feat: Make PKCS1 v1.5 unpad with implicit rejection the default

Author: lubux

Cargo.toml

@@ -18,7 +18,9 @@ const-oid = { version = "0.10", default-features = false }
 crypto-bigint = { version = "0.7", default-features = false, features = ["zeroize", "alloc"] }
 crypto-primes = { version = "0.7", default-features = false }
 digest = { version = "0.11", default-features = false, features = ["alloc", "oid"] }
+hmac = { version = "0.13.0", default-features = false }
 rand_core = { version = "0.10", default-features = false }
+sha2 = { version = "0.11.0-rc.5", default-features = false, features = ["oid"] }
 signature = { version = "3.0.0-rc.10", default-features = false, features = ["alloc", "digest", "rand_core"] }
 zeroize = { version = "1.8", features = ["alloc"] }
 
@@ -28,8 +30,6 @@ pkcs1 = { version = "0.8.0-rc.4", optional = true, default-features = false, fea
 pkcs8 = { version = "0.11.0-rc.10", optional = true, default-features = false, features = ["alloc", "pem"] }
 serdect = { version = "0.4", optional = true }
 sha1 = { version = "0.11.0-rc.5", optional = true, default-features = false, features = ["oid"] }
-sha2 = { version = "0.11.0-rc.5", optional = true, default-features = false, features = ["oid"] }
-hmac = { version = "0.13.0", optional = true, default-features = false }
 spki = { version = "0.8.0-rc.4", optional = true, default-features = false, features = ["alloc"] }
 serde = { version = "1.0.184", optional = true, default-features = false, features = ["derive"] }
 
@@ -41,7 +41,6 @@ serde_test = "1.0.89"
 rand = { version = "0.10", features = ["chacha"] }
 rand_core = { version = "0.10", default-features = false }
 sha1 = { version = "0.11.0-rc.5", default-features = false, features = ["oid"] }
-sha2 = { version = "0.11.0-rc.5", default-features = false, features = ["oid"] }
 sha3 = { version = "0.11.0-rc.8", default-features = false, features = ["oid"] }
 hex = { version = "0.4.3", features = ["serde"] }
 serde_json = "1.0.138"
@@ -59,10 +58,9 @@ getrandom = ["crypto-bigint/getrandom", "crypto-common"]
 serde = ["encoding", "dep:serde", "dep:serdect", "crypto-bigint/serde"]
 pkcs5 = ["pkcs8/encryption"]
 std = ["pkcs1?/std", "pkcs8?/std"]
-implicit_rejection = ["sha2", "dep:hmac"]
 
 [package.metadata.docs.rs]
-features = ["std", "serde", "hazmat", "sha2"]
+features = ["std", "serde", "hazmat"]
 
 [profile.dev]
 opt-level = 2

src/algorithms/pkcs1v15.rs

@@ -8,20 +8,16 @@
 
 use alloc::vec::Vec;
 use const_oid::AssociatedOid;
-use crypto_bigint::{Choice, CtAssign, CtEq, CtSelect};
-use digest::Digest;
+use crypto_bigint::{BoxedUint, Choice, CtAssign, CtEq, CtGt, CtLt, CtSelect};
+use digest::{Digest, OutputSizeUser};
+use hmac::{Hmac, KeyInit, Mac};
 use rand_core::TryCryptoRng;
+use sha2::Sha256;
 use zeroize::Zeroizing;
 
-use crate::errors::{Error, Result};
-
-#[cfg(feature = "implicit_rejection")]
-use {
-    crate::algorithms::pad::uint_to_zeroizing_be_pad,
-    crypto_bigint::{BoxedUint, CtGt, CtLt},
-    digest::OutputSizeUser,
-    hmac::{Hmac, KeyInit, Mac},
-    sha2::Sha256,
+use crate::{
+    algorithms::pad::uint_to_zeroizing_be_pad,
+    errors::{Error, Result},
 };
 
 /// Fills the provided slice with random values, which are guaranteed
@@ -68,74 +64,16 @@ where
     Ok(em)
 }
 
