[u/mdw/catacomb] / oaep.c

/* -*-c-*-
 *
 * $Id: oaep.c,v 1.3 2001/02/22 09:04:39 mdw Exp $
 *
 * Optimal asymmetric encryption packing
 *
 * (c) 2000 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------* 
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 * 
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 * 
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Revision history --------------------------------------------------* 
 *
 * $Log: oaep.c,v $
 * Revision 1.3  2001/02/22 09:04:39  mdw
 * Fix memory leaks.
 *
 * Revision 1.2  2000/07/15 10:01:48  mdw
 * Test rig added, based on RIPEMD160-MGF1 test vectors.
 *
 * Revision 1.1  2000/07/01 11:18:30  mdw
 * Support for Optimal Asymmetric Encryption Padding.
 *
 */

/*----- Header files ------------------------------------------------------*/

#include <string.h>

#include <mLib/alloc.h>
#include <mLib/bits.h>
#include <mLib/dstr.h>

#include "gcipher.h"
#include "ghash.h"
#include "grand.h"
#include "oaep.h"

/*----- Main code ---------------------------------------------------------*/

/* --- @oaep_encode@ --- *
 *
 * Arguments:	@const void *msg@ = pointer to message data
 *		@size_t msz@ = size of message data
 *		@void *buf@ = pointer to output buffer
 *		@size_t sz@ = size of the output buffer
 *		@void *p@ = pointer to OAEP parameter block
 *
 * Returns:	Zero if all went well, negative on failure.
 *
 * Use:		Implements the operation @EME-OAEP-ENCODE@, as defined in
 *		PKCS#1 v. 2.0 (RFC2437).
 */

int oaep_encode(const void *msg, size_t msz, void *buf, size_t sz, void *p)
{
  oaep *o = p;
  size_t hsz = o->ch->hashsz;
  ghash *h;
  octet *q, *mq, *qq;
  octet *pp;
  gcipher *c;
  size_t n;

  /* --- Ensure that everything is sensibly sized --- */

  if (2 * hsz + 2 + msz > sz)
    return (-1);

  /* --- Make the `seed' value --- */

  q = buf;
  *q++ = 0; sz--;
  mq = q + hsz;
  qq = q + sz;
  o->r->ops->fill(o->r, q, hsz);

  /* --- Fill in the rest of the buffer --- */

  h = o->ch->init();
  h->ops->hash(h, o->ep, o->epsz);
  h->ops->done(h, mq);
  h->ops->destroy(h);
  pp = mq + hsz;
  n = sz - 2 * hsz - msz - 1;
  memset(pp, 0, n);
  pp += n;
  *pp++ = 1;
  memcpy(pp, msg, msz);

  /* --- Do the packing --- */

  n = sz - hsz;
  c = o->cc->init(q, hsz);
  c->ops->encrypt(c, mq, mq, n);
  c->ops->destroy(c);

  c = o->cc->init(mq, n);
  c->ops->encrypt(c, q, q, hsz);
  c->ops->destroy(c);

  /* --- Done --- */

  return (0);
}

/* --- @oaep_decode@ --- *
 *
 * Arguments:	@const void *buf@ = pointer to encoded buffer
 *		@size_t sz@ = size of the encoded buffer
 *		@dstr *d@ = pointer to destination string
 *		@void *p@ = pointer to OAEP parameter block
 *
 * Returns:	The length of the output string if successful, negative on
 *		failure.
 *
 * Use:		Implements the operation @EME-OAEP-DECODE@, as defined in
 *		PKCS#1 v. 2.0 (RFC2437).
 */

int oaep_decode(const void *buf, size_t sz, dstr *d, void *p)
{
  oaep *o = p;
  gcipher *c;
  ghash *h;
  octet *q, *mq, *qq;
  octet *pp;
  size_t n;
  size_t hsz = o->ch->hashsz;
  int rc = -1;

  /* --- Ensure that the block is large enough --- */

  if (sz < 2 * hsz)
    return (-1);

  q = x_alloc(d->a, sz);
  memcpy(q, buf, sz);

  /* --- Decrypt the message --- */

  if (*q != 0)
    goto fail;
  q++; sz--;
  mq = q + hsz;
  qq = q + sz;
  n = sz - hsz;
  c = o->cc->init(mq, n);
  c->ops->decrypt(c, q, q, hsz);
  c->ops->destroy(c);

  c = o->cc->init(q, hsz);
  c->ops->decrypt(c, mq, mq, n);
  c->ops->destroy(c);
  q--;

