mirror of
https://github.com/Atmosphere-NX/Atmosphere
synced 2024-11-14 00:56:35 +00:00
crypto/spl: implement rsa-oaep
This commit is contained in:
parent
ad1158b30a
commit
a429c61f33
6 changed files with 373 additions and 75 deletions
|
@ -21,3 +21,5 @@
|
||||||
#include <vapours/crypto/crypto_memory_clear.hpp>
|
#include <vapours/crypto/crypto_memory_clear.hpp>
|
||||||
#include <vapours/crypto/crypto_sha256_generator.hpp>
|
#include <vapours/crypto/crypto_sha256_generator.hpp>
|
||||||
#include <vapours/crypto/crypto_rsa_pss_sha256_verifier.hpp>
|
#include <vapours/crypto/crypto_rsa_pss_sha256_verifier.hpp>
|
||||||
|
#include <vapours/crypto/crypto_rsa_oaep_sha256_decoder.hpp>
|
||||||
|
#include <vapours/crypto/crypto_rsa_oaep_sha256_decryptor.hpp>
|
||||||
|
|
|
@ -0,0 +1,139 @@
|
||||||
|
/*
|
||||||
|
* Copyright (c) 2018-2020 Atmosphère-NX
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms and conditions of the GNU General Public License,
|
||||||
|
* version 2, as published by the Free Software Foundation.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope it will be useful, but WITHOUT
|
||||||
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||||
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
||||||
|
* more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#pragma once
|
||||||
|
#include <vapours/common.hpp>
|
||||||
|
#include <vapours/assert.hpp>
|
||||||
|
#include <vapours/util.hpp>
|
||||||
|
#include <vapours/crypto/crypto_rsa_calculator.hpp>
|
||||||
|
#include <vapours/crypto/impl/crypto_rsa_oaep_impl.hpp>
|
||||||
|
|
||||||
|
namespace ams::crypto {
|
||||||
|
|
||||||
|
template<size_t ModulusSize, typename Hash> /* requires HashFunction<Hash> */
|
||||||
|
class RsaOaepDecryptor {
|
||||||
|
NON_COPYABLE(RsaOaepDecryptor);
|
||||||
|
NON_MOVEABLE(RsaOaepDecryptor);
|
||||||
|
public:
|
||||||
|
static constexpr size_t HashSize = Hash::HashSize;
|
||||||
|
static constexpr size_t BlockSize = ModulusSize;
|
||||||
|
static constexpr size_t MaximumExponentSize = ModulusSize;
|
||||||
|
static constexpr size_t RequiredWorkBufferSize = RsaCalculator<ModulusSize, MaximumExponentSize>::RequiredWorkBufferSize;
|
||||||
|
private:
|
||||||
|
enum class State {
|
||||||
|
None,
|
||||||
|
Initialized,
|
||||||
|
Done,
|
||||||
|
};
|
||||||
|
private:
|
||||||
|
RsaCalculator<ModulusSize, MaximumExponentSize> calculator;
|
||||||
|
Hash hash;
|
||||||
|
bool set_label_digest;
|
||||||
|
u8 label_digest[HashSize];
|
||||||
|
State state;
|
||||||
|
public:
|
||||||
|
RsaOaepDecryptor() : set_label_digest(false), state(State::None) { /* ... */ }
|
||||||
|
|
||||||
|
~RsaOaepDecryptor() {
|
||||||
|
ClearMemory(this->label_digest, sizeof(this->label_digest));
|
||||||
|
}
|
||||||
|
|
||||||
|
bool Initialize(const void *mod, size_t mod_size, const void *exp, size_t exp_size) {
|
||||||
|
this->hash.Initialize();
|
||||||
|
this->set_label_digest = false;
|
||||||
|
if (this->calculator.Initialize(mod, mod_size, exp, exp_size)) {
|
||||||
|
this->state = State::Initialized;
|
||||||
|
return true;
|
||||||
|
} else {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void UpdateLabel(const void *data, size_t size) {
|
||||||
|
AMS_ASSERT(this->state == State::Initialized);
|
||||||
|
|
||||||
|
this->hash.Update(data, size);
|
||||||
|
}
|
||||||
|
|
||||||
|
void SetLabelDigest(const void *digest, size_t digest_size) {
|
||||||
|
AMS_ASSERT(this->state == State::Initialized);
