diff options
Diffstat (limited to 'src/lib/libcrypto/rsa')
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_asn1.c | 121 | ||||
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_chk.c | 184 | ||||
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_oaep.c | 162 |
3 files changed, 467 insertions, 0 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_asn1.c b/src/lib/libcrypto/rsa/rsa_asn1.c new file mode 100644 index 0000000000..1455a7e0e4 --- /dev/null +++ b/src/lib/libcrypto/rsa/rsa_asn1.c | |||
| @@ -0,0 +1,121 @@ | |||
| 1 | /* rsa_asn1.c */ | ||
| 2 | /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL | ||
| 3 | * project 2000. | ||
| 4 | */ | ||
| 5 | /* ==================================================================== | ||
| 6 | * Copyright (c) 2000 The OpenSSL Project. All rights reserved. | ||
| 7 | * | ||
| 8 | * Redistribution and use in source and binary forms, with or without | ||
| 9 | * modification, are permitted provided that the following conditions | ||
| 10 | * are met: | ||
| 11 | * | ||
| 12 | * 1. Redistributions of source code must retain the above copyright | ||
| 13 | * notice, this list of conditions and the following disclaimer. | ||
| 14 | * | ||
| 15 | * 2. Redistributions in binary form must reproduce the above copyright | ||
| 16 | * notice, this list of conditions and the following disclaimer in | ||
| 17 | * the documentation and/or other materials provided with the | ||
| 18 | * distribution. | ||
| 19 | * | ||
| 20 | * 3. All advertising materials mentioning features or use of this | ||
| 21 | * software must display the following acknowledgment: | ||
| 22 | * "This product includes software developed by the OpenSSL Project | ||
| 23 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" | ||
| 24 | * | ||
| 25 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | ||
| 26 | * endorse or promote products derived from this software without | ||
| 27 | * prior written permission. For written permission, please contact | ||
| 28 | * licensing@OpenSSL.org. | ||
| 29 | * | ||
| 30 | * 5. Products derived from this software may not be called "OpenSSL" | ||
| 31 | * nor may "OpenSSL" appear in their names without prior written | ||
| 32 | * permission of the OpenSSL Project. | ||
| 33 | * | ||
| 34 | * 6. Redistributions of any form whatsoever must retain the following | ||
| 35 | * acknowledgment: | ||
| 36 | * "This product includes software developed by the OpenSSL Project | ||
| 37 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" | ||
| 38 | * | ||
| 39 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | ||
| 40 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
| 41 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | ||
| 42 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | ||
| 43 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
| 44 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
| 45 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
| 46 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
| 47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | ||
| 48 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
| 49 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | ||
| 50 | * OF THE POSSIBILITY OF SUCH DAMAGE. | ||
| 51 | * ==================================================================== | ||
| 52 | * | ||
| 53 | * This product includes cryptographic software written by Eric Young | ||
| 54 | * (eay@cryptsoft.com). This product includes software written by Tim | ||
| 55 | * Hudson (tjh@cryptsoft.com). | ||
| 56 | * | ||
| 57 | */ | ||
| 58 | |||
| 59 | #include <stdio.h> | ||
| 60 | #include "cryptlib.h" | ||
| 61 | #include <openssl/bn.h> | ||
| 62 | #include <openssl/rsa.h> | ||
| 63 | #include <openssl/asn1t.h> | ||
