99a01cb9 |
1 | /* -*-c-*- |
2 | * |
b817bfc6 |
3 | * $Id: oaep.c,v 1.6 2004/04/08 01:36:15 mdw Exp $ |
99a01cb9 |
4 | * |
5 | * Optimal asymmetric encryption packing |
6 | * |
7 | * (c) 2000 Straylight/Edgeware |
8 | */ |
9 | |
10 | /*----- Licensing notice --------------------------------------------------* |
11 | * |
12 | * This file is part of Catacomb. |
13 | * |
14 | * Catacomb is free software; you can redistribute it and/or modify |
15 | * it under the terms of the GNU Library General Public License as |
16 | * published by the Free Software Foundation; either version 2 of the |
17 | * License, or (at your option) any later version. |
18 | * |
19 | * Catacomb is distributed in the hope that it will be useful, |
20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
22 | * GNU Library General Public License for more details. |
23 | * |
24 | * You should have received a copy of the GNU Library General Public |
25 | * License along with Catacomb; if not, write to the Free |
26 | * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, |
27 | * MA 02111-1307, USA. |
28 | */ |
29 | |
99a01cb9 |
30 | /*----- Header files ------------------------------------------------------*/ |
31 | |
32 | #include <string.h> |
33 | |
34 | #include <mLib/alloc.h> |
35 | #include <mLib/bits.h> |
36 | #include <mLib/dstr.h> |
37 | |
38 | #include "gcipher.h" |
39 | #include "ghash.h" |
40 | #include "grand.h" |
b817bfc6 |
41 | #include "rsa.h" |
99a01cb9 |
42 | |
43 | /*----- Main code ---------------------------------------------------------*/ |
44 | |
45 | /* --- @oaep_encode@ --- * |
46 | * |
b817bfc6 |
47 | * Arguments: @mp *d@ = where to put the answer |
48 | * @const void *m@ = pointer to message data |
99a01cb9 |
49 | * @size_t msz@ = size of message data |
b817bfc6 |
50 | * @octet *b@ = spare buffer |
51 | * @size_t sz@ = size of the buffer (big enough) |
52 | * @unsigned long nbits@ = length of bits of @n@ |
99a01cb9 |
53 | * @void *p@ = pointer to OAEP parameter block |
54 | * |
b817bfc6 |
55 | * Returns: The encoded plaintext, or null on failure. |
99a01cb9 |
56 | * |
57 | * Use: Implements the operation @EME-OAEP-ENCODE@, as defined in |
58 | * PKCS#1 v. 2.0 (RFC2437). |
59 | */ |
60 | |
b817bfc6 |
61 | mp *oaep_encode(mp *d, const void *m, size_t msz, octet *b, size_t sz, |
62 | unsigned long nbits, void *p) |
99a01cb9 |
63 | { |
64 | oaep *o = p; |
65 | size_t hsz = o->ch->hashsz; |
827a6719 |
66 | ghash *h; |
99a01cb9 |
67 | octet *q, *mq, *qq; |
68 | octet *pp; |
69 | gcipher *c; |
70 | size_t n; |
71 | |
72 | /* --- Ensure that everything is sensibly sized --- */ |
73 | |
74 | if (2 * hsz + 2 + msz > sz) |
b817bfc6 |
75 | return (0); |
99a01cb9 |
76 | |
77 | /* --- Make the `seed' value --- */ |
78 | |
b817bfc6 |
79 | q = b; |
99a01cb9 |
80 | *q++ = 0; sz--; |
81 | mq = q + hsz; |
82 | qq = q + sz; |
b817bfc6 |
83 | GR_FILL(o->r, q, hsz); |
99a01cb9 |
84 | |
85 | /* --- Fill in the rest of the buffer --- */ |
86 | |
b817bfc6 |
87 | h = GH_INIT(o->ch); |
88 | GH_HASH(h, o->ep, o->epsz); |
89 | GH_DONE(h, mq); |
90 | GH_DESTROY(h); |
99a01cb9 |
91 | pp = mq + hsz; |
