[u/mdw/catacomb] / oaep.c

/* -*-c-*-
 *
 * $Id: oaep.c,v 1.6 2004/04/08 01:36:15 mdw Exp $
 *
 * Optimal asymmetric encryption packing
 *
 * (c) 2000 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include <string.h>

#include <mLib/alloc.h>
#include <mLib/bits.h>
#include <mLib/dstr.h>

#include "gcipher.h"
#include "ghash.h"
#include "grand.h"
#include "rsa.h"

/*----- Main code ---------------------------------------------------------*/

/* --- @oaep_encode@ --- *
 *
 * Arguments:	@mp *d@ = where to put the answer
 *		@const void *m@ = pointer to message data
 *		@size_t msz@ = size of message data
 *		@octet *b@ = spare buffer
 *		@size_t sz@ = size of the buffer (big enough)
 *		@unsigned long nbits@ = length of bits of @n@
 *		@void *p@ = pointer to OAEP parameter block
 *
 * Returns:	The encoded plaintext, or null on failure.
 *
 * Use:		Implements the operation @EME-OAEP-ENCODE@, as defined in
 *		PKCS#1 v. 2.0 (RFC2437).
 */

mp *oaep_encode(mp *d, const void *m, size_t msz, octet *b, size_t sz,
		unsigned long nbits, void *p)
{
  oaep *o = p;
  size_t hsz = o->ch->hashsz;
  ghash *h;
  octet *q, *mq, *qq;
  octet *pp;
  gcipher *c;
  size_t n;

  /* --- Ensure that everything is sensibly sized --- */

  if (2 * hsz + 2 + msz > sz)
    return (0);

  /* --- Make the `seed' value --- */

  q = b;
  *q++ = 0; sz--;
  mq = q + hsz;
  qq = q + sz;
  GR_FILL(o->r, q, hsz);

  /* --- Fill in the rest of the buffer --- */

  h = GH_INIT(o->ch);
  GH_HASH(h, o->ep, o->epsz);
  GH_DONE(h, mq);
  GH_DESTROY(h);
  pp = mq + hsz;
  n = sz - 2 * hsz - msz - 1;
  memset(pp, 0, n);
  pp += n;
  *pp++ = 1;
  memcpy(pp, m, msz);

  /* --- Do the packing --- */

  n = sz - hsz;
  c = GC_INIT(o->cc, q, hsz);
  GC_ENCRYPT(c, mq, mq, n);
  GC_DESTROY(c);

  c = GC_INIT(o->cc, mq, n);
  GC_ENCRYPT(c, q, q, hsz);
  GC_DESTROY(c);

  /* --- Done --- */

  return (mp_loadb(d, b, sz + 1));
}

/* --- @oaep_decode@ --- *
 *
 * Arguments:	@mp *m@ = the decrypted message
 *		@octet *b@ = pointer to a buffer to work in
 *		@size_t sz@ = the size of the buffer (big enough)
 *		@unsigned long nbits@ = the number of bits in @n@
 *		@void *p@ = pointer to OAEP parameter block
 *
 * Returns:	The length of the output string if successful, negative on
 *		failure.
 *
 * Use:		Implements the operation @EME-OAEP-DECODE@, as defined in
 *		PKCS#1 v. 2.0 (RFC2437).
 */

static int memeq(const void *xx, const void *yy, size_t sz)
{
  int eq = 1;
  const octet *x = xx, *y = yy;
  while (sz) {				/* Always check every byte */
    if (*x++ != *y++) eq = 0;
    sz--;
  }
  return (eq);
}

int oaep_decode(mp *m, octet *b, size_t sz, unsigned long nbits, void *p)
{
  oaep *o = p;
  gcipher *c;
  ghash *h;
  octet *q, *mq, *qq;
  octet *pp;
  unsigned bad = 0;
  size_t n;
  size_t hsz = o->ch->hashsz;

  /* --- Ensure that the block is large enough --- */

  if (sz < 2 * hsz)			/* Doesn't depend on ciphertext */
    return (-1);

  /* --- Decrypt the message --- */

  mp_storeb(m, b, sz);
  q = b;
  bad = *q;
  q++; sz--;
  mq = q + hsz;
  qq = q + sz;
  n = sz - hsz;
  c = GC_INIT(o->cc, mq, n);
  GC_DECRYPT(c, q, q, hsz);
  GC_DESTROY(c);

  c = GC_INIT(o->cc, q, hsz);
  GC_DECRYPT(c, mq, mq, n);
  GC_DESTROY(c);
  q--;

