1 /* 2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include "internal/constant_time.h" 17 18 #include <stdio.h> 19 #include <openssl/bn.h> 20 #include <openssl/rsa.h> 21 #include <openssl/rand.h> 22 /* Just for the SSL_MAX_MASTER_KEY_LENGTH value */ 23 #include <openssl/prov_ssl.h> 24 #include "internal/cryptlib.h" 25 #include "crypto/rsa.h" 26 #include "rsa_local.h" 27 28 int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, 29 const unsigned char *from, int flen) 30 { 31 int j; 32 unsigned char *p; 33 34 if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) { 35 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 36 return 0; 37 } 38 39 p = (unsigned char *)to; 40 41 *(p++) = 0; 42 *(p++) = 1; /* Private Key BT (Block Type) */ 43 44 /* pad out with 0xff data */ 45 j = tlen - 3 - flen; 46 memset(p, 0xff, j); 47 p += j; 48 *(p++) = '\0'; 49 memcpy(p, from, (unsigned int)flen); 50 return 1; 51 } 52 53 int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen, 54 const unsigned char *from, int flen, 55 int num) 56 { 57 int i, j; 58 const unsigned char *p; 59 60 p = from; 61 62 /* 63 * The format is 64 * 00 || 01 || PS || 00 || D 65 * PS - padding string, at least 8 bytes of FF 66 * D - data. 67 */ 68 69 if (num < RSA_PKCS1_PADDING_SIZE) 70 return -1; 71 72 /* Accept inputs with and without the leading 0-byte. */ 73 if (num == flen) { 74 if ((*p++) != 0x00) { 75 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING); 76 return -1; 77 } 78 flen--; 79 } 80 81 if ((num != (flen + 1)) || (*(p++) != 0x01)) { 82 ERR_raise(ERR_LIB_RSA, RSA_R_BLOCK_TYPE_IS_NOT_01); 83 return -1; 84 } 85 86 /* scan over padding data */ 87 j = flen - 1; /* one for type. */ 88 for (i = 0; i < j; i++) { 89 if (*p != 0xff) { /* should decrypt to 0xff */ 90 if (*p == 0) { 91 p++; 92 break; 93 } else { 94 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT); 95 return -1; 96 } 97 } 98 p++; 99 } 100 101 if (i == j) { 102 ERR_raise(ERR_LIB_RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING); 103 return -1; 104 } 105 106 if (i < 8) { 107 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_PAD_BYTE_COUNT); 108 return -1; 109 } 110 i++; /* Skip over the '\0' */ 111 j -= i; 112 if (j > tlen) { 113 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE); 114 return -1; 115 } 116 memcpy(to, p, (unsigned int)j); 117 118 return j; 119 } 120 121 int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to, 122 int tlen, const unsigned char *from, 123 int flen) 124 { 125 int i, j; 126 unsigned char *p; 127 128 if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) { 129 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 130 return 0; 131 } else if (flen < 0) { 132 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH); 133 return 0; 134 } 135 136 p = (unsigned char *)to; 137 138 *(p++) = 0; 139 *(p++) = 2; /* Public Key BT (Block Type) */ 140 141 /* pad out with non-zero random data */ 142 j = tlen - 3 - flen; 143 144 if (RAND_bytes_ex(libctx, p, j, 0) <= 0) 145 return 0; 146 for (i = 0; i < j; i++) { 147 if (*p == '\0') 148 do { 149 if (RAND_bytes_ex(libctx, p, 1, 0) <= 0) 150 return 0; 151 } while (*p == '\0'); 152 p++; 153 } 154 155 *(p++) = '\0'; 156 157 memcpy(p, from, (unsigned int)flen); 158 return 1; 159 } 160 161 int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, 162 const unsigned char *from, int flen) 163 { 164 return ossl_rsa_padding_add_PKCS1_type_2_ex(NULL, to, tlen, from, flen); 165 } 166 167 int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, 168 const unsigned char *from, int flen, 169 int num) 170 { 171 int i; 172 /* |em| is the encoded message, zero-padded to exactly |num| bytes */ 173 unsigned char *em = NULL; 174 unsigned int good, found_zero_byte, mask; 175 int zero_index = 0, msg_index, mlen = -1; 176 177 if (tlen <= 0 || flen <= 0) 178 return -1; 179 180 /* 181 * PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography Standard", 182 * section 7.2.2. 