| 64 | |||
| 65 | static ASN1_METHOD method={ | ||
| 66 | (int (*)()) i2d_RSAPrivateKey, | ||
| 67 | (char *(*)())d2i_RSAPrivateKey, | ||
| 68 | (char *(*)())RSA_new, | ||
| 69 | (void (*)()) RSA_free}; | ||
| 70 | |||
| 71 | ASN1_METHOD *RSAPrivateKey_asn1_meth(void) | ||
| 72 | { | ||
| 73 | return(&method); | ||
| 74 | } | ||
| 75 | |||
| 76 | /* Override the default free and new methods */ | ||
| 77 | static int rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it) | ||
| 78 | { | ||
| 79 | if(operation == ASN1_OP_NEW_PRE) { | ||
| 80 | *pval = (ASN1_VALUE *)RSA_new(); | ||
| 81 | if(*pval) return 2; | ||
| 82 | return 0; | ||
| 83 | } else if(operation == ASN1_OP_FREE_PRE) { | ||
| 84 | RSA_free((RSA *)*pval); | ||
| 85 | *pval = NULL; | ||
| 86 | return 2; | ||
| 87 | } | ||
| 88 | return 1; | ||
| 89 | } | ||
| 90 | |||
| 91 | ASN1_SEQUENCE_cb(RSAPrivateKey, rsa_cb) = { | ||
| 92 | ASN1_SIMPLE(RSA, version, LONG), | ||
| 93 | ASN1_SIMPLE(RSA, n, BIGNUM), | ||
| 94 | ASN1_SIMPLE(RSA, e, BIGNUM), | ||
| 95 | ASN1_SIMPLE(RSA, d, BIGNUM), | ||
| 96 | ASN1_SIMPLE(RSA, p, BIGNUM), | ||
| 97 | ASN1_SIMPLE(RSA, q, BIGNUM), | ||
| 98 | ASN1_SIMPLE(RSA, dmp1, BIGNUM), | ||
| 99 | ASN1_SIMPLE(RSA, dmq1, BIGNUM), | ||
| 100 | ASN1_SIMPLE(RSA, iqmp, BIGNUM) | ||
| 101 | } ASN1_SEQUENCE_END_cb(RSA, RSAPrivateKey) | ||
| 102 | |||
| 103 | |||
| 104 | ASN1_SEQUENCE_cb(RSAPublicKey, rsa_cb) = { | ||
| 105 | ASN1_SIMPLE(RSA, n, BIGNUM), | ||
| 106 | ASN1_SIMPLE(RSA, e, BIGNUM), | ||
| 107 | } ASN1_SEQUENCE_END_cb(RSA, RSAPublicKey) | ||
| 108 | |||
| 109 | IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPrivateKey, RSAPrivateKey) | ||
| 110 | |||
| 111 | IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPublicKey, RSAPublicKey) | ||
| 112 | |||
| 113 | RSA *RSAPublicKey_dup(RSA *rsa) | ||
| 114 | { | ||
| 115 | return ASN1_item_dup(ASN1_ITEM_rptr(RSAPublicKey), rsa); | ||
| 116 | } | ||
| 117 | |||
| 118 | RSA *RSAPrivateKey_dup(RSA *rsa) | ||
| 119 | { | ||
| 120 | return ASN1_item_dup(ASN1_ITEM_rptr(RSAPrivateKey), rsa); | ||
| 121 | } | ||
diff --git a/src/lib/libcrypto/rsa/rsa_chk.c b/src/lib/libcrypto/rsa/rsa_chk.c new file mode 100644 index 0000000000..91b9115798 --- /dev/null +++ b/src/lib/libcrypto/rsa/rsa_chk.c | |||
| @@ -0,0 +1,184 @@ | |||
| 1 | /* crypto/rsa/rsa_chk.c -*- Mode: C; c-file-style: "eay" -*- */ | ||
| 2 | /* ==================================================================== | ||
| 3 | * Copyright (c) 1999 The OpenSSL Project. All rights reserved. | ||
| 4 | * | ||
| 5 | * Redistribution and use in source and binary forms, with or without | ||
| 6 | * modification, are permitted provided that the following conditions | ||
| 7 | * are met: | ||
| 8 | * | ||
| 9 | * 1. Redistributions of source code must retain the above copyright | ||
| 10 | * notice, this list of conditions and the following disclaimer. | ||
| 11 | * | ||
| 12 | * 2. Redistributions in binary form must reproduce the above copyright | ||
| 13 | * notice, this list of conditions and the following disclaimer in | ||
| 14 | * the documentation and/or other materials provided with the | ||
| 15 | * distribution. | ||
| 16 | * | ||
| 17 | * 3. All advertising materials mentioning features or use of this | ||
| 18 | * software must display the following acknowledgment: | ||
| 19 | * "This product includes software developed by the OpenSSL Project | ||
| 20 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" | ||
| 21 | * | ||
| 22 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | ||
| 23 | * endorse or promote products derived from this software without | ||
| 24 | * prior written permission. For written permission, please contact | ||
| 25 | * openssl-core@OpenSSL.org. | ||
| 26 | * | ||
