/**
(PKCS #1 v2.0) decrypt then OAEP depad
@param in The ciphertext
@param inlen The length of the ciphertext (octets)
@param out [out] The plaintext
@param outlen [in/out] The max size and resulting size of the plaintext (octets)
@param lparam The system "lparam" value
@param lparamlen The length of the lparam value (octets)
@param hash_idx The index of the hash desired
@param stat [out] Result of the decryption, 1==valid, 0==invalid
@param key The corresponding private RSA key
@return CRYPT_OK if succcessul (even if invalid)
*/
int rsa_decrypt_key(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen,
const unsigned char *lparam, unsigned long lparamlen,
int hash_idx, int *stat,
rsa_key *key)
{
unsigned long modulus_bitlen, modulus_bytelen, x;
int err;
unsigned char *tmp;
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(key != NULL);
LTC_ARGCHK(stat != NULL);
/* default to invalid */
*stat = 0;
/* valid hash ? */
if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
return err;
}
/* get modulus len in bits */
modulus_bitlen = mp_count_bits( (key->N));
/* outlen must be at least the size of the modulus */
modulus_bytelen = mp_unsigned_bin_size( (key->N));
if (modulus_bytelen != inlen) {
return CRYPT_INVALID_PACKET;
}
/* allocate ram */
tmp = XMALLOC(inlen);
if (tmp == NULL) {
return CRYPT_MEM;
}
/* rsa decode the packet */
x = inlen;
if ((err = ltc_mp.rsa_me(in, inlen, tmp, &x, PK_PRIVATE, key)) != CRYPT_OK) {
XFREE(tmp);
return err;
}
/* now OAEP decode the packet */
err = pkcs_1_oaep_decode(tmp, x, lparam, lparamlen, modulus_bitlen, hash_idx,
out, outlen, stat);
XFREE(tmp);
return err;
}
/**
LTC_PKCS #1 decrypt then v1.5 or OAEP depad
@param in The ciphertext
@param inlen The length of the ciphertext (octets)
@param out [out] The plaintext
@param outlen [in/out] The max size and resulting size of the plaintext (octets)
@param lparam The system "lparam" value
@param lparamlen The length of the lparam value (octets)
@param hash_idx The index of the hash desired
@param padding Type of padding (LTC_LTC_PKCS_1_OAEP or LTC_LTC_PKCS_1_V1_5)
@param stat [out] Result of the decryption, 1==valid, 0==invalid
@param key The corresponding private RSA key
@return CRYPT_OK if succcessul (even if invalid)
*/
int rsa_decrypt_key_ex(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen,
const unsigned char *lparam, unsigned long lparamlen,
int hash_idx, int padding,
int *stat, rsa_key *key)
{
unsigned long modulus_bitlen, modulus_bytelen, x;
int err;
unsigned char *tmp;
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(key != NULL);
LTC_ARGCHK(stat != NULL);
/* default to invalid */
*stat = 0;
/* valid padding? */
if ((padding != LTC_LTC_PKCS_1_V1_5) &&
(padding != LTC_LTC_PKCS_1_OAEP)) {
return CRYPT_PK_INVALID_PADDING;
}
if (padding == LTC_LTC_PKCS_1_OAEP) {
/* valid hash ? */
if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
return err;
}
}
/* get modulus len in bits */
modulus_bitlen = mp_count_bits( (key->N));
/* outlen must be at least the size of the modulus */