183 */ 184 185 if (flen > num || num < RSA_PKCS1_PADDING_SIZE) { 186 ERR_raise(ERR_LIB_RSA, RSA_R_PKCS_DECODING_ERROR); 187 return -1; 188 } 189 190 em = OPENSSL_malloc(num); 191 if (em == NULL) { 192 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 193 return -1; 194 } 195 /* 196 * Caller is encouraged to pass zero-padded message created with 197 * BN_bn2binpad. Trouble is that since we can't read out of |from|'s 198 * bounds, it's impossible to have an invariant memory access pattern 199 * in case |from| was not zero-padded in advance. 200 */ 201 for (from += flen, em += num, i = 0; i < num; i++) { 202 mask = ~constant_time_is_zero(flen); 203 flen -= 1 & mask; 204 from -= 1 & mask; 205 *--em = *from & mask; 206 } 207 208 good = constant_time_is_zero(em[0]); 209 good &= constant_time_eq(em[1], 2); 210 211 /* scan over padding data */ 212 found_zero_byte = 0; 213 for (i = 2; i < num; i++) { 214 unsigned int equals0 = constant_time_is_zero(em[i]); 215 216 zero_index = constant_time_select_int(~found_zero_byte & equals0, 217 i, zero_index); 218 found_zero_byte |= equals0; 219 } 220 221 /* 222 * PS must be at least 8 bytes long, and it starts two bytes into |em|. 223 * If we never found a 0-byte, then |zero_index| is 0 and the check 224 * also fails. 225 */ 226 good &= constant_time_ge(zero_index, 2 + 8); 227 228 /* 229 * Skip the zero byte. This is incorrect if we never found a zero-byte 230 * but in this case we also do not copy the message out. 231 */ 232 msg_index = zero_index + 1; 233 mlen = num - msg_index; 234 235 /* 236 * For good measure, do this check in constant time as well. 237 */ 238 good &= constant_time_ge(tlen, mlen); 239 240 /* 241 * Move the result in-place by |num|-RSA_PKCS1_PADDING_SIZE-|mlen| bytes to the left. 242 * Then if |good| move |mlen| bytes from |em|+RSA_PKCS1_PADDING_SIZE to |to|. 243 * Otherwise leave |to| unchanged. 244 * Copy the memory back in a way that does not reveal the size of 245 * the data being copied via a timing side channel. This requires copying 246 * parts of the buffer multiple times based on the bits set in the real 247 * length. Clear bits do a non-copy with identical access pattern. 248 * The loop below has overall complexity of O(N*log(N)). 249 */ 250 tlen = constant_time_select_int(constant_time_lt(num - RSA_PKCS1_PADDING_SIZE, tlen), 251 num - RSA_PKCS1_PADDING_SIZE, tlen); 252 for (msg_index = 1; msg_index < num - RSA_PKCS1_PADDING_SIZE; msg_index <<= 1) { 253 mask = ~constant_time_eq(msg_index & (num - RSA_PKCS1_PADDING_SIZE - mlen), 0); 254 for (i = RSA_PKCS1_PADDING_SIZE; i < num - msg_index; i++) 255 em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]); 256 } 257 for (i = 0; i < tlen; i++) { 258 mask = good & constant_time_lt(i, mlen); 259 to[i] = constant_time_select_8(mask, em[i + RSA_PKCS1_PADDING_SIZE], to[i]); 260 } 261 262 OPENSSL_clear_free(em, num); 263 #ifndef FIPS_MODULE 264 /* 265 * This trick doesn't work in the FIPS provider because libcrypto manages 266 * the error stack. Instead we opt not to put an error on the stack at all 267 * in case of padding failure in the FIPS provider. 268 */ 269 ERR_raise(ERR_LIB_RSA, RSA_R_PKCS_DECODING_ERROR); 270 err_clear_last_constant_time(1 & good); 271 #endif 272 273 return constant_time_select_int(good, mlen, -1); 274 } 275 276 /* 277 * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2 278 * padding from a decrypted RSA message in a TLS signature. The result is stored 279 * in the buffer pointed to by |to| which should be |tlen| bytes long. |tlen| 280 * must be at least SSL_MAX_MASTER_KEY_LENGTH. The original decrypted message 281 * should be stored in |from| which must be |flen| bytes in length and padded 282 * such that |flen == RSA_size()|. The TLS protocol version that the client 283 * originally requested should be passed in |client_version|. Some buggy clients 284 * can exist which use the negotiated version instead of the originally 285 * requested protocol version. If it is necessary to work around this bug then 286 * the negotiated protocol version can be passed in |alt_version|, otherwise 0 287 * should be passed. 