如前面《RSA算法原理》里描述,RSA算法的加解密操作本质上来讲就是大数的模幂运算,RSA算法的安全性很大程度上取决于填充方式,因此在一个安全的RSA加密操作需要选择一个合适的填充模式,最常见的加密填充模式有RSA_PKCS_V15和RSA_PKCS_V21(OAEP),下面还是以mbedtls里的RSA加密源码为例做进一步分析。
一、RSA加密
/*
* Add the message padding, then do an RSA operation
*/
int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode, size_t ilen,
const unsigned char *input,
unsigned char *output )
{
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
mode == MBEDTLS_RSA_PUBLIC );
RSA_VALIDATE_RET( output != NULL );
RSA_VALIDATE_RET( ilen == 0 || input != NULL );
switch( ctx->padding )
{
#if defined(MBEDTLS_PKCS1_V15)
case MBEDTLS_RSA_PKCS_V15:
return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
input, output );
#endif
#if defined(MBEDTLS_PKCS1_V21)
case MBEDTLS_RSA_PKCS_V21:
return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
ilen, input, output );
#endif
default:
return( MBEDTLS_ERR_RSA_INVALID_PADDING );
}
}首先进行加密操作时,根据不同的padding方式选择不同的加密运算。
如果选择的是PKCS_V15填充模式,则会调用mbedtls_rsa_rsaes_pkcs1_v15_encrypt()函数进行加密运算。此模式的padding方式可以用如下公式表示EB=00||BT||PS||00||D。其中开头的00是为了防止做加密运算的padding后数据大于模指数N;BT是Block Type的缩写,代表块的的类型,如果是私钥操作的话,这里是字节0x00或者0x01,如果是公钥操作的话,这里是0x02。PS是的Padding String的缩写。它的长度至少是8字节,大小等于K(Key size in byte)-3-D,如果这里BT是0x01,这里的padding是K-3-D字节0xff,如果BT是0x02,这里的padding是K-3-D字节的随机数。做完填充之后,进行最基本的RSA模幂运算。根据mode类型,选择是公钥还是私钥运算。
/*
* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
*/
int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode, size_t ilen,
const unsigned char *input,
unsigned char *output )
{
size_t nb_pad, olen;
int ret;
unsigned char *p = output;
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
mode == MBEDTLS_RSA_PUBLIC );
RSA_VALIDATE_RET( output != NULL );
RSA_VALIDATE_RET( ilen == 0 || input != NULL );
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
olen = ctx->len;
/* first comparison checks for overflow */
if( ilen + 11 < ilen || olen < ilen + 11 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nb_pad = olen - 3 - ilen;
*p++ = 0;
if( mode == MBEDTLS_RSA_PUBLIC )
{
if( f_rng == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
*p++ = MBEDTLS_RSA_CRYPT;
while( nb_pad-- > 0 )
{
int rng_dl = 100;
do {
ret = f_rng( p_rng, p, 1 );
} while( *p == 0 && --rng_dl && ret == 0 );
/* Check if RNG failed to generate data */
if( rng_dl == 0 || ret != 0 )
return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
p++;
}
}
else
{
*p++ = MBEDTLS_RSA_SIGN;
while( nb_pad-- > 0 )
*p++ = 0xFF;
}
*p++ = 0;
if( ilen != 0 )
memcpy( p, input, ilen );
return( ( mode == MBEDTLS_RSA_PUBLIC )
? mbedtls_rsa_public( ctx, output, output )
: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
}如果选择的是PKCS_V21填充模式,则会调用mbedtls_rsa_rsaes_oaep_encrypt()函数进行加密运算。此模式的padding方式可以用如下公式表示EM=00||maskedseed||maskedDB。其中开头的00是为了防止做加密运算的padding后数据大于模指数N;这里seed是hlen长度的随机数,使用MGF(Mask Generate Function)函数将seed生成olen-hlen-1长度的掩码dbmask,DB=hash(label)||(olen-2*hlen-2-ilen)0x00||0x01||M,计算maskedDB=dbmask异或DB。使用MGF函数将maskeddb生成长度为hlen的seedmask,maskseed=seed异或seedmask。由此编码得到了填充数据,然后进行加密操作。
/*
* Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
*/
int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
const unsigned char *label, size_t label_len,
size_t ilen,
const unsigned char *input,
unsigned char *output )
{
size_t olen;
int ret;
unsigned char *p = output;
unsigned int hlen;
const mbedtls_md_info_t *md_info;
mbedtls_md_context_t md_ctx;
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
mode == MBEDTLS_RSA_PUBLIC );
RSA_VALIDATE_RET( output != NULL );
RSA_VALIDATE_RET( ilen == 0 || input != NULL );
RSA_VALIDATE_RET( label_len == 0 || label != NULL );
