2 * Copyright (c) 2018 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
28 * Hash some data and XOR the result into the provided buffer. This is put
29 * as a separate function so that stack allocation of the hash function
30 * context is done only for the duration of the hash.
33 xor_hash_data(const br_hash_class
*dig
, void *dst
, const void *src
, size_t len
)
35 br_hash_compat_context hc
;
36 unsigned char tmp
[64];
41 dig
->init(&hc
.vtable
);
42 dig
->update(&hc
.vtable
, src
, len
);
43 dig
->out(&hc
.vtable
, tmp
);
45 hlen
= br_digest_size(dig
);
46 for (u
= 0; u
< hlen
; u
++) {
53 br_rsa_oaep_unpad(const br_hash_class
*dig
,
54 const void *label
, size_t label_len
,
55 void *data
, size_t *len
)
61 hlen
= br_digest_size(dig
);
66 * There must be room for the padding.
68 if (k
< ((hlen
<< 1) + 2)) {
73 * Unmask the seed, then the DB value.
75 br_mgf1_xor(buf
+ 1, hlen
, dig
, buf
+ 1 + hlen
, k
- hlen
- 1);
76 br_mgf1_xor(buf
+ 1 + hlen
, k
- hlen
- 1, dig
, buf
+ 1, hlen
);
79 * Hash the label and XOR it with the value in the array; if
80 * they are equal then these should yield only zeros.
82 xor_hash_data(dig
, buf
+ 1 + hlen
, label
, label_len
);
85 * At that point, if the padding was correct, when we should
86 * have: 0x00 || seed || 0x00 ... 0x00 0x01 || M
87 * Padding is valid as long as:
88 * - There is at least hlen+1 leading bytes of value 0x00.
89 * - There is at least one non-zero byte.
90 * - The first (leftmost) non-zero byte has value 0x01.
92 * Ultimately, we may leak the resulting message length, i.e.
93 * the position of the byte of value 0x01, but we must take care
94 * to do so only if the number of zero bytes has been verified
95 * to be at least hlen+1.
97 * The loop below counts the number of bytes of value 0x00, and
98 * checks that the next byte has value 0x01, in constant-time.
100 * - If the initial byte (before the seed) is not 0x00, then
101 * r and s are set to 0, and stay there.
102 * - Value r is 1 until the first non-zero byte is reached
103 * (after the seed); it switches to 0 at that point.
104 * - Value s is set to 1 if and only if the data encountered
105 * at the time of the transition of r from 1 to 0 has value
107 * - Value zlen counts the number of leading bytes of value zero
110 r
= 1 - ((buf
[0] + 0xFF) >> 8);
113 for (u
= hlen
+ 1; u
< k
; u
++) {
119 * nz == 1 only for the first non-zero byte.
121 nz
= r
& ((w
+ 0xFF) >> 8);
122 s
|= nz
& EQ(w
, 0x01);
128 * Padding is correct only if s == 1, _and_ zlen >= hlen.
130 s
&= GE(zlen
, (uint32_t)hlen
);
133 * At that point, padding was verified, and we are now allowed
134 * to make conditional jumps.
139 plen
= 2 + hlen
+ zlen
;
141 memmove(buf
, buf
+ plen
, k
);