99a01cb9 |
1 | /* -*-c-*- |
2 | * |
d3916b7c |
3 | * $Id: oaep.c,v 1.5 2002/01/13 20:20:39 mdw Exp $ |
99a01cb9 |
4 | * |
5 | * Optimal asymmetric encryption packing |
6 | * |
7 | * (c) 2000 Straylight/Edgeware |
8 | */ |
9 | |
10 | /*----- Licensing notice --------------------------------------------------* |
11 | * |
12 | * This file is part of Catacomb. |
13 | * |
14 | * Catacomb is free software; you can redistribute it and/or modify |
15 | * it under the terms of the GNU Library General Public License as |
16 | * published by the Free Software Foundation; either version 2 of the |
17 | * License, or (at your option) any later version. |
18 | * |
19 | * Catacomb is distributed in the hope that it will be useful, |
20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
22 | * GNU Library General Public License for more details. |
23 | * |
24 | * You should have received a copy of the GNU Library General Public |
25 | * License along with Catacomb; if not, write to the Free |
26 | * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, |
27 | * MA 02111-1307, USA. |
28 | */ |
29 | |
30 | /*----- Revision history --------------------------------------------------* |
31 | * |
32 | * $Log: oaep.c,v $ |
d3916b7c |
33 | * Revision 1.5 2002/01/13 20:20:39 mdw |
34 | * Hack the @oaep_decode@ code some more, to make it work again. |
35 | * |
2730bf33 |
36 | * Revision 1.4 2002/01/13 13:50:21 mdw |
37 | * Allow only one error return, to frustrate Manger's attack against OAEP. |
38 | * |
827a6719 |
39 | * Revision 1.3 2001/02/22 09:04:39 mdw |
40 | * Fix memory leaks. |
41 | * |
49db8dbe |
42 | * Revision 1.2 2000/07/15 10:01:48 mdw |
43 | * Test rig added, based on RIPEMD160-MGF1 test vectors. |
44 | * |
99a01cb9 |
45 | * Revision 1.1 2000/07/01 11:18:30 mdw |
46 | * Support for Optimal Asymmetric Encryption Padding. |
47 | * |
48 | */ |
49 | |
50 | /*----- Header files ------------------------------------------------------*/ |
51 | |
52 | #include <string.h> |
53 | |
54 | #include <mLib/alloc.h> |
55 | #include <mLib/bits.h> |
56 | #include <mLib/dstr.h> |
57 | |
58 | #include "gcipher.h" |
59 | #include "ghash.h" |
60 | #include "grand.h" |
61 | #include "oaep.h" |
62 | |
63 | /*----- Main code ---------------------------------------------------------*/ |
64 | |
65 | /* --- @oaep_encode@ --- * |
66 | * |
67 | * Arguments: @const void *msg@ = pointer to message data |
68 | * @size_t msz@ = size of message data |
69 | * @void *buf@ = pointer to output buffer |
70 | * @size_t sz@ = size of the output buffer |
71 | * @void *p@ = pointer to OAEP parameter block |
72 | * |
73 | * Returns: Zero if all went well, negative on failure. |
74 | * |
75 | * Use: Implements the operation @EME-OAEP-ENCODE@, as defined in |
76 | * PKCS#1 v. 2.0 (RFC2437). |
77 | */ |
78 | |
79 | int oaep_encode(const void *msg, size_t msz, void *buf, size_t sz, void *p) |
80 | { |
81 | oaep *o = p; |
82 | size_t hsz = o->ch->hashsz; |
827a6719 |
