3 * $Id: oaep.c,v 1.5 2002/01/13 20:20:39 mdw Exp $
5 * Optimal asymmetric encryption packing
7 * (c) 2000 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Revision history --------------------------------------------------*
33 * Revision 1.5 2002/01/13 20:20:39 mdw
34 * Hack the @oaep_decode@ code some more, to make it work again.
36 * Revision 1.4 2002/01/13 13:50:21 mdw
37 * Allow only one error return, to frustrate Manger's attack against OAEP.
39 * Revision 1.3 2001/02/22 09:04:39 mdw
42 * Revision 1.2 2000/07/15 10:01:48 mdw
43 * Test rig added, based on RIPEMD160-MGF1 test vectors.
45 * Revision 1.1 2000/07/01 11:18:30 mdw
46 * Support for Optimal Asymmetric Encryption Padding.
50 /*----- Header files ------------------------------------------------------*/
54 #include <mLib/alloc.h>
55 #include <mLib/bits.h>
56 #include <mLib/dstr.h>
63 /*----- Main code ---------------------------------------------------------*/
65 /* --- @oaep_encode@ --- *
67 * Arguments: @const void *msg@ = pointer to message data
68 * @size_t msz@ = size of message data
69 * @void *buf@ = pointer to output buffer
70 * @size_t sz@ = size of the output buffer
71 * @void *p@ = pointer to OAEP parameter block
73 * Returns: Zero if all went well, negative on failure.
75 * Use: Implements the operation @EME-OAEP-ENCODE@, as defined in
76 * PKCS#1 v. 2.0 (RFC2437).
79 int oaep_encode(const void *msg
, size_t msz
, void *buf
, size_t sz
, void *p
)
82 size_t hsz
= o
->ch
->hashsz
;
89 /* --- Ensure that everything is sensibly sized --- */
91 if (2 * hsz
+ 2 + msz
> sz
)
94 /* --- Make the `seed' value --- */
100 o
->r
->ops
->fill(o
->r
, q
, hsz
);
102 /* --- Fill in the rest of the buffer --- */
105 h
->ops
->hash(h
, o
->ep
, o
->epsz
);
109 n
= sz
- 2 * hsz
- msz
- 1;
113 memcpy(pp
, msg
, msz
);
115 /* --- Do the packing --- */
118 c
= o
->cc
->init(q
, hsz
);
119 c
->ops
->encrypt(c
, mq
, mq
, n
);
122 c
= o
->cc
->init(mq
, n
);
123 c
->ops
->encrypt(c
, q
, q
, hsz
);
131 /* --- @oaep_decode@ --- *
133 * Arguments: @const void *buf@ = pointer to encoded buffer
134 * @size_t sz@ = size of the encoded buffer
135 * @dstr *d@ = pointer to destination string
136 * @void *p@ = pointer to OAEP parameter block
138 * Returns: The length of the output string if successful, negative on
141 * Use: Implements the operation @EME-OAEP-DECODE@, as defined in
142 * PKCS#1 v. 2.0 (RFC2437).
145 int oaep_decode(const void *buf
, size_t sz
, dstr
*d
, void *p
)
154 size_t hsz
= o
->ch
->hashsz
;
157 /* --- Ensure that the block is large enough --- */
162 q
= x_alloc(d
->a
, sz
);
165 /* --- Decrypt the message --- */
172 c
= o
->cc
->init(mq
, n
);
173 c
->ops
->decrypt(c
, q
, q
, hsz
);
176 c
= o
->cc
->init(q
, hsz
);
177 c
->ops
->decrypt(c
, mq
, mq
, n
);
181 /* --- Check the hash on the encoding parameters --- */
184 h
->ops
->hash(h
, o
->ep
, o
->epsz
);
187 bad
|= memcmp(q
, mq
, hsz
);
189 /* --- Now find the start of the actual message --- */
192 while (*pp
== 0 && pp
< qq
)
194 bad
|= (pp
>= qq
) | (*pp
++ != 1);
204 /*----- Test rig ----------------------------------------------------------*/
208 #include <mLib/testrig.h>
211 #include "rmd160-mgf.h"
213 typedef struct gctx
{
218 static void rfill(grand
*r
, void *buf
, size_t sz
)
221 memcpy(buf
, g
->buf
, sz
);
224 static const grand_ops gops
= {
230 static int verify(dstr
*v
)
237 dstr_ensure(&d
, v
[3].len
);
240 gr
.buf
= (octet
*)v
[2].buf
;
248 if (oaep_encode(v
[0].buf
, v
[0].len
, d
.buf
, d
.len
, &o
) ||
249 memcmp(d
.buf
, v
[3].buf
, d
.len
) != 0) {
251 fputs("\nfailure in oaep_encode", stderr
);
252 fputs("\n message = ", stderr
); type_hex
.dump(&v
[0], stderr
);
253 fputs("\n params = ", stderr
); type_hex
.dump(&v
[1], stderr
);
254 fputs("\n salt = ", stderr
); type_hex
.dump(&v
[2], stderr
);
255 fputs("\nexpected = ", stderr
); type_hex
.dump(&v
[3], stderr
);
256 fputs("\n output = ", stderr
); type_hex
.dump(&d
, stderr
);
261 if (oaep_decode(v
[3].buf
, v
[3].len
, &d
, &o
) < 0 ||
262 d
.len
!= v
[0].len
|| memcmp(d
.buf
, v
[0].buf
, d
.len
) != 0) {
264 fputs("\nfailure in oaep_decode", stderr
);
265 fputs("\n goop = ", stderr
); type_hex
.dump(&v
[3], stderr
);
266 fputs("\n params = ", stderr
); type_hex
.dump(&v
[1], stderr
);
267 fputs("\n salt = ", stderr
); type_hex
.dump(&v
[2], stderr
);
268 fputs("\nexpected = ", stderr
); type_hex
.dump(&v
[0], stderr
);
269 fputs("\n output = ", stderr
); type_hex
.dump(&d
, stderr
);
277 static test_chunk tests
[] = {
278 { "oaep", verify
, { &type_hex
, &type_hex
, &type_hex
, &type_hex
, 0 } },
282 int main(int argc
, char *argv
[])
284 test_run(argc
, argv
, tests
, SRCDIR
"/tests/oaep");
290 /*----- That's all, folks -------------------------------------------------*/