|
||||||
|
AMS_ABORT_UNLESS(digest_size == sizeof(this->label_digest));
|
||||||
|
|
||||||
|
std::memcpy(this->label_digest, digest, digest_size);
|
||||||
|
this->set_label_digest = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
size_t Decrypt(void *dst, size_t dst_size, const void *src, size_t src_size) {
|
||||||
|
AMS_ASSERT(this->state == State::Initialized);
|
||||||
|
ON_SCOPE_EXIT { this->state = State::Done; };
|
||||||
|
|
||||||
|
impl::RsaOaepImpl<Hash> impl;
|
||||||
|
u8 message[BlockSize];
|
||||||
|
ON_SCOPE_EXIT { ClearMemory(message, sizeof(message)); };
|
||||||
|
|
||||||
|
if (!this->calculator.ExpMod(message, src, src_size)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!this->set_label_digest) {
|
||||||
|
this->hash.GetHash(this->label_digest, sizeof(this->label_digest));
|
||||||
|
this->set_label_digest = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return impl.Decode(dst, dst_size, this->label_digest, sizeof(this->label_digest), message, sizeof(message));
|
||||||
|
}
|
||||||
|
|
||||||
|
size_t Decrypt(void *dst, size_t dst_size, const void *src, size_t src_size, void *work_buf, size_t work_buf_size) {
|
||||||
|
AMS_ASSERT(this->state == State::Initialized);
|
||||||
|
ON_SCOPE_EXIT { this->state = State::Done; };
|
||||||
|
|
||||||
|
impl::RsaOaepImpl<Hash> impl;
|
||||||
|
u8 message[BlockSize];
|
||||||
|
ON_SCOPE_EXIT { ClearMemory(message, sizeof(message)); };
|
||||||
|
|
||||||
|
if (!this->calculator.ExpMod(message, src, src_size, work_buf, work_buf_size)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!this->set_label_digest) {
|
||||||
|
this->hash.GetHash(this->label_digest, sizeof(this->label_digest));
|
||||||
|
this->set_label_digest = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return impl.Decode(dst, dst_size, this->label_digest, sizeof(this->label_digest), message, sizeof(message));
|
||||||
|
}
|
||||||
|
|
||||||
|
static size_t Decrypt(void *dst, size_t dst_size, const void *mod, size_t mod_size, const void *exp, size_t exp_size, const void *msg, size_t msg_size, const void *lab, size_t lab_size) {
|
||||||
|
RsaOaepDecryptor<ModulusSize, Hash> crypt;
|
||||||
|
if (!crypt.Initialize(mod, mod_size, exp, exp_size)) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
crypt.UpdateLabel(lab, lab_size);
|
||||||
|
return crypt.Decrypt(dst, dst_size, msg, msg_size);
|
||||||
|
}
|
||||||
|
|
||||||
|
static size_t Decrypt(void *dst, size_t dst_size, const void *mod, size_t mod_size, const void *exp, size_t exp_size, const void *msg, size_t msg_size, const void *lab, size_t lab_size, void *work_buf, size_t work_buf_size) {
|
||||||
|
RsaOaepDecryptor<ModulusSize, Hash> crypt;
|
||||||
|
if (!crypt.Initialize(mod, mod_size, exp, exp_size)) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
crypt.UpdateLabel(lab, lab_size);
|
||||||
|
return crypt.Decrypt(dst, dst_size, msg, msg_size, work_buf, work_buf_size);
|
||||||
|
}
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,50 @@
|
||||||
|
/*
|
||||||
|
* Copyright (c) 2018-2020 Atmosphère-NX
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms and conditions of the GNU General Public License,
|
||||||
|
* version 2, as published by the Free Software Foundation.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope it will be useful, but WITHOUT
|
||||||
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||||
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