92 | n = sz - 2 * hsz - msz - 1; |
93 | memset(pp, 0, n); |
94 | pp += n; |
95 | *pp++ = 1; |
b817bfc6 |
96 | memcpy(pp, m, msz); |
99a01cb9 |
97 | |
98 | /* --- Do the packing --- */ |
99 | |
100 | n = sz - hsz; |
b817bfc6 |
101 | c = GC_INIT(o->cc, q, hsz); |
102 | GC_ENCRYPT(c, mq, mq, n); |
103 | GC_DESTROY(c); |
99a01cb9 |
104 | |
b817bfc6 |
105 | c = GC_INIT(o->cc, mq, n); |
106 | GC_ENCRYPT(c, q, q, hsz); |
107 | GC_DESTROY(c); |
99a01cb9 |
108 | |
109 | /* --- Done --- */ |
110 | |
b817bfc6 |
111 | return (mp_loadb(d, b, sz + 1)); |
99a01cb9 |
112 | } |
113 | |
114 | /* --- @oaep_decode@ --- * |
115 | * |
b817bfc6 |
116 | * Arguments: @mp *m@ = the decrypted message |
117 | * @octet *b@ = pointer to a buffer to work in |
118 | * @size_t sz@ = the size of the buffer (big enough) |
119 | * @unsigned long nbits@ = the number of bits in @n@ |
99a01cb9 |
120 | * @void *p@ = pointer to OAEP parameter block |
121 | * |
122 | * Returns: The length of the output string if successful, negative on |
123 | * failure. |
124 | * |
125 | * Use: Implements the operation @EME-OAEP-DECODE@, as defined in |
126 | * PKCS#1 v. 2.0 (RFC2437). |
127 | */ |
128 | |
b817bfc6 |
129 | static int memeq(const void *xx, const void *yy, size_t sz) |
130 | { |
131 | int eq = 1; |
132 | const octet *x = xx, *y = yy; |
133 | while (sz) { /* Always check every byte */ |
134 | if (*x++ != *y++) eq = 0; |
135 | sz--; |
136 | } |
137 | return (eq); |
138 | } |
139 | |
140 | int oaep_decode(mp *m, octet *b, size_t sz, unsigned long nbits, void *p) |
99a01cb9 |
141 | { |
142 | oaep *o = p; |
143 | gcipher *c; |
144 | ghash *h; |
145 | octet *q, *mq, *qq; |
146 | octet *pp; |
d3916b7c |
147 | unsigned bad = 0; |
99a01cb9 |
148 | size_t n; |
149 | size_t hsz = o->ch->hashsz; |
99a01cb9 |
150 | |
151 | /* --- Ensure that the block is large enough --- */ |
152 | |
b817bfc6 |
153 | if (sz < 2 * hsz) /* Doesn't depend on ciphertext */ |
99a01cb9 |
154 | return (-1); |
155 | |
99a01cb9 |
156 | /* --- Decrypt the message --- */ |
157 | |
b817bfc6 |
158 | mp_storeb(m, b, sz); |
159 | q = b; |
d3916b7c |
160 | bad = *q; |
99a01cb9 |
161 | q++; sz--; |
162 | mq = q + hsz; |
163 | qq = q + sz; |
164 | n = sz - hsz; |
b817bfc6 |
165 | c = GC_INIT(o->cc, mq, n); |
166 | GC_DECRYPT(c, q, q, hsz); |
167 | GC_DESTROY(c); |
99a01cb9 |
168 | |
b817bfc6 |
169 | c = GC_INIT(o->cc, q, hsz); |
170 | GC_DECRYPT(c, mq, mq, n); |
171 | GC_DESTROY(c); |
99a01cb9 |
172 | q--; |
173 | |
174 | /* --- Check the hash on the encoding parameters --- */ |
175 | |
b817bfc6 |
176 | h = GH_INIT(o->ch); |
177 | GH_HASH(h, o->ep, o->epsz); |
178 | GH_DONE(h, q); |
179 | GH_DESTROY(h); |
180 | bad |= !memeq(q, mq, hsz); |
99a01cb9 |
181 | |
182 | /* --- Now find the start of the actual message --- */ |
183 | |
184 | pp = mq + hsz; |
185 | while (*pp == 0 && pp < qq) |
186 | pp++; |
d3916b7c |
187 | bad |= (pp >= qq) | (*pp++ != 1); |
99a01cb9 |
188 | n = qq - pp; |
b817bfc6 |
189 | memmove(q, pp, n); |
190 | return (bad ? -1 : n); |
49db8dbe |
191 | } |
192 | |
99a01cb9 |
193 | /*----- That's all, folks -------------------------------------------------*/ |