1 files changed, 145 insertions, 0 deletions

diff --git a/test/monniaux/BearSSL/src/rsa/rsa_oaep_unpad.c b/test/monniaux/BearSSL/src/rsa/rsa_oaep_unpad.c
new file mode 100644
index 00000000..7c4be6a8
--- /dev/null
+++ b/test/monniaux/BearSSL/src/rsa/rsa_oaep_unpad.c
@@ -0,0 +1,145 @@
+/*
+ * Copyright (c) 2018 Thomas Pornin <pornin@bolet.org>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining 
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be 
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include "inner.h"
+
+/*
+ * Hash some data and XOR the result into the provided buffer. This is put
+ * as a separate function so that stack allocation of the hash function
+ * context is done only for the duration of the hash.
+ */
+static void
+xor_hash_data(const br_hash_class *dig, void *dst, const void *src, size_t len)
+{
+	br_hash_compat_context hc;
+	unsigned char tmp[64];
+	unsigned char *buf;
+	size_t u, hlen;
+
+	hc.vtable = dig;
+	dig->init(&hc.vtable);
+	dig->update(&hc.vtable, src, len);
+	dig->out(&hc.vtable, tmp);
+	buf = dst;
+	hlen = br_digest_size(dig);
+	for (u = 0; u < hlen; u ++) {
+		buf[u] ^= tmp[u];
+	}
+}
+
+/* see inner.h */
+uint32_t
+br_rsa_oaep_unpad(const br_hash_class *dig,
+	const void *label, size_t label_len,
+	void *data, size_t *len)
+{
+	size_t u, k, hlen;
+	unsigned char *buf;
+	uint32_t r, s, zlen;
+
+	hlen = br_digest_size(dig);
+	k = *len;
+	buf = data;
+
+	/*
+	 * There must be room for the padding.
+	 */
+	if (k < ((hlen << 1) + 2)) {
+		return 0;
+	}
+
+	/*
+	 * Unmask the seed, then the DB value.
+	 */
+	br_mgf1_xor(buf + 1, hlen, dig, buf + 1 + hlen, k - hlen - 1);
+	br_mgf1_xor(buf + 1 + hlen, k - hlen - 1, dig, buf + 1, hlen);
+
+	/*
+	 * Hash the label and XOR it with the value in the array; if
+	 * they are equal then these should yield only zeros.
+	 */
+	xor_hash_data(dig, buf + 1 + hlen, label, label_len);
+
+	/*
+	 * At that point, if the padding was correct, when we should
+	 * have: 0x00 || seed || 0x00 ... 0x00 0x01 || M
+	 * Padding is valid as long as:
+	 *  - There is at least hlen+1 leading bytes of value 0x00.
+	 *  - There is at least one non-zero byte.
+	 *  - The first (leftmost) non-zero byte has value 0x01.
+	 *
+	 * Ultimately, we may leak the resulting message length, i.e.
+	 * the position of the byte of value 0x01, but we must take care
+	 * to do so only if the number of zero bytes has been verified
+	 * to be at least hlen+1.
+	 *
+	 * The loop below counts the number of bytes of value 0x00, and
+	 * checks that the next byte has value 0x01, in constant-time.
+	 *
+	 *  - If the initial byte (before the seed) is not 0x00, then
+	 *    r and s are set to 0, and stay there.
+	 *  - Value r is 1 until the first non-zero byte is reached
+	 *    (after the seed); it switches to 0 at that point.
+	 *  - Value s is set to 1 if and only if the data encountered
+	 *    at the time of the transition of r from 1 to 0 has value
+	 *    exactly 0x01.
+	 *  - Value zlen counts the number of leading bytes of value zero
+	 *    (after the seed).
+	 */
+	r = 1 - ((buf[0] + 0xFF) >> 8);
+	s = 0;
+	zlen = 0;
+	for (u = hlen + 1; u < k; u ++) {
+		uint32_t w, nz;
+
+		w = buf[u];
+
+		/*
+		 * nz == 1 only for the first non-zero byte.
+		 */
+		nz = r & ((w + 0xFF) >> 8);
+		s |= nz & EQ(w, 0x01);
+		r &= NOT(nz);
+		zlen += r;
+	}
+
+	/*
+	 * Padding is correct only if s == 1, _and_ zlen >= hlen.
+	 */
+	s &= GE(zlen, (uint32_t)hlen);
+
+	/*
+	 * At that point, padding was verified, and we are now allowed
+	 * to make conditional jumps.
+	 */
+	if (s) {
+		size_t plen;
+
+		plen = 2 + hlen + zlen;
+		k -= plen;
+		memmove(buf, buf + plen, k);
+		*len = k;
+	}
+	return s;
+}