projects / u / mdw / catacomb / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Update manuals.
[u/mdw/catacomb] / oaep.c
1 /* -*-c-*-
2 *
3 * $Id: oaep.c,v 1.5 2002/01/13 20:20:39 mdw Exp $
4 *
5 * Optimal asymmetric encryption packing
6 *
7 * (c) 2000 Straylight/Edgeware
8 */
9
10 /*----- Licensing notice --------------------------------------------------*
11 *
12 * This file is part of Catacomb.
13 *
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
18 *
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
23 *
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
27 * MA 02111-1307, USA.
28 */
29
30 /*----- Revision history --------------------------------------------------*
31 *
32 * $Log: oaep.c,v $
33 * Revision 1.5 2002/01/13 20:20:39 mdw
34 * Hack the @oaep_decode@ code some more, to make it work again.
35 *
36 * Revision 1.4 2002/01/13 13:50:21 mdw
37 * Allow only one error return, to frustrate Manger's attack against OAEP.
38 *
39 * Revision 1.3 2001/02/22 09:04:39 mdw
40 * Fix memory leaks.
41 *
42 * Revision 1.2 2000/07/15 10:01:48 mdw
43 * Test rig added, based on RIPEMD160-MGF1 test vectors.
44 *
45 * Revision 1.1 2000/07/01 11:18:30 mdw
46 * Support for Optimal Asymmetric Encryption Padding.
47 *
48 */
49
50 /*----- Header files ------------------------------------------------------*/
51
52 #include <string.h>
53
54 #include <mLib/alloc.h>
55 #include <mLib/bits.h>
56 #include <mLib/dstr.h>
57
58 #include "gcipher.h"
59 #include "ghash.h"
60 #include "grand.h"
61 #include "oaep.h"
62
63 /*----- Main code ---------------------------------------------------------*/
64
65 /* --- @oaep_encode@ --- *
66 *
67 * Arguments: @const void *msg@ = pointer to message data
68 * @size_t msz@ = size of message data
69 * @void *buf@ = pointer to output buffer
70 * @size_t sz@ = size of the output buffer
71 * @void *p@ = pointer to OAEP parameter block
72 *
73 * Returns: Zero if all went well, negative on failure.
74 *
75 * Use: Implements the operation @EME-OAEP-ENCODE@, as defined in
76 * PKCS#1 v. 2.0 (RFC2437).
77 */
78
79 int oaep_encode(const void *msg, size_t msz, void *buf, size_t sz, void *p)
80 {
81 oaep *o = p;
82 size_t hsz = o->ch->hashsz;
83 ghash *h;
84 octet *q, *mq, *qq;
85 octet *pp;
86 gcipher *c;
87 size_t n;
88
89 /* --- Ensure that everything is sensibly sized --- */
90
91 if (2 * hsz + 2 + msz > sz)
92 return (-1);
93
94 /* --- Make the `seed' value --- */
95
96 q = buf;
97 *q++ = 0; sz--;
98 mq = q + hsz;
99 qq = q + sz;
100 o->r->ops->fill(o->r, q, hsz);
101
102 /* --- Fill in the rest of the buffer --- */
103
104 h = o->ch->init();
105 h->ops->hash(h, o->ep, o->epsz);
106 h->ops->done(h, mq);
107 h->ops->destroy(h);
108 pp = mq + hsz;
109 n = sz - 2 * hsz - msz - 1;
110 memset(pp, 0, n);
111 pp += n;
112 *pp++ = 1;
113 memcpy(pp, msg, msz);
114
115 /* --- Do the packing --- */
116
117 n = sz - hsz;
118 c = o->cc->init(q, hsz);
119 c->ops->encrypt(c, mq, mq, n);
120 c->ops->destroy(c);
121
122 c = o->cc->init(mq, n);
123 c->ops->encrypt(c, q, q, hsz);
124 c->ops->destroy(c);
125
126 /* --- Done --- */
127
128 return (0);
129 }
130
131 /* --- @oaep_decode@ --- *
132 *
133 * Arguments: @const void *buf@ = pointer to encoded buffer
134 * @size_t sz@ = size of the encoded buffer
135 * @dstr *d@ = pointer to destination string
136 * @void *p@ = pointer to OAEP parameter block
137 *
138 * Returns: The length of the output string if successful, negative on
139 * failure.
140 *
141 * Use: Implements the operation @EME-OAEP-DECODE@, as defined in
142 * PKCS#1 v. 2.0 (RFC2437).
