1e1051a39Sopenharmony_ci/* 2e1051a39Sopenharmony_ci * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. 3e1051a39Sopenharmony_ci * 4e1051a39Sopenharmony_ci * Licensed under the Apache License 2.0 (the "License"). You may not use 5e1051a39Sopenharmony_ci * this file except in compliance with the License. You can obtain a copy 6e1051a39Sopenharmony_ci * in the file LICENSE in the source distribution or at 7e1051a39Sopenharmony_ci * https://www.openssl.org/source/license.html 8e1051a39Sopenharmony_ci */ 9e1051a39Sopenharmony_ci 10e1051a39Sopenharmony_ci/* 11e1051a39Sopenharmony_ci * RSA low level APIs are deprecated for public use, but still ok for 12e1051a39Sopenharmony_ci * internal use. 13e1051a39Sopenharmony_ci */ 14e1051a39Sopenharmony_ci#include "internal/deprecated.h" 15e1051a39Sopenharmony_ci 16e1051a39Sopenharmony_ci#include "internal/constant_time.h" 17e1051a39Sopenharmony_ci 18e1051a39Sopenharmony_ci#include <stdio.h> 19e1051a39Sopenharmony_ci#include <openssl/bn.h> 20e1051a39Sopenharmony_ci#include <openssl/rsa.h> 21e1051a39Sopenharmony_ci#include <openssl/rand.h> 22e1051a39Sopenharmony_ci/* Just for the SSL_MAX_MASTER_KEY_LENGTH value */ 23e1051a39Sopenharmony_ci#include <openssl/prov_ssl.h> 24e1051a39Sopenharmony_ci#include "internal/cryptlib.h" 25e1051a39Sopenharmony_ci#include "crypto/rsa.h" 26e1051a39Sopenharmony_ci#include "rsa_local.h" 27e1051a39Sopenharmony_ci 28e1051a39Sopenharmony_ciint RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, 29e1051a39Sopenharmony_ci const unsigned char *from, int flen) 30e1051a39Sopenharmony_ci{ 31e1051a39Sopenharmony_ci int j; 32e1051a39Sopenharmony_ci unsigned char *p; 33e1051a39Sopenharmony_ci 34e1051a39Sopenharmony_ci if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) { 35e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 36e1051a39Sopenharmony_ci return 0; 37e1051a39Sopenharmony_ci } 38e1051a39Sopenharmony_ci 39e1051a39Sopenharmony_ci p = (unsigned char *)to; 40e1051a39Sopenharmony_ci 41e1051a39Sopenharmony_ci *(p++) = 0; 42e1051a39Sopenharmony_ci *(p++) = 1; /* Private Key BT (Block Type) */ 43e1051a39Sopenharmony_ci 44e1051a39Sopenharmony_ci /* pad out with 0xff data */ 45e1051a39Sopenharmony_ci j = tlen - 3 - flen; 46e1051a39Sopenharmony_ci memset(p, 0xff, j); 47e1051a39Sopenharmony_ci p += j; 48e1051a39Sopenharmony_ci *(p++) = '\0'; 49e1051a39Sopenharmony_ci memcpy(p, from, (unsigned int)flen); 50e1051a39Sopenharmony_ci return 1; 51e1051a39Sopenharmony_ci} 52e1051a39Sopenharmony_ci 53e1051a39Sopenharmony_ciint RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen, 54e1051a39Sopenharmony_ci const unsigned char *from, int flen, 55e1051a39Sopenharmony_ci int num) 56e1051a39Sopenharmony_ci{ 57e1051a39Sopenharmony_ci int i, j; 58e1051a39Sopenharmony_ci const unsigned char *p; 59e1051a39Sopenharmony_ci 60e1051a39Sopenharmony_ci p = from; 61e1051a39Sopenharmony_ci 62e1051a39Sopenharmony_ci /* 63e1051a39Sopenharmony_ci * The format is 64e1051a39Sopenharmony_ci * 00 || 01 || PS || 00 || D 65e1051a39Sopenharmony_ci * PS - padding string, at least 8 bytes of FF 66e1051a39Sopenharmony_ci * D - data. 67e1051a39Sopenharmony_ci */ 68e1051a39Sopenharmony_ci 69e1051a39Sopenharmony_ci if (num < RSA_PKCS1_PADDING_SIZE) 70e1051a39Sopenharmony_ci return -1; 71e1051a39Sopenharmony_ci 72e1051a39Sopenharmony_ci /* Accept inputs with and without the leading 0-byte. */ 73e1051a39Sopenharmony_ci if (num == flen) { 74e1051a39Sopenharmony_ci if ((*p++) != 0x00) { 75e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING); 76e1051a39Sopenharmony_ci return -1; 