| 27 | * 5. Products derived from this software may not be called "OpenSSL" | ||
| 28 | * nor may "OpenSSL" appear in their names without prior written | ||
| 29 | * permission of the OpenSSL Project. | ||
| 30 | * | ||
| 31 | * 6. Redistributions of any form whatsoever must retain the following | ||
| 32 | * acknowledgment: | ||
| 33 | * "This product includes software developed by the OpenSSL Project | ||
| 34 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" | ||
| 35 | * | ||
| 36 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | ||
| 37 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
| 38 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | ||
| 39 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | ||
| 40 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
| 41 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
| 42 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
| 43 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
| 44 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | ||
| 45 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
| 46 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | ||
| 47 | * OF THE POSSIBILITY OF SUCH DAMAGE. | ||
| 48 | * ==================================================================== | ||
| 49 | */ | ||
| 50 | |||
| 51 | #include <openssl/bn.h> | ||
| 52 | #include <openssl/err.h> | ||
| 53 | #include <openssl/rsa.h> | ||
| 54 | |||
| 55 | |||
| 56 | int RSA_check_key(RSA *key) | ||
| 57 | { | ||
| 58 | BIGNUM *i, *j, *k, *l, *m; | ||
| 59 | BN_CTX *ctx; | ||
| 60 | int r; | ||
| 61 | int ret=1; | ||
| 62 | |||
| 63 | i = BN_new(); | ||
| 64 | j = BN_new(); | ||
| 65 | k = BN_new(); | ||
| 66 | l = BN_new(); | ||
| 67 | m = BN_new(); | ||
| 68 | ctx = BN_CTX_new(); | ||
| 69 | if (i == NULL || j == NULL || k == NULL || l == NULL || | ||
| 70 | m == NULL || ctx == NULL) | ||
| 71 | { | ||
| 72 | ret = -1; | ||
| 73 | RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE); | ||
| 74 | goto err; | ||
| 75 | } | ||
| 76 | |||
| 77 | /* p prime? */ | ||
| 78 | r = BN_is_prime(key->p, BN_prime_checks, NULL, NULL, NULL); | ||
| 79 | if (r != 1) | ||
| 80 | { | ||
| 81 | ret = r; | ||
| 82 | if (r != 0) | ||
| 83 | goto err; | ||
| 84 | RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME); | ||
| 85 | } | ||
| 86 | |||
| 87 | /* q prime? */ | ||
| 88 | r = BN_is_prime(key->q, BN_prime_checks, NULL, NULL, NULL); | ||
| 89 | if (r != 1) | ||
| 90 | { | ||
| 91 | ret = r; | ||
| 92 | if (r != 0) | ||
| 93 | goto err; | ||
| 94 | RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME); | ||
| 95 | } | ||
| 96 | |||
| 97 | /* n = p*q? */ | ||
| 98 | r = BN_mul(i, key->p, key->q, ctx); | ||
| 99 | if (!r) { ret = -1; goto err; } | ||
| 100 | |||
| 101 | if (BN_cmp(i, key->n) != 0) | ||
| 102 | { | ||
| 103 | ret = 0; | ||
| 104 | RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q); | ||
| 105 | } | ||
| 106 | |||
| 107 | /* d*e = 1 mod lcm(p-1,q-1)? */ | ||
| 108 | |||
| 109 | r = BN_sub(i, key->p, BN_value_one()); | ||
| 110 | if (!r) { ret = -1; goto err; } | ||
| 111 | r = BN_sub(j, key->q, BN_value_one()); | ||
| 112 | if (!r) { ret = -1; goto err; } | ||
| 113 | |||
| 114 | /* now compute k = lcm(i,j) */ | ||
| 115 | r = BN_mul(l, i, j, ctx); | ||
| 116 | if (!r) { ret = -1; goto err; } | ||
| 117 | r = BN_gcd(m, i, j, ctx); | ||
| 118 | if (!r) { ret = -1; goto err; } | ||
| 119 | r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */ | ||
| 120 | if (!r) { ret = -1; goto err; } | ||
| 121 | |||
| 122 | r = BN_mod_mul(i, key->d, key->e, k, ctx); | ||
| 123 | if (!r) { ret = -1; goto err; } | ||
| 124 | |||
| 125 | if (!BN_is_one(i)) | ||
| 126 | { | ||
| 127 | ret = 0; | ||
| 128 | RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1); | ||
