53
53
if err := checkPub(&priv.PublicKey); err != nil {
56
valid, out, err := decryptPKCS1v15(rand, priv, ciphertext)
57
if err == nil && valid == 0 {
56
valid, out, index, err := decryptPKCS1v15(rand, priv, ciphertext)
61
return nil, ErrDecryption
81
84
k := (priv.N.BitLen() + 7) / 8
82
85
if k-(len(key)+3+8) < 0 {
87
valid, msg, err := decryptPKCS1v15(rand, priv, ciphertext)
89
valid, em, index, err := decryptPKCS1v15(rand, priv, ciphertext)
92
valid &= subtle.ConstantTimeEq(int32(len(msg)), int32(len(key)))
93
subtle.ConstantTimeCopy(valid, key, msg)
95
// This should be impossible because decryptPKCS1v15 always
96
// returns the full slice.
100
valid &= subtle.ConstantTimeEq(int32(len(em)-index), int32(len(key)))
101
subtle.ConstantTimeCopy(valid, key, em[len(em)-len(key):])
97
func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid int, msg []byte, err error) {
105
// decryptPKCS1v15 decrypts ciphertext using priv and blinds the operation if
106
// rand is not nil. It returns one or zero in valid that indicates whether the
107
// plaintext was correctly structured. In either case, the plaintext is
108
// returned in em so that it may be read independently of whether it was valid
109
// in order to maintain constant memory access patterns. If the plaintext was
110
// valid then index contains the index of the original message in em.
111
func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid int, em []byte, index int, err error) {
98
112
k := (priv.N.BitLen() + 7) / 8
100
114
err = ErrDecryption
110
em := leftPad(m.Bytes(), k)
124
em = leftPad(m.Bytes(), k)
111
125
firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0)
112
126
secondByteIsTwo := subtle.ConstantTimeByteEq(em[1], 2)
115
129
// octets, followed by a 0, followed by the message.
116
130
// lookingForIndex: 1 iff we are still looking for the zero.
117
131
// index: the offset of the first zero byte.
118
var lookingForIndex, index int
121
134
for i := 2; i < len(em); i++ {
122
135
equals0 := subtle.ConstantTimeByteEq(em[i], 0)
129
142
validPS := subtle.ConstantTimeLessOrEq(2+8, index)
131
144
valid = firstByteIsZero & secondByteIsTwo & (^lookingForIndex & 1) & validPS
145
index = subtle.ConstantTimeSelect(valid, index+1, 0)
146
return valid, em, index, nil
136
149
// nonZeroRandomBytes fills the given slice with non-zero random octets.
177
190
// SignPKCS1v15 calculates the signature of hashed using RSASSA-PKCS1-V1_5-SIGN from RSA PKCS#1 v1.5.
178
191
// Note that hashed must be the result of hashing the input message using the
179
// given hash function.
192
// given hash function. If hash is zero, hashed is signed directly. This isn't
193
// advisable except for interoperability.
180
194
func SignPKCS1v15(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []byte) (s []byte, err error) {
181
195
hashLen, prefix, err := pkcs1v15HashInfo(hash, len(hashed))
212
226
// VerifyPKCS1v15 verifies an RSA PKCS#1 v1.5 signature.
213
227
// hashed is the result of hashing the input message using the given hash
214
228
// function and sig is the signature. A valid signature is indicated by
215
// returning a nil error.
229
// returning a nil error. If hash is zero then hashed is used directly. This
230
// isn't advisable except for interoperability.
216
231
func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) (err error) {
217
232
hashLen, prefix, err := pkcs1v15HashInfo(hash, len(hashed))
251
266
func pkcs1v15HashInfo(hash crypto.Hash, inLen int) (hashLen int, prefix []byte, err error) {
267
// Special case: crypto.Hash(0) is used to indicate that the data is
270
return inLen, nil, nil
252
273
hashLen = hash.Size()
253
274
if inLen != hashLen {
254
275
return 0, nil, errors.New("crypto/rsa: input must be hashed message")