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
if( f_rng == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
if( md_info == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
olen = ctx->len;
hlen = mbedtls_md_get_size( md_info );
/* first comparison checks for overflow */
if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
memset( output, 0, olen );
*p++ = 0;
/* Generate a random octet string seed */
if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
p += hlen;
/* Construct DB */
if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 )
return( ret );
p += hlen;
p += olen - 2 * hlen - 2 - ilen;
*p++ = 1;
if( ilen != 0 )
memcpy( p, input, ilen );
mbedtls_md_init( &md_ctx );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
goto exit;
/* maskedDB: Apply dbMask to DB */
if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
&md_ctx ) ) != 0 )
goto exit;
/* maskedSeed: Apply seedMask to seed */
if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
&md_ctx ) ) != 0 )
goto exit;
exit:
mbedtls_md_free( &md_ctx );
if( ret != 0 )
return( ret );
return( ( mode == MBEDTLS_RSA_PUBLIC )
? mbedtls_rsa_public( ctx, output, output )
: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
}二、RSA解密
RSA解密时加密的逆操作,根据代码来分析具体的操作。
/*
* Do an RSA operation, then remove the message padding
*/
int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode, size_t *olen,
const unsigned char *input,
unsigned char *output,
size_t output_max_len)
{
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
mode == MBEDTLS_RSA_PUBLIC );
RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
RSA_VALIDATE_RET( input != NULL );
RSA_VALIDATE_RET( olen != NULL );
switch( ctx->padding )
{
#if defined(MBEDTLS_PKCS1_V15)
case MBEDTLS_RSA_PKCS_V15:
return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
input, output, output_max_len );
#endif
#if defined(MBEDTLS_PKCS1_V21)
case MBEDTLS_RSA_PKCS_V21:
return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
olen, input, output,
output_max_len );
#endif
default:
return( MBEDTLS_ERR_RSA_INVALID_PADDING );
}
}首先进行解密操作时,根据不同的padding方式选择不同的解密运算。
如果选择的是PKCS_V15填充模式,这里会调用mbedtls_rsa_rsaes_pkcs1_v15_decrypt函数,函数首先会调用RSA解密函数解密数据。然后根据编码的逆运算来解码数据。首先检查第一个字节是否是0x00,然后获取padding len,判断padding len是否小于8,小于8则报错,然后找到对应的数据位置,解码得到相应的明文数据的二进制编码。
/*
* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
*/
int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode, size_t *olen,
const unsigned char *input,
unsigned char *output,
size_t output_max_len )
{
int ret;
size_t ilen, i, plaintext_max_size;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
/* The following variables take sensitive values: their value must
* not leak into the observable behavior of the function other than
* the designated outputs (output, olen, return value). Otherwise
* this would open the execution of the function to
* side-channel-based variants of the Bleichenbacher padding oracle
* attack. Potential side channels include overall timing, memory
* access patterns (especially visible to an adversary who has access
* to a shared memory cache), and branches (especially visible to
* an adversary who has access to a shared code cache or to a shared
* branch predictor). */
size_t pad_count = 0;
unsigned bad = 0;
unsigned char pad_done = 0;
size_t plaintext_size = 0;
unsigned output_too_large;
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
mode == MBEDTLS_RSA_PUBLIC );
RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
RSA_VALIDATE_RET( input != NULL );
RSA_VALIDATE_RET( olen != NULL );
ilen = ctx->len;
plaintext_max_size = ( output_max_len > ilen - 11 ?