77e1051a39Sopenharmony_ci } 78e1051a39Sopenharmony_ci flen--; 79e1051a39Sopenharmony_ci } 80e1051a39Sopenharmony_ci 81e1051a39Sopenharmony_ci if ((num != (flen + 1)) || (*(p++) != 0x01)) { 82e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_BLOCK_TYPE_IS_NOT_01); 83e1051a39Sopenharmony_ci return -1; 84e1051a39Sopenharmony_ci } 85e1051a39Sopenharmony_ci 86e1051a39Sopenharmony_ci /* scan over padding data */ 87e1051a39Sopenharmony_ci j = flen - 1; /* one for type. */ 88e1051a39Sopenharmony_ci for (i = 0; i < j; i++) { 89e1051a39Sopenharmony_ci if (*p != 0xff) { /* should decrypt to 0xff */ 90e1051a39Sopenharmony_ci if (*p == 0) { 91e1051a39Sopenharmony_ci p++; 92e1051a39Sopenharmony_ci break; 93e1051a39Sopenharmony_ci } else { 94e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT); 95e1051a39Sopenharmony_ci return -1; 96e1051a39Sopenharmony_ci } 97e1051a39Sopenharmony_ci } 98e1051a39Sopenharmony_ci p++; 99e1051a39Sopenharmony_ci } 100e1051a39Sopenharmony_ci 101e1051a39Sopenharmony_ci if (i == j) { 102e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING); 103e1051a39Sopenharmony_ci return -1; 104e1051a39Sopenharmony_ci } 105e1051a39Sopenharmony_ci 106e1051a39Sopenharmony_ci if (i < 8) { 107e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_BAD_PAD_BYTE_COUNT); 108e1051a39Sopenharmony_ci return -1; 109e1051a39Sopenharmony_ci } 110e1051a39Sopenharmony_ci i++; /* Skip over the '\0' */ 111e1051a39Sopenharmony_ci j -= i; 112e1051a39Sopenharmony_ci if (j > tlen) { 113e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE); 114e1051a39Sopenharmony_ci return -1; 115e1051a39Sopenharmony_ci } 116e1051a39Sopenharmony_ci memcpy(to, p, (unsigned int)j); 117e1051a39Sopenharmony_ci 118e1051a39Sopenharmony_ci return j; 119e1051a39Sopenharmony_ci} 120e1051a39Sopenharmony_ci 121e1051a39Sopenharmony_ciint ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to, 122e1051a39Sopenharmony_ci int tlen, const unsigned char *from, 123e1051a39Sopenharmony_ci int flen) 124e1051a39Sopenharmony_ci{ 125e1051a39Sopenharmony_ci int i, j; 126e1051a39Sopenharmony_ci unsigned char *p; 127e1051a39Sopenharmony_ci 128e1051a39Sopenharmony_ci if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) { 129e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 130e1051a39Sopenharmony_ci return 0; 131e1051a39Sopenharmony_ci } else if (flen < 0) { 132e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH); 133e1051a39Sopenharmony_ci return 0; 134e1051a39Sopenharmony_ci } 135e1051a39Sopenharmony_ci 136e1051a39Sopenharmony_ci p = (unsigned char *)to; 137e1051a39Sopenharmony_ci 138e1051a39Sopenharmony_ci *(p++) = 0; 139e1051a39Sopenharmony_ci *(p++) = 2; /* Public Key BT (Block Type) */ 140e1051a39Sopenharmony_ci 141e1051a39Sopenharmony_ci /* pad out with non-zero random data */ 142e1051a39Sopenharmony_ci j = tlen - 3 - flen; 143e1051a39Sopenharmony_ci 144e1051a39Sopenharmony_ci if (RAND_bytes_ex(libctx, p, j, 0) <= 0) 145e1051a39Sopenharmony_ci return 0; 146e1051a39Sopenharmony_ci for (i = 0; i < j; i++) { 147e1051a39Sopenharmony_ci if (*p == '\0') 148e1051a39Sopenharmony_ci do { 149e1051a39Sopenharmony_ci if (RAND_bytes_ex(libctx, p, 1, 0) <= 0) 150e1051a39Sopenharmony_ci return 0; 151e1051a39Sopenharmony_ci } while (*p == '\0'); 152e1051a39Sopenharmony_ci p++; 153e1051a39Sopenharmony_ci } 154e1051a39Sopenharmony_ci 155e1051a39Sopenharmony_ci *(p++) = '\0'; 156e1051a39Sopenharmony_ci 157e1051a39Sopenharmony_ci memcpy(p, from, (unsigned int)flen); 158e1051a39Sopenharmony_ci return 1; 159e1051a39Sopenharmony_ci} 160e1051a39Sopenharmony_ci 