modulus_bytelen = mp_unsigned_bin_size( (key->N));
if (modulus_bytelen != inlen) {
return CRYPT_INVALID_PACKET;
}
/* allocate ram */
tmp = XMALLOC(inlen);
if (tmp == NULL) {
return CRYPT_MEM;
}
/* rsa decode the packet */
x = inlen;
if ((err = ltc_mp.rsa_me(in, inlen, tmp, &x, PK_PUBLIC, key)) != CRYPT_OK) {
XFREE(tmp);
return err;
}
if (padding == LTC_LTC_PKCS_1_OAEP) {
/* now OAEP decode the packet */
err = pkcs_1_oaep_decode(tmp, x, lparam, lparamlen, modulus_bitlen, hash_idx,
out, outlen, stat);
} else {
/* now LTC_PKCS #1 v1.5 depad the packet */
err = pkcs_1_v1_5_decode(tmp, x, LTC_LTC_PKCS_1_EME, modulus_bitlen, out, outlen, stat);
}
XFREE(tmp);
return err;
}
int pkcs_1_test(void)
{
unsigned char buf[3][128];
int res1, res2, res3, prng_idx, hash_idx;
unsigned long x, y, l1, l2, l3, i1, i2, lparamlen, saltlen, modlen;
static const unsigned char lparam[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 };
/* get hash/prng */
hash_idx = find_hash("sha1");
prng_idx = find_prng("yarrow");
if (hash_idx == -1 || prng_idx == -1) {
fprintf(stderr, "pkcs_1 tests require sha1/yarrow");
return 1;
}
/* do many tests */
for (x = 0; x < 100; x++) {
zeromem(buf, sizeof(buf));
/* make a dummy message (of random length) */
l3 = (rand() & 31) + 8;
for (y = 0; y < l3; y++) buf[0][y] = rand() & 255;
/* random modulus len (v1.5 must be multiple of 8 though arbitrary sizes seem to work) */
modlen = 800 + 8 * (abs(rand()) % 28);
/* pick a random lparam len [0..16] */
lparamlen = abs(rand()) % 17;
/* pick a random saltlen 0..16 */
saltlen = abs(rand()) % 17;
/* PKCS #1 v2.0 supports modlens not multiple of 8 */
modlen = 800 + (abs(rand()) % 224);
/* encode it */
l1 = sizeof(buf[1]);
DO(pkcs_1_oaep_encode(buf[0], l3, lparam, lparamlen, modlen, &yarrow_prng, prng_idx, hash_idx, buf[1], &l1));
/* decode it */
l2 = sizeof(buf[2]);
DO(pkcs_1_oaep_decode(buf[1], l1, lparam, lparamlen, modlen, hash_idx, buf[2], &l2, &res1));
if (res1 != 1 || l2 != l3 || memcmp(buf[2], buf[0], l3) != 0) {
fprintf(stderr, "Outsize == %lu, should have been %lu, res1 = %d, lparamlen = %lu, msg contents follow.\n", l2, l3, res1, lparamlen);
fprintf(stderr, "ORIGINAL:\n");
for (x = 0; x < l3; x++) {
fprintf(stderr, "%02x ", buf[0][x]);
}
fprintf(stderr, "\nRESULT:\n");
for (x = 0; x < l2; x++) {
fprintf(stderr, "%02x ", buf[2][x]);
}
fprintf(stderr, "\n\n");
return 1;
}
/* test PSS */
l1 = sizeof(buf[1]);
DO(pkcs_1_pss_encode(buf[0], l3, saltlen, &yarrow_prng, prng_idx, hash_idx, modlen, buf[1], &l1));
DO(pkcs_1_pss_decode(buf[0], l3, buf[1], l1, saltlen, hash_idx, modlen, &res1));
buf[0][i1 = abs(rand()) % l3] ^= 1;
DO(pkcs_1_pss_decode(buf[0], l3, buf[1], l1, saltlen, hash_idx, modlen, &res2));
buf[0][i1] ^= 1;
buf[1][i2 = abs(rand()) % l1] ^= 1;
DO(pkcs_1_pss_decode(buf[0], l3, buf[1], l1, saltlen, hash_idx, modlen, &res3));
if (!(res1 == 1 && res2 == 0 && res3 == 0)) {
fprintf(stderr, "PSS failed: %d, %d, %d, %lu, %lu\n", res1, res2, res3, l3, saltlen);
return 1;
}
}
return 0;
}
