git.distorted.org.uk Git - u/mdw/catacomb/blob - oaep.c

   1 /* -*-c-*-
   2  *
   3  * $Id: oaep.c,v 1.6 2004/04/08 01:36:15 mdw Exp $
   4  *
   5  * Optimal asymmetric encryption packing
   6  *
   7  * (c) 2000 Straylight/Edgeware
   8  */
   9
  10 /*----- Licensing notice --------------------------------------------------*
  11  *
  12  * This file is part of Catacomb.
  13  *
  14  * Catacomb is free software; you can redistribute it and/or modify
  15  * it under the terms of the GNU Library General Public License as
  16  * published by the Free Software Foundation; either version 2 of the
  17  * License, or (at your option) any later version.
  18  *
  19  * Catacomb is distributed in the hope that it will be useful,
  20  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  21  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  22  * GNU Library General Public License for more details.
  23  *
  24  * You should have received a copy of the GNU Library General Public
  25  * License along with Catacomb; if not, write to the Free
  26  * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
  27  * MA 02111-1307, USA.
  28  */
  29
  30 /*----- Header files ------------------------------------------------------*/
  31
  32 #include <string.h>
  33
  34 #include <mLib/alloc.h>
  35 #include <mLib/bits.h>
  36 #include <mLib/dstr.h>
  37
  38 #include "ct.h"
  39 #include "gcipher.h"
  40 #include "ghash.h"
  41 #include "grand.h"
  42 #include "rsa.h"
  43
  44 /*----- Main code ---------------------------------------------------------*/
  45
  46 /* --- @oaep_encode@ --- *
  47  *
  48  * Arguments:   @mp *d@ = where to put the answer
  49  *              @const void *m@ = pointer to message data
  50  *              @size_t msz@ = size of message data
  51  *              @octet *b@ = spare buffer
  52  *              @size_t sz@ = size of the buffer (big enough)
  53  *              @unsigned long nbits@ = length of bits of @n@
  54  *              @void *p@ = pointer to OAEP parameter block
  55  *
  56  * Returns:     The encoded plaintext, or null on failure.
  57  *
  58  * Use:         Implements the operation @EME-OAEP-ENCODE@, as defined in
  59  *              PKCS#1 v. 2.0 (RFC2437).
  60  */
  61
  62 mp *oaep_encode(mp *d, const void *m, size_t msz, octet *b, size_t sz,
  63                 unsigned long nbits, void *p)
  64 {
  65   oaep *o = p;
  66   size_t hsz = o->ch->hashsz;
  67   ghash *h;
  68   octet *q, *mq;
  69   octet *pp;
  70   gcipher *c;
  71   size_t n;
  72
  73   /* --- Ensure that everything is sensibly sized --- */
  74
  75   if (2 * hsz + 2 + msz > sz)
  76     return (0);
  77
  78   /* --- Make the `seed' value --- */
  79
  80   q = b;
  81   *q++ = 0; sz--;
  82   mq = q + hsz;
  83   GR_FILL(o->r, q, hsz);
  84
  85   /* --- Fill in the rest of the buffer --- */
  86
  87   h = GH_INIT(o->ch);
  88   GH_HASH(h, o->ep, o->epsz);
  89   GH_DONE(h, mq);
  90   GH_DESTROY(h);
  91   pp = mq + hsz;
  92   n = sz - 2 * hsz - msz - 1;
  93   memset(pp, 0, n);
  94   pp += n;
  95   *pp++ = 1;
  96   memcpy(pp, m, msz);
  97
  98   /* --- Do the packing --- */
  99
 100   n = sz - hsz;
 101   c = GC_INIT(o->cc, q, hsz);
 102   GC_ENCRYPT(c, mq, mq, n);
 103   GC_DESTROY(c);
 104
 105   c = GC_INIT(o->cc, mq, n);
 106   GC_ENCRYPT(c, q, q, hsz);
 107   GC_DESTROY(c);
 108
 109   /* --- Done --- */
 110
 111   return (mp_loadb(d, b, sz + 1));
 112 }
 113
 114 /* --- @oaep_decode@ --- *
 115  *
 116  * Arguments:   @mp *m@ = the decrypted message
 117  *              @octet *b@ = pointer to a buffer to work in
 118  *              @size_t sz@ = the size of the buffer (big enough)
 119  *              @unsigned long nbits@ = the number of bits in @n@
 120  *              @void *p@ = pointer to OAEP parameter block
 121  *
 122  * Returns:     The length of the output string if successful, negative on
 123  *              failure.
 124  *
 125  * Use:         Implements the operation @EME-OAEP-DECODE@, as defined in
 126  *              PKCS#1 v. 2.0 (RFC2437).
 127  */
 128
 129 int oaep_decode(mp *m, octet *b, size_t sz, unsigned long nbits, void *p)
 130 {
 131   oaep *o = p;
 132   gcipher *c;
 133   ghash *h;
 134   octet *q, *mq, *qq;
 135   octet *pp;
 136   uint32 goodp = 1;
 137   size_t n;
 138   size_t hsz = o->ch->hashsz;
 139
 140   /* --- Ensure that the block is large enough --- */
 141
 142   if (sz < 2 * hsz)                     /* Doesn't depend on ciphertext */
 143     return (-1);
 144
 145   /* --- Decrypt the message --- */
 146
 147   mp_storeb(m, b, sz);
 148   q = b;
 149   goodp &= ct_inteq(*q, 0);
 150   q++; sz--;
 151   mq = q + hsz;
 152   qq = q + sz;
 153   n = sz - hsz;
 154   c = GC_INIT(o->cc, mq, n);
 155   GC_DECRYPT(c, q, q, hsz);
 156   GC_DESTROY(c);
 157
 158   c = GC_INIT(o->cc, q, hsz);
 159   GC_DECRYPT(c, mq, mq, n);
 160   GC_DESTROY(c);
 161   q--;
 162
 163   /* --- Check the hash on the encoding parameters --- */
 164
 165   h = GH_INIT(o->ch);
 166   GH_HASH(h, o->ep, o->epsz);
 167   GH_DONE(h, q);
 168   GH_DESTROY(h);
 169   goodp &= ct_memeq(q, mq, hsz);
 170
 171   /* --- Now find the start of the actual message --- */
 172
 173   pp = mq + hsz;
 174   while (*pp == 0 && pp < qq)
 175     pp++;
 176   goodp &= ~ct_intle(qq - b, pp - b);
 177   goodp &= ct_inteq(*pp, 1);
 178   pp++;
 179   n = qq - pp;
 180   memmove(q, pp, n);
 181   return (goodp ? n : -1);
 182 }
 183
 184 /*----- That's all, folks -------------------------------------------------*/