1 files changed, 162 insertions, 0 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
new file mode 100644
index 0000000000..843c40c864
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -0,0 +1,162 @@
+/* crypto/rsa/rsa_oaep.c */
+/* Written by Ulf Moeller. This software is distributed on an "AS IS"
+   basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
+/* EME_OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
+#if !defined(NO_SHA) && !defined(NO_SHA1)
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/sha.h>
+#include <openssl/rand.h>
+int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen);
+int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+             unsigned char *from, int flen, unsigned char *param, int plen)
+    {
+    int i, emlen = tlen - 1;
+    unsigned char *db, *seed;
+    unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
+    if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
+        {
+        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
+               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+        return (0);
+        }
+    if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
+        {
+        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
+        return (0);
+        }
+    
+    dbmask = Malloc(emlen - SHA_DIGEST_LENGTH);
+    if (dbmask == NULL)
+        {
+        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+        return (0);
+        }
+    to[0] = 0;
+    seed = to + 1;
+    db = to + SHA_DIGEST_LENGTH + 1;
+    SHA1(param, plen, db);
+    memset(db + SHA_DIGEST_LENGTH, 0,
+           emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
+    db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
+    memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
+    RAND_bytes(seed, SHA_DIGEST_LENGTH);
+#ifdef PKCS_TESTVECT
+    memcpy(seed,
+           "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
+           20);
+#endif
+    MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
+    for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
+        db[i] ^= dbmask[i];
+    MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
+    for (i = 0; i < SHA_DIGEST_LENGTH; i++)
+        seed[i] ^= seedmask[i];
+    Free(dbmask);
+    return (1);
+    }
+int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
+             unsigned char *from, int flen, int num, unsigned char *param,
+             int plen)
+    {
+    int i, dblen, mlen = -1;
+    unsigned char *maskeddb;
+    int lzero;
+    unsigned char *db, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
+    if (--num < 2 * SHA_DIGEST_LENGTH + 1)
+        {
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+        return (-1);
+        }
+    dblen = num - SHA_DIGEST_LENGTH;
+    db = Malloc(dblen);
+    if (db == NULL)
+        {
+        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+        return (-1);
+        }
+    lzero = num - flen;
+    maskeddb = from - lzero + SHA_DIGEST_LENGTH;
+    
+    MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
+    for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
+        seed[i] ^= from[i - lzero];
+  
+    MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
+    for (i = 0; i < dblen; i++)
+        db[i] ^= maskeddb[i];
+    SHA1(param, plen, phash);
+    if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0)
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+    else
+        {
+        for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
+            if (db[i] != 0x00)
+                break;
+        if (db[i] != 0x01 || i++ >= dblen)
+            RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,
+                   RSA_R_OAEP_DECODING_ERROR);
+        else
+            {
+            mlen = dblen - i;
+            if (tlen < mlen)
+                {
+                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
+                mlen = -1;
+                }
+            else
+                memcpy(to, db + i, mlen);
+            }
+        }
+    Free(db);
+    return (mlen);
+    }
+int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen)
+    {
+    long i, outlen = 0;
+    unsigned char cnt[4];
+    SHA_CTX c;
+    unsigned char md[SHA_DIGEST_LENGTH];
+    for (i = 0; outlen < len; i++)
+        {
+        cnt[0] = (i >> 24) & 255, cnt[1] = (i >> 16) & 255,
+          cnt[2] = (i >> 8) & 255, cnt[3] = i & 255;
+        SHA1_Init(&c);
+        SHA1_Update(&c, seed, seedlen);
+        SHA1_Update(&c, cnt, 4);
+        if (outlen + SHA_DIGEST_LENGTH <= len)
+            {
+            SHA1_Final(mask + outlen, &c);
+            outlen += SHA_DIGEST_LENGTH;
+            }
+        else
+            {
+            SHA1_Final(md, &c);