-/// Removes the encryption padding scheme from PKCS#1 v1.5.
-///
-/// Note that whether this function returns an error or not discloses secret
-/// information. If an attacker can cause this function to run repeatedly and
-/// learn whether each instance returned an error then they can decrypt and
-/// forge signatures as if they had the private key. See
-/// `decrypt_session_key` for a way of solving this problem.
-#[inline]
-pub(crate) fn pkcs1v15_encrypt_unpad(em: Vec<u8>, k: usize) -> Result<Vec<u8>> {
-    let (valid, out, index) = decrypt_inner(em, k)?;
-    if valid == 0 {
-        return Err(Error::Decryption);
-    }
-
-    Ok(out[index as usize..].to_vec())
-}
-
-/// Removes the PKCS1v15 padding It returns one or zero in valid that indicates whether the
-/// plaintext was correctly structured. In either case, the plaintext is
-/// returned in em so that it may be read independently of whether it was valid
-/// in order to maintain constant memory access patterns. If the plaintext was
-/// valid then index contains the index of the original message in em.
-#[inline]
-fn decrypt_inner(em: Vec<u8>, k: usize) -> Result<(u8, Vec<u8>, u32)> {
-    if k < 11 {
-        return Err(Error::Decryption);
-    }
-
-    let first_byte_is_zero = em[0].ct_eq(&0u8);
-    let second_byte_is_two = em[1].ct_eq(&2u8);
-
-    // The remainder of the plaintext must be a string of non-zero random
-    // octets, followed by a 0, followed by the message.
-    //   looking_for_index: 1 iff we are still looking for the zero.
-    //   index: the offset of the first zero byte.
-    let mut looking_for_index = Choice::TRUE;
-    let mut index = 0u32;
-
-    for (i, el) in em.iter().enumerate().skip(2) {
-        let equals0 = el.ct_eq(&0u8);
-        index.ct_assign(&(i as u32), looking_for_index & equals0);
-        looking_for_index &= !equals0;
-    }
-
-    // The PS padding must be at least 8 bytes long, and it starts two
-    // bytes into em.
-    // TODO: WARNING: THIS MUST BE CONSTANT TIME CHECK:
-    // Ref: https://github.com/dalek-cryptography/subtle/issues/20
-    // This is currently copy & paste from the constant time impl in
-    // go, but very likely not sufficient.
-    let valid_ps = Choice::from_u8_lsb((((2i32 + 8i32 - index as i32 - 1i32) >> 31) & 1) as u8);
-    let valid = first_byte_is_zero & second_byte_is_two & !looking_for_index & valid_ps;
-    index = u32::ct_select(&0, &(index + 1), valid);
-
-    Ok((valid.to_u8(), em, index))
-}
-
 /// Removes PKCS#1 v1.5 encryption padding with implicit rejection.
 ///
-/// Unlike [`pkcs1v15_encrypt_unpad`], this function does not return an error if
+/// This function does not return an error if
 /// the padding is invalid. Instead, it deterministically generates and returns
 /// a replacement random message using a key-derivation function.
 /// As a result, callers cannot distinguish between valid and
 /// invalid padding based on the output, thus preventing side-channel attacks.
 ///
 /// See
 /// [draft-irtf-cfrg-rsa-guidance-08 § 7.2](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-rsa-guidance-08#section-7.2)
-#[cfg(feature = "implicit_rejection")]
 pub(crate) fn pkcs1v15_encrypt_unpad_implicit_rejection(
     em: Vec<u8>,
     k: usize,
@@ -168,7 +106,7 @@ pub(crate) fn pkcs1v15_encrypt_unpad_implicit_rejection(
 
     // Select the rejection length from the prf output.
     let rejection_length = rejection_lengths.chunks_exact(2).fold(0u16, |acc, el| {
-        let candidate_length = (u16::from(el[0]) << 8 | u16::from(el[1])) & mask;
+        let candidate_length = ((u16::from(el[0]) << 8) | u16::from(el[1])) & mask;
         let less_than_max_length = candidate_length.ct_lt(&max_length);
         acc.ct_select(&candidate_length, less_than_max_length)
     });
@@ -216,10 +154,8 @@ pub(crate) fn pkcs1v15_encrypt_unpad_implicit_rejection(
     Ok(output)
 }
 
-#[cfg(feature = "implicit_rejection")]
 pub(crate) struct KeyDerivationKey(Zeroizing<[u8; 32]>);
 
-#[cfg(feature = "implicit_rejection")]
 impl KeyDerivationKey {
     /// Derives a key derivation key from the private key, the ciphertext, and the key length.
     ///

