Mercurial > dropbear

comparison libtomcrypt/src/pk/pkcs1/pkcs_1_oaep_decode.c @ 285:1b9e69c058d2

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
propagate from branch 'au.asn.ucc.matt.ltc.dropbear' (head 20dccfc09627970a312d77fb41dc2970b62689c3) to branch 'au.asn.ucc.matt.dropbear' (head fdf4a7a3b97ae5046139915de7e40399cceb2c01)
author Matt Johnston <matt@ucc.asn.au>
date Wed, 08 Mar 2006 13:23:58 +0000
parents
children 0cbe8f6dbf9e
comparison
equal deleted inserted replaced
281:997e6f7dc01e 285:1b9e69c058d2
1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
2 *
3 * LibTomCrypt is a library that provides various cryptographic
4 * algorithms in a highly modular and flexible manner.
5 *
6 * The library is free for all purposes without any express
7 * guarantee it works.
8 *
9 * Tom St Denis, [email protected], http://libtomcrypt.org
10 */
11 #include "tomcrypt.h"
12
13 /**
14 @file pkcs_1_oaep_decode.c
15 OAEP Padding for PKCS #1, Tom St Denis
16 */
17
18 #ifdef PKCS_1
19
20 /**
21 PKCS #1 v2.00 OAEP decode
22 @param msg The encoded data to decode
23 @param msglen The length of the encoded data (octets)
24 @param lparam The session or system data (can be NULL)
25 @param lparamlen The length of the lparam
26 @param modulus_bitlen The bit length of the RSA modulus
27 @param hash_idx The index of the hash desired
28 @param out [out] Destination of decoding
29 @param outlen [in/out] The max size and resulting size of the decoding
30 @param res [out] Result of decoding, 1==valid, 0==invalid
31 @return CRYPT_OK if successful (even if invalid)
32 */
33 int pkcs_1_oaep_decode(const unsigned char *msg, unsigned long msglen,
34 const unsigned char *lparam, unsigned long lparamlen,
35 unsigned long modulus_bitlen, int hash_idx,
36 unsigned char *out, unsigned long *outlen,
37 int *res)
38 {
39 unsigned char *DB, *seed, *mask;
40 unsigned long hLen, x, y, modulus_len;
41 int err;
42
43 LTC_ARGCHK(msg != NULL);
44 LTC_ARGCHK(out != NULL);
45 LTC_ARGCHK(outlen != NULL);
46 LTC_ARGCHK(res != NULL);
47
48 /* default to invalid packet */
49 *res = 0;
50
51 /* test valid hash */
52 if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
53 return err;
54 }
55 hLen = hash_descriptor[hash_idx].hashsize;
56 modulus_len = (modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0);
57
58 /* test hash/message size */
59 if ((2*hLen >= (modulus_len - 2)) || (msglen != modulus_len)) {
60 return CRYPT_PK_INVALID_SIZE;
61 }
62
63 /* allocate ram for DB/mask/salt of size modulus_len */
64 DB = XMALLOC(modulus_len);
65 mask = XMALLOC(modulus_len);
66 seed = XMALLOC(hLen);
67 if (DB == NULL || mask == NULL || seed == NULL) {
68 if (DB != NULL) {
69 XFREE(DB);
70 }
71 if (mask != NULL) {
72 XFREE(mask);
73 }
74 if (seed != NULL) {
75 XFREE(seed);
76 }
77 return CRYPT_MEM;
78 }
79
80 /* ok so it's now in the form
81
82 0x00 || maskedseed || maskedDB
83
84 1 || hLen || modulus_len - hLen - 1
85
86 */
87
88 /* must have leading 0x00 byte */
89 if (msg[0] != 0x00) {
90 err = CRYPT_OK;
91 goto LBL_ERR;
92 }
93
94 /* now read the masked seed */
95 x = 1;
96 XMEMCPY(seed, msg + x, hLen);
97 x += hLen;
98
99 /* now read the masked DB */
100 XMEMCPY(DB, msg + x, modulus_len - hLen - 1);
101 x += modulus_len - hLen - 1;
102
103 /* compute MGF1 of maskedDB (hLen) */
104 if ((err = pkcs_1_mgf1(DB, modulus_len - hLen - 1, hash_idx, mask, hLen)) != CRYPT_OK) {
105 goto LBL_ERR;
106 }
107
108 /* XOR against seed */
109 for (y = 0; y < hLen; y++) {
110 seed[y] ^= mask[y];
111 }
112
113 /* compute MGF1 of seed (k - hlen - 1) */
114 if ((err = pkcs_1_mgf1(seed, hLen, hash_idx, mask, modulus_len - hLen - 1)) != CRYPT_OK) {
115 goto LBL_ERR;
116 }
117
118 /* xor against DB */
119 for (y = 0; y < (modulus_len - hLen - 1); y++) {
120 DB[y] ^= mask[y];
121 }
122
123 /* now DB == lhash || PS || 0x01 || M, PS == k - mlen - 2hlen - 2 zeroes */
124
125 /* compute lhash and store it in seed [reuse temps!] */
126 x = modulus_len;
127 if (lparam != NULL) {
128 if ((err = hash_memory(hash_idx, lparam, lparamlen, seed, &x)) != CRYPT_OK) {
129 goto LBL_ERR;
130 }
131 } else {
132 /* can't pass hash_memory a NULL so use DB with zero length */
133 if ((err = hash_memory(hash_idx, DB, 0, seed, &x)) != CRYPT_OK) {
134 goto LBL_ERR;
135 }
136 }
137
138 /* compare the lhash'es */
139 if (memcmp(seed, DB, hLen) != 0) {
140 err = CRYPT_OK;
141 goto LBL_ERR;
142 }
143
144 /* now zeroes before a 0x01 */
145 for (x = hLen; x < (modulus_len - hLen - 1) && DB[x] == 0x00; x++) {
146 /* step... */
147 }
148
149 /* error out if wasn't 0x01 */
150 if (x == (modulus_len - hLen - 1) || DB[x] != 0x01) {
151 err = CRYPT_OK;
152 goto LBL_ERR;
153 }
154
155 /* rest is the message (and skip 0x01) */
156 if ((modulus_len - hLen - 1) - ++x > *outlen) {
157 err = CRYPT_BUFFER_OVERFLOW;
158 goto LBL_ERR;
159 }
160
161 /* copy message */
162 *outlen = (modulus_len - hLen - 1) - x;
163 XMEMCPY(out, DB + x, modulus_len - hLen - 1 - x);
164 x += modulus_len - hLen - 1;
165
166 /* valid packet */
167 *res = 1;
168
169 err = CRYPT_OK;
170 LBL_ERR:
171 #ifdef LTC_CLEAN_STACK
172 zeromem(DB, modulus_len);
173 zeromem(seed, hLen);
174 zeromem(mask, modulus_len);
175 #endif
176
177 XFREE(seed);
178 XFREE(mask);
179 XFREE(DB);
180
181 return err;
182 }
183
184 #endif /* PKCS_1 */
185
186 /* $Source: /cvs/libtom/libtomcrypt/src/pk/pkcs1/pkcs_1_oaep_decode.c,v $ */
187 /* $Revision: 1.5 $ */
188 /* $Date: 2005/06/18 02:37:06 $ */