||||||
|
* more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#pragma once
|
||||||
|
#include <vapours/common.hpp>
|
||||||
|
#include <vapours/assert.hpp>
|
||||||
|
#include <vapours/util.hpp>
|
||||||
|
#include <vapours/crypto/impl/crypto_rsa_oaep_impl.hpp>
|
||||||
|
#include <vapours/crypto/crypto_sha256_generator.hpp>
|
||||||
|
|
||||||
|
namespace ams::crypto {
|
||||||
|
|
||||||
|
inline size_t DecodeRsa2048OaepSha256(void *dst, size_t dst_size, const void *label_digest, size_t label_digest_size, const void *src, size_t src_size) {
|
||||||
|
constexpr size_t BlockSize = 2048 / BITSIZEOF(u8);
|
||||||
|
AMS_ABORT_UNLESS(src_size == BlockSize);
|
||||||
|
|
||||||
|
impl::RsaOaepImpl<Sha256Generator> oaep;
|
||||||
|
u8 enc[BlockSize];
|
||||||
|
ON_SCOPE_EXIT { ClearMemory(enc, sizeof(enc)); };
|
||||||
|
|
||||||
|
std::memcpy(enc, src, src_size);
|
||||||
|
return oaep.Decode(dst, dst_size, label_digest, label_digest_size, enc, sizeof(enc));
|
||||||
|
}
|
||||||
|
|
||||||
|
inline size_t DecodeRsa4096OaepSha256(void *dst, size_t dst_size, const void *label_digest, size_t label_digest_size, const void *src, size_t src_size) {
|
||||||
|
constexpr size_t BlockSize = 4096 / BITSIZEOF(u8);
|
||||||
|
AMS_ABORT_UNLESS(src_size == BlockSize);
|
||||||
|
|
||||||
|
impl::RsaOaepImpl<Sha256Generator> oaep;
|
||||||
|
u8 enc[BlockSize];
|
||||||
|
ON_SCOPE_EXIT { ClearMemory(enc, sizeof(enc)); };
|
||||||
|
|
||||||
|
std::memcpy(enc, src, src_size);
|
||||||
|
return oaep.Decode(dst, dst_size, label_digest, label_digest_size, enc, sizeof(enc));
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,53 @@
|
||||||
|
/*
|
||||||
|
* Copyright (c) 2018-2020 Atmosphère-NX
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms and conditions of the GNU General Public License,
|
||||||
|
* version 2, as published by the Free Software Foundation.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope it will be useful, but WITHOUT
|
||||||
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||||
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
||||||
|
* more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#pragma once
|
||||||
|
#include <vapours/common.hpp>
|
||||||
|
#include <vapours/assert.hpp>
|
||||||
|
#include <vapours/util.hpp>
|
||||||
|
#include <vapours/crypto/crypto_rsa_calculator.hpp>
|
||||||
|
#include <vapours/crypto/crypto_rsa_oaep_decryptor.hpp>
|
||||||
|
#include <vapours/crypto/crypto_sha256_generator.hpp>
|
||||||
|
|
||||||
|
namespace ams::crypto {
|
||||||
|
|
||||||
|
namespace impl {
|
||||||
|
|
||||||
|
template<size_t Bits>
|
||||||
|
using RsaNOaepSha256Decryptor = ::ams::crypto::RsaOaepDecryptor<Bits / BITSIZEOF(u8), ::ams::crypto::Sha256Generator>;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
using Rsa2048OaepSha256Decryptor = ::ams::crypto::impl::RsaNOaepSha256Decryptor<2048>;
|
||||||
|
using Rsa4096OaepSha256Decryptor = ::ams::crypto::impl::RsaNOaepSha256Decryptor<4096>;
|
||||||
|
|
||||||
|
inline size_t DecryptRsa2048OaepSha256(void *dst, size_t dst_size, const void *mod, size_t mod_size, const void *exp, size_t exp_size, const void *msg, size_t msg_size, const void *lab, size_t lab_size) {
|
||||||
|
return Rsa2048OaepSha256Decryptor::Decrypt(dst, dst_size, mod, mod_size, exp, exp_size, msg, msg_size, lab, lab_size);
|
||||||
|
}
|
||||||
|
|
||||||
|