  /* --- Check the hash on the encoding parameters --- */

  h = o->ch->init();
  h->ops->hash(h, o->ep, o->epsz);
  h->ops->done(h, q);
  h->ops->destroy(h);
  if (memcmp(q, mq, hsz) != 0)
    goto fail;

  /* --- Now find the start of the actual message --- */

  pp = mq + hsz;
  while (*pp == 0 && pp < qq)
    pp++;
  if (pp >= qq || *pp++ != 1)
    return (-1);
  n = qq - pp;
  dstr_putm(d, pp, n);
  rc = n;

fail:
  x_free(d->a, q);
  return (rc);
}

/*----- Test rig ----------------------------------------------------------*/

#ifdef TEST_RIG

#include <mLib/testrig.h>

#include "rmd160.h"
#include "rmd160-mgf.h"

typedef struct gctx {
  grand r;
  octet *buf;
} gctx;

static void rfill(grand *r, void *buf, size_t sz)
{
  gctx *g = (gctx *)r;
  memcpy(buf, g->buf, sz);
}

static const grand_ops gops = {
  "const", 0, 0,
  0, 0,
  0, 0, 0, 0, rfill
};

static int verify(dstr *v)
{
  gctx gr;
  dstr d = DSTR_INIT;
  oaep o;
  int ok = 1;

  dstr_ensure(&d, v[3].len);
  d.len = v[3].len;
  gr.r.ops = &gops;
  gr.buf = (octet *)v[2].buf;

  o.cc = &rmd160_mgf;
  o.ch = &rmd160;
  o.r = &gr.r;
  o.ep = v[1].buf;
  o.epsz = v[1].len;

  if (oaep_encode(v[0].buf, v[0].len, d.buf, d.len, &o) ||
      memcmp(d.buf, v[3].buf, d.len) != 0) {
    ok = 0;
    fputs("\nfailure in oaep_encode", stderr);
    fputs("\n message = ", stderr); type_hex.dump(&v[0], stderr);
    fputs("\n  params = ", stderr); type_hex.dump(&v[1], stderr);
    fputs("\n    salt = ", stderr); type_hex.dump(&v[2], stderr);
    fputs("\nexpected = ", stderr); type_hex.dump(&v[3], stderr);
    fputs("\n  output = ", stderr); type_hex.dump(&d, stderr);
    fputc('\n', stderr);
  }

  DRESET(&d);
  if (oaep_decode(v[3].buf, v[3].len, &d, &o) < 0 ||
      d.len != v[0].len || memcmp(d.buf, v[0].buf, d.len) != 0) {
    ok = 0;
    fputs("\nfailure in oaep_decode", stderr);
    fputs("\n    goop = ", stderr); type_hex.dump(&v[3], stderr);
    fputs("\n  params = ", stderr); type_hex.dump(&v[1], stderr);
    fputs("\n    salt = ", stderr); type_hex.dump(&v[2], stderr);
    fputs("\nexpected = ", stderr); type_hex.dump(&v[0], stderr);
    fputs("\n  output = ", stderr); type_hex.dump(&d, stderr);
    fputc('\n', stderr);
  }

  dstr_destroy(&d);
  return (ok);
}

static test_chunk tests[] = {
  { "oaep", verify, { &type_hex, &type_hex, &type_hex, &type_hex, 0 } },
  { 0, 0, { 0 } }
};

int main(int argc, char *argv[])
{
  test_run(argc, argv, tests, SRCDIR "/tests/oaep");
  return (0);
}

