db = to + SHA_DIGEST_LENGTH + 1;
	65
	66	EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL);
	67	memset(db + SHA_DIGEST_LENGTH, 0,
	68	emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
	69	db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
	70	memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
	71	if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
	72	return 0;
	73	#ifdef PKCS_TESTVECT
	74	memcpy(seed,
	75	"\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
	76	20);
	77	#endif
	78
	79	MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
	80	for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
	81	db[i] ^= dbmask[i];
	82
	83	MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
	84	for (i = 0; i < SHA_DIGEST_LENGTH; i++)
	85	seed[i] ^= seedmask[i];
	86
	87	OPENSSL_free(dbmask);
	88	return 1;
	89	}
	90
	91	int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
	92	const unsigned char *from, int flen, int num,
	93	const unsigned char *param, int plen)
	94	{
	95	int i, dblen, mlen = -1;
	96	const unsigned char *maskeddb;
	97	int lzero;
	98	unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
	99	unsigned char *padded_from;
	100	int bad = 0;
	101
	102	if (--num < 2 * SHA_DIGEST_LENGTH + 1)
	103	/* 'num' is the length of the modulus, i.e. does not depend on the
	104	* particular ciphertext. */
	105	goto decoding_err;
	106
	107	lzero = num - flen;
	108	if (lzero < 0)
	109	{
	110	/* signalling this error immediately after detection might allow
	111	* for side-channel attacks (e.g. timing if 'plen' is huge
	112	* -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
	113	* Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
	114	* so we use a 'bad' flag */
	115	bad = 1;
	116	lzero = 0;
	117	flen = num; /* don't overflow the memcpy to padded_from */
	118	}
	119
	120	dblen = num - SHA_DIGEST_LENGTH;
	121	db = OPENSSL_malloc(dblen + num);
	122	if (db == NULL)
	123	{
	124	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
	125	return -1;
	126	}
	127
	128	/* Always do this zero-padding copy (even when lzero == 0)
	129	* to avoid leaking timing info about the value of lzero. */
	130	padded_from = db + dblen;
	131	memset(padded_from, 0, lzero);
	132	memcpy(padded_from + lzero, from, flen);
	133
	134	maskeddb = padded_from + SHA_DIGEST_LENGTH;
	135
	136	MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
	137	for (i = 0; i < SHA_DIGEST_LENGTH; i++)
	138	seed[i] ^= padded_from[i];
	139
	140	MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
	141	for (i = 0; i < dblen; i++)
	142	db[i] ^= maskeddb[i];
	143
	144	EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL);
	145
	146	if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 \|\| bad)
	147	goto decoding_err;
	148	else
	149	{
	150	for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
	151	if (db[i] != 0x00)
	152	break;
	153	if (i == dblen \|\| db[i] != 0x01)
	154	goto decoding_err;
	155	else
	156	{
	157	/* everything looks OK */
	158
	159	mlen = dblen - ++i;
	160	if (tlen < mlen)
	161	{
	162	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
	163	mlen = -1;
	164	}
	165	else
	166	memcpy(to, db + i, mlen);
	167	}
	168	}
	169	OPENSSL_free(db);
	170	return mlen;
	171
	172	decoding_err:
	173	/* to avoid chosen ciphertext attacks, the error message should not reveal
	174	* which kind of decoding error happened */
	175	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
	176	if (db != NULL) OPENSSL_free(db);
	177	return -1;
	178	}
	179
	180	int PKCS1_MGF1(unsigned char *mask, long len,
	181	const unsigned char seed, long seedlen, const EVP_MD dgst)
	182	{
	183	long i, outlen = 0;
	184	unsigned char cnt[4];
	185	EVP_MD_CTX c;
	186	unsigned char md[EVP_MAX_MD_SIZE];
	187	int mdlen;
	188
	189	EVP_MD_CTX_init(&c);
	190	mdlen = M_EVP_MD_size(dgst);
	191	for (i = 0; outlen < len; i++)
	192	{
	193	cnt[0] = (unsigned char)((i >> 24) & 255);
	194	cnt[1] = (unsigned char)((i >> 16) & 255);
	195	cnt[2] = (unsigned char)((i >> 8)) & 255;
	196	cnt[3] = (unsigned char)(i & 255);
	197	EVP_DigestInit_ex(&c,dgst, NULL);
	198	EVP_DigestUpdate(&c, seed, seedlen);
	199	EVP_DigestUpdate(&c, cnt, 4);
	200	if (outlen + mdlen <= len)
	201	{
	202	EVP_DigestFinal_ex(&c, mask + outlen, NULL);
	203	outlen += mdlen;
	204	}
	205	else
	206	{
	207	EVP_DigestFinal_ex(&c, md, NULL);
	208	memcpy(mask + outlen, md, len - outlen);
	209	outlen = len;
	210	}
	211	}
	212	EVP_MD_CTX_cleanup(&c);
	213	return 0;
	214	}
	215
	216	int MGF1(unsigned char mask, long len, const unsigned char seed, long seedlen)
	217	{
	218	return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
	219	}
	220	#endif