161e1051a39Sopenharmony_ciint RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, 162e1051a39Sopenharmony_ci const unsigned char *from, int flen) 163e1051a39Sopenharmony_ci{ 164e1051a39Sopenharmony_ci return ossl_rsa_padding_add_PKCS1_type_2_ex(NULL, to, tlen, from, flen); 165e1051a39Sopenharmony_ci} 166e1051a39Sopenharmony_ci 167e1051a39Sopenharmony_ciint RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, 168e1051a39Sopenharmony_ci const unsigned char *from, int flen, 169e1051a39Sopenharmony_ci int num) 170e1051a39Sopenharmony_ci{ 171e1051a39Sopenharmony_ci int i; 172e1051a39Sopenharmony_ci /* |em| is the encoded message, zero-padded to exactly |num| bytes */ 173e1051a39Sopenharmony_ci unsigned char *em = NULL; 174e1051a39Sopenharmony_ci unsigned int good, found_zero_byte, mask; 175e1051a39Sopenharmony_ci int zero_index = 0, msg_index, mlen = -1; 176e1051a39Sopenharmony_ci 177e1051a39Sopenharmony_ci if (tlen <= 0 || flen <= 0) 178e1051a39Sopenharmony_ci return -1; 179e1051a39Sopenharmony_ci 180e1051a39Sopenharmony_ci /* 181e1051a39Sopenharmony_ci * PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography Standard", 182e1051a39Sopenharmony_ci * section 7.2.2. 183e1051a39Sopenharmony_ci */ 184e1051a39Sopenharmony_ci 185e1051a39Sopenharmony_ci if (flen > num || num < RSA_PKCS1_PADDING_SIZE) { 186e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_PKCS_DECODING_ERROR); 187e1051a39Sopenharmony_ci return -1; 188e1051a39Sopenharmony_ci } 189e1051a39Sopenharmony_ci 190e1051a39Sopenharmony_ci em = OPENSSL_malloc(num); 191e1051a39Sopenharmony_ci if (em == NULL) { 192e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 193e1051a39Sopenharmony_ci return -1; 194e1051a39Sopenharmony_ci } 195e1051a39Sopenharmony_ci /* 196e1051a39Sopenharmony_ci * Caller is encouraged to pass zero-padded message created with 197e1051a39Sopenharmony_ci * BN_bn2binpad. Trouble is that since we can't read out of |from|'s 198e1051a39Sopenharmony_ci * bounds, it's impossible to have an invariant memory access pattern 199e1051a39Sopenharmony_ci * in case |from| was not zero-padded in advance. 200e1051a39Sopenharmony_ci */ 201e1051a39Sopenharmony_ci for (from += flen, em += num, i = 0; i < num; i++) { 202e1051a39Sopenharmony_ci mask = ~constant_time_is_zero(flen); 203e1051a39Sopenharmony_ci flen -= 1 & mask; 204e1051a39Sopenharmony_ci from -= 1 & mask; 205e1051a39Sopenharmony_ci *--em = *from & mask; 206e1051a39Sopenharmony_ci } 207e1051a39Sopenharmony_ci 208e1051a39Sopenharmony_ci good = constant_time_is_zero(em[0]); 209e1051a39Sopenharmony_ci good &= constant_time_eq(em[1], 2); 210e1051a39Sopenharmony_ci 211e1051a39Sopenharmony_ci /* scan over padding data */ 212e1051a39Sopenharmony_ci found_zero_byte = 0; 213e1051a39Sopenharmony_ci for (i = 2; i < num; i++) { 214e1051a39Sopenharmony_ci unsigned int equals0 = constant_time_is_zero(em[i]); 215e1051a39Sopenharmony_ci 216e1051a39Sopenharmony_ci zero_index = constant_time_select_int(~found_zero_byte & equals0, 217e1051a39Sopenharmony_ci i, zero_index); 218e1051a39Sopenharmony_ci found_zero_byte |= equals0; 219e1051a39Sopenharmony_ci } 220e1051a39Sopenharmony_ci 221e1051a39Sopenharmony_ci /* 222e1051a39Sopenharmony_ci * PS must be at least 8 bytes long, and it starts two bytes into |em|. 223e1051a39Sopenharmony_ci * If we never found a 0-byte, then |zero_index| is 0 and the check 224e1051a39Sopenharmony_ci * also fails. 