ilen - 11 :
output_max_len );
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
if( ilen < 16 || ilen > sizeof( buf ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
ret = ( mode == MBEDTLS_RSA_PUBLIC )
? mbedtls_rsa_public( ctx, input, buf )
: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
if( ret != 0 )
goto cleanup;
/* Check and get padding length in constant time and constant
* memory trace. The first byte must be 0. */
bad |= buf[0];
if( mode == MBEDTLS_RSA_PRIVATE )
{
/* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
* where PS must be at least 8 nonzero bytes. */
bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;
/* Read the whole buffer. Set pad_done to nonzero if we find
* the 0x00 byte and remember the padding length in pad_count. */
for( i = 2; i < ilen; i++ )
{
pad_done |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;
pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
}
}
else
{
/* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00
* where PS must be at least 8 bytes with the value 0xFF. */
bad |= buf[1] ^ MBEDTLS_RSA_SIGN;
/* Read the whole buffer. Set pad_done to nonzero if we find
* the 0x00 byte and remember the padding length in pad_count.
* If there's a non-0xff byte in the padding, the padding is bad. */
for( i = 2; i < ilen; i++ )
{
pad_done |= if_int( buf[i], 0, 1 );
pad_count += if_int( pad_done, 0, 1 );
bad |= if_int( pad_done, 0, buf[i] ^ 0xFF );
}
}
/* If pad_done is still zero, there's no data, only unfinished padding. */
bad |= if_int( pad_done, 0, 1 );
/* There must be at least 8 bytes of padding. */
bad |= size_greater_than( 8, pad_count );
/* If the padding is valid, set plaintext_size to the number of
* remaining bytes after stripping the padding. If the padding
* is invalid, avoid leaking this fact through the size of the
* output: use the maximum message size that fits in the output
* buffer. Do it without branches to avoid leaking the padding
* validity through timing. RSA keys are small enough that all the
* size_t values involved fit in unsigned int. */
plaintext_size = if_int( bad,
(unsigned) plaintext_max_size,
(unsigned) ( ilen - pad_count - 3 ) );
/* Set output_too_large to 0 if the plaintext fits in the output
* buffer and to 1 otherwise. */
output_too_large = size_greater_than( plaintext_size,
plaintext_max_size );
/* Set ret without branches to avoid timing attacks. Return:
* - INVALID_PADDING if the padding is bad (bad != 0).
* - OUTPUT_TOO_LARGE if the padding is good but the decrypted
* plaintext does not fit in the output buffer.
* - 0 if the padding is correct. */
ret = - (int) if_int( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
if_int( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
0 ) );
/* If the padding is bad or the plaintext is too large, zero the
* data that we're about to copy to the output buffer.
* We need to copy the same amount of data
* from the same buffer whether the padding is good or not to
* avoid leaking the padding validity through overall timing or
* through memory or cache access patterns. */
bad = all_or_nothing_int( bad | output_too_large );
for( i = 11; i < ilen; i++ )
buf[i] &= ~bad;
/* If the plaintext is too large, truncate it to the buffer size.
