Allow only one error return, to frustrate Manger's attack against OAEP.

[catacomb] / oaep.c

/* -*-c-*-
 *
 * $Id: oaep.c,v 1.4 2002/01/13 13:50:21 mdw Exp $
 *
 * Optimal asymmetric encryption packing
 *
 * (c) 2000 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------* 
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 * 
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 * 
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Revision history --------------------------------------------------* 
 *
 * $Log: oaep.c,v $
 * Revision 1.4  2002/01/13 13:50:21  mdw
 * Allow only one error return, to frustrate Manger's attack against OAEP.
 *
 * Revision 1.3  2001/02/22 09:04:39  mdw
 * Fix memory leaks.
 *
 * Revision 1.2  2000/07/15 10:01:48  mdw
 * Test rig added, based on RIPEMD160-MGF1 test vectors.
 *
 * Revision 1.1  2000/07/01 11:18:30  mdw
 * Support for Optimal Asymmetric Encryption Padding.
 *
 */

/*----- Header files ------------------------------------------------------*/

#include <string.h>

#include <mLib/alloc.h>
#include <mLib/bits.h>
#include <mLib/dstr.h>

#include "gcipher.h"
#include "ghash.h"
#include "grand.h"
#include "oaep.h"

/*----- Main code ---------------------------------------------------------*/

/* --- @oaep_encode@ --- *
 *
 * Arguments:   @const void *msg@ = pointer to message data
 *              @size_t msz@ = size of message data
 *              @void *buf@ = pointer to output buffer
 *              @size_t sz@ = size of the output buffer
 *              @void *p@ = pointer to OAEP parameter block
 *
 * Returns:     Zero if all went well, negative on failure.
 *
 * Use:         Implements the operation @EME-OAEP-ENCODE@, as defined in
 *              PKCS#1 v. 2.0 (RFC2437).
 */

int oaep_encode(const void *msg, size_t msz, void *buf, size_t sz, void *p)
{
  oaep *o = p;
  size_t hsz = o->ch->hashsz;
  ghash *h;
  octet *q, *mq, *qq;
  octet *pp;
  gcipher *c;
  size_t n;

  /* --- Ensure that everything is sensibly sized --- */

  if (2 * hsz + 2 + msz > sz)
    return (-1);

  /* --- Make the `seed' value --- */

  q = buf;
  *q++ = 0; sz--;
  mq = q + hsz;
  qq = q + sz;
  o->r->ops->fill(o->r, q, hsz);

  /* --- Fill in the rest of the buffer --- */

  h = o->ch->init();
  h->ops->hash(h, o->ep, o->epsz);
  h->ops->done(h, mq);
  h->ops->destroy(h);
  pp = mq + hsz;
  n = sz - 2 * hsz - msz - 1;
  memset(pp, 0, n);
  pp += n;
  *pp++ = 1;
  memcpy(pp, msg, msz);

  /* --- Do the packing --- */

  n = sz - hsz;
  c = o->cc->init(q, hsz);
  c->ops->encrypt(c, mq, mq, n);
  c->ops->destroy(c);

  c = o->cc->init(mq, n);
  c->ops->encrypt(c, q, q, hsz);
  c->ops->destroy(c);

  /* --- Done --- */

  return (0);
}

/* --- @oaep_decode@ --- *
 *
 * Arguments:   @const void *buf@ = pointer to encoded buffer
 *              @size_t sz@ = size of the encoded buffer
 *              @dstr *d@ = pointer to destination string
 *              @void *p@ = pointer to OAEP parameter block
 *
 * Returns:     The length of the output string if successful, negative on
 *              failure.
 *
 * Use:         Implements the operation @EME-OAEP-DECODE@, as defined in
 *              PKCS#1 v. 2.0 (RFC2437).
 */

int oaep_decode(const void *buf, size_t sz, dstr *d, void *p)
{
  oaep *o = p;
  gcipher *c;
  ghash *h;
  octet *q, *mq, *qq;
  octet *pp;
  size_t n;
  size_t hsz = o->ch->hashsz;
  int rc = -1;

