Mercurial > dropbear

comparison libtomcrypt/src/pk/pkcs1/pkcs_1_oaep_decode.c @ 391:00fcf5045160

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
propagate from branch 'au.asn.ucc.matt.ltc.dropbear' (head c1db4398d56c56c6d06ae1e20c1e0d04dbb598ed) to branch 'au.asn.ucc.matt.dropbear' (head d26d5eb2837f46b56a33fb0e7573aa0201abd4d5)
author Matt Johnston <matt@ucc.asn.au>
date Thu, 11 Jan 2007 04:29:08 +0000
parents 0cbe8f6dbf9e
children f849a5ca2efc
comparison
equal deleted inserted replaced
390:d8e44bef7917 391:00fcf5045160
1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
2 *
3 * LibTomCrypt is a library that provides various cryptographic
4 * algorithms in a highly modular and flexible manner.
5 *
6 * The library is free for all purposes without any express
7 * guarantee it works.
8 *
9 * Tom St Denis, [email protected], http://libtomcrypt.com
10 */
11 #include "tomcrypt.h"
12
13 /**
14 @file pkcs_1_oaep_decode.c
15 OAEP Padding for PKCS #1, Tom St Denis
16 */
17
18 #ifdef PKCS_1
19
20 /**
21 PKCS #1 v2.00 OAEP decode
22 @param msg The encoded data to decode
23 @param msglen The length of the encoded data (octets)
24 @param lparam The session or system data (can be NULL)
25 @param lparamlen The length of the lparam
26 @param modulus_bitlen The bit length of the RSA modulus
27 @param hash_idx The index of the hash desired
28 @param out [out] Destination of decoding
29 @param outlen [in/out] The max size and resulting size of the decoding
30 @param res [out] Result of decoding, 1==valid, 0==invalid
31 @return CRYPT_OK if successful (even if invalid)
32 */
33 int pkcs_1_oaep_decode(const unsigned char *msg, unsigned long msglen,
34 const unsigned char *lparam, unsigned long lparamlen,
35 unsigned long modulus_bitlen, int hash_idx,
36 unsigned char *out, unsigned long *outlen,
37 int *res)
38 {
39 unsigned char *DB, *seed, *mask;
40 unsigned long hLen, x, y, modulus_len;
41 int err;
42
43 LTC_ARGCHK(msg != NULL);
44 LTC_ARGCHK(out != NULL);
45 LTC_ARGCHK(outlen != NULL);
46 LTC_ARGCHK(res != NULL);
47
48 /* default to invalid packet */
49 *res = 0;
50
51 /* test valid hash */
52 if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
53 return err;
54 }
55 hLen = hash_descriptor[hash_idx].hashsize;
56 modulus_len = (modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0);
57
58 /* test hash/message size */
59 if ((2*hLen >= (modulus_len - 2)) || (msglen != modulus_len)) {
60 return CRYPT_PK_INVALID_SIZE;
61 }
62
63 /* allocate ram for DB/mask/salt of size modulus_len */
64 DB = XMALLOC(modulus_len);
65 mask = XMALLOC(modulus_len);
66 seed = XMALLOC(hLen);
67 if (DB == NULL || mask == NULL || seed == NULL) {
68 if (DB != NULL) {
69 XFREE(DB);
70 }
71 if (mask != NULL) {
72 XFREE(mask);
73 }
74 if (seed != NULL) {
75 XFREE(seed);
76 }
77 return CRYPT_MEM;
78 }
79
80 /* ok so it's now in the form
81
82 0x00 || maskedseed || maskedDB
83
84 1 || hLen || modulus_len - hLen - 1
85
86 */
87
88 /* must have leading 0x00 byte */
89 if (msg[0] != 0x00) {
90 err = CRYPT_OK;
91 goto LBL_ERR;
92 }
93
94 /* now read the masked seed */
95 x = 1;
96 XMEMCPY(seed, msg + x, hLen);
97 x += hLen;
98
99 /* now read the masked DB */
100 XMEMCPY(DB, msg + x, modulus_len - hLen - 1);
101 x += modulus_len - hLen - 1;
102
103 /* compute MGF1 of maskedDB (hLen) */
104 if ((err = pkcs_1_mgf1(hash_idx, DB, modulus_len - hLen - 1, mask, hLen)) != CRYPT_OK) {
105 goto LBL_ERR;
106 }
107
108 /* XOR against seed */
109 for (y = 0; y < hLen; y++) {
110 seed[y] ^= mask[y];
111 }
112
113 /* compute MGF1 of seed (k - hlen - 1) */
114 if ((err = pkcs_1_mgf1(hash_idx, seed, hLen, mask, modulus_len - hLen - 1)) != CRYPT_OK) {
115 goto LBL_ERR;
116 }
117
118 /* xor against DB */
119 for (y = 0; y < (modulus_len - hLen - 1); y++) {
120 DB[y] ^= mask[y];
121 }
122
123 /* now DB == lhash || PS || 0x01 || M, PS == k - mlen - 2hlen - 2 zeroes */
124
125 /* compute lhash and store it in seed [reuse temps!] */
126 x = modulus_len;
127 if (lparam != NULL) {
128 if ((err = hash_memory(hash_idx, lparam, lparamlen, seed, &x)) != CRYPT_OK) {
129 goto LBL_ERR;
130 }
131 } else {
132 /* can't pass hash_memory a NULL so use DB with zero length */
133 if ((err = hash_memory(hash_idx, DB, 0, seed, &x)) != CRYPT_OK) {
134 goto LBL_ERR;
135 }
136 }
137
138 /* compare the lhash'es */
139 if (XMEMCMP(seed, DB, hLen) != 0) {
140 err = CRYPT_OK;
141 goto LBL_ERR;
142 }
143
144 /* now zeroes before a 0x01 */
145 for (x = hLen; x < (modulus_len - hLen - 1) && DB[x] == 0x00; x++) {
146 /* step... */
147 }
148
149 /* error out if wasn't 0x01 */
150 if (x == (modulus_len - hLen - 1) || DB[x] != 0x01) {
151 err = CRYPT_INVALID_PACKET;
152 goto LBL_ERR;
153 }
154
155 /* rest is the message (and skip 0x01) */
156 if ((modulus_len - hLen - 1 - ++x) > *outlen) {
157 *outlen = modulus_len - hLen - 1 - x;
158 err = CRYPT_BUFFER_OVERFLOW;
159 goto LBL_ERR;
160 }
161
162 /* copy message */
163 *outlen = modulus_len - hLen - 1 - x;
164 XMEMCPY(out, DB + x, modulus_len - hLen - 1 - x);
165 x += modulus_len - hLen - 1;
166
167 /* valid packet */
168 *res = 1;
169
170 err = CRYPT_OK;
171 LBL_ERR:
172 #ifdef LTC_CLEAN_STACK
173 zeromem(DB, modulus_len);
174 zeromem(seed, hLen);
175 zeromem(mask, modulus_len);
176 #endif
177
178 XFREE(seed);
179 XFREE(mask);
180 XFREE(DB);
181
182 return err;
183 }
184
185 #endif /* PKCS_1 */
186
187 /* $Source: /cvs/libtom/libtomcrypt/src/pk/pkcs1/pkcs_1_oaep_decode.c,v $ */
188 /* $Revision: 1.11 $ */
189 /* $Date: 2006/11/01 09:28:17 $ */