xref: /third_party/mbedtls/library/rsa.c

426  *                       encryption padding, called the "encoded message EM"
440  *              The input doesn't contain properly formatted padding.
455      * side-channel-based variants of the Bleichenbacher padding oracle
470     /* Check and get padding length in constant time and constant
475     /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
480      * the 0x00 byte and remember the padding length in pad_count. */
488     /* If pad_done is still zero, there's no data, only unfinished padding. */
491     /* There must be at least 8 bytes of padding. */
494     /* If the padding is valid, set plaintext_size to the number of
495      * remaining bytes after stripping the padding. If the padding
498      * buffer. Do it without branches to avoid leaking the padding
511      * - INVALID_PADDING if the padding is bad (bad != 0).
512      * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
514      * - 0 if the padding is correct. */
521     /* If the padding is bad or the plaintext is too large, zero the
524      * from the same buffer whether the padding is good or not to
525      * avoid leaking the padding validity through overall timing or
531      * revealing the length is as bad as revealing the padding validity
552      * length, validity of padding, success of the decryption, and other
559      * of errors (bad padding or output too large), the value of *olen
561      * to the good case limits the risks of leaking the padding validity. */
956     ctx->padding = MBEDTLS_RSA_PKCS_V15;
968  * Set padding for an existing RSA context
970 int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
973     switch (padding) {
988     if ((padding == MBEDTLS_RSA_PKCS_V21) &&
997     ctx->padding = padding;
1004  * Get padding mode of initialized RSA context
1008     return ctx->padding;
1884  * Add the message padding, then do an RSA operation
1893     switch (ctx->padding) {
1935     if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
1996     /* Get zero-padding len, but always read till end of buffer
2009      * The only information "leaked" is whether the padding was correct or not
2056     if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
2081  * Do an RSA operation, then remove the message padding
2091     switch (ctx->padding) {
2232     if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
2363     /* Need space for signature header and padding delimiter (3 bytes),
2364      * and 8 bytes for the minimal padding */
2371      * with padding, and at least 8 bytes long. */
2373     /* Write signature header and padding */
2442     if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
2447      * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
2508     switch (ctx->padding) {
2752     switch (ctx->padding) {
2799     dst->padding = src->padding;

Indexes created Thu Nov 07 10:32:03 CST 2024