[u/mdw/catacomb] / pub / oaep.c

/* -*-c-*-
 *
 * Optimal asymmetric encryption packing
 *
 * (c) 2000 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include <string.h>

#include <mLib/alloc.h>
#include <mLib/bits.h>
#include <mLib/dstr.h>

#include "ct.h"
#include "gcipher.h"
#include "ghash.h"
#include "grand.h"
#include "rsa.h"

/*----- Main code ---------------------------------------------------------*/

/* --- @oaep_encode@ --- *
 *
 * Arguments:	@mp *d@ = where to put the answer
 *		@const void *m@ = pointer to message data
 *		@size_t msz@ = size of message data
 *		@octet *b@ = spare buffer
 *		@size_t sz@ = size of the buffer (big enough)
 *		@unsigned long nbits@ = length of bits of @n@
 *		@void *p@ = pointer to OAEP parameter block
 *
 * Returns:	The encoded plaintext, or null on failure.
 *
 * Use:		Implements the operation @EME-OAEP-ENCODE@, as defined in
 *		PKCS#1 v. 2.0 (RFC2437).
 */

mp *oaep_encode(mp *d, const void *m, size_t msz, octet *b, size_t sz,
		unsigned long nbits, void *p)
{
  oaep *o = p;
  size_t hsz = o->ch->hashsz;
  ghash *h;
  octet *q, *mq;
  octet *pp;
  gcipher *c;
  size_t n;

  /* --- Ensure that everything is sensibly sized --- */

  if (2 * hsz + 2 + msz > sz)
    return (0);

  /* --- Make the `seed' value --- */

  q = b;
  *q++ = 0; sz--;
  mq = q + hsz;
  GR_FILL(o->r, q, hsz);

  /* --- Fill in the rest of the buffer --- */

  h = GH_INIT(o->ch);
  GH_HASH(h, o->ep, o->epsz);
  GH_DONE(h, mq);
  GH_DESTROY(h);
  pp = mq + hsz;
  n = sz - 2 * hsz - msz - 1;
  memset(pp, 0, n);
  pp += n;
  *pp++ = 1;
  memcpy(pp, m, msz);

  /* --- Do the packing --- */

  n = sz - hsz;
  c = GC_INIT(o->cc, q, hsz);
  GC_ENCRYPT(c, mq, mq, n);
  GC_DESTROY(c);

  c = GC_INIT(o->cc, mq, n);
  GC_ENCRYPT(c, q, q, hsz);
  GC_DESTROY(c);

  /* --- Done --- */

  return (mp_loadb(d, b, sz + 1));
}

/* --- @oaep_decode@ --- *
 *
 * Arguments:	@mp *m@ = the decrypted message
 *		@octet *b@ = pointer to a buffer to work in
 *		@size_t sz@ = the size of the buffer (big enough)
 *		@unsigned long nbits@ = the number of bits in @n@
 *		@void *p@ = pointer to OAEP parameter block
 *
 * Returns:	The length of the output string if successful, negative on
 *		failure.
 *
 * Use:		Implements the operation @EME-OAEP-DECODE@, as defined in
 *		PKCS#1 v. 2.0 (RFC2437).
 */

int oaep_decode(mp *m, octet *b, size_t sz, unsigned long nbits, void *p)
{
  oaep *o = p;
  gcipher *c;
  ghash *h;
  octet *q, *mq, *qq;
  octet *pp;
  uint32 goodp = 1;
  size_t n;
  size_t hsz = o->ch->hashsz;

  /* --- Ensure that the block is large enough --- */

  if (sz < 2 * hsz)			/* Doesn't depend on ciphertext */
    return (-1);

  /* --- Decrypt the message --- */

  mp_storeb(m, b, sz);
  q = b;
  goodp &= ct_inteq(*q, 0);
  q++; sz--;
  mq = q + hsz;
  qq = q + sz;
  n = sz - hsz;
  c = GC_INIT(o->cc, mq, n);
  GC_DECRYPT(c, q, q, hsz);
  GC_DESTROY(c);

  c = GC_INIT(o->cc, q, hsz);
  GC_DECRYPT(c, mq, mq, n);
  GC_DESTROY(c);
  q--;

