1 /*
2  * Pidgin-Encryption OAEP padding routines, from PKCS#1 v2.1
3  *
4  * Copyright (C) 2003 William Tompkins
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
19  *
20  */
21 
22 #include <pk11func.h>
23 #include <keyhi.h>
24 
25 /* for g_assert; PORT_Assert seems disabled... */
26 #include <glib.h>
27 
28 #include "nss_mgf1.h"
29 #include "nss_oaep.h"
30 
/*
 * SHA-1 digest of the empty string.  OAEP hashes the label into the data
 * block; this file always uses the empty label, so the digest is a constant.
 */
static const unsigned char SHA1_NullHash[20] = {
   0xda, 0x39, 0xa3, 0xee, 0x5e,
   0x6b, 0x4b, 0x0d, 0x32, 0x55,
   0xbf, 0xef, 0x95, 0x60, 0x18,
   0x90, 0xaf, 0xd8, 0x07, 0x09
};

/* SHA-1 digest length in bytes; also the OAEP seed length used here. */
static const unsigned int hlen = 20;
38 
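/*
 * Build an OAEP-encoded block (PKCS#1 v2.1, SHA-1, empty label).
 *
 * Layout written into padded_data:
 *    0x00 | seed (hlen) | lHash (hlen) | 0x00 ... 0x00 0x01 | message
 * after which the data block and the seed are masked with mgf1().
 *
 * padded_data  output buffer, must hold padded_len bytes
 * padded_len   size of the encoded block (the modulus size in bytes)
 * data         message to encode
 * data_len     message length; at most oaep_max_unpadded_len(padded_len)
 *
 * Returns 1 on success.  Returns 0 if the message does not fit or the seed
 * could not be generated; the buffer contents are then not a valid block
 * and must not be used.
 */
int oaep_pad_block(unsigned char* padded_data, unsigned int padded_len,
                   const unsigned char* data, unsigned int data_len) {

   /* Fixed overhead: leading 0x00, seed, lHash and the 0x01 separator. */
   const unsigned int overhead = 2 * hlen + 2;

   unsigned char* seed_pos;
   unsigned char* db_pos;
   unsigned char* lhash_pos;
   unsigned char* ps_pos;
   unsigned char* msg_pos;
   unsigned char* padded_end;   /* one AFTER end */
   int ps_len;

   /* Check the lengths with integer arithmetic before any pointer is formed
    * or any byte is written: a short block or an oversized message would
    * otherwise put the seed/lHash writes and msg_pos outside the buffer. */
   if (padded_len < overhead || data_len > padded_len - overhead) return 0;

   seed_pos = padded_data + 1;
   db_pos = seed_pos + hlen;
   lhash_pos = db_pos;
   ps_pos = lhash_pos + hlen;
   msg_pos = padded_data + padded_len - data_len;
   padded_end = padded_data + padded_len;
   ps_len = msg_pos - ps_pos;   /* >= 1, guaranteed by the check above */

   /* Fill the seed with hlen random bytes.  Fail with a return value rather
    * than g_assert(): an assertion can be compiled out, which would let the
    * block be built from whatever bytes the buffer already held. */
   if (PK11_GenerateRandom(seed_pos, hlen) != SECSuccess) return 0;

   *padded_data = 0;

   /* lHash is the SHA-1 constant for the empty label */
   PORT_Memcpy(lhash_pos, SHA1_NullHash, hlen);

   /* padding string: 00 00 ... 00 01 */
   PORT_Memset(ps_pos, 0, ps_len - 1);
   ps_pos[ps_len - 1] = 1;

   PORT_Memcpy(msg_pos, data, data_len);

   /* Mask the data block from the seed, then the seed from the masked data
    * block.  NOTE(review): mgf1() is declared in nss_mgf1.h; presumably it
    * XORs the mask into its first buffer in place -- confirm there. */
   mgf1(db_pos, padded_end - db_pos, seed_pos, hlen);

   mgf1(seed_pos, hlen, db_pos, padded_end - db_pos);

   return 1;
}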
79 
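/*
 * Decode an OAEP block (PKCS#1 v2.1, SHA-1, empty label) and extract the
 * message.
 *
 * unpadded_data     output buffer; the function cannot check its size, so the
 *                   caller must provide oaep_max_unpadded_len(padded_len)
 *                   bytes
 * unpadded_len      receives the message length; set to 0 on failure
 * orig_padded_data  encoded block (left unmodified, a scratch copy is used)
 * padded_len        size of the encoded block
 *
 * Returns 1 on success, 0 if the block is too short, memory is unavailable,
 * or the encoding is invalid.  The caller should not report which of these
 * occurred: telling OAEP decoding failures apart gives a sender a decryption
 * oracle.
 */
int oaep_unpad_block(unsigned char* unpadded_data, unsigned int * unpadded_len,
                     unsigned char* orig_padded_data, unsigned padded_len) {

   /* Smallest valid block: 0x00, seed, lHash, 0x01 and an empty message. */
   const unsigned int min_len = 2 * hlen + 2;
   const unsigned int db_off = 1 + hlen;        /* data block follows seed */
   const unsigned int ps_off = db_off + hlen;   /* padding follows lHash */

   unsigned char* padded_data;
   unsigned char* seed_pos;
   unsigned char* db_pos;
   unsigned int bad;             /* non-zero once any check has failed */
   unsigned int found = 0;       /* 1 once the 0x01 separator was seen */
   unsigned int sep_index = 0;   /* offset of the separator */
   unsigned int i;

   *unpadded_len = 0;

   /* Reject short blocks first; otherwise the data-block length below would
    * wrap around and the lHash comparison would read past the buffer. */
   if (padded_len < min_len) return 0;

   padded_data = PORT_Alloc(padded_len);
   if (padded_data == NULL) return 0;

   PORT_Memcpy(padded_data, orig_padded_data, padded_len);

   seed_pos = padded_data + 1;
   db_pos = padded_data + db_off;

   /* Undo the masking in reverse order: recover the seed from the masked
    * data block, then the data block from the seed. */
   mgf1(seed_pos, hlen, db_pos, padded_len - db_off);

   mgf1(db_pos, padded_len - db_off, seed_pos, hlen);

   /* Evaluate every check before acting on the result, and keep the checks
    * free of secret-dependent branches at source level, so the failing
    * position does not change the control flow (an optimizing compiler is
    * not guaranteed to preserve this). */
   bad = padded_data[0];
   for (i = 0; i < hlen; ++i) {
      bad |= (unsigned int)(db_pos[i] ^ SHA1_NullHash[i]);
   }

   /* Find the first 0x01 after a run of 0x00 bytes.  Any other non-zero
    * byte before it, or no separator at all, makes the block invalid. */
   for (i = ps_off; i < padded_len; ++i) {
      unsigned int b = padded_data[i];
      unsigned int is_zero = ((b - 1u) >> 8) & 1u;          /* 1 iff b == 0 */
      unsigned int is_one = (((b ^ 1u) - 1u) >> 8) & 1u;    /* 1 iff b == 1 */
      unsigned int first_sep = is_one & (found ^ 1u);

      bad |= (found ^ 1u) & (is_zero ^ 1u) & (is_one ^ 1u);
      sep_index |= i & (0u - first_sep);
      found |= first_sep;
   }
   bad |= found ^ 1u;

   if (bad != 0) {
      PORT_ZFree(padded_data, padded_len);
      return 0;
   }

   /* The message is everything after the separator.  The copy length still
    * depends on the message length. */
   *unpadded_len = padded_len - sep_index - 1;
   PORT_Memcpy(unpadded_data, padded_data + sep_index + 1, *unpadded_len);

   /* zeroise the scratch copy, it holds the decoded plaintext */
   PORT_ZFree(padded_data, padded_len);

   return 1;
}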
127 
/*
 * Largest message, in bytes, that fits in an OAEP block of padded_len bytes.
 * The encoding costs 2*hlen + 2 bytes; blocks smaller than that hold nothing
 * and yield 0.
 */
unsigned int oaep_max_unpadded_len(unsigned int padded_len) {
   const unsigned int overhead = 2 * hlen + 2;

   return (padded_len < overhead) ? 0 : padded_len - overhead;
}
134 
135 
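/*
 * Self-test: for block sizes of 512 to 4096 bits (doubling each time) and
 * every message length that fits, pad random data, unpad it again and check
 * that the original message comes back with the original length.
 * Failures are reported through g_assert().
 */
void oaep_test() {
   unsigned int mod_size;

   unsigned char data[4096/8];
   unsigned char pad_data[4096/8];
   unsigned char data_out[4096/8];
   unsigned int data_size;
   unsigned int data_out_len;
   int padded_ok;
   int unpadded_ok;
   SECStatus rv;

   /* overkill, but what the hey.  */

   for (mod_size = 512/8; mod_size <= 4096/8; mod_size *= 2) {
      const unsigned int max_len = oaep_max_unpadded_len(mod_size);

      rv = PK11_GenerateRandom(data, max_len);
      g_assert(rv == SECSuccess);

      for (data_size = 0; data_size <= max_len; ++data_size) {
         /* Make the calls outside g_assert(): with assertions compiled out
          * the calls themselves would vanish and the test would check
          * nothing. */
         padded_ok = oaep_pad_block(pad_data, mod_size, data, data_size);
         g_assert(padded_ok);

         unpadded_ok = oaep_unpad_block(data_out, &data_out_len,
                                        pad_data, mod_size);
         g_assert(unpadded_ok);

         /* length first, so the comparison covers exactly the message */
         g_assert(data_size == data_out_len);
         g_assert(PORT_Memcmp(data_out, data, data_size) == 0);
      }
   }
}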
161