143 */
144
145 int oaep_decode(const void *buf, size_t sz, dstr *d, void *p)
146 {
147 oaep *o = p;
148 gcipher *c;
149 ghash *h;
150 octet *q, *mq, *qq;
151 octet *pp;
152 unsigned bad = 0;
153 size_t n;
154 size_t hsz = o->ch->hashsz;
155 int rc = -1;
156
157 /* --- Ensure that the block is large enough --- */
158
159 if (sz < 2 * hsz)
160 return (-1);
161
162 q = x_alloc(d->a, sz);
163 memcpy(q, buf, sz);
164
165 /* --- Decrypt the message --- */
166
167 bad = *q;
168 q++; sz--;
169 mq = q + hsz;
170 qq = q + sz;
171 n = sz - hsz;
172 c = o->cc->init(mq, n);
173 c->ops->decrypt(c, q, q, hsz);
174 c->ops->destroy(c);
175
176 c = o->cc->init(q, hsz);
177 c->ops->decrypt(c, mq, mq, n);
178 c->ops->destroy(c);
179 q--;
180
181 /* --- Check the hash on the encoding parameters --- */
182
183 h = o->ch->init();
184 h->ops->hash(h, o->ep, o->epsz);
185 h->ops->done(h, q);
186 h->ops->destroy(h);
187 bad |= memcmp(q, mq, hsz);
188
189 /* --- Now find the start of the actual message --- */
190
191 pp = mq + hsz;
192 while (*pp == 0 && pp < qq)
193 pp++;
194 bad |= (pp >= qq) | (*pp++ != 1);
195 n = qq - pp;
196 dstr_putm(d, pp, n);
197 if (!bad)
198 rc = n;
199
200 x_free(d->a, q);
201 return (rc);
202 }
203
204 /*----- Test rig ----------------------------------------------------------*/
205
206 #ifdef TEST_RIG
207
208 #include <mLib/testrig.h>
209
210 #include "rmd160.h"
211 #include "rmd160-mgf.h"
212
213 typedef struct gctx {
214 grand r;
215 octet *buf;
216 } gctx;
217
218 static void rfill(grand *r, void *buf, size_t sz)
219 {
220 gctx *g = (gctx *)r;
221 memcpy(buf, g->buf, sz);
222 }
223
224 static const grand_ops gops = {
225 "const", 0, 0,
226 0, 0,
227 0, 0, 0, 0, rfill
228 };
229
230 static int verify(dstr *v)
231 {
232 gctx gr;
233 dstr d = DSTR_INIT;
234 oaep o;
235 int ok = 1;
236
237 dstr_ensure(&d, v[3].len);
238 d.len = v[3].len;
239 gr.r.ops = &gops;
240 gr.buf = (octet *)v[2].buf;
241
242 o.cc = &rmd160_mgf;
243 o.ch = &rmd160;
244 o.r = &gr.r;
245 o.ep = v[1].buf;
246 o.epsz = v[1].len;
247
248 if (oaep_encode(v[0].buf, v[0].len, d.buf, d.len, &o) ||
249 memcmp(d.buf, v[3].buf, d.len) != 0) {
250 ok = 0;
251 fputs("\nfailure in oaep_encode", stderr);
252 fputs("\n message = ", stderr); type_hex.dump(&v[0], stderr);
253 fputs("\n params = ", stderr); type_hex.dump(&v[1], stderr);
254 fputs("\n salt = ", stderr); type_hex.dump(&v[2], stderr);
255 fputs("\nexpected = ", stderr); type_hex.dump(&v[3], stderr);
256 fputs("\n output = ", stderr); type_hex.dump(&d, stderr);
257 fputc('\n', stderr);
258 }
259
260 DRESET(&d);
261 if (oaep_decode(v[3].buf, v[3].len, &d, &o) < 0 ||
262 d.len != v[0].len || memcmp(d.buf, v[0].buf, d.len) != 0) {
263 ok = 0;
264 fputs("\nfailure in oaep_decode", stderr);
265 fputs("\n goop = ", stderr); type_hex.dump(&v[3], stderr);
266 fputs("\n params = ", stderr); type_hex.dump(&v[1], stderr);
267 fputs("\n salt = ", stderr); type_hex.dump(&v[2], stderr);
268 fputs("\nexpected = ", stderr); type_hex.dump(&v[0], stderr);
269 fputs("\n output = ", stderr); type_hex.dump(&d, stderr);
270 fputc('\n', stderr);
271 }
272
273 dstr_destroy(&d);
274 return (ok);
275 }
276
277 static test_chunk tests[] = {
278 { "oaep", verify, { &type_hex, &type_hex, &type_hex, &type_hex, 0 } },
279 { 0, 0, { 0 } }
280 };
281
282 int main(int argc, char *argv[])
283 {
284 test_run(argc, argv, tests, SRCDIR "/tests/oaep");
285 return (0);
286 }
287
288 #endif
289
290 /*----- That's all, folks -------------------------------------------------*/
Catacomb cryptographic library (downstream of http://git.distorted.org.uk/~mdw/catacomb/)