  /* --- Check the hash on the encoding parameters --- */

  h = GH_INIT(o->ch);
  GH_HASH(h, o->ep, o->epsz);
  GH_DONE(h, q);
  GH_DESTROY(h);
  bad |= !memeq(q, mq, hsz);

  /* --- Now find the start of the actual message --- */

  pp = mq + hsz;
  while (*pp == 0 && pp < qq)
    pp++;
  bad |= (pp >= qq) | (*pp != 1);
  pp++;
  n = qq - pp;
  memmove(q, pp, n);
  return (bad ? -1 : n);
}

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
99a01cb9	1	/* --c--
99a01cb9	2	*
b817bfc6	3	* $Id: oaep.c,v 1.6 2004/04/08 01:36:15 mdw Exp $
99a01cb9	4	*
	5	* Optimal asymmetric encryption packing
	6	*
	7	* (c) 2000 Straylight/Edgeware
	8	*/
	9
45c0fd36	10	/----- Licensing notice --------------------------------------------------
99a01cb9	11	*
	12	* This file is part of Catacomb.
	13	*
	14	* Catacomb is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU Library General Public License as
	16	* published by the Free Software Foundation; either version 2 of the
	17	* License, or (at your option) any later version.
45c0fd36	18	*
99a01cb9	19	* Catacomb is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU Library General Public License for more details.
45c0fd36	23	*
99a01cb9	24	* You should have received a copy of the GNU Library General Public
	25	* License along with Catacomb; if not, write to the Free
	26	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	27	* MA 02111-1307, USA.
	28	*/
	29
99a01cb9	30	/----- Header files ------------------------------------------------------/
	31
	32	#include <string.h>
	33
	34	#include <mLib/alloc.h>
	35	#include <mLib/bits.h>
	36	#include <mLib/dstr.h>
	37
	38	#include "gcipher.h"
	39	#include "ghash.h"
	40	#include "grand.h"
b817bfc6	41	#include "rsa.h"
99a01cb9	42
	43	/----- Main code ---------------------------------------------------------/
	44
	45	/* --- @oaep_encode@ --- *
	46	*
b817bfc6	47	* Arguments: @mp *d@ = where to put the answer
b817bfc6	48	* @const void *m@ = pointer to message data
99a01cb9	49	* @size_t msz@ = size of message data
b817bfc6	50	* @octet *b@ = spare buffer
	51	* @size_t sz@ = size of the buffer (big enough)
	52	* @unsigned long nbits@ = length of bits of @n@
99a01cb9	53	* @void *p@ = pointer to OAEP parameter block
99a01cb9	54	*
b817bfc6	55	* Returns: The encoded plaintext, or null on failure.
99a01cb9	56	*
	57	* Use: Implements the operation @EME-OAEP-ENCODE@, as defined in
	58	* PKCS#1 v. 2.0 (RFC2437).
	59	*/
	60
b817bfc6	61	mp oaep_encode(mp d, const void m, size_t msz, octet b, size_t sz,
b817bfc6	62	unsigned long nbits, void *p)
99a01cb9	63	{
	64	oaep *o = p;
	65	size_t hsz = o->ch->hashsz;
827a6719	66	ghash *h;
99a01cb9	67	octet q, mq, *qq;
	68	octet *pp;
	69	gcipher *c;
	70	size_t n;
	71
	72	/* --- Ensure that everything is sensibly sized --- */
	73
	74	if (2 * hsz + 2 + msz > sz)
b817bfc6	75	return (0);
99a01cb9	76
	77	/* --- Make the `seed' value --- */
	78
b817bfc6	79	q = b;
99a01cb9	80	*q++ = 0; sz--;
	81	mq = q + hsz;
	82	qq = q + sz;
b817bfc6	83	GR_FILL(o->r, q, hsz);