83 | ghash *h; |
99a01cb9 |
84 | octet *q, *mq, *qq; |
85 | octet *pp; |
86 | gcipher *c; |
87 | size_t n; |
88 | |
89 | /* --- Ensure that everything is sensibly sized --- */ |
90 | |
91 | if (2 * hsz + 2 + msz > sz) |
92 | return (-1); |
93 | |
94 | /* --- Make the `seed' value --- */ |
95 | |
96 | q = buf; |
97 | *q++ = 0; sz--; |
98 | mq = q + hsz; |
99 | qq = q + sz; |
100 | o->r->ops->fill(o->r, q, hsz); |
101 | |
102 | /* --- Fill in the rest of the buffer --- */ |
103 | |
827a6719 |
104 | h = o->ch->init(); |
99a01cb9 |
105 | h->ops->hash(h, o->ep, o->epsz); |
106 | h->ops->done(h, mq); |
107 | h->ops->destroy(h); |
108 | pp = mq + hsz; |
109 | n = sz - 2 * hsz - msz - 1; |
110 | memset(pp, 0, n); |
111 | pp += n; |
112 | *pp++ = 1; |
113 | memcpy(pp, msg, msz); |
114 | |
115 | /* --- Do the packing --- */ |
116 | |
117 | n = sz - hsz; |
118 | c = o->cc->init(q, hsz); |
119 | c->ops->encrypt(c, mq, mq, n); |
120 | c->ops->destroy(c); |
121 | |
122 | c = o->cc->init(mq, n); |
123 | c->ops->encrypt(c, q, q, hsz); |
124 | c->ops->destroy(c); |
125 | |
126 | /* --- Done --- */ |
127 | |
128 | return (0); |
129 | } |
130 | |
131 | /* --- @oaep_decode@ --- * |
132 | * |
133 | * Arguments: @const void *buf@ = pointer to encoded buffer |
134 | * @size_t sz@ = size of the encoded buffer |
135 | * @dstr *d@ = pointer to destination string |
136 | * @void *p@ = pointer to OAEP parameter block |
137 | * |
138 | * Returns: The length of the output string if successful, negative on |
139 | * failure. |
140 | * |
141 | * Use: Implements the operation @EME-OAEP-DECODE@, as defined in |
142 | * PKCS#1 v. 2.0 (RFC2437). |
143 | */ |
144 | |
145 | int oaep_decode(const void *buf, size_t sz, dstr *d, void *p) |
146 | { |
147 | oaep *o = p; |
148 | gcipher *c; |
149 | ghash *h; |
150 | octet *q, *mq, *qq; |
151 | octet *pp; |
d3916b7c |
152 | unsigned bad = 0; |
99a01cb9 |
153 | size_t n; |
154 | size_t hsz = o->ch->hashsz; |
155 | int rc = -1; |
156 | |
157 | /* --- Ensure that the block is large enough --- */ |
158 | |
159 | if (sz < 2 * hsz) |
160 | return (-1); |
161 | |
162 | q = x_alloc(d->a, sz); |
163 | memcpy(q, buf, sz); |
164 | |
165 | /* --- Decrypt the message --- */ |
166 | |
d3916b7c |
167 | bad = *q; |
99a01cb9 |
168 | q++; sz--; |
169 | mq = q + hsz; |
170 | qq = q + sz; |
171 | n = sz - hsz; |
172 | c = o->cc->init(mq, n); |
173 | c->ops->decrypt(c, q, q, hsz); |
174 | c->ops->destroy(c); |
175 | |
176 | c = o->cc->init(q, hsz); |
177 | c->ops->decrypt(c, mq, mq, n); |
178 | c->ops->destroy(c); |
179 | q--; |
180 | |
181 | /* --- Check the hash on the encoding parameters --- */ |
182 | |
183 | h = o->ch->init(); |
184 | h->ops->hash(h, o->ep, o->epsz); |
185 | h->ops->done(h, q); |
827a6719 |
186 | h->ops->destroy(h); |
d3916b7c |
187 | bad |= memcmp(q, mq, hsz); |
99a01cb9 |
188 | |
189 | /* --- Now find the start of the actual message --- */ |
190 | |
191 | pp = mq + hsz; |
192 | while (*pp == 0 && pp < qq) |