225e1051a39Sopenharmony_ci */ 226e1051a39Sopenharmony_ci good &= constant_time_ge(zero_index, 2 + 8); 227e1051a39Sopenharmony_ci 228e1051a39Sopenharmony_ci /* 229e1051a39Sopenharmony_ci * Skip the zero byte. This is incorrect if we never found a zero-byte 230e1051a39Sopenharmony_ci * but in this case we also do not copy the message out. 231e1051a39Sopenharmony_ci */ 232e1051a39Sopenharmony_ci msg_index = zero_index + 1; 233e1051a39Sopenharmony_ci mlen = num - msg_index; 234e1051a39Sopenharmony_ci 235e1051a39Sopenharmony_ci /* 236e1051a39Sopenharmony_ci * For good measure, do this check in constant time as well. 237e1051a39Sopenharmony_ci */ 238e1051a39Sopenharmony_ci good &= constant_time_ge(tlen, mlen); 239e1051a39Sopenharmony_ci 240e1051a39Sopenharmony_ci /* 241e1051a39Sopenharmony_ci * Move the result in-place by |num|-RSA_PKCS1_PADDING_SIZE-|mlen| bytes to the left. 242e1051a39Sopenharmony_ci * Then if |good| move |mlen| bytes from |em|+RSA_PKCS1_PADDING_SIZE to |to|. 243e1051a39Sopenharmony_ci * Otherwise leave |to| unchanged. 244e1051a39Sopenharmony_ci * Copy the memory back in a way that does not reveal the size of 245e1051a39Sopenharmony_ci * the data being copied via a timing side channel. This requires copying 246e1051a39Sopenharmony_ci * parts of the buffer multiple times based on the bits set in the real 247e1051a39Sopenharmony_ci * length. Clear bits do a non-copy with identical access pattern. 248e1051a39Sopenharmony_ci * The loop below has overall complexity of O(N*log(N)). 249e1051a39Sopenharmony_ci */ 250e1051a39Sopenharmony_ci tlen = constant_time_select_int(constant_time_lt(num - RSA_PKCS1_PADDING_SIZE, tlen), 251e1051a39Sopenharmony_ci num - RSA_PKCS1_PADDING_SIZE, tlen); 252e1051a39Sopenharmony_ci for (msg_index = 1; msg_index < num - RSA_PKCS1_PADDING_SIZE; msg_index <<= 1) { 253e1051a39Sopenharmony_ci mask = ~constant_time_eq(msg_index & (num - RSA_PKCS1_PADDING_SIZE - mlen), 0); 254e1051a39Sopenharmony_ci for (i = RSA_PKCS1_PADDING_SIZE; i < num - msg_index; i++) 255e1051a39Sopenharmony_ci em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]); 256e1051a39Sopenharmony_ci } 257e1051a39Sopenharmony_ci for (i = 0; i < tlen; i++) { 258e1051a39Sopenharmony_ci mask = good & constant_time_lt(i, mlen); 259e1051a39Sopenharmony_ci to[i] = constant_time_select_8(mask, em[i + RSA_PKCS1_PADDING_SIZE], to[i]); 260e1051a39Sopenharmony_ci } 261e1051a39Sopenharmony_ci 262e1051a39Sopenharmony_ci OPENSSL_clear_free(em, num); 263e1051a39Sopenharmony_ci#ifndef FIPS_MODULE 264e1051a39Sopenharmony_ci /* 265e1051a39Sopenharmony_ci * This trick doesn't work in the FIPS provider because libcrypto manages 266e1051a39Sopenharmony_ci * the error stack. Instead we opt not to put an error on the stack at all 267e1051a39Sopenharmony_ci * in case of padding failure in the FIPS provider. 268e1051a39Sopenharmony_ci */ 269e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_PKCS_DECODING_ERROR); 270e1051a39Sopenharmony_ci err_clear_last_constant_time(1 & good); 271e1051a39Sopenharmony_ci#endif 272e1051a39Sopenharmony_ci 273e1051a39Sopenharmony_ci return constant_time_select_int(good, mlen, -1); 274e1051a39Sopenharmony_ci} 275e1051a39Sopenharmony_ci 276e1051a39Sopenharmony_ci/* 277e1051a39Sopenharmony_ci * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2 278e1051a39Sopenharmony_ci * padding from a decrypted RSA message in a TLS signature. The result is stored 279e1051a39Sopenharmony_ci * in the buffer pointed to by |to| which should be |tlen| bytes long. |tlen| 280e1051a39Sopenharmony_ci * must be at least SSL_MAX_MASTER_KEY_LENGTH. The original decrypted message 281e1051a39Sopenharmony_ci * should be stored in |from| which must be |flen| bytes in length and padded 282e1051a39Sopenharmony_ci * such that |flen == RSA_size()|. The TLS protocol version that the client 283e1051a39Sopenharmony_ci * originally requested should be passed in |client_version|. Some buggy clients 284e1051a39Sopenharmony_ci * can exist which use the negotiated version instead of the originally 285e1051a39Sopenharmony_ci * requested protocol version. If it is necessary to work around this bug then 286e1051a39Sopenharmony_ci * the negotiated protocol version can be passed in |alt_version|, otherwise 0 287e1051a39Sopenharmony_ci * should be passed. 288e1051a39Sopenharmony_ci * 289e1051a39Sopenharmony_ci * If the passed message is publicly invalid or some other error that can be 290e1051a39Sopenharmony_ci * treated in non-constant time occurs then -1 is returned. On success the 291e1051a39Sopenharmony_ci * length of the decrypted data is returned. This will always be 292e1051a39Sopenharmony_ci * SSL_MAX_MASTER_KEY_LENGTH. If an error occurs that should be treated in 293e1051a39Sopenharmony_ci * constant time then this function will appear to return successfully, but the 294e1051a39Sopenharmony_ci * decrypted data will be randomly generated (as per 295e1051a39Sopenharmony_ci * https://tools.ietf.org/html/rfc5246#section-7.4.7.1). 296e1051a39Sopenharmony_ci */ 297e1051a39Sopenharmony_ciint ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *libctx, 298e1051a39Sopenharmony_ci unsigned char *to, size_t tlen, 299e1051a39Sopenharmony_ci const unsigned char *from, 300e1051a39Sopenharmony_ci size_t flen, int client_version, 301e1051a39Sopenharmony_ci int alt_version) 302e1051a39Sopenharmony_ci{ 303e1051a39Sopenharmony_ci unsigned int i, good, version_good; 304e1051a39Sopenharmony_ci unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; 305e1051a39Sopenharmony_ci 306e1051a39Sopenharmony_ci /* 307e1051a39Sopenharmony_ci * If these checks fail then either the message in publicly invalid, or 308e1051a39Sopenharmony_ci * we've been called incorrectly. We can fail immediately. 309e1051a39Sopenharmony_ci */ 310e1051a39Sopenharmony_ci if (flen < RSA_PKCS1_PADDING_SIZE + SSL_MAX_MASTER_KEY_LENGTH 311e1051a39Sopenharmony_ci || tlen < SSL_MAX_MASTER_KEY_LENGTH) { 312e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_PKCS_DECODING_ERROR); 313e1051a39Sopenharmony_ci return -1; 314e1051a39Sopenharmony_ci } 315e1051a39Sopenharmony_ci 316e1051a39Sopenharmony_ci /* 317e1051a39Sopenharmony_ci * Generate a random premaster secret to use in the event that we fail 318e1051a39Sopenharmony_ci * to decrypt. 319e1051a39Sopenharmony_ci */ 320e1051a39Sopenharmony_ci if (RAND_priv_bytes_ex(libctx, rand_premaster_secret, 321e1051a39Sopenharmony_ci sizeof(rand_premaster_secret), 0) <= 0) { 322e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); 323e1051a39Sopenharmony_ci return -1; 324e1051a39Sopenharmony_ci } 325e1051a39Sopenharmony_ci 326e1051a39Sopenharmony_ci good = constant_time_is_zero(from[0]); 327e1051a39Sopenharmony_ci good &= constant_time_eq(from[1], 2); 328e1051a39Sopenharmony_ci 329e1051a39Sopenharmony_ci /* Check we have the expected padding data */ 330e1051a39Sopenharmony_ci for (i = 2; i < flen - SSL_MAX_MASTER_KEY_LENGTH - 1; i++) 331e1051a39Sopenharmony_ci good &= ~constant_time_is_zero_8(from[i]); 332e1051a39Sopenharmony_ci good &= constant_time_is_zero_8(from[flen - SSL_MAX_MASTER_KEY_LENGTH - 1]); 333e1051a39Sopenharmony_ci 334e1051a39Sopenharmony_ci 335e1051a39Sopenharmony_ci /* 336e1051a39Sopenharmony_ci * If the version in the decrypted pre-master secret is correct then 337e1051a39Sopenharmony_ci * version_good will be 0xff, otherwise it'll be zero. The 338e1051a39Sopenharmony_ci * Klima-Pokorny-Rosa extension of Bleichenbacher's attack 339e1051a39Sopenharmony_ci * (http://eprint.iacr.org/2003/052/) exploits the version number 340e1051a39Sopenharmony_ci * check as a "bad version oracle". Thus version checks are done in 341e1051a39Sopenharmony_ci * constant time and are treated like any other decryption error. 