+            memcpy(mask + outlen, md, len - outlen);
+            outlen = len;
+            }
+        }
+    return (0);
+    }
+#endif

diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c new file mode 100644 index 0000000000..843c40c864 --- /dev/null +++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -0,0 +1,162 @@
	1	/* crypto/rsa/rsa_oaep.c */
	2	/* Written by Ulf Moeller. This software is distributed on an "AS IS"
	3	basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
	4
	5	/* EME_OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
	6
	7	#if !defined(NO_SHA) && !defined(NO_SHA1)
	8	#include <stdio.h>
	9	#include "cryptlib.h"
	10	#include <openssl/bn.h>
	11	#include <openssl/rsa.h>
	12	#include <openssl/sha.h>
	13	#include <openssl/rand.h>
	14
	15	int MGF1(unsigned char mask, long len, unsigned char seed, long seedlen);
	16
	17	int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
	18	unsigned char from, int flen, unsigned char param, int plen)
	19	{
	20	int i, emlen = tlen - 1;
	21	unsigned char db, seed;
	22	unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
	23
	24	if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
	25	{
	26	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
	27	RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
	28	return (0);
	29	}
	30
	31	if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
	32	{
	33	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
	34	return (0);
	35	}
	36
	37	dbmask = Malloc(emlen - SHA_DIGEST_LENGTH);
	38	if (dbmask == NULL)
	39	{
	40	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
	41	return (0);
	42	}
	43
	44	to[0] = 0;
	45	seed = to + 1;
	46	db = to + SHA_DIGEST_LENGTH + 1;
	47
	48	SHA1(param, plen, db);
	49	memset(db + SHA_DIGEST_LENGTH, 0,
	50	emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
	51	db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
	52	memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
	53	RAND_bytes(seed, SHA_DIGEST_LENGTH);
	54	#ifdef PKCS_TESTVECT
	55	memcpy(seed,
	56	"\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
	57	20);
	58	#endif
	59
	60	MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
	61	for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
	62	db[i] ^= dbmask[i];
	63
	64	MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
	65	for (i = 0; i < SHA_DIGEST_LENGTH; i++)
	66	seed[i] ^= seedmask[i];
	67
	68	Free(dbmask);
	69	return (1);
	70	}
	71
	72	int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
	73	unsigned char from, int flen, int num, unsigned char param,
	74	int plen)
	75	{
	76	int i, dblen, mlen = -1;
	77	unsigned char *maskeddb;
	78	int lzero;
	79	unsigned char *db, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
	80
	81	if (--num < 2 * SHA_DIGEST_LENGTH + 1)
	82	{
	83	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
	84	return (-1);
	85	}
	86
	87	dblen = num - SHA_DIGEST_LENGTH;
	88	db = Malloc(dblen);
	89	if (db == NULL)
	90	{
	91	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
	92	return (-1);
	93	}
	94
	95	lzero = num - flen;
	96	maskeddb = from - lzero + SHA_DIGEST_LENGTH;
	97
	98	MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
	99	for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
	100	seed[i] ^= from[i - lzero];
	101
	102	MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
	103	for (i = 0; i < dblen; i++)
	104	db[i] ^= maskeddb[i];
	105
	106	SHA1(param, plen, phash);
	107
	108	if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0)
	109	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
	110	else
	111	{
	112	for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
	113	if (db[i] != 0x00)
	114	break;
	115	if (db[i] != 0x01 \|\| i++ >= dblen)
	116	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,
	117	RSA_R_OAEP_DECODING_ERROR);
	118	else
	119	{
	120	mlen = dblen - i;
	121	if (tlen < mlen)
	122	{
	123	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
	124	mlen = -1;
	125	}
	126	else
	127	memcpy(to, db + i, mlen);
	128	}
	129	}
	130	Free(db);
	131	return (mlen);
	132	}
	133
	134	int MGF1(unsigned char mask, long len, unsigned char seed, long seedlen)
	135	{
	136	long i, outlen = 0;
	137	unsigned char cnt[4];
	138	SHA_CTX c;
	139	unsigned char md[SHA_DIGEST_LENGTH];
	140
	141	for (i = 0; outlen < len; i++)
	142	{
	143	cnt[0] = (i >> 24) & 255, cnt[1] = (i >> 16) & 255,
	144	cnt[2] = (i >> 8) & 255, cnt[3] = i & 255;
	145	SHA1_Init(&c);
	146	SHA1_Update(&c, seed, seedlen);
	147	SHA1_Update(&c, cnt, 4);
	148	if (outlen + SHA_DIGEST_LENGTH <= len)
	149	{
	150	SHA1_Final(mask + outlen, &c);
	151	outlen += SHA_DIGEST_LENGTH;
	152	}
	153	else
	154	{
	155	SHA1_Final(md, &c);
	156	memcpy(mask + outlen, md, len - outlen);
	157	outlen = len;
	158	}
	159	}
	160	return (0);
	161	}
	162	#endif