inline size_t DecryptRsa2048OaepSha256(void *dst, size_t dst_size, const void *mod, size_t mod_size, const void *exp, size_t exp_size, const void *msg, size_t msg_size, const void *lab, size_t lab_size, void *work_buf, size_t work_buf_size) {
|
||||||
|
return Rsa2048OaepSha256Decryptor::Decrypt(dst, dst_size, mod, mod_size, exp, exp_size, msg, msg_size, lab, lab_size, work_buf, work_buf_size);
|
||||||
|
}
|
||||||
|
|
||||||
|
inline size_t DecryptRsa4096OaepSha256(void *dst, size_t dst_size, const void *mod, size_t mod_size, const void *exp, size_t exp_size, const void *msg, size_t msg_size, const void *lab, size_t lab_size) {
|
||||||
|
return Rsa4096OaepSha256Decryptor::Decrypt(dst, dst_size, mod, mod_size, exp, exp_size, msg, msg_size, lab, lab_size);
|
||||||
|
}
|
||||||
|
|
||||||
|
inline size_t DecryptRsa4096OaepSha256(void *dst, size_t dst_size, const void *mod, size_t mod_size, const void *exp, size_t exp_size, const void *msg, size_t msg_size, const void *lab, size_t lab_size, void *work_buf, size_t work_buf_size) {
|
||||||
|
return Rsa4096OaepSha256Decryptor::Decrypt(dst, dst_size, mod, mod_size, exp, exp_size, msg, msg_size, lab, lab_size, work_buf, work_buf_size);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,128 @@
|
||||||
|
/*
|
||||||
|
* Copyright (c) 2018-2020 Atmosphère-NX
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms and conditions of the GNU General Public License,
|
||||||
|
* version 2, as published by the Free Software Foundation.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope it will be useful, but WITHOUT
|
||||||
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||||
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
||||||
|
* more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#pragma once
|
||||||
|
#include <vapours/common.hpp>
|
||||||
|
#include <vapours/assert.hpp>
|
||||||
|
#include <vapours/util.hpp>
|
||||||
|
#include <vapours/crypto/impl/crypto_hash_function.hpp>
|
||||||
|
|
||||||
|
namespace ams::crypto::impl {
|
||||||
|
|
||||||
|
template<typename Hash> /* requires HashFunction<Hash> */
|
||||||
|
class RsaOaepImpl {
|
||||||
|
NON_COPYABLE(RsaOaepImpl);
|
||||||
|
NON_MOVEABLE(RsaOaepImpl);
|
||||||
|
public:
|
||||||
|
static constexpr size_t HashSize = Hash::HashSize;
|
||||||
|
private:
|
||||||
|
static constexpr u8 HeadMagic = 0x00;
|
||||||
|
private:
|
||||||
|
static void ComputeHashWithPadding(void *dst, Hash *hash, const void *salt, size_t salt_size) {
|
||||||
|
/* Initialize our buffer. */
|
||||||
|
u8 buf[8 + HashSize];
|
||||||
|
std::memset(buf, 0, 8);
|
||||||
|
hash->GetHash(buf + 8, HashSize);
|
||||||
|
ON_SCOPE_EXIT { ClearMemory(buf, sizeof(buf)); };
|
||||||
|
|
||||||
|
|
||||||
|
/* Calculate our hash. */
|
||||||
|
hash->Initialize();
|
||||||
|
hash->Update(buf, sizeof(buf));
|
||||||
|
hash->Update(salt, salt_size);
|
||||||
|
hash->GetHash(dst, HashSize);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void ApplyMGF1(u8 *dst, size_t dst_size, const void *src, size_t src_size) {
|
||||||
|
u8 buf[HashSize];
|
||||||
|
ON_SCOPE_EXIT { ClearMemory(buf, sizeof(buf)); };
|
||||||
|
|
||||||
|
const size_t required_iters = (dst_size + HashSize - 1) / HashSize;
|
||||||
|
for (size_t i = 0; i < required_iters; i++) {
|
||||||
|
Hash hash;
|
||||||
|
hash.Initialize();
|
||||||
|
hash.Update(src, src_size);
|
||||||
|
|
||||||
|
const u32 tmp = util::ConvertToBigEndian(static_cast<u32>(i));
|
||||||
|
hash.Update(std::addressof(tmp), sizeof(tmp));
|
||||||
|
|
||||||
|
hash.GetHash(buf, HashSize);
