3 * $Id: oaep.c,v 1.4 2002/01/13 13:50:21 mdw Exp $
5 * Optimal asymmetric encryption packing
7 * (c) 2000 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Revision history --------------------------------------------------*
33 * Revision 1.4 2002/01/13 13:50:21 mdw
34 * Allow only one error return, to frustrate Manger's attack against OAEP.
36 * Revision 1.3 2001/02/22 09:04:39 mdw
39 * Revision 1.2 2000/07/15 10:01:48 mdw
40 * Test rig added, based on RIPEMD160-MGF1 test vectors.
42 * Revision 1.1 2000/07/01 11:18:30 mdw
43 * Support for Optimal Asymmetric Encryption Padding.
47 /*----- Header files ------------------------------------------------------*/
51 #include <mLib/alloc.h>
52 #include <mLib/bits.h>
53 #include <mLib/dstr.h>
60 /*----- Main code ---------------------------------------------------------*/
62 /* --- @oaep_encode@ --- *
64 * Arguments: @const void *msg@ = pointer to message data
65 * @size_t msz@ = size of message data
66 * @void *buf@ = pointer to output buffer
67 * @size_t sz@ = size of the output buffer
68 * @void *p@ = pointer to OAEP parameter block
70 * Returns: Zero if all went well, negative on failure.
72 * Use: Implements the operation @EME-OAEP-ENCODE@, as defined in
73 * PKCS#1 v. 2.0 (RFC2437).
76 int oaep_encode(const void *msg, size_t msz, void *buf, size_t sz, void *p)
79 size_t hsz = o->ch->hashsz;
86 /* --- Ensure that everything is sensibly sized --- */
88 if (2 * hsz + 2 + msz > sz)
91 /* --- Make the `seed' value --- */
97 o->r->ops->fill(o->r, q, hsz);
99 /* --- Fill in the rest of the buffer --- */
102 h->ops->hash(h, o->ep, o->epsz);
106 n = sz - 2 * hsz - msz - 1;
110 memcpy(pp, msg, msz);
112 /* --- Do the packing --- */
115 c = o->cc->init(q, hsz);
116 c->ops->encrypt(c, mq, mq, n);
119 c = o->cc->init(mq, n);
120 c->ops->encrypt(c, q, q, hsz);
128 /* --- @oaep_decode@ --- *
130 * Arguments: @const void *buf@ = pointer to encoded buffer
131 * @size_t sz@ = size of the encoded buffer
132 * @dstr *d@ = pointer to destination string
133 * @void *p@ = pointer to OAEP parameter block
135 * Returns: The length of the output string if successful, negative on
138 * Use: Implements the operation @EME-OAEP-DECODE@, as defined in
139 * PKCS#1 v. 2.0 (RFC2437).
142 int oaep_decode(const void *buf, size_t sz, dstr *d, void *p)
150 size_t hsz = o->ch->hashsz;
153 /* --- Ensure that the block is large enough --- */
158 q = x_alloc(d->a, sz);
161 /* --- Decrypt the message --- */
167 c = o->cc->init(mq, n);
168 c->ops->decrypt(c, q, q, hsz);
171 c = o->cc->init(q, hsz);
172 c->ops->decrypt(c, mq, mq, n);
176 /* --- Check the hash on the encoding parameters --- */
179 h->ops->hash(h, o->ep, o->epsz);
182 if ((memcmp(q, mq, hsz) != 0) || (*q != 0))
185 /* --- Now find the start of the actual message --- */
188 while (*pp == 0 && pp < qq)
190 if (pp >= qq || *pp++ != 1)
201 /*----- Test rig ----------------------------------------------------------*/
205 #include <mLib/testrig.h>
208 #include "rmd160-mgf.h"
210 typedef struct gctx {
215 static void rfill(grand *r, void *buf, size_t sz)
218 memcpy(buf, g->buf, sz);
221 static const grand_ops gops = {
227 static int verify(dstr *v)
234 dstr_ensure(&d, v[3].len);
237 gr.buf = (octet *)v[2].buf;
245 if (oaep_encode(v[0].buf, v[0].len, d.buf, d.len, &o) ||
246 memcmp(d.buf, v[3].buf, d.len) != 0) {
248 fputs("\nfailure in oaep_encode", stderr);
249 fputs("\n message = ", stderr); type_hex.dump(&v[0], stderr);
250 fputs("\n params = ", stderr); type_hex.dump(&v[1], stderr);
251 fputs("\n salt = ", stderr); type_hex.dump(&v[2], stderr);
252 fputs("\nexpected = ", stderr); type_hex.dump(&v[3], stderr);
253 fputs("\n output = ", stderr); type_hex.dump(&d, stderr);
258 if (oaep_decode(v[3].buf, v[3].len, &d, &o) < 0 ||
259 d.len != v[0].len || memcmp(d.buf, v[0].buf, d.len) != 0) {
261 fputs("\nfailure in oaep_decode", stderr);
262 fputs("\n goop = ", stderr); type_hex.dump(&v[3], stderr);
263 fputs("\n params = ", stderr); type_hex.dump(&v[1], stderr);
264 fputs("\n salt = ", stderr); type_hex.dump(&v[2], stderr);
265 fputs("\nexpected = ", stderr); type_hex.dump(&v[0], stderr);
266 fputs("\n output = ", stderr); type_hex.dump(&d, stderr);
274 static test_chunk tests[] = {
275 { "oaep", verify, { &type_hex, &type_hex, &type_hex, &type_hex, 0 } },
279 int main(int argc, char *argv[])
281 test_run(argc, argv, tests, SRCDIR "/tests/oaep");
287 /*----- That's all, folks -------------------------------------------------*/