99a01cb9	84
	85	/* --- Fill in the rest of the buffer --- */
	86
b817bfc6	87	h = GH_INIT(o->ch);
	88	GH_HASH(h, o->ep, o->epsz);
	89	GH_DONE(h, mq);
	90	GH_DESTROY(h);
99a01cb9	91	pp = mq + hsz;
	92	n = sz - 2 * hsz - msz - 1;
	93	memset(pp, 0, n);
	94	pp += n;
	95	*pp++ = 1;
b817bfc6	96	memcpy(pp, m, msz);
99a01cb9	97
	98	/* --- Do the packing --- */
	99
	100	n = sz - hsz;
b817bfc6	101	c = GC_INIT(o->cc, q, hsz);
	102	GC_ENCRYPT(c, mq, mq, n);
	103	GC_DESTROY(c);
99a01cb9	104
b817bfc6	105	c = GC_INIT(o->cc, mq, n);
	106	GC_ENCRYPT(c, q, q, hsz);
	107	GC_DESTROY(c);
99a01cb9	108
	109	/* --- Done --- */
	110
b817bfc6	111	return (mp_loadb(d, b, sz + 1));
99a01cb9	112	}
	113
	114	/* --- @oaep_decode@ --- *
	115	*
b817bfc6	116	* Arguments: @mp *m@ = the decrypted message
	117	* @octet *b@ = pointer to a buffer to work in
	118	* @size_t sz@ = the size of the buffer (big enough)
	119	* @unsigned long nbits@ = the number of bits in @n@
99a01cb9	120	* @void *p@ = pointer to OAEP parameter block
	121	*
	122	* Returns: The length of the output string if successful, negative on
	123	* failure.
	124	*
	125	* Use: Implements the operation @EME-OAEP-DECODE@, as defined in
	126	* PKCS#1 v. 2.0 (RFC2437).
	127	*/
	128
b817bfc6	129	static int memeq(const void xx, const void yy, size_t sz)
	130	{
	131	int eq = 1;
	132	const octet x = xx, y = yy;
	133	while (sz) { /* Always check every byte */
	134	if (x++ != y++) eq = 0;
	135	sz--;
	136	}
	137	return (eq);
	138	}
	139
	140	int oaep_decode(mp m, octet b, size_t sz, unsigned long nbits, void *p)
99a01cb9	141	{
	142	oaep *o = p;
	143	gcipher *c;
	144	ghash *h;
	145	octet q, mq, *qq;
	146	octet *pp;
d3916b7c	147	unsigned bad = 0;
99a01cb9	148	size_t n;
99a01cb9	149	size_t hsz = o->ch->hashsz;
99a01cb9	150
	151	/* --- Ensure that the block is large enough --- */
	152
b817bfc6	153	if (sz < 2 * hsz) /* Doesn't depend on ciphertext */
99a01cb9	154	return (-1);
99a01cb9	155
99a01cb9	156	/* --- Decrypt the message --- */
99a01cb9	157
b817bfc6	158	mp_storeb(m, b, sz);
b817bfc6	159	q = b;
d3916b7c	160	bad = *q;
99a01cb9	161	q++; sz--;
	162	mq = q + hsz;
	163	qq = q + sz;
	164	n = sz - hsz;
b817bfc6	165	c = GC_INIT(o->cc, mq, n);
	166	GC_DECRYPT(c, q, q, hsz);
	167	GC_DESTROY(c);
99a01cb9	168
b817bfc6	169	c = GC_INIT(o->cc, q, hsz);
	170	GC_DECRYPT(c, mq, mq, n);
	171	GC_DESTROY(c);
99a01cb9	172	q--;
	173
	174	/* --- Check the hash on the encoding parameters --- */
	175
b817bfc6	176	h = GH_INIT(o->ch);
	177	GH_HASH(h, o->ep, o->epsz);
	178	GH_DONE(h, q);
	179	GH_DESTROY(h);
	180	bad \|= !memeq(q, mq, hsz);
99a01cb9	181
	182	/* --- Now find the start of the actual message --- */
	183
	184	pp = mq + hsz;
	185	while (*pp == 0 && pp < qq)
	186	pp++;
78ec50fa MW	187	bad \|= (pp >= qq) \| (*pp != 1);
78ec50fa MW	188	pp++;
99a01cb9	189	n = qq - pp;
b817bfc6	190	memmove(q, pp, n);
b817bfc6	191	return (bad ? -1 : n);
49db8dbe	192	}
49db8dbe	193
99a01cb9	194	/----- That's all, folks -------------------------------------------------/