1 /* 2 * Pidgin-Encryption OAEP padding routines, from PKCS#1 v2.1 3 * 4 * Copyright (C) 2003 William Tompkins 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 */ 21 22 #include <pk11func.h> 23 #include <keyhi.h> 24 25 /* for g_assert; PORT_Assert seems disabled... */ 26 #include <glib.h> 27 28 #include "nss_mgf1.h" 29 #include "nss_oaep.h" 30 31 static const unsigned char SHA1_NullHash[20] = {0xda, 0x39, 0xa3, 0xee, 32 0x5e, 0x6b, 0x4b, 0x0d, 33 0x32, 0x55, 0xbf, 0xef, 34 0x95, 0x60, 0x18, 0x90, 35 0xaf, 0xd8, 0x07, 0x09}; 36 37 static const unsigned int hlen = 20; /* SHA1 hash length */ 38 39 int oaep_pad_block(unsigned char* padded_data, unsigned int padded_len, 40 const unsigned char* data, unsigned int data_len) { 41 42 43 unsigned char* seed_pos = padded_data + 1; 44 unsigned char* db_pos = seed_pos + hlen; 45 unsigned char* lhash_pos = db_pos; 46 unsigned char* ps_pos = lhash_pos + hlen; 47 unsigned char* msg_pos = padded_data + padded_len - data_len; 48 unsigned char* padded_end = padded_data + padded_len; /* one AFTER end */ 49 int ps_len = msg_pos - ps_pos; 50 51 SECStatus rv; 52 53 *padded_data = 0; 54 55 /* fill seed_pos with hlen random bytes */ 56 rv = PK11_GenerateRandom(seed_pos, hlen); 57 g_assert(rv == SECSuccess); 58 59 /* fill lhash_pos with sha-1 constant => empty label*/ 60 PORT_Memcpy(lhash_pos, SHA1_NullHash, hlen); 61 62 /* fill ps with 00 00 00 ... 00 01 */ 63 if (ps_len < 1) return 0; 64 PORT_Memset(ps_pos, 0, ps_len - 1); 65 ps_pos[ps_len - 1] = 1; 66 67 /* fill msg_pos with data */ 68 PORT_Memcpy(msg_pos, data, data_len); 69 70 /* Do the masking */ 71 72 73 mgf1(db_pos, padded_end - db_pos, seed_pos, hlen); 74 75 mgf1(seed_pos, hlen, db_pos, padded_end - db_pos); 76 77 return 1; 78 } 79 80 int oaep_unpad_block(unsigned char* unpadded_data, unsigned int * unpadded_len, 81 unsigned char* orig_padded_data, unsigned padded_len) { 82 83 unsigned char* padded_data = PORT_Alloc(padded_len); 84 85 unsigned char* seed_pos = padded_data + 1; 86 unsigned char* db_pos = seed_pos + hlen; 87 unsigned char* lhash_pos = db_pos; 88 unsigned char* ps_pos = lhash_pos + hlen; 89 unsigned char* padded_end = padded_data + padded_len; 90 unsigned char* msg_pos; 91 92 PORT_Memcpy(padded_data, orig_padded_data, padded_len); 93 94 *unpadded_len = 0; 95 96 mgf1(seed_pos, hlen, db_pos, padded_len - (db_pos - padded_data)); 97 98 mgf1(db_pos, padded_len - (db_pos - padded_data), 99 seed_pos, hlen); 100 101 102 if ((PORT_Memcmp(lhash_pos, SHA1_NullHash, hlen) != 0) || 103 (*padded_data != 0)) { 104 PORT_ZFree(padded_data, padded_len); 105 return 0; 106 } 107 108 msg_pos = ps_pos; 109 while ((msg_pos < padded_end) && (*msg_pos == 0)) { 110 ++msg_pos; 111 } 112 113 if ((msg_pos == padded_end) || (*msg_pos != 1)) { 114 PORT_ZFree(padded_data, padded_len); 115 return 0; 116 } 117 118 msg_pos++; 119 120 *unpadded_len = padded_len + padded_data - msg_pos; 121 PORT_Memcpy(unpadded_data, msg_pos, *unpadded_len); 122 123 PORT_ZFree(padded_data, padded_len); 124 125 return 1; 126 } 127 128 unsigned int oaep_max_unpadded_len(unsigned int padded_len) { 129 int extrastuff = 2 *hlen + 2; 130 131 if (padded_len < extrastuff) return 0; 132 return padded_len - extrastuff; 133 } 134 135 136 void oaep_test() { 137 int mod_size = 512/8; 138 139 unsigned char data[4096/8]; 140 unsigned char pad_data[4096/8]; 141 int data_size; 142 unsigned char data_out[4096/8]; 143 unsigned int data_out_len; 144 SECStatus rv; 145 146 /* overkill, but what the hey. */ 147 148 while (mod_size <= 4096/8) { 149 rv = PK11_GenerateRandom(data, oaep_max_unpadded_len(mod_size)); 150 g_assert(rv == SECSuccess); 151 152 for (data_size = 0; data_size <= oaep_max_unpadded_len(mod_size); ++data_size) { 153 g_assert( oaep_pad_block(pad_data, mod_size, data, data_size) ); 154 g_assert( oaep_unpad_block(data_out, &data_out_len, pad_data, mod_size) ); 155 g_assert( memcmp(data_out, data, data_size) == 0); 156 g_assert( data_size == data_out_len); 157 } 158 mod_size *= 2; 159 } 160 } 161