#endif

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
99a01cb9	1	/* --c--
99a01cb9	2	*
827a6719	3	* $Id: oaep.c,v 1.3 2001/02/22 09:04:39 mdw Exp $
99a01cb9	4	*
	5	* Optimal asymmetric encryption packing
	6	*
	7	* (c) 2000 Straylight/Edgeware
	8	*/
	9
	10	/----- Licensing notice --------------------------------------------------
	11	*
	12	* This file is part of Catacomb.
	13	*
	14	* Catacomb is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU Library General Public License as
	16	* published by the Free Software Foundation; either version 2 of the
	17	* License, or (at your option) any later version.
	18	*
	19	* Catacomb is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU Library General Public License for more details.
	23	*
	24	* You should have received a copy of the GNU Library General Public
	25	* License along with Catacomb; if not, write to the Free
	26	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	27	* MA 02111-1307, USA.
	28	*/
	29
	30	/----- Revision history --------------------------------------------------
	31	*
	32	* $Log: oaep.c,v $
827a6719	33	* Revision 1.3 2001/02/22 09:04:39 mdw
	34	* Fix memory leaks.
	35	*
49db8dbe	36	* Revision 1.2 2000/07/15 10:01:48 mdw
	37	* Test rig added, based on RIPEMD160-MGF1 test vectors.
	38	*
99a01cb9	39	* Revision 1.1 2000/07/01 11:18:30 mdw
	40	* Support for Optimal Asymmetric Encryption Padding.
	41	*
	42	*/
	43
	44	/----- Header files ------------------------------------------------------/
	45
	46	#include <string.h>
	47
	48	#include <mLib/alloc.h>
	49	#include <mLib/bits.h>
	50	#include <mLib/dstr.h>
	51
	52	#include "gcipher.h"
	53	#include "ghash.h"
	54	#include "grand.h"
	55	#include "oaep.h"
	56
	57	/----- Main code ---------------------------------------------------------/
	58
	59	/* --- @oaep_encode@ --- *
	60	*
	61	* Arguments: @const void *msg@ = pointer to message data
	62	* @size_t msz@ = size of message data
	63	* @void *buf@ = pointer to output buffer
	64	* @size_t sz@ = size of the output buffer
	65	* @void *p@ = pointer to OAEP parameter block
	66	*
	67	* Returns: Zero if all went well, negative on failure.
	68	*
	69	* Use: Implements the operation @EME-OAEP-ENCODE@, as defined in
	70	* PKCS#1 v. 2.0 (RFC2437).
	71	*/
	72
	73	int oaep_encode(const void msg, size_t msz, void buf, size_t sz, void *p)
	74	{
	75	oaep *o = p;
	76	size_t hsz = o->ch->hashsz;
827a6719	77	ghash *h;
99a01cb9	78	octet q, mq, *qq;
	79	octet *pp;
	80	gcipher *c;
	81	size_t n;
	82
	83	/* --- Ensure that everything is sensibly sized --- */
	84
	85	if (2 * hsz + 2 + msz > sz)
	86	return (-1);
	87
	88	/* --- Make the `seed' value --- */
	89
	90	q = buf;
	91	*q++ = 0; sz--;
	92	mq = q + hsz;
	93	qq = q + sz;
	94	o->r->ops->fill(o->r, q, hsz);
	95
	96	/* --- Fill in the rest of the buffer --- */
	97
827a6719	98	h = o->ch->init();
99a01cb9	99	h->ops->hash(h, o->ep, o->epsz);
	100	h->ops->done(h, mq);
	101	h->ops->destroy(h);
	102	pp = mq + hsz;
	103	n = sz - 2 * hsz - msz - 1;
	104	memset(pp, 0, n);
	105	pp += n;
	106	*pp++ = 1;
	107	memcpy(pp, msg, msz);
	108
	109	/* --- Do the packing --- */
	110
	111	n = sz - hsz;
	112	c = o->cc->init(q, hsz);
	113	c->ops->encrypt(c, mq, mq, n);
	114	c->ops->destroy(c);
	115
	116	c = o->cc->init(mq, n);
	117	c->ops->encrypt(c, q, q, hsz);
	118	c->ops->destroy(c);
	119
	120	/* --- Done --- */
	121
	122	return (0);
	123	}
	124
	125	/* --- @oaep_decode@ --- *
	126	*
	127	* Arguments: @const void *buf@ = pointer to encoded buffer
	128	* @size_t sz@ = size of the encoded buffer
	129	* @dstr *d@ = pointer to destination string
	130	* @void *p@ = pointer to OAEP parameter block
	131	*
	132	* Returns: The length of the output string if successful, negative on
	133	* failure.
	134	*
	135	* Use: Implements the operation @EME-OAEP-DECODE@, as defined in