  /* --- Ensure that the block is large enough --- */

  if (sz < 2 * hsz)
    return (-1);

  q = x_alloc(d->a, sz);
  memcpy(q, buf, sz);

  /* --- Decrypt the message --- */

  q++; sz--;
  mq = q + hsz;
  qq = q + sz;
  n = sz - hsz;
  c = o->cc->init(mq, n);
  c->ops->decrypt(c, q, q, hsz);
  c->ops->destroy(c);

  c = o->cc->init(q, hsz);
  c->ops->decrypt(c, mq, mq, n);
  c->ops->destroy(c);
  q--;

  /* --- Check the hash on the encoding parameters --- */

  h = o->ch->init();
  h->ops->hash(h, o->ep, o->epsz);
  h->ops->done(h, q);
  h->ops->destroy(h);
  if ((memcmp(q, mq, hsz) != 0) || (*q != 0))
    goto fail;

  /* --- Now find the start of the actual message --- */

  pp = mq + hsz;
  while (*pp == 0 && pp < qq)
    pp++;
  if (pp >= qq || *pp++ != 1)
    return (-1);
  n = qq - pp;
  dstr_putm(d, pp, n);
  rc = n;

fail:
  x_free(d->a, q);
  return (rc);
}

/*----- Test rig ----------------------------------------------------------*/

#ifdef TEST_RIG

#include <mLib/testrig.h>

#include "rmd160.h"
#include "rmd160-mgf.h"

typedef struct gctx {
  grand r;
  octet *buf;
} gctx;

static void rfill(grand *r, void *buf, size_t sz)
{
  gctx *g = (gctx *)r;
  memcpy(buf, g->buf, sz);
}

static const grand_ops gops = {
  "const", 0, 0,
  0, 0,
  0, 0, 0, 0, rfill
};

static int verify(dstr *v)
{
  gctx gr;
  dstr d = DSTR_INIT;
  oaep o;
  int ok = 1;

  dstr_ensure(&d, v[3].len);
  d.len = v[3].len;
  gr.r.ops = &gops;
  gr.buf = (octet *)v[2].buf;

  o.cc = &rmd160_mgf;
  o.ch = &rmd160;
  o.r = &gr.r;
  o.ep = v[1].buf;
  o.epsz = v[1].len;

  if (oaep_encode(v[0].buf, v[0].len, d.buf, d.len, &o) ||
      memcmp(d.buf, v[3].buf, d.len) != 0) {
    ok = 0;
    fputs("\nfailure in oaep_encode", stderr);
    fputs("\n message = ", stderr); type_hex.dump(&v[0], stderr);
    fputs("\n  params = ", stderr); type_hex.dump(&v[1], stderr);
    fputs("\n    salt = ", stderr); type_hex.dump(&v[2], stderr);
    fputs("\nexpected = ", stderr); type_hex.dump(&v[3], stderr);
    fputs("\n  output = ", stderr); type_hex.dump(&d, stderr);
    fputc('\n', stderr);
  }

  DRESET(&d);
  if (oaep_decode(v[3].buf, v[3].len, &d, &o) < 0 ||
      d.len != v[0].len || memcmp(d.buf, v[0].buf, d.len) != 0) {
    ok = 0;
    fputs("\nfailure in oaep_decode", stderr);
    fputs("\n    goop = ", stderr); type_hex.dump(&v[3], stderr);
    fputs("\n  params = ", stderr); type_hex.dump(&v[1], stderr);
    fputs("\n    salt = ", stderr); type_hex.dump(&v[2], stderr);
    fputs("\nexpected = ", stderr); type_hex.dump(&v[0], stderr);
    fputs("\n  output = ", stderr); type_hex.dump(&d, stderr);
    fputc('\n', stderr);
  }

  dstr_destroy(&d);
  return (ok);
}

static test_chunk tests[] = {
  { "oaep", verify, { &type_hex, &type_hex, &type_hex, &type_hex, 0 } },
  { 0, 0, { 0 } }
};

int main(int argc, char *argv[])
{
  test_run(argc, argv, tests, SRCDIR "/tests/oaep");
  return (0);
}

#endif

/*----- That's all, folks -------------------------------------------------*/