xref: /freebsd/contrib/bearssl/src/rsa/rsa_ssl_decrypt.c (revision 7ef62cebc2f965b0f640263e179276928885e33d)
1 /*
2  * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #include "inner.h"
26 
27 /* see bearssl_rsa.h */
28 uint32_t
29 br_rsa_ssl_decrypt(br_rsa_private core, const br_rsa_private_key *sk,
30 	unsigned char *data, size_t len)
31 {
32 	uint32_t x;
33 	size_t u;
34 
35 	/*
36 	 * A first check on length. Since this test works only on the
37 	 * buffer length, it needs not (and cannot) be constant-time.
38 	 */
39 	if (len < 59 || len != (sk->n_bitlen + 7) >> 3) {
40 		return 0;
41 	}
42 	x = core(data, sk);
43 
44 	x &= EQ(data[0], 0x00);
45 	x &= EQ(data[1], 0x02);
46 	for (u = 2; u < (len - 49); u ++) {
47 		x &= NEQ(data[u], 0);
48 	}
49 	x &= EQ(data[len - 49], 0x00);
50 	memmove(data, data + len - 48, 48);
51 	return x;
52 }
53