common: Add support for implicit rejection for RSA PKCS#1 v1.5 de-pad…

…ding

Implicit rejection returns a pseudo random message in case the RSA PKCS#1 v1.5
padding is incorrect, but returns no error. The pseudo random message is based
on static secret data (the private exponent) and the provided ciphertext, so
that the attacker cannot determine that the returned value is randomly generated
instead of the result of decryption and de-padding.

The implicit rejection algorithm is the same as used by OpenSSL.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

usr/lib/common/h_extern.h

@@ -731,7 +731,8 @@ CK_RV rsa_format_block(STDLL_TokData_t *tokdata,
 CK_RV rsa_parse_block(CK_BYTE *in_data,
                       CK_ULONG in_data_len,
                       CK_BYTE *out_data,
-                      CK_ULONG *out_data_len, CK_ULONG type);
+                      CK_ULONG *out_data_len, CK_ULONG type,
+                      CK_BYTE *kdk, CK_ULONG kdklen);
 
 CK_RV get_mgf_mech(CK_RSA_PKCS_MGF_TYPE mgf, CK_MECHANISM_TYPE *mech);
 
@@ -3182,6 +3183,14 @@ CK_RV openssl_specific_hmac_update(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data,
 CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature,
                                   CK_ULONG *sig_len, CK_BBOOL sign);
 
+CK_RV openssl_specific_rsa_derive_kdk(STDLL_TokData_t *tokdata, OBJECT *key_obj,
+                                      const CK_BYTE *in, CK_ULONG inlen,
+                                      CK_BYTE *kdk, CK_ULONG kdklen);
+CK_RV openssl_specific_rsa_prf(CK_BYTE *out, CK_ULONG outlen,
+                               const char *label, CK_ULONG labellen,
+                               const CK_BYTE *kdk, CK_ULONG kdklen,
+                               uint16_t bitlen);
+
 #include "tok_spec_struct.h"
 extern token_spec_t token_specific;