  /* --- Check the hash on the encoding parameters --- */

  h = GH_INIT(o->ch);
  GH_HASH(h, o->ep, o->epsz);
  GH_DONE(h, q);
  GH_DESTROY(h);
  goodp &= ct_memeq(q, mq, hsz);

  /* --- Now find the start of the actual message --- */

  pp = mq + hsz;
  while (*pp == 0 && pp < qq)
    pp++;
  goodp &= ~ct_intle(qq - b, pp - b);
  goodp &= ct_inteq(*pp, 1);
  pp++;
  n = qq - pp;
  memmove(q, pp, n);
  return (goodp ? n : -1);
}

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
99a01cb9	1	/* --c--
99a01cb9	2	*
99a01cb9	3	* Optimal asymmetric encryption packing
	4	*
	5	* (c) 2000 Straylight/Edgeware
	6	*/
	7
45c0fd36	8	/----- Licensing notice --------------------------------------------------
99a01cb9	9	*
	10	* This file is part of Catacomb.
	11	*
	12	* Catacomb is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU Library General Public License as
	14	* published by the Free Software Foundation; either version 2 of the
	15	* License, or (at your option) any later version.
45c0fd36	16	*
99a01cb9	17	* Catacomb is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU Library General Public License for more details.
45c0fd36	21	*
99a01cb9	22	* You should have received a copy of the GNU Library General Public
	23	* License along with Catacomb; if not, write to the Free
	24	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	25	* MA 02111-1307, USA.
	26	*/
	27
99a01cb9	28	/----- Header files ------------------------------------------------------/
	29
	30	#include <string.h>
	31
	32	#include <mLib/alloc.h>
	33	#include <mLib/bits.h>
	34	#include <mLib/dstr.h>
	35
52f339e9	36	#include "ct.h"
99a01cb9	37	#include "gcipher.h"
	38	#include "ghash.h"
	39	#include "grand.h"
b817bfc6	40	#include "rsa.h"
99a01cb9	41
	42	/----- Main code ---------------------------------------------------------/
	43
	44	/* --- @oaep_encode@ --- *
	45	*
b817bfc6	46	* Arguments: @mp *d@ = where to put the answer
b817bfc6	47	* @const void *m@ = pointer to message data
99a01cb9	48	* @size_t msz@ = size of message data
b817bfc6	49	* @octet *b@ = spare buffer
	50	* @size_t sz@ = size of the buffer (big enough)
	51	* @unsigned long nbits@ = length of bits of @n@
99a01cb9	52	* @void *p@ = pointer to OAEP parameter block
99a01cb9	53	*
b817bfc6	54	* Returns: The encoded plaintext, or null on failure.
99a01cb9	55	*
	56	* Use: Implements the operation @EME-OAEP-ENCODE@, as defined in
	57	* PKCS#1 v. 2.0 (RFC2437).
	58	*/
	59
b817bfc6	60	mp oaep_encode(mp d, const void m, size_t msz, octet b, size_t sz,
b817bfc6	61	unsigned long nbits, void *p)
99a01cb9	62	{
	63	oaep *o = p;
	64	size_t hsz = o->ch->hashsz;
827a6719	65	ghash *h;
52f339e9	66	octet q, mq;
99a01cb9	67	octet *pp;
	68	gcipher *c;
	69	size_t n;
	70
	71	/* --- Ensure that everything is sensibly sized --- */
	72
	73	if (2 * hsz + 2 + msz > sz)
b817bfc6	74	return (0);
99a01cb9	75
	76	/* --- Make the `seed' value --- */
	77
b817bfc6	78	q = b;
