OpenCoverage

rsa_pk1.c

Absolute File Name:/home/opencoverage/opencoverage/guest-scripts/openssl/src/crypto/rsa/rsa_pk1.c
LineSourceCount
1/*-
2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.-
3 *-
4 * Licensed under the OpenSSL license (the "License"). You may not use-
5 * this file except in compliance with the License. You can obtain a copy-
6 * in the file LICENSE in the source distribution or at-
7 * https://www.openssl.org/source/license.html-
8 */-
9-
10#include "internal/constant_time_locl.h"-
11-
12#include <stdio.h>-
13#include "internal/cryptlib.h"-
14#include <openssl/bn.h>-
15#include <openssl/rsa.h>-
16#include <openssl/rand.h>-
17-
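/*
 * Build a PKCS#1 v1.5 block type 1 encoding in |to|:
 *
 *     00 || 01 || FF ... FF || 00 || from[0 .. flen-1]
 *
 * |tlen| is the size of the output block and |flen| the number of data
 * bytes. Exactly |tlen| bytes are written (2 header bytes, the FF run, the
 * 00 separator and the data). Returns 1 on success and 0 on failure.
 *
 * The FF run is tlen - 3 - flen bytes long. The size check keeps it at 8
 * bytes or more, because RSA_PKCS1_PADDING_SIZE expands to 11 in this build
 * (3 framing bytes plus 8 padding bytes).
 *
 * Coverage recorded in this report: the size check was evaluated 559 times
 * and never failed, so the error return was not exercised.
 */
int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
                                 const unsigned char *from, int flen)
{
    int j;
    unsigned char *p;

    /*
     * A negative |flen| can pass the size check below; the FF run would then
     * be longer than the block and the memcpy length cast would turn it into
     * a huge unsigned value. Reject it up front, in the same silent way that
     * RSA_padding_check_PKCS1_type_2 rejects negative lengths.
     */
    if (flen < 0)
        return 0;

    if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,
               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        return 0;
    }

    p = to;

    *(p++) = 0;
    *(p++) = 1;                 /* Private Key BT (Block Type) */

    /* pad out with 0xff data */
    j = tlen - 3 - flen;
    memset(p, 0xff, j);
    p += j;
    *(p++) = '\0';              /* separator between padding and data */
    memcpy(p, from, (unsigned int)flen);
    return 1;
}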
43-
/*
 * Parse a PKCS#1 v1.5 block type 1 encoding and copy the data out.
 *
 * Expected layout of the |num|-byte encoded block:
 *
 *     00 || 01 || PS || 00 || D
 *
 *     PS - padding string, at least 8 bytes of FF
 *     D  - data
 *
 * |from| / |flen| may hold the block with or without the leading 00 byte.
 * On success D is copied to |to| (capacity |tlen|) and its length is
 * returned; on any format error -1 is returned.
 *
 * Coverage recorded in this report: the branches for num < 11, for input
 * passed without the leading 00 byte, for fewer than 8 padding bytes and for
 * data larger than |tlen| were never taken; only the padding-content errors
 * were exercised.
 */
int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
                                   const unsigned char *from, int flen,
                                   int num)
{
    const unsigned char *cursor = from;
    int pad_len = 0;
    int remaining;
    int data_len;

    if (num < 11)
        return -1;

    /* Accept inputs with and without the leading 0-byte. */
    if (num == flen) {
        if (*cursor != 0x00) {
            RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
                   RSA_R_INVALID_PADDING);
            return -1;
        }
        cursor++;
        flen--;
    }

    /* The length test comes first so the type byte is only read when it fits. */
    if (num != flen + 1 || *cursor != 0x01) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
               RSA_R_BLOCK_TYPE_IS_NOT_01);
        return -1;
    }
    cursor++;

    /* Everything after the type byte: padding, separator and data. */
    remaining = flen - 1;

    /* Walk the run of FF padding bytes. */
    while (pad_len < remaining && *cursor == 0xff) {
        cursor++;
        pad_len++;
    }

    /* Ran off the end without meeting the 00 separator. */
    if (pad_len == remaining) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
               RSA_R_NULL_BEFORE_BLOCK_MISSING);
        return -1;
    }

    /* The byte that ended the run must be the 00 separator. */
    if (*cursor != 0) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
               RSA_R_BAD_FIXED_HEADER_DECRYPT);
        return -1;
    }
    cursor++;

    if (pad_len < 8) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
               RSA_R_BAD_PAD_BYTE_COUNT);
        return -1;
    }

    /* What is left after the padding and its separator is the data. */
    data_len = remaining - (pad_len + 1);
    if (data_len > tlen) {
        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, RSA_R_DATA_TOO_LARGE);
        return -1;
    }
    memcpy(to, cursor, (unsigned int)data_len);

    return data_len;
}
116-
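/*
 * Build a PKCS#1 v1.5 block type 2 encoding in |to|:
 *
 *     00 || 02 || PS || 00 || from[0 .. flen-1]
 *
 * PS is tlen - 3 - flen bytes of non-zero random data. |tlen| is the size of
 * the output block and |flen| the number of data bytes. Returns 1 on success
 * and 0 on failure; a RAND_bytes failure returns 0 without raising an RSA
 * error.
 *
 * Coverage recorded in this report: the size check failed once in 493
 * evaluations; neither RAND_bytes failure branch was ever taken.
 */
int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
                                 const unsigned char *from, int flen)
{
    int i, j;
    unsigned char *p;

    /*
     * A negative |flen| can pass the size check below; the padding run would
     * then be longer than the block and the memcpy length cast would turn it
     * into a huge unsigned value. Reject it up front, in the same silent way
     * that RSA_padding_check_PKCS1_type_2 rejects negative lengths.
     */
    if (flen < 0)
        return 0;

    /* Same bound as the type 1 encoder: 3 framing bytes + 8 padding bytes. */
    if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) {
        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,
               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
        return 0;
    }

    p = to;

    *(p++) = 0;
    *(p++) = 2;                 /* Public Key BT (Block Type) */

    /* pad out with non-zero random data */
    j = tlen - 3 - flen;

    if (RAND_bytes(p, j) <= 0)
        return 0;
    for (i = 0; i < j; i++) {
        /*
         * A zero byte inside PS would be read as the separator by the
         * decoder, so redraw that byte until it is non-zero.
         */
        if (*p == '\0') {
            do {
                if (RAND_bytes(p, 1) <= 0)
                    return 0;
            } while (*p == '\0');
        }
        p++;
    }

    *(p++) = '\0';              /* separator between padding and data */

    memcpy(p, from, (unsigned int)flen);
    return 1;
}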
153-
/*
 * Parse a PKCS#1 v1.5 block type 2 encoding (the result of an RSA
 * decryption) and copy the message out.
 *
 * Expected layout of the |num|-byte encoded block:
 *
 *     00 || 02 || PS || 00 || M
 *
 * |from| / |flen| hold the decrypted block, which may be shorter than |num|;
 * in that case it is copied right-aligned into a zeroed |num|-byte buffer.
 * On success M is copied to |to| (capacity |tlen|) and its length is
 * returned. On failure -1 is returned; RSA_R_PKCS_DECODING_ERROR is raised
 * on the paths that reach the |err| label.
 *
 * The padding checks are accumulated into |good| with the constant_time_*
 * helpers from internal/constant_time_locl.h (presumably all-ones / all-zero
 * masks; confirm against that header) so that the scan itself does not
 * branch on the decrypted bytes. Statement order matters here; do not
 * restructure without re-checking the timing behaviour.
 *
 * NOTE(review): the final branch on |good|, the length of the last memcpy
 * and the error raised only on failure all depend on the decrypted data, as
 * the comment before that branch admits. Callers that decrypt untrusted
 * ciphertext should not let the outcome become distinguishable to the
 * sender; confirm how each caller handles a -1 return.
 *
 * Coverage recorded in this report: 31 calls, 5 of them rejected. The
 * negative-length guard, flen > num, num < 11 and the flen != num padded-copy
 * path (including the allocation failure return) were never exercised.
 */
int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
                                   const unsigned char *from, int flen,
                                   int num)
{
    int i;
    /* |em| is the encoded message, zero-padded to exactly |num| bytes */
    unsigned char *em = NULL;
    unsigned int good, found_zero_byte;
    int zero_index = 0, msg_index, mlen = -1;

    /* Negative lengths are rejected without raising an error. */
    if (tlen < 0 || flen < 0)
        return -1;

    /*
     * PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography Standard",
     * section 7.2.2.
     */

    /* |mlen| is still -1 here, so the err path raises the decoding error. */
    if (flen > num)
        goto err;

    if (num < 11)
        goto err;

    if (flen != num) {
        em = OPENSSL_zalloc(num);
        if (em == NULL) {
            RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
            return -1;
        }
        /*
         * Caller is encouraged to pass zero-padded message created with
         * BN_bn2binpad, but if it doesn't, we do this zero-padding copy
         * to avoid leaking that information. The copy still leaks some
         * side-channel information, but it's impossible to have a fixed
         * memory access pattern since we can't read out of the bounds of
         * |from|.
         */
        memcpy(em + num - flen, from, flen);
        from = em;
    }

    /* Header bytes: 00 then block type 02. */
    good = constant_time_is_zero(from[0]);
    good &= constant_time_eq(from[1], 2);

    /*
     * Scan every byte after the header, recording the index of the first
     * zero byte; the loop always runs to |num| regardless of where (or
     * whether) a zero byte is found.
     */
    found_zero_byte = 0;
    for (i = 2; i < num; i++) {
        unsigned int equals0 = constant_time_is_zero(from[i]);
        zero_index =
            constant_time_select_int(~found_zero_byte & equals0, i,
                                     zero_index);
        found_zero_byte |= equals0;
    }

    /*
     * PS must be at least 8 bytes long, and it starts two bytes into |from|.
     * If we never found a 0-byte, then |zero_index| is 0 and the check
     * also fails.
     */
    good &= constant_time_ge((unsigned int)(zero_index), 2 + 8);

    /*
     * Skip the zero byte. This is incorrect if we never found a zero-byte
     * but in this case we also do not copy the message out.
     */
    msg_index = zero_index + 1;
    mlen = num - msg_index;

    /*
     * For good measure, do this check in constant time as well; it could
     * leak something if |tlen| was assuming valid padding.
     */
    good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen));

    /*
     * We can't continue in constant-time because we need to copy the result
     * and we cannot fake its length. This unavoidably leaks timing
     * information at the API boundary.
     */
    if (!good) {
        mlen = -1;
        goto err;
    }

    memcpy(to, from + msg_index, mlen);

 err:
    /* |em| is NULL unless the zero-padded copy was made above. */
    OPENSSL_clear_free(em, num);
    if (mlen == -1)
        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
               RSA_R_PKCS_DECODING_ERROR);
    return mlen;
}

Generated by Squish Coco 4.2.2