342e1051a39Sopenharmony_ci */ 343e1051a39Sopenharmony_ci version_good = 344e1051a39Sopenharmony_ci constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH], 345e1051a39Sopenharmony_ci (client_version >> 8) & 0xff); 346e1051a39Sopenharmony_ci version_good &= 347e1051a39Sopenharmony_ci constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH + 1], 348e1051a39Sopenharmony_ci client_version & 0xff); 349e1051a39Sopenharmony_ci 350e1051a39Sopenharmony_ci /* 351e1051a39Sopenharmony_ci * The premaster secret must contain the same version number as the 352e1051a39Sopenharmony_ci * ClientHello to detect version rollback attacks (strangely, the 353e1051a39Sopenharmony_ci * protocol does not offer such protection for DH ciphersuites). 354e1051a39Sopenharmony_ci * However, buggy clients exist that send the negotiated protocol 355e1051a39Sopenharmony_ci * version instead if the server does not support the requested 356e1051a39Sopenharmony_ci * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set then we tolerate 357e1051a39Sopenharmony_ci * such clients. In that case alt_version will be non-zero and set to 358e1051a39Sopenharmony_ci * the negotiated version. 359e1051a39Sopenharmony_ci */ 360e1051a39Sopenharmony_ci if (alt_version > 0) { 361e1051a39Sopenharmony_ci unsigned int workaround_good; 362e1051a39Sopenharmony_ci 363e1051a39Sopenharmony_ci workaround_good = 364e1051a39Sopenharmony_ci constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH], 365e1051a39Sopenharmony_ci (alt_version >> 8) & 0xff); 366e1051a39Sopenharmony_ci workaround_good &= 367e1051a39Sopenharmony_ci constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH + 1], 368e1051a39Sopenharmony_ci alt_version & 0xff); 369e1051a39Sopenharmony_ci version_good |= workaround_good; 370e1051a39Sopenharmony_ci } 371e1051a39Sopenharmony_ci 372e1051a39Sopenharmony_ci good &= version_good; 373e1051a39Sopenharmony_ci 374e1051a39Sopenharmony_ci 375e1051a39Sopenharmony_ci /* 376e1051a39Sopenharmony_ci * Now copy the result over to the to buffer if good, or random data if 377e1051a39Sopenharmony_ci * not good. 378e1051a39Sopenharmony_ci */ 379e1051a39Sopenharmony_ci for (i = 0; i < SSL_MAX_MASTER_KEY_LENGTH; i++) { 380e1051a39Sopenharmony_ci to[i] = 381e1051a39Sopenharmony_ci constant_time_select_8(good, 382e1051a39Sopenharmony_ci from[flen - SSL_MAX_MASTER_KEY_LENGTH + i], 383e1051a39Sopenharmony_ci rand_premaster_secret[i]); 384e1051a39Sopenharmony_ci } 385e1051a39Sopenharmony_ci 386e1051a39Sopenharmony_ci /* 387e1051a39Sopenharmony_ci * We must not leak whether a decryption failure occurs because of 388e1051a39Sopenharmony_ci * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246, 389e1051a39Sopenharmony_ci * section 7.4.7.1). The code follows that advice of the TLS RFC and 390e1051a39Sopenharmony_ci * generates a random premaster secret for the case that the decrypt 391e1051a39Sopenharmony_ci * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 392e1051a39Sopenharmony_ci * So, whether we actually succeeded or not, return success. 393e1051a39Sopenharmony_ci */ 394e1051a39Sopenharmony_ci 395e1051a39Sopenharmony_ci return SSL_MAX_MASTER_KEY_LENGTH; 396e1051a39Sopenharmony_ci} 397