src/lib.rs

@@ -20,10 +20,8 @@
 //!
 //! ## OAEP encryption
 //!
-//! Note: requires `sha2` feature of `rsa` crate is enabled.
 //!
-#![cfg_attr(feature = "sha2", doc = "```")]
-#![cfg_attr(not(feature = "sha2"), doc = "```ignore")]
+//! ```
 //! use rsa::{RsaPrivateKey, RsaPublicKey, Oaep, sha2::Sha256};
 //!
 //! let mut rng = rand::rng();
@@ -77,10 +75,8 @@
 //! See security notes in the <code><a href="./pkcs1v15/index.html">pkcs1v15</a></code> module.
 //! </div>
 //!
-//! Note: requires `sha2` feature of `rsa` crate is enabled.
 //!
-#![cfg_attr(feature = "sha2", doc = "```")]
-#![cfg_attr(not(feature = "sha2"), doc = "```ignore")]
+//! ```
 //! use rsa::RsaPrivateKey;
 //! use rsa::pkcs1v15::{SigningKey, VerifyingKey};
 //! use rsa::signature::{Keypair, RandomizedSigner, SignatureEncoding, Verifier};
@@ -104,10 +100,8 @@
 //!
 //! ## PSS signatures
 //!
-//! Note: requires `sha2` feature of `rsa` crate is enabled.
 //!
-#![cfg_attr(feature = "sha2", doc = "```")]
-#![cfg_attr(not(feature = "sha2"), doc = "```ignore")]
+//! ```
 //! use rsa::RsaPrivateKey;
 //! use rsa::pss::{BlindedSigningKey, VerifyingKey};
 //! use rsa::signature::{Keypair,RandomizedSigner, SignatureEncoding, Verifier};
@@ -253,7 +247,6 @@ mod key;
 pub use pkcs1;
 #[cfg(feature = "encoding")]
 pub use pkcs8;
-#[cfg(any(feature = "sha2", feature = "implicit_rejection"))]
 pub use sha2;
 
 pub use crate::{
@@ -265,8 +258,5 @@ pub use crate::{
     traits::keys::CrtValue,
 };
 
-#[cfg(feature = "implicit_rejection")]
-pub use pkcs1v15::Pkcs1v15EncryptImplicitRejection;
-
 #[cfg(feature = "hazmat")]
 pub mod hazmat;

src/pkcs1v15.rs

@@ -37,7 +37,6 @@ pub use self::{
     signing_key::SigningKey, verifying_key::VerifyingKey,
 };
 
-#[cfg(feature = "implicit_rejection")]
 use crate::algorithms::pkcs1v15::{pkcs1v15_encrypt_unpad_implicit_rejection, KeyDerivationKey};
 
 use alloc::{boxed::Box, vec::Vec};
@@ -52,7 +51,6 @@ use crate::algorithms::pkcs1v15::*;
 use crate::algorithms::rsa::{rsa_decrypt_and_check, rsa_encrypt};
 use crate::errors::{Error, Result};
 use crate::key::{self, RsaPrivateKey, RsaPublicKey};
-#[cfg(feature = "implicit_rejection")]
 use crate::traits::PrivateKeyParts;
 use crate::traits::{PaddingScheme, PublicKeyParts, SignatureScheme};
 
@@ -61,32 +59,6 @@ use crate::traits::{PaddingScheme, PublicKeyParts, SignatureScheme};
 pub struct Pkcs1v15Encrypt;
 
 impl PaddingScheme for Pkcs1v15Encrypt {
-    fn decrypt<Rng: TryCryptoRng + ?Sized>(
-        self,
-        rng: Option<&mut Rng>,
-        priv_key: &RsaPrivateKey,
-        ciphertext: &[u8],
-    ) -> Result<Vec<u8>> {
-        decrypt(rng, priv_key, ciphertext)
-    }
-
-    fn encrypt<Rng: TryCryptoRng + ?Sized>(
-        self,
-        rng: &mut Rng,
-        pub_key: &RsaPublicKey,
-        msg: &[u8],
-    ) -> Result<Vec<u8>> {
-        encrypt(rng, pub_key, msg)
-    }
-}
-
-/// Encryption using PKCS#1 v1.5 padding with implicit rejection.
-#[cfg(feature = "implicit_rejection")]
-#[derive(Clone, Copy, Debug, Default, Eq, PartialEq)]
-pub struct Pkcs1v15EncryptImplicitRejection;
-
-#[cfg(feature = "implicit_rejection")]
-impl PaddingScheme for Pkcs1v15EncryptImplicitRejection {
     fn decrypt<Rng: TryCryptoRng + ?Sized>(
         self,
         rng: Option<&mut Rng>,
@@ -190,43 +162,18 @@ fn encrypt<R: TryCryptoRng + ?Sized>(
     uint_to_be_pad(rsa_encrypt(pub_key, &int)?, pub_key.size())
 }
 
