X-Git-Url: https://git.distorted.org.uk/u/mdw/catacomb/blobdiff_plain/99a01cb9f0ce9a6aa95f3a60f53c14f4e216158b..962dd3329d51f1d18313a17eb0cb4695ee4421a0:/oaep.c

diff --git a/oaep.c b/oaep.c
index 0e135f2..f69c864 100644
--- a/oaep.c
+++ b/oaep.c
@@ -1,6 +1,6 @@
 /* -*-c-*-
  *
- * $Id: oaep.c,v 1.1 2000/07/01 11:18:30 mdw Exp $
+ * $Id: oaep.c,v 1.5 2002/01/13 20:20:39 mdw Exp $
  *
  * Optimal asymmetric encryption packing
  *
@@ -30,6 +30,18 @@
 /*----- Revision history --------------------------------------------------* 
  *
  * $Log: oaep.c,v $
+ * Revision 1.5  2002/01/13 20:20:39  mdw
+ * Hack the @oaep_decode@ code some more, to make it work again.
+ *
+ * Revision 1.4  2002/01/13 13:50:21  mdw
+ * Allow only one error return, to frustrate Manger's attack against OAEP.
+ *
+ * Revision 1.3  2001/02/22 09:04:39  mdw
+ * Fix memory leaks.
+ *
+ * Revision 1.2  2000/07/15 10:01:48  mdw
+ * Test rig added, based on RIPEMD160-MGF1 test vectors.
+ *
  * Revision 1.1  2000/07/01 11:18:30  mdw
  * Support for Optimal Asymmetric Encryption Padding.
  *
@@ -68,7 +80,7 @@ int oaep_encode(const void *msg, size_t msz, void *buf, size_t sz, void *p)
 {
   oaep *o = p;
   size_t hsz = o->ch->hashsz;
-  ghash *h = o->ch->init();
+  ghash *h;
   octet *q, *mq, *qq;
   octet *pp;
   gcipher *c;
@@ -89,6 +101,7 @@ int oaep_encode(const void *msg, size_t msz, void *buf, size_t sz, void *p)
 
   /* --- Fill in the rest of the buffer --- */
 
+  h = o->ch->init();
   h->ops->hash(h, o->ep, o->epsz);
   h->ops->done(h, mq);
   h->ops->destroy(h);
@@ -136,6 +149,7 @@ int oaep_decode(const void *buf, size_t sz, dstr *d, void *p)
   ghash *h;
   octet *q, *mq, *qq;
   octet *pp;
+  unsigned bad = 0;
   size_t n;
   size_t hsz = o->ch->hashsz;
   int rc = -1;
@@ -150,8 +164,7 @@ int oaep_decode(const void *buf, size_t sz, dstr *d, void *p)
 
   /* --- Decrypt the message --- */
 
-  if (*q != 0)
-    goto fail;
+  bad = *q;
   q++; sz--;
   mq = q + hsz;
   qq = q + sz;
@@ -170,23 +183,108 @@ int oaep_decode(const void *buf, size_t sz, dstr *d, void *p)
   h = o->ch->init();
   h->ops->hash(h, o->ep, o->epsz);
   h->ops->done(h, q);
-  if (memcmp(q, mq, hsz) != 0)
-    goto fail;
+  h->ops->destroy(h);
+  bad |= memcmp(q, mq, hsz);
 
   /* --- Now find the start of the actual message --- */
 
   pp = mq + hsz;
   while (*pp == 0 && pp < qq)
     pp++;
-  if (pp >= qq || *pp++ != 1)
-    return (-1);
+  bad |= (pp >= qq) | (*pp++ != 1);
   n = qq - pp;
   dstr_putm(d, pp, n);
-  rc = n;
+  if (!bad)
+    rc = n;
 
-fail:
   x_free(d->a, q);
   return (rc);
 }
 
+/*----- Test rig ----------------------------------------------------------*/
+
+#ifdef TEST_RIG
+
+#include <mLib/testrig.h>
+
+#include "rmd160.h"
+#include "rmd160-mgf.h"
+
+typedef struct gctx {
+  grand r;
+  octet *buf;
+} gctx;
+
+static void rfill(grand *r, void *buf, size_t sz)
+{
+  gctx *g = (gctx *)r;
+  memcpy(buf, g->buf, sz);
+}
+
+static const grand_ops gops = {
+  "const", 0, 0,
+  0, 0,
+  0, 0, 0, 0, rfill
+};
+
+static int verify(dstr *v)
+{
+  gctx gr;
+  dstr d = DSTR_INIT;
+  oaep o;
+  int ok = 1;
+
+  dstr_ensure(&d, v[3].len);
+  d.len = v[3].len;
+  gr.r.ops = &gops;
+  gr.buf = (octet *)v[2].buf;
+
+  o.cc = &rmd160_mgf;
+  o.ch = &rmd160;
+  o.r = &gr.r;
+  o.ep = v[1].buf;
+  o.epsz = v[1].len;
+
+  if (oaep_encode(v[0].buf, v[0].len, d.buf, d.len, &o) ||
+      memcmp(d.buf, v[3].buf, d.len) != 0) {
+    ok = 0;
+    fputs("\nfailure in oaep_encode", stderr);
+    fputs("\n message = ", stderr); type_hex.dump(&v[0], stderr);
+    fputs("\n  params = ", stderr); type_hex.dump(&v[1], stderr);
+    fputs("\n    salt = ", stderr); type_hex.dump(&v[2], stderr);
+    fputs("\nexpected = ", stderr); type_hex.dump(&v[3], stderr);
+    fputs("\n  output = ", stderr); type_hex.dump(&d, stderr);
+    fputc('\n', stderr);
+  }
+
+  DRESET(&d);
+  if (oaep_decode(v[3].buf, v[3].len, &d, &o) < 0 ||
+      d.len != v[0].len || memcmp(d.buf, v[0].buf, d.len) != 0) {
+    ok = 0;
+    fputs("\nfailure in oaep_decode", stderr);
+    fputs("\n    goop = ", stderr); type_hex.dump(&v[3], stderr);
+    fputs("\n  params = ", stderr); type_hex.dump(&v[1], stderr);
+    fputs("\n    salt = ", stderr); type_hex.dump(&v[2], stderr);
+    fputs("\nexpected = ", stderr); type_hex.dump(&v[0], stderr);
+    fputs("\n  output = ", stderr); type_hex.dump(&d, stderr);
+    fputc('\n', stderr);
+  }
+
+  dstr_destroy(&d);
+  return (ok);
+}
+
+static test_chunk tests[] = {
+  { "oaep", verify, { &type_hex, &type_hex, &type_hex, &type_hex, 0 } },
+  { 0, 0, { 0 } }
+};
+
+int main(int argc, char *argv[])
+{
+  test_run(argc, argv, tests, SRCDIR "/tests/oaep");
+  return (0);
+}
+
+#endif
+
 /*----- That's all, folks -------------------------------------------------*/