/* * Copyright (c) 2018 Thomas Pornin * * Permission is hereby granted, free of charge, to any person obtaining * a copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be * included in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE * SOFTWARE. */ #include "inner.h" /* * Hash some data and XOR the result into the provided buffer. This is put * as a separate function so that stack allocation of the hash function * context is done only for the duration of the hash. */ static void xor_hash_data(const br_hash_class *dig, void *dst, const void *src, size_t len) { br_hash_compat_context hc; unsigned char tmp[64]; unsigned char *buf; size_t u, hlen; hc.vtable = dig; dig->init(&hc.vtable); dig->update(&hc.vtable, src, len); dig->out(&hc.vtable, tmp); buf = dst; hlen = br_digest_size(dig); for (u = 0; u < hlen; u ++) { buf[u] ^= tmp[u]; } } /* see inner.h */ uint32_t br_rsa_oaep_unpad(const br_hash_class *dig, const void *label, size_t label_len, void *data, size_t *len) { size_t u, k, hlen; unsigned char *buf; uint32_t r, s, zlen; hlen = br_digest_size(dig); k = *len; buf = data; /* * There must be room for the padding. */ if (k < ((hlen << 1) + 2)) { return 0; } /* * Unmask the seed, then the DB value. */ br_mgf1_xor(buf + 1, hlen, dig, buf + 1 + hlen, k - hlen - 1); br_mgf1_xor(buf + 1 + hlen, k - hlen - 1, dig, buf + 1, hlen); /* * Hash the label and XOR it with the value in the array; if * they are equal then these should yield only zeros. */ xor_hash_data(dig, buf + 1 + hlen, label, label_len); /* * At that point, if the padding was correct, when we should * have: 0x00 || seed || 0x00 ... 0x00 0x01 || M * Padding is valid as long as: * - There is at least hlen+1 leading bytes of value 0x00. * - There is at least one non-zero byte. * - The first (leftmost) non-zero byte has value 0x01. * * Ultimately, we may leak the resulting message length, i.e. * the position of the byte of value 0x01, but we must take care * to do so only if the number of zero bytes has been verified * to be at least hlen+1. * * The loop below counts the number of bytes of value 0x00, and * checks that the next byte has value 0x01, in constant-time. * * - If the initial byte (before the seed) is not 0x00, then * r and s are set to 0, and stay there. * - Value r is 1 until the first non-zero byte is reached * (after the seed); it switches to 0 at that point. * - Value s is set to 1 if and only if the data encountered * at the time of the transition of r from 1 to 0 has value * exactly 0x01. * - Value zlen counts the number of leading bytes of value zero * (after the seed). */ r = 1 - ((buf[0] + 0xFF) >> 8); s = 0; zlen = 0; for (u = hlen + 1; u < k; u ++) { uint32_t w, nz; w = buf[u]; /* * nz == 1 only for the first non-zero byte. */ nz = r & ((w + 0xFF) >> 8); s |= nz & EQ(w, 0x01); r &= NOT(nz); zlen += r; } /* * Padding is correct only if s == 1, _and_ zlen >= hlen. */ s &= GE(zlen, (uint32_t)hlen); /* * At that point, padding was verified, and we are now allowed * to make conditional jumps. */ if (s) { size_t plen; plen = 2 + hlen + zlen; k -= plen; memmove(buf, buf + plen, k); *len = k; } return s; }