|
||||||
|
|
||||||
|
const size_t start = HashSize * i;
|
||||||
|
const size_t end = std::min(dst_size, start + HashSize);
|
||||||
|
for (size_t j = start; j < end; j++) {
|
||||||
|
dst[j] ^= buf[j - start];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
public:
|
||||||
|
RsaOaepImpl() { /* ... */ }
|
||||||
|
|
||||||
|
size_t Decode(void *dst, size_t dst_size, const void *label_digest, size_t label_digest_size, u8 *buf, size_t buf_size) {
|
||||||
|
/* Check our preconditions. */
|
||||||
|
AMS_ABORT_UNLESS(dst_size > 0);
|
||||||
|
AMS_ABORT_UNLESS(buf_size >= 2 * HashSize + 3);
|
||||||
|
AMS_ABORT_UNLESS(label_digest_size == HashSize);
|
||||||
|
|
||||||
|
/* Validate sanity byte. */
|
||||||
|
bool is_valid = buf[0] == HeadMagic;
|
||||||
|
|
||||||
|
/* Decrypt seed and masked db. */
|
||||||
|
size_t db_len = buf_size - HashSize - 1;
|
||||||
|
u8 *seed = buf + 1;
|
||||||
|
u8 *db = seed + HashSize;
|
||||||
|
ApplyMGF1(seed, HashSize, db, db_len);
|
||||||
|
ApplyMGF1(db, db_len, seed, HashSize);
|
||||||
|
|
||||||
|
/* Check the label digest. */
|
||||||
|
is_valid &= IsSameBytes(label_digest, db, HashSize);
|
||||||
|
|
||||||
|
/* Skip past the label digest. */
|
||||||
|
db += HashSize;
|
||||||
|
db_len -= HashSize;
|
||||||
|
|
||||||
|
/* Verify that DB is of the form 0000...0001 < message > */
|
||||||
|
s32 msg_ofs = 0;
|
||||||
|
{
|
||||||
|
int looking_for_one = 1;
|
||||||
|
int invalid_db_padding = 0;
|
||||||
|
int is_zero;
|
||||||
|
int is_one;
|
||||||
|
for (size_t i = 0; i < db_len; /* ... */) {
|
||||||
|
is_zero = (db[i] == 0);
|
||||||
|
is_one = (db[i] == 1);
|
||||||
|
msg_ofs += (looking_for_one & is_one) * (static_cast<s32>(++i));
|
||||||
|
looking_for_one &= ~is_one;
|
||||||
|
invalid_db_padding |= (looking_for_one & ~is_zero);
|
||||||
|
}
|
||||||
|
|
||||||
|
is_valid &= (invalid_db_padding == 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* If we're invalid, return zero size. */
|
||||||
|
const size_t valid_msg_size = db_len - msg_ofs;
|
||||||
|
const size_t msg_size = std::min(dst_size, static_cast<size_t>(is_valid) * valid_msg_size);
|
||||||
|
|
||||||
|
/* Copy to output. */
|
||||||
|
std::memcpy(dst, db + msg_ofs, msg_size);
|
||||||
|
|
||||||
|
/* Return copied size. */
|
||||||
|
return msg_size;
|
||||||
|
}
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
}
|
|
@ -151,80 +151,6 @@ namespace ams::spl::impl {
|
||||||
R_ABORT_UNLESS(svcMapDeviceAddressSpaceAligned(g_se_das_hnd, dd::GetCurrentProcessHandle(), work_buffer_addr, sizeof(g_work_buffer), g_se_mapped_work_buffer_addr, 3));
|
R_ABORT_UNLESS(svcMapDeviceAddressSpaceAligned(g_se_das_hnd, dd::GetCurrentProcessHandle(), work_buffer_addr, sizeof(g_work_buffer), g_se_mapped_work_buffer_addr, 3));
|
||||||
}
|
}
|
||||||
|
|
||||||
/* RSA OAEP implementation helpers. */
|
|
||||||
void CalcMgf1AndXor(void *dst, size_t dst_size, const void *src, size_t src_size) {
|
|
||||||
uint8_t *dst_u8 = reinterpret_cast<u8 *>(dst);
|
|
||||||
|
|
||||||
u32 ctr = 0;
|
|
||||||
while (dst_size > 0) {
|
|
||||||
const size_t cur_size = std::min(size_t(SHA256_HASH_SIZE), dst_size);
|
|
||||||
dst_size -= cur_size;
|
|
||||||
|
|
||||||
u32 ctr_be = __builtin_bswap32(ctr++);
|
|
||||||
u8 hash[SHA256_HASH_SIZE];
|
|
||||||
{
|
|
||||||
Sha256Context ctx;
|
|
||||||
sha256ContextCreate(&ctx);
|
|
||||||
sha256ContextUpdate(&ctx, src, src_size);
|
|
||||||
sha256ContextUpdate(&ctx, &ctr_be, sizeof(ctr_be));
