Commit ad7e17dd authored by Pauli's avatar Pauli
Browse files

SP 800-56B steps enumerated. 



Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8770)
parent 06add280

crypto/rsa/rsa_oaep.c

+27 −0
Original line number Diff line number Diff line
@@ -38,6 +38,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, 
                                           param, plen, NULL, NULL);

}



/*

 * Perform ihe padding as per NIST 800-56B 7.2.2.3

 *      from (K) is the key material.

 *      param (A) is the additional input.

 * Step numbers are included here but not in the constant time inverse below

 * to avoid complicating an already difficult enough function.

 */

int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,

                                    const unsigned char *from, int flen,

                                    const unsigned char *param, int plen,
@@ -57,6 +64,7 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, 


    mdlen = EVP_MD_size(md);



    /* step 2b: check KLen > nLen - 2 HLen - 2 */

    if (flen > emlen - 2 * mdlen - 1) {

        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,

               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
@@ -69,15 +77,20 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, 
        return 0;

    }



    /* step 3i: EM = 00000000 || maskedMGF || maskedDB */

    to[0] = 0;

    seed = to + 1;

    db = to + mdlen + 1;



    /* step 3a: hash the additional input */

    if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL))

        goto err;

    /* step 3b: zero bytes array of length nLen - KLen - 2 HLen -2 */

    memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);

    /* step 3c: DB = HA || PS || 00000001 || K */

    db[emlen - flen - mdlen - 1] = 0x01;

    memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);

    /* step 3d: generate random byte string */

    if (RAND_bytes(seed, mdlen) <= 0)

        goto err;
@@ -88,13 +101,17 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, 
        goto err;

    }



    /* step 3e: dbMask = MGF(mgfSeed, nLen - HLen - 1) */

    if (PKCS1_MGF1(dbmask, dbmask_len, seed, mdlen, mgf1md) < 0)

        goto err;

    /* step 3f: maskedDB = DB XOR dbMask */

    for (i = 0; i < dbmask_len; i++)

        db[i] ^= dbmask[i];



    /* step 3g: mgfSeed = MGF(maskedDB, HLen) */

    if (PKCS1_MGF1(seedmask, mdlen, db, dbmask_len, mgf1md) < 0)

        goto err;

    /* stepo 3h: maskedMGFSeed = mgfSeed XOR mgfSeedMask */

    for (i = 0; i < mdlen; i++)

        seed[i] ^= seedmask[i];

    rv = 1;
@@ -270,6 +287,13 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, 
    return constant_time_select_int(good, mlen, -1);

}



/*

 * Mask Generation Function corresponding to section 7.2.2.2 of NIST SP 800-56B.

 * The variables are named differently to NIST:

 *      mask (T) and len (maskLen)are the returned mask.

 *      seed (mgfSeed).

 * The range checking steps inm the process are performed outside.

 */

int PKCS1_MGF1(unsigned char *mask, long len,

               const unsigned char *seed, long seedlen, const EVP_MD *dgst)

{
@@ -285,11 +309,14 @@ int PKCS1_MGF1(unsigned char *mask, long len, 
    mdlen = EVP_MD_size(dgst);

    if (mdlen < 0)

        goto err;

    /* step 4 */

    for (i = 0; outlen < len; i++) {

        /* step 4a: D = I2BS(counter, 4) */

        cnt[0] = (unsigned char)((i >> 24) & 255);

        cnt[1] = (unsigned char)((i >> 16) & 255);

        cnt[2] = (unsigned char)((i >> 8)) & 255;

        cnt[3] = (unsigned char)(i & 255);

        /* step 4b: T =T || hash(mgfSeed || D) */

        if (!EVP_DigestInit_ex(c, dgst, NULL)

            || !EVP_DigestUpdate(c, seed, seedlen)

            || !EVP_DigestUpdate(c, cnt, 4))