-/// Decrypts a plaintext using RSA and the padding scheme from PKCS#1 v1.5.
-///
-/// If an `rng` is passed, it uses RSA blinding to avoid timing side-channel attacks.
-///
-/// Note that whether this function returns an error or not discloses secret
-/// information. If an attacker can cause this function to run repeatedly and
-/// learn whether each instance returned an error then they can decrypt and
-/// forge signatures as if they had the private key. See
-/// `decrypt_session_key` for a way of solving this problem.
-#[inline]
-fn decrypt<R: TryCryptoRng + ?Sized>(
-    rng: Option<&mut R>,
-    priv_key: &RsaPrivateKey,
-    ciphertext: &[u8],
-) -> Result<Vec<u8>> {
-    key::check_public(priv_key)?;
-
-    let ciphertext = BoxedUint::from_be_slice(ciphertext, priv_key.n_bits_precision())?;
-    let em = rsa_decrypt_and_check(priv_key, rng, &ciphertext)?;
-    let em = uint_to_zeroizing_be_pad(em, priv_key.size())?;
-
-    pkcs1v15_encrypt_unpad(em, priv_key.size())
-}
-
 /// Decrypts plaintext using RSA and the PKCS#1 v1.5 padding scheme with implicit rejection.
 ///
 /// If an `rng` is provided, RSA blinding is used to avoid timing side-channel attacks.
 ///
-/// Unlike [`decrypt`], this function does not return an error if
+/// This function does not return an error if
 /// the padding is invalid. Instead, it deterministically generates and returns
 /// a replacement random message using a key-derivation function.
 /// As a result, callers cannot distinguish between valid and
 /// invalid paddings based on the output, thus reducing the risk of side-channel attacks.
 ///
 /// See
 /// [draft-irtf-cfrg-rsa-guidance-08](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-rsa-guidance-08)
-#[cfg(feature = "implicit_rejection")]
 #[inline]
 fn decrypt_implicit_rejection<R: TryCryptoRng + ?Sized>(
     rng: Option<&mut R>,
@@ -299,25 +246,21 @@ mod oid {
             const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.5");
     }
 
-    #[cfg(feature = "sha2")]
     impl RsaSignatureAssociatedOid for sha2::Sha224 {
         const OID: ObjectIdentifier =
             const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.14");
     }
 
-    #[cfg(feature = "sha2")]
     impl RsaSignatureAssociatedOid for sha2::Sha256 {
         const OID: ObjectIdentifier =
             const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.11");
     }
 
-    #[cfg(feature = "sha2")]
     impl RsaSignatureAssociatedOid for sha2::Sha384 {
         const OID: ObjectIdentifier =
             const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.12");
     }
 
-    #[cfg(feature = "sha2")]
     impl RsaSignatureAssociatedOid for sha2::Sha512 {
         const OID: ObjectIdentifier =
             const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.13");
@@ -416,7 +359,7 @@ mod tests {
 
             let blind: bool = rng.next_u32() < (1u32 << 31);
             let blinder = if blind { Some(&mut rng) } else { None };
-            let plaintext = decrypt(blinder, &priv_key, &ciphertext).unwrap();
+            let plaintext = decrypt_implicit_rejection(blinder, &priv_key, &ciphertext).unwrap();
             assert_eq!(input, plaintext);
         }
     }

src/pkcs1v15/decrypting_key.rs

@@ -1,6 +1,7 @@
 use super::EncryptingKey;
 use crate::{
     dummy_rng::DummyRng,
+    pkcs1v15::decrypt_implicit_rejection,
     traits::{Decryptor, EncryptingKeypair, RandomizedDecryptor},
     Result, RsaPrivateKey,
 };
@@ -28,14 +29,7 @@ impl DecryptingKey {
 
 impl Decryptor for DecryptingKey {
     fn decrypt(&self, ciphertext: &[u8]) -> Result<Vec<u8>> {
-        #[cfg(feature = "implicit_rejection")]
-        {
-            crate::pkcs1v15::decrypt_implicit_rejection::<DummyRng>(None, &self.inner, ciphertext)
-        }
-        #[cfg(not(feature = "implicit_rejection"))]
-        {
-            crate::pkcs1v15::decrypt::<DummyRng>(None, &self.inner, ciphertext)
-        }
+        decrypt_implicit_rejection::<DummyRng>(None, &self.inner, ciphertext)
     }
 }
 
@@ -45,14 +39,7 @@ impl RandomizedDecryptor for DecryptingKey {
         rng: &mut R,
         ciphertext: &[u8],
     ) -> Result<Vec<u8>> {
-        #[cfg(feature = "implicit_rejection")]
-        {
-            crate::pkcs1v15::decrypt_implicit_rejection::<R>(Some(rng), &self.inner, ciphertext)
-        }
-        #[cfg(not(feature = "implicit_rejection"))]
-        {
-            crate::pkcs1v15::decrypt::<R>(Some(rng), &self.inner, ciphertext)
-        }
+        decrypt_implicit_rejection::<R>(Some(rng), &self.inner, ciphertext)
     }
 }