193 | pp++; |
d3916b7c |
194 | bad |= (pp >= qq) | (*pp++ != 1); |
99a01cb9 |
195 | n = qq - pp; |
196 | dstr_putm(d, pp, n); |
d3916b7c |
197 | if (!bad) |
198 | rc = n; |
99a01cb9 |
199 | |
99a01cb9 |
200 | x_free(d->a, q); |
201 | return (rc); |
202 | } |
203 | |
49db8dbe |
204 | /*----- Test rig ----------------------------------------------------------*/ |
205 | |
206 | #ifdef TEST_RIG |
207 | |
208 | #include <mLib/testrig.h> |
209 | |
210 | #include "rmd160.h" |
211 | #include "rmd160-mgf.h" |
212 | |
213 | typedef struct gctx { |
214 | grand r; |
215 | octet *buf; |
216 | } gctx; |
217 | |
218 | static void rfill(grand *r, void *buf, size_t sz) |
219 | { |
220 | gctx *g = (gctx *)r; |
221 | memcpy(buf, g->buf, sz); |
222 | } |
223 | |
224 | static const grand_ops gops = { |
225 | "const", 0, 0, |
226 | 0, 0, |
227 | 0, 0, 0, 0, rfill |
228 | }; |
229 | |
230 | static int verify(dstr *v) |
231 | { |
232 | gctx gr; |
233 | dstr d = DSTR_INIT; |
234 | oaep o; |
235 | int ok = 1; |
236 | |
237 | dstr_ensure(&d, v[3].len); |
238 | d.len = v[3].len; |
239 | gr.r.ops = &gops; |
827a6719 |
240 | gr.buf = (octet *)v[2].buf; |
49db8dbe |
241 | |
242 | o.cc = &rmd160_mgf; |
243 | o.ch = &rmd160; |
244 | o.r = &gr.r; |
245 | o.ep = v[1].buf; |
246 | o.epsz = v[1].len; |
247 | |
248 | if (oaep_encode(v[0].buf, v[0].len, d.buf, d.len, &o) || |
249 | memcmp(d.buf, v[3].buf, d.len) != 0) { |
250 | ok = 0; |
251 | fputs("\nfailure in oaep_encode", stderr); |
252 | fputs("\n message = ", stderr); type_hex.dump(&v[0], stderr); |
253 | fputs("\n params = ", stderr); type_hex.dump(&v[1], stderr); |
254 | fputs("\n salt = ", stderr); type_hex.dump(&v[2], stderr); |
255 | fputs("\nexpected = ", stderr); type_hex.dump(&v[3], stderr); |
256 | fputs("\n output = ", stderr); type_hex.dump(&d, stderr); |
257 | fputc('\n', stderr); |
258 | } |
259 | |
260 | DRESET(&d); |
261 | if (oaep_decode(v[3].buf, v[3].len, &d, &o) < 0 || |
262 | d.len != v[0].len || memcmp(d.buf, v[0].buf, d.len) != 0) { |
263 | ok = 0; |
264 | fputs("\nfailure in oaep_decode", stderr); |
265 | fputs("\n goop = ", stderr); type_hex.dump(&v[3], stderr); |
266 | fputs("\n params = ", stderr); type_hex.dump(&v[1], stderr); |
267 | fputs("\n salt = ", stderr); type_hex.dump(&v[2], stderr); |
268 | fputs("\nexpected = ", stderr); type_hex.dump(&v[0], stderr); |
269 | fputs("\n output = ", stderr); type_hex.dump(&d, stderr); |
270 | fputc('\n', stderr); |
271 | } |
272 | |
273 | dstr_destroy(&d); |
274 | return (ok); |
275 | } |
276 | |
277 | static test_chunk tests[] = { |
278 | { "oaep", verify, { &type_hex, &type_hex, &type_hex, &type_hex, 0 } }, |
279 | { 0, 0, { 0 } } |
280 | }; |
281 | |
282 | int main(int argc, char *argv[]) |
283 | { |
284 | test_run(argc, argv, tests, SRCDIR "/tests/oaep"); |
285 | return (0); |
286 | } |
287 | |
288 | #endif |
289 | |
99a01cb9 |
290 | /*----- That's all, folks -------------------------------------------------*/ |