	136	* PKCS#1 v. 2.0 (RFC2437).
	137	*/
	138
	139	int oaep_decode(const void buf, size_t sz, dstr d, void *p)
	140	{
	141	oaep *o = p;
	142	gcipher *c;
	143	ghash *h;
	144	octet q, mq, *qq;
	145	octet *pp;
	146	size_t n;
	147	size_t hsz = o->ch->hashsz;
	148	int rc = -1;
	149
	150	/* --- Ensure that the block is large enough --- */
	151
	152	if (sz < 2 * hsz)
	153	return (-1);
	154
	155	q = x_alloc(d->a, sz);
	156	memcpy(q, buf, sz);
	157
	158	/* --- Decrypt the message --- */
	159
	160	if (*q != 0)
	161	goto fail;
	162	q++; sz--;
163	mq = q + hsz;
164	qq = q + sz;
165	n = sz - hsz;
166	c = o->cc->init(mq, n);
167	c->ops->decrypt(c, q, q, hsz);
168	c->ops->destroy(c);
169
170	c = o->cc->init(q, hsz);
171	c->ops->decrypt(c, mq, mq, n);
172	c->ops->destroy(c);
173	q--;
174
175	/* --- Check the hash on the encoding parameters --- */
176
177	h = o->ch->init();
178	h->ops->hash(h, o->ep, o->epsz);
179	h->ops->done(h, q);
827a6719	180	h->ops->destroy(h);
99a01cb9	181	if (memcmp(q, mq, hsz) != 0)
	182	goto fail;
	183
	184	/* --- Now find the start of the actual message --- */
	185
	186	pp = mq + hsz;
	187	while (*pp == 0 && pp < qq)
	188	pp++;
	189	if (pp >= qq \|\| *pp++ != 1)
	190	return (-1);
	191	n = qq - pp;
	192	dstr_putm(d, pp, n);
	193	rc = n;
	194
	195	fail:
	196	x_free(d->a, q);
	197	return (rc);
	198	}
	199
49db8dbe	200	/----- Test rig ----------------------------------------------------------/
	201
	202	#ifdef TEST_RIG
	203
	204	#include <mLib/testrig.h>
	205
	206	#include "rmd160.h"
	207	#include "rmd160-mgf.h"
	208
	209	typedef struct gctx {
	210	grand r;
	211	octet *buf;
	212	} gctx;
	213
	214	static void rfill(grand r, void buf, size_t sz)
	215	{
	216	gctx g = (gctx )r;
	217	memcpy(buf, g->buf, sz);
	218	}
	219
	220	static const grand_ops gops = {
	221	"const", 0, 0,
	222	0, 0,
	223	0, 0, 0, 0, rfill
	224	};
	225
	226	static int verify(dstr *v)
	227	{
	228	gctx gr;
	229	dstr d = DSTR_INIT;
	230	oaep o;
	231	int ok = 1;
	232
	233	dstr_ensure(&d, v[3].len);
	234	d.len = v[3].len;
	235	gr.r.ops = &gops;
827a6719	236	gr.buf = (octet *)v[2].buf;
49db8dbe	237
	238	o.cc = &rmd160_mgf;
	239	o.ch = &rmd160;
	240	o.r = &gr.r;
	241	o.ep = v[1].buf;
	242	o.epsz = v[1].len;
	243
	244	if (oaep_encode(v[0].buf, v[0].len, d.buf, d.len, &o) \|\|
	245	memcmp(d.buf, v[3].buf, d.len) != 0) {
	246	ok = 0;
	247	fputs("\nfailure in oaep_encode", stderr);
	248	fputs("\n message = ", stderr); type_hex.dump(&v[0], stderr);
	249	fputs("\n params = ", stderr); type_hex.dump(&v[1], stderr);
	250	fputs("\n salt = ", stderr); type_hex.dump(&v[2], stderr);
	251	fputs("\nexpected = ", stderr); type_hex.dump(&v[3], stderr);
	252	fputs("\n output = ", stderr); type_hex.dump(&d, stderr);
	253	fputc('\n', stderr);
	254	}
	255
	256	DRESET(&d);
	257	if (oaep_decode(v[3].buf, v[3].len, &d, &o) < 0 \|\|
	258	d.len != v[0].len \|\| memcmp(d.buf, v[0].buf, d.len) != 0) {
	259	ok = 0;
	260	fputs("\nfailure in oaep_decode", stderr);
	261	fputs("\n goop = ", stderr); type_hex.dump(&v[3], stderr);
	262	fputs("\n params = ", stderr); type_hex.dump(&v[1], stderr);
	263	fputs("\n salt = ", stderr); type_hex.dump(&v[2], stderr);
	264	fputs("\nexpected = ", stderr); type_hex.dump(&v[0], stderr);
	265	fputs("\n output = ", stderr); type_hex.dump(&d, stderr);
	266	fputc('\n', stderr);
	267	}
	268
	269	dstr_destroy(&d);
	270	return (ok);
	271	}
	272
	273	static test_chunk tests[] = {
	274	{ "oaep", verify, { &type_hex, &type_hex, &type_hex, &type_hex, 0 } },
	275	{ 0, 0, { 0 } }
	276	};
	277
	278	int main(int argc, char *argv[])
	279	{
	280	test_run(argc, argv, tests, SRCDIR "/tests/oaep");
	281	return (0);
	282	}
	283
	284	#endif
	285
99a01cb9	286	/----- That's all, folks -------------------------------------------------/