/* -*-c-*-
*
- * $Id: oaep.c,v 1.2 2000/07/15 10:01:48 mdw Exp $
+ * $Id: oaep.c,v 1.5 2002/01/13 20:20:39 mdw Exp $
*
* Optimal asymmetric encryption packing
*
/*----- Revision history --------------------------------------------------*
*
* $Log: oaep.c,v $
+ * Revision 1.5 2002/01/13 20:20:39 mdw
+ * Hack the @oaep_decode@ code some more, to make it work again.
+ *
+ * Revision 1.4 2002/01/13 13:50:21 mdw
+ * Allow only one error return, to frustrate Manger's attack against OAEP.
+ *
+ * Revision 1.3 2001/02/22 09:04:39 mdw
+ * Fix memory leaks.
+ *
* Revision 1.2 2000/07/15 10:01:48 mdw
* Test rig added, based on RIPEMD160-MGF1 test vectors.
*
{
oaep *o = p;
size_t hsz = o->ch->hashsz;
- ghash *h = o->ch->init();
+ ghash *h;
octet *q, *mq, *qq;
octet *pp;
gcipher *c;
/* --- Fill in the rest of the buffer --- */
+ h = o->ch->init();
h->ops->hash(h, o->ep, o->epsz);
h->ops->done(h, mq);
h->ops->destroy(h);
ghash *h;
octet *q, *mq, *qq;
octet *pp;
+ unsigned bad = 0;
size_t n;
size_t hsz = o->ch->hashsz;
int rc = -1;
/* --- Decrypt the message --- */
- if (*q != 0)
- goto fail;
+ bad = *q;
q++; sz--;
mq = q + hsz;
qq = q + sz;
h = o->ch->init();
h->ops->hash(h, o->ep, o->epsz);
h->ops->done(h, q);
- if (memcmp(q, mq, hsz) != 0)
- goto fail;
+ h->ops->destroy(h);
+ bad |= memcmp(q, mq, hsz);
/* --- Now find the start of the actual message --- */
pp = mq + hsz;
while (*pp == 0 && pp < qq)
pp++;
- if (pp >= qq || *pp++ != 1)
- return (-1);
+ bad |= (pp >= qq) | (*pp++ != 1);
n = qq - pp;
dstr_putm(d, pp, n);
- rc = n;
+ if (!bad)
+ rc = n;
-fail:
x_free(d->a, q);
return (rc);
}
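Review bot: The bitwise `|` in `bad |= (pp >= qq) | (*pp++ != 1);` evaluates `*pp++` even when `pp >= qq`, so a block whose trailing padding is all zeros reads one byte past the end of the buffer and leaves `pp` at `qq + 1`, after which `n = qq - pp` wraps to a huge `size_t` before `dstr_putm(d, pp, n)` — the short-circuit `||` it replaces prevented both. Keep the single error path but guard the dereference: `bad |= (pp >= qq);` followed by `if (pp < qq) bad |= (*pp++ != 1);`. The unchanged `while (*pp == 0 && pp < qq)` just above has the same operand order (dereference before bound test), so it appears to reach `*qq` as well when every byte is zero. Separately, `dstr_putm` still appends the recovered bytes to `d` even when `bad` is set, so the caller's buffer ends up holding data derived from a rejected decryption alongside the -1 return; skipping the copy when `bad` is nonzero costs nothing that the existing `if (!bad)` branch does not already reveal. oaep_decode's opening, including the allocation of `q`, lies outside the hunk.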
dstr_ensure(&d, v[3].len);
d.len = v[3].len;
gr.r.ops = &gops;
- gr.buf = v[2].buf;
+ gr.buf = (octet *)v[2].buf;
o.cc = &rmd160_mgf;
o.ch = &rmd160;