* Copy anyway to avoid revealing the length through timing, because
* revealing the length is as bad as revealing the padding validity
* for a Bleichenbacher attack. */
plaintext_size = if_int( output_too_large,
(unsigned) plaintext_max_size,
(unsigned) plaintext_size );
/* Move the plaintext to the leftmost position where it can start in
* the working buffer, i.e. make it start plaintext_max_size from
* the end of the buffer. Do this with a memory access trace that
* does not depend on the plaintext size. After this move, the
* starting location of the plaintext is no longer sensitive
* information. */
mem_move_to_left( buf + ilen - plaintext_max_size,
plaintext_max_size,
plaintext_max_size - plaintext_size );
/* Finally copy the decrypted plaintext plus trailing zeros into the output
* buffer. If output_max_len is 0, then output may be an invalid pointer
* and the result of memcpy() would be undefined; prevent undefined
* behavior making sure to depend only on output_max_len (the size of the
* user-provided output buffer), which is independent from plaintext
* length, validity of padding, success of the decryption, and other
* secrets. */
if( output_max_len != 0 )
memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size );
/* Report the amount of data we copied to the output buffer. In case
* of errors (bad padding or output too large), the value of *olen
* when this function returns is not specified. Making it equivalent
* to the good case limits the risks of leaking the padding validity. */
*olen = plaintext_size;
cleanup:
mbedtls_platform_zeroize( buf, sizeof( buf ) );
return( ret );
}如果选择的是PKCS_V21填充模式,这里会调用mbedtls_rsa_rsaes_oaep_decrypt函数,函数首先会进行基本的参数检查,然后调用RSA解密函数解密数据。
然后根据编码的逆运算来解码数据。解码操作首先对maskeddb使用mgf函数得到seedmask,然后将seedmask和maskedseed异或得到seed。再者对seed使用mgf函数得到dbmask,然后将maskeddb和dbmask异或,得到db。
解码完成之后,首先检查第一个字节是否是0x00,然后检查label hash lhash。然后获取0x00的padding长度,判断紧跟着的字节是否是0x01。后面数据即为明文数据的二进制编码。
/*
* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
*/
int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
const unsigned char *label, size_t label_len,
size_t *olen,
const unsigned char *input,
unsigned char *output,
size_t output_max_len )
{
int ret;
size_t ilen, i, pad_len;
unsigned char *p, bad, pad_done;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
unsigned int hlen;
const mbedtls_md_info_t *md_info;
mbedtls_md_context_t md_ctx;
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
mode == MBEDTLS_RSA_PUBLIC );
RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
RSA_VALIDATE_RET( label_len == 0 || label != NULL );
RSA_VALIDATE_RET( input != NULL );
RSA_VALIDATE_RET( olen != NULL );
/*
* Parameters sanity checks
*/
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
ilen = ctx->len;
if( ilen < 16 || ilen > sizeof( buf ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
if( md_info == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
hlen = mbedtls_md_get_size( md_info );
// checking for integer underflow
if( 2 * hlen + 2 > ilen )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
/*
* RSA operation
*/
ret = ( mode == MBEDTLS_RSA_PUBLIC )
? mbedtls_rsa_public( ctx, input, buf )
: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
if( ret != 0 )
goto cleanup;
/*
* Unmask data and generate lHash
*/
mbedtls_md_init( &md_ctx );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
{
mbedtls_md_free( &md_ctx );
goto cleanup;
}
/* seed: Apply seedMask to maskedSeed */
if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
&md_ctx ) ) != 0 ||
/* DB: Apply dbMask to maskedDB */
( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
&md_ctx ) ) != 0 )
{
mbedtls_md_free( &md_ctx );
goto cleanup;
}
mbedtls_md_free( &md_ctx );
/* Generate lHash */
if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 )
goto cleanup;
/*
* Check contents, in "constant-time"
*/
p = buf;
bad = 0;
bad |= *p++; /* First byte must be 0 */
p += hlen; /* Skip seed */
/* Check lHash */
for( i = 0; i < hlen; i++ )
bad |= lhash[i] ^ *p++;
/* Get zero-padding len, but always read till end of buffer
* (minus one, for the 01 byte) */
pad_len = 0;
pad_done = 0;
for( i = 0; i < ilen - 2 * hlen - 2; i++ )
{
pad_done |= p[i];
pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
}
p += pad_len;
bad |= *p++ ^ 0x01;
/*
* The only information "leaked" is whether the padding was correct or not
* (eg, no data is copied if it was not correct). This meets the
* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
* the different error conditions.
*/
if( bad != 0 )
{
ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
goto cleanup;
}
if( ilen - ( p - buf ) > output_max_len )
{
ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
goto cleanup;
}
*olen = ilen - (p - buf);
if( *olen != 0 )
memcpy( output, p, *olen );
ret = 0;
cleanup:
mbedtls_platform_zeroize( buf, sizeof( buf ) );
mbedtls_platform_zeroize( lhash, sizeof( lhash ) );
return( ret );
}
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