| 129 | } | ||
| 130 | |||
| 131 | if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) | ||
| 132 | { | ||
| 133 | /* dmp1 = d mod (p-1)? */ | ||
| 134 | r = BN_sub(i, key->p, BN_value_one()); | ||
| 135 | if (!r) { ret = -1; goto err; } | ||
| 136 | |||
| 137 | r = BN_mod(j, key->d, i, ctx); | ||
| 138 | if (!r) { ret = -1; goto err; } | ||
| 139 | |||
| 140 | if (BN_cmp(j, key->dmp1) != 0) | ||
| 141 | { | ||
| 142 | ret = 0; | ||
| 143 | RSAerr(RSA_F_RSA_CHECK_KEY, | ||
| 144 | RSA_R_DMP1_NOT_CONGRUENT_TO_D); | ||
| 145 | } | ||
| 146 | |||
| 147 | /* dmq1 = d mod (q-1)? */ | ||
| 148 | r = BN_sub(i, key->q, BN_value_one()); | ||
| 149 | if (!r) { ret = -1; goto err; } | ||
| 150 | |||
| 151 | r = BN_mod(j, key->d, i, ctx); | ||
| 152 | if (!r) { ret = -1; goto err; } | ||
| 153 | |||
| 154 | if (BN_cmp(j, key->dmq1) != 0) | ||
| 155 | { | ||
| 156 | ret = 0; | ||
| 157 | RSAerr(RSA_F_RSA_CHECK_KEY, | ||
| 158 | RSA_R_DMQ1_NOT_CONGRUENT_TO_D); | ||
| 159 | } | ||
| 160 | |||
| 161 | /* iqmp = q^-1 mod p? */ | ||
| 162 | if(!BN_mod_inverse(i, key->q, key->p, ctx)) | ||
| 163 | { | ||
| 164 | ret = -1; | ||
| 165 | goto err; | ||
| 166 | } | ||
| 167 | |||
| 168 | if (BN_cmp(i, key->iqmp) != 0) | ||
| 169 | { | ||
| 170 | ret = 0; | ||
| 171 | RSAerr(RSA_F_RSA_CHECK_KEY, | ||
| 172 | RSA_R_IQMP_NOT_INVERSE_OF_Q); | ||
| 173 | } | ||
| 174 | } | ||
| 175 | |||
| 176 | err: | ||
| 177 | if (i != NULL) BN_free(i); | ||
| 178 | if (j != NULL) BN_free(j); | ||
| 179 | if (k != NULL) BN_free(k); | ||
| 180 | if (l != NULL) BN_free(l); | ||
| 181 | if (m != NULL) BN_free(m); | ||
| 182 | if (ctx != NULL) BN_CTX_free(ctx); | ||
| 183 | return (ret); | ||
| 184 | } | ||
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c new file mode 100644 index 0000000000..843c40c864 --- /dev/null +++ b/src/lib/libcrypto/rsa/rsa_oaep.c | |||
| @@ -0,0 +1,162 @@ | |||
| 1 | /* crypto/rsa/rsa_oaep.c */ | ||
| 2 | /* Written by Ulf Moeller. This software is distributed on an "AS IS" | ||
| 3 | basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */ | ||
| 4 | |||
| 5 | /* EME_OAEP as defined in RFC 2437 (PKCS #1 v2.0) */ | ||
| 6 | |||
| 7 | #if !defined(NO_SHA) && !defined(NO_SHA1) | ||
| 8 | #include <stdio.h> | ||
| 9 | #include "cryptlib.h" | ||
| 10 | #include <openssl/bn.h> | ||
| 11 | #include <openssl/rsa.h> | ||
| 12 | #include <openssl/sha.h> | ||
| 13 | #include <openssl/rand.h> | ||
| 14 | |||
| 15 | int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen); | ||
| 16 | |||
| 17 | int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, | ||
| 18 | unsigned char *from, int flen, unsigned char *param, int plen) | ||
| 19 | { | ||
| 20 | int i, emlen = tlen - 1; | ||
| 21 | unsigned char *db, *seed; | ||
| 22 | unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH]; | ||
| 23 | |||
| 24 | if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1) | ||
| 25 | { | ||
| 26 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, | ||
| 27 | RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); | ||
| 28 | return (0); | ||
| 29 | } | ||
| 30 | |||
| 31 | if (emlen < 2 * SHA_DIGEST_LENGTH + 1) | ||
| 32 | { | ||
| 33 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL); | ||
| 34 | return (0); | ||
| 35 | } | ||
| 36 | |||
| 37 | dbmask = Malloc(emlen - SHA_DIGEST_LENGTH); | ||
| 38 | if (dbmask == NULL) | ||
| 39 | { | ||
| 40 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); | ||
| 41 | return (0); | ||
| 42 | } | ||
| 43 | |||
| 44 | to[0] = 0; | ||
| 45 | seed = to + 1; | ||
| 46 | db = to + SHA_DIGEST_LENGTH + 1; | ||
| 47 | |||
| 48 | SHA1(param, plen, db); | ||
| 49 | memset(db + SHA_DIGEST_LENGTH, 0, | ||
| 50 | emlen - flen - 2 * SHA_DIGEST_LENGTH - 1); | ||