288 * 289 * If the passed message is publicly invalid or some other error that can be 290 * treated in non-constant time occurs then -1 is returned. On success the 291 * length of the decrypted data is returned. This will always be 292 * SSL_MAX_MASTER_KEY_LENGTH. If an error occurs that should be treated in 293 * constant time then this function will appear to return successfully, but the 294 * decrypted data will be randomly generated (as per 295 * https://tools.ietf.org/html/rfc5246#section-7.4.7.1). 296 */ 297 int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *libctx, 298 unsigned char *to, size_t tlen, 299 const unsigned char *from, 300 size_t flen, int client_version, 301 int alt_version) 302 { 303 unsigned int i, good, version_good; 304 unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; 305 306 /* 307 * If these checks fail then either the message in publicly invalid, or 308 * we've been called incorrectly. We can fail immediately. 309 */ 310 if (flen < RSA_PKCS1_PADDING_SIZE + SSL_MAX_MASTER_KEY_LENGTH 311 || tlen < SSL_MAX_MASTER_KEY_LENGTH) { 312 ERR_raise(ERR_LIB_RSA, RSA_R_PKCS_DECODING_ERROR); 313 return -1; 314 } 315 316 /* 317 * Generate a random premaster secret to use in the event that we fail 318 * to decrypt. 319 */ 320 if (RAND_priv_bytes_ex(libctx, rand_premaster_secret, 321 sizeof(rand_premaster_secret), 0) <= 0) { 322 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); 323 return -1; 324 } 325 326 good = constant_time_is_zero(from[0]); 327 good &= constant_time_eq(from[1], 2); 328 329 /* Check we have the expected padding data */ 330 for (i = 2; i < flen - SSL_MAX_MASTER_KEY_LENGTH - 1; i++) 331 good &= ~constant_time_is_zero_8(from[i]); 332 good &= constant_time_is_zero_8(from[flen - SSL_MAX_MASTER_KEY_LENGTH - 1]); 333 334 335 /* 336 * If the version in the decrypted pre-master secret is correct then 337 * version_good will be 0xff, otherwise it'll be zero. The 338 * Klima-Pokorny-Rosa extension of Bleichenbacher's attack 339 * (http://eprint.iacr.org/2003/052/) exploits the version number 340 * check as a "bad version oracle". Thus version checks are done in 341 * constant time and are treated like any other decryption error. 342 */ 343 version_good = 344 constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH], 345 (client_version >> 8) & 0xff); 346 version_good &= 347 constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH + 1], 348 client_version & 0xff); 349 350 /* 351 * The premaster secret must contain the same version number as the 352 * ClientHello to detect version rollback attacks (strangely, the 353 * protocol does not offer such protection for DH ciphersuites). 354 * However, buggy clients exist that send the negotiated protocol 355 * version instead if the server does not support the requested 356 * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set then we tolerate 357 * such clients. In that case alt_version will be non-zero and set to 358 * the negotiated version. 359 */ 360 if (alt_version > 0) { 361 unsigned int workaround_good; 362 363 workaround_good = 364 constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH], 365 (alt_version >> 8) & 0xff); 366 workaround_good &= 367 constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH + 1], 368 alt_version & 0xff); 369 version_good |= workaround_good; 370 } 371 372 good &= version_good; 373 374 375 /* 376 * Now copy the result over to the to buffer if good, or random data if 377 * not good. 378 */ 379 for (i = 0; i < SSL_MAX_MASTER_KEY_LENGTH; i++) { 380 to[i] = 381 constant_time_select_8(good, 382 from[flen - SSL_MAX_MASTER_KEY_LENGTH + i], 383 rand_premaster_secret[i]); 384 } 385 386 /* 387 * We must not leak whether a decryption failure occurs because of 388 * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246, 389 * section 7.4.7.1). The code follows that advice of the TLS RFC and 390 * generates a random premaster secret for the case that the decrypt 391 * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 392 * So, whether we actually succeeded or not, return success. 393 */ 394 395 return SSL_MAX_MASTER_KEY_LENGTH; 396 } 397