common: Add support for implicit rejection for RSA PKCS#1 v1.5 de-pad…

…ding

Implicit rejection returns a pseudo random message in case the RSA PKCS#1 v1.5
padding is incorrect, but returns no error. The pseudo random message is based
on static secret data (the private exponent) and the provided ciphertext, so
that the attacker cannot determine that the returned value is randomly generated
instead of the result of decryption and de-padding.

The implicit rejection algorithm is the same as used by OpenSSL.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

COPYRIGHTS

@@ -12,19 +12,29 @@ For code originating from OpenSSL:
  *   Note that in OpenSSL the file crypto/bn/rsa_sup_mul.c does no longer
  *   exist, it was removed with commit https://github.com/openssl/openssl/commit/4209ce68d8fe8b1506494efa03d378d05baf9ff8
  * - usr/lib/common/constant_time.h: Copied unchanged from OpenSSL from
-     include/internal/constant_time.h
+ *   include/internal/constant_time.h
  * - The implementation of function rsa_parse_block_type_2() in 
  *   usr/lib/common/mech_rsa.c is copied from OpenSSL's function
  *   ossl_rsa_padding_check_PKCS1_type_2() in crypto/rsa/rsa_pk1.c
  *   and is slightly modified to fit to the OpenCryptoki environment.
  *   See comment in function rsa_parse_block_type_2() for a list of changes.
+ * - The implementation of function openssl_specific_rsa_derive_kdk() in
+ *   usr/lib/common/mech_openssl.c is copiled from OpenSSL's function
+ *   derive_kdk() in crypto/rsa/rsa_ossl.c and is slightly modified to fit to 
+ *   the OpenCryptoki environment. See comment in function 
+ *   openssl_specific_rsa_derive_kdk() for a list of changes.
+ * - The implementation of function openssl_specific_rsa_prf() in
+ *   usr/lib/common/mech_openssl.c is copiled from OpenSSL's function
+ *   ossl_rsa_prf() in crypto/rsa/rsapk1.c and is slightly modified to fit to 
+ *   the OpenCryptoki environment. See comment in function 
+ *   openssl_specific_rsa_prf() for a list of changes.
  * - The implementation of function decode_eme_oaep() in
  *   usr/lib/common/mech_rsa.c is copied from OpenSSL's function
  *   RSA_padding_check_PKCS1_OAEP_mgf1() in crypto/rsa/rsa_oaep.c and is
  *   slightly modified to fit to the OpenCryptoki environment. See comment in
  *   function decode_eme_oaep() for a list of changes.
  *
- * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * The OpenSSL code is licensed under the Apache License 2.0 (the "License"). 
  * You can obtain a copy in the file LICENSE in the OpenSSL source distribution

usr/lib/common/h_extern.h

@@ -731,7 +731,8 @@ CK_RV rsa_format_block(STDLL_TokData_t *tokdata,
 CK_RV rsa_parse_block(CK_BYTE *in_data,
                       CK_ULONG in_data_len,
                       CK_BYTE *out_data,
-                      CK_ULONG *out_data_len, CK_ULONG type);
+                      CK_ULONG *out_data_len, CK_ULONG type,
+                      CK_BYTE *kdk, CK_ULONG kdklen);
 
 CK_RV get_mgf_mech(CK_RSA_PKCS_MGF_TYPE mgf, CK_MECHANISM_TYPE *mech);
 
@@ -3182,6 +3183,14 @@ CK_RV openssl_specific_hmac_update(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data,
 CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature,
                                   CK_ULONG *sig_len, CK_BBOOL sign);
 
+CK_RV openssl_specific_rsa_derive_kdk(STDLL_TokData_t *tokdata, OBJECT *key_obj,
+                                      const CK_BYTE *in, CK_ULONG inlen,
+                                      CK_BYTE *kdk, CK_ULONG kdklen);
+CK_RV openssl_specific_rsa_prf(CK_BYTE *out, CK_ULONG outlen,
+                               const char *label, CK_ULONG labellen,
+                               const CK_BYTE *kdk, CK_ULONG kdklen,
+                               uint16_t bitlen);
+
 #include "tok_spec_struct.h"
 extern token_spec_t token_specific;