99a01cb9	79	*q++ = 0; sz--;
99a01cb9	80	mq = q + hsz;
b817bfc6	81	GR_FILL(o->r, q, hsz);
99a01cb9	82
	83	/* --- Fill in the rest of the buffer --- */
	84
b817bfc6	85	h = GH_INIT(o->ch);
	86	GH_HASH(h, o->ep, o->epsz);
	87	GH_DONE(h, mq);
	88	GH_DESTROY(h);
99a01cb9	89	pp = mq + hsz;
	90	n = sz - 2 * hsz - msz - 1;
	91	memset(pp, 0, n);
	92	pp += n;
	93	*pp++ = 1;
b817bfc6	94	memcpy(pp, m, msz);
99a01cb9	95
	96	/* --- Do the packing --- */
	97
	98	n = sz - hsz;
b817bfc6	99	c = GC_INIT(o->cc, q, hsz);
	100	GC_ENCRYPT(c, mq, mq, n);
	101	GC_DESTROY(c);
99a01cb9	102
b817bfc6	103	c = GC_INIT(o->cc, mq, n);
	104	GC_ENCRYPT(c, q, q, hsz);
	105	GC_DESTROY(c);
99a01cb9	106
	107	/* --- Done --- */
	108
b817bfc6	109	return (mp_loadb(d, b, sz + 1));
99a01cb9	110	}
	111
	112	/* --- @oaep_decode@ --- *
	113	*
b817bfc6	114	* Arguments: @mp *m@ = the decrypted message
	115	* @octet *b@ = pointer to a buffer to work in
	116	* @size_t sz@ = the size of the buffer (big enough)
	117	* @unsigned long nbits@ = the number of bits in @n@
99a01cb9	118	* @void *p@ = pointer to OAEP parameter block
	119	*
	120	* Returns: The length of the output string if successful, negative on
	121	* failure.
	122	*
	123	* Use: Implements the operation @EME-OAEP-DECODE@, as defined in
	124	* PKCS#1 v. 2.0 (RFC2437).
	125	*/
	126
b817bfc6	127	int oaep_decode(mp m, octet b, size_t sz, unsigned long nbits, void *p)
99a01cb9	128	{
	129	oaep *o = p;
	130	gcipher *c;
	131	ghash *h;
	132	octet q, mq, *qq;
	133	octet *pp;
52f339e9	134	uint32 goodp = 1;
99a01cb9	135	size_t n;
99a01cb9	136	size_t hsz = o->ch->hashsz;
99a01cb9	137
	138	/* --- Ensure that the block is large enough --- */
	139
b817bfc6	140	if (sz < 2 * hsz) /* Doesn't depend on ciphertext */
99a01cb9	141	return (-1);
99a01cb9	142
99a01cb9	143	/* --- Decrypt the message --- */
99a01cb9	144
b817bfc6	145	mp_storeb(m, b, sz);
b817bfc6	146	q = b;
52f339e9	147	goodp &= ct_inteq(*q, 0);
99a01cb9	148	q++; sz--;
	149	mq = q + hsz;
	150	qq = q + sz;
	151	n = sz - hsz;
b817bfc6	152	c = GC_INIT(o->cc, mq, n);
	153	GC_DECRYPT(c, q, q, hsz);
	154	GC_DESTROY(c);
99a01cb9	155
b817bfc6	156	c = GC_INIT(o->cc, q, hsz);
	157	GC_DECRYPT(c, mq, mq, n);
	158	GC_DESTROY(c);
99a01cb9	159	q--;
	160
	161	/* --- Check the hash on the encoding parameters --- */
	162
b817bfc6	163	h = GH_INIT(o->ch);
	164	GH_HASH(h, o->ep, o->epsz);
	165	GH_DONE(h, q);
	166	GH_DESTROY(h);
52f339e9	167	goodp &= ct_memeq(q, mq, hsz);
99a01cb9	168
	169	/* --- Now find the start of the actual message --- */
	170
	171	pp = mq + hsz;
	172	while (*pp == 0 && pp < qq)
	173	pp++;
52f339e9 MW	174	goodp &= ~ct_intle(qq - b, pp - b);
52f339e9 MW	175	goodp &= ct_inteq(*pp, 1);
78ec50fa	176	pp++;
99a01cb9	177	n = qq - pp;
b817bfc6	178	memmove(q, pp, n);
52f339e9	179	return (goodp ? n : -1);
49db8dbe	180	}
49db8dbe	181
99a01cb9	182	/----- That's all, folks -------------------------------------------------/