|
|
||||||
sha256ContextGetHash(&ctx, hash);
|
|
||||||
}
|
|
||||||
|
|
||||||
for (size_t i = 0; i < cur_size; i++) {
|
|
||||||
*(dst_u8++) ^= hash[i];
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
size_t DecodeRsaOaep(void *dst, size_t dst_size, const void *label_digest, size_t label_digest_size, const void *src, size_t src_size) {
|
|
||||||
/* Very basic validation. */
|
|
||||||
if (dst_size == 0 || src_size != 0x100 || label_digest_size != SHA256_HASH_SIZE) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
u8 block[0x100];
|
|
||||||
std::memcpy(block, src, sizeof(block));
|
|
||||||
|
|
||||||
/* First, validate byte 0 == 0, and unmask DB. */
|
|
||||||
int invalid = block[0];
|
|
||||||
u8 *salt = block + 1;
|
|
||||||
u8 *db = salt + SHA256_HASH_SIZE;
|
|
||||||
CalcMgf1AndXor(salt, SHA256_HASH_SIZE, db, src_size - (1 + SHA256_HASH_SIZE));
|
|
||||||
CalcMgf1AndXor(db, src_size - (1 + SHA256_HASH_SIZE), salt, SHA256_HASH_SIZE);
|
|
||||||
|
|
||||||
/* Validate label digest. */
|
|
||||||
for (size_t i = 0; i < SHA256_HASH_SIZE; i++) {
|
|
||||||
invalid |= db[i] ^ reinterpret_cast<const u8 *>(label_digest)[i];
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Locate message after 00...0001 padding. */
|
|
||||||
const u8 *padded_msg = db + SHA256_HASH_SIZE;
|
|
||||||
size_t padded_msg_size = src_size - (1 + 2 * SHA256_HASH_SIZE);
|
|
||||||
size_t msg_ind = 0;
|
|
||||||
int not_found = 1;
|
|
||||||
int wrong_padding = 0;
|
|
||||||
size_t i = 0;
|
|
||||||
while (i < padded_msg_size) {
|
|
||||||
int zero = (padded_msg[i] == 0);
|
|
||||||
int one = (padded_msg[i] == 1);
|
|
||||||
msg_ind += static_cast<size_t>(not_found & one) * (++i);
|
|
||||||
not_found &= ~one;
|
|
||||||
wrong_padding |= (not_found & ~zero);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (invalid | not_found | wrong_padding) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Copy message out. */
|
|
||||||
size_t msg_size = padded_msg_size - msg_ind;
|
|
||||||
if (msg_size > dst_size) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
std::memcpy(dst, padded_msg + msg_ind, msg_size);
|
|
||||||
return msg_size;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Internal RNG functionality. */
|
/* Internal RNG functionality. */
|
||||||
Result GenerateRandomBytesInternal(void *out, size_t size) {
|
Result GenerateRandomBytesInternal(void *out, size_t size) {
|
||||||
if (!g_drbg.GenerateRandomBytes(out, size)) {
|
if (!g_drbg.GenerateRandomBytes(out, size)) {
|
||||||
|
@ -793,7 +719,7 @@ namespace ams::spl::impl {
|
||||||
/* Nintendo doesn't check this result code, but we will. */
|
/* Nintendo doesn't check this result code, but we will. */
|
||||||
R_TRY(SecureExpMod(g_work_buffer, 0x100, base, base_size, mod, mod_size, smc::SecureExpModMode::Lotus));
|
R_TRY(SecureExpMod(g_work_buffer, 0x100, base, base_size, mod, mod_size, smc::SecureExpModMode::Lotus));
|
||||||
|
|
||||||
size_t data_size = DecodeRsaOaep(dst, dst_size, label_digest, label_digest_size, g_work_buffer, 0x100);
|
size_t data_size = crypto::DecodeRsa2048OaepSha256(dst, dst_size, label_digest, label_digest_size, g_work_buffer, 0x100);
|
||||||
R_UNLESS(data_size > 0, spl::ResultDecryptionFailed());
|
R_UNLESS(data_size > 0, spl::ResultDecryptionFailed());
|
||||||
|
|
||||||
*out_size = static_cast<u32>(data_size);
|
*out_size = static_cast<u32>(data_size);
|
||||||
|
|
Loading…
Reference in a new issue