| 51 | db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01; | ||
| 52 | memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen); | ||
| 53 | RAND_bytes(seed, SHA_DIGEST_LENGTH); | ||
| 54 | #ifdef PKCS_TESTVECT | ||
| 55 | memcpy(seed, | ||
| 56 | "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f", | ||
| 57 | 20); | ||
| 58 | #endif | ||
| 59 | |||
| 60 | MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH); | ||
| 61 | for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++) | ||
| 62 | db[i] ^= dbmask[i]; | ||
| 63 | |||
| 64 | MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH); | ||
| 65 | for (i = 0; i < SHA_DIGEST_LENGTH; i++) | ||
| 66 | seed[i] ^= seedmask[i]; | ||
| 67 | |||
| 68 | Free(dbmask); | ||
| 69 | return (1); | ||
| 70 | } | ||
| 71 | |||
| 72 | int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, | ||
| 73 | unsigned char *from, int flen, int num, unsigned char *param, | ||
| 74 | int plen) | ||
| 75 | { | ||
| 76 | int i, dblen, mlen = -1; | ||
| 77 | unsigned char *maskeddb; | ||
| 78 | int lzero; | ||
| 79 | unsigned char *db, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH]; | ||
| 80 | |||
| 81 | if (--num < 2 * SHA_DIGEST_LENGTH + 1) | ||
| 82 | { | ||
| 83 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); | ||
| 84 | return (-1); | ||
| 85 | } | ||
| 86 | |||
| 87 | dblen = num - SHA_DIGEST_LENGTH; | ||
| 88 | db = Malloc(dblen); | ||
| 89 | if (db == NULL) | ||
| 90 | { | ||
| 91 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); | ||
| 92 | return (-1); | ||
| 93 | } | ||
| 94 | |||
| 95 | lzero = num - flen; | ||
| 96 | maskeddb = from - lzero + SHA_DIGEST_LENGTH; | ||
| 97 | |||
| 98 | MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen); | ||
| 99 | for (i = lzero; i < SHA_DIGEST_LENGTH; i++) | ||
| 100 | seed[i] ^= from[i - lzero]; | ||
| 101 | |||
| 102 | MGF1(db, dblen, seed, SHA_DIGEST_LENGTH); | ||
| 103 | for (i = 0; i < dblen; i++) | ||
| 104 | db[i] ^= maskeddb[i]; | ||
| 105 | |||
| 106 | SHA1(param, plen, phash); | ||
| 107 | |||
| 108 | if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0) | ||
| 109 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); | ||
| 110 | else | ||
| 111 | { | ||
| 112 | for (i = SHA_DIGEST_LENGTH; i < dblen; i++) | ||
| 113 | if (db[i] != 0x00) | ||
| 114 | break; | ||
| 115 | if (db[i] != 0x01 || i++ >= dblen) | ||
| 116 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, | ||
| 117 | RSA_R_OAEP_DECODING_ERROR); | ||
| 118 | else | ||
| 119 | { | ||
| 120 | mlen = dblen - i; | ||
| 121 | if (tlen < mlen) | ||
| 122 | { | ||
| 123 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE); | ||
| 124 | mlen = -1; | ||
| 125 | } | ||
| 126 | else | ||
| 127 | memcpy(to, db + i, mlen); | ||
| 128 | } | ||
| 129 | } | ||
| 130 | Free(db); | ||
| 131 | return (mlen); | ||
| 132 | } | ||
| 133 | |||
| 134 | int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen) | ||
| 135 | { | ||
| 136 | long i, outlen = 0; | ||
| 137 | unsigned char cnt[4]; | ||
| 138 | SHA_CTX c; | ||
| 139 | unsigned char md[SHA_DIGEST_LENGTH]; | ||
| 140 | |||
| 141 | for (i = 0; outlen < len; i++) | ||
| 142 | { | ||
| 143 | cnt[0] = (i >> 24) & 255, cnt[1] = (i >> 16) & 255, | ||
| 144 | cnt[2] = (i >> 8) & 255, cnt[3] = i & 255; | ||
| 145 | SHA1_Init(&c); | ||
| 146 | SHA1_Update(&c, seed, seedlen); | ||
| 147 | SHA1_Update(&c, cnt, 4); | ||
| 148 | if (outlen + SHA_DIGEST_LENGTH <= len) | ||
| 149 | { | ||
| 150 | SHA1_Final(mask + outlen, &c); | ||
| 151 | outlen += SHA_DIGEST_LENGTH; | ||
| 152 | } | ||
| 153 | else | ||
| 154 | { | ||
| 155 | SHA1_Final(md, &c); | ||
| 156 | memcpy(mask + outlen, md, len - outlen); | ||
| 157 | outlen = len; | ||
| 158 | } | ||
| 159 | } | ||
| 160 | return (0); | ||
| 161 | } | ||
| 162 | #endif | ||