xref: /freebsd/contrib/bearssl/src/rsa/rsa_oaep_pad.c (revision 2aaf9152a852aba9eb2036b95f4948ee77988826)
1 /*
2  * Copyright (c) 2018 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #include "inner.h"
26 
27 /*
28  * Hash some data. This is put as a separate function so that stack
29  * allocation of the hash function context is done only for the duration
30  * of the hash.
31  */
32 static void
hash_data(const br_hash_class * dig,void * dst,const void * src,size_t len)33 hash_data(const br_hash_class *dig, void *dst, const void *src, size_t len)
34 {
35 	br_hash_compat_context hc;
36 
37 	hc.vtable = dig;
38 	dig->init(&hc.vtable);
39 	dig->update(&hc.vtable, src, len);
40 	dig->out(&hc.vtable, dst);
41 }
42 
43 /* see inner.h */
44 size_t
br_rsa_oaep_pad(const br_prng_class ** rnd,const br_hash_class * dig,const void * label,size_t label_len,const br_rsa_public_key * pk,void * dst,size_t dst_max_len,const void * src,size_t src_len)45 br_rsa_oaep_pad(const br_prng_class **rnd, const br_hash_class *dig,
46 	const void *label, size_t label_len,
47 	const br_rsa_public_key *pk,
48 	void *dst, size_t dst_max_len,
49 	const void *src, size_t src_len)
50 {
51 	size_t k, hlen;
52 	unsigned char *buf;
53 
54 	hlen = br_digest_size(dig);
55 
56 	/*
57 	 * Compute actual modulus length (in bytes).
58 	 */
59 	k = pk->nlen;
60 	while (k > 0 && pk->n[k - 1] == 0) {
61 		k --;
62 	}
63 
64 	/*
65 	 * An error is reported if:
66 	 *  - the modulus is too short;
67 	 *  - the source message length is too long;
68 	 *  - the destination buffer is too short.
69 	 */
70 	if (k < ((hlen << 1) + 2)
71 		|| src_len > (k - (hlen << 1) - 2)
72 		|| dst_max_len < k)
73 	{
74 		return 0;
75 	}
76 
77 	/*
78 	 * Apply padding. At this point, things cannot fail.
79 	 */
80 	buf = dst;
81 
82 	/*
83 	 * Assemble: DB = lHash || PS || 0x01 || M
84 	 * We first place the source message M with memmove(), so that
85 	 * overlaps between source and destination buffers are supported.
86 	 */
87 	memmove(buf + k - src_len, src, src_len);
88 	hash_data(dig, buf + 1 + hlen, label, label_len);
89 	memset(buf + 1 + (hlen << 1), 0, k - src_len - (hlen << 1) - 2);
90 	buf[k - src_len - 1] = 0x01;
91 
92 	/*
93 	 * Make the random seed.
94 	 */
95 	(*rnd)->generate(rnd, buf + 1, hlen);
96 
97 	/*
98 	 * Mask DB with the mask generated from the seed.
99 	 */
100 	br_mgf1_xor(buf + 1 + hlen, k - hlen - 1, dig, buf + 1, hlen);
101 
102 	/*
103 	 * Mask the seed with the mask generated from the masked DB.
104 	 */
105 	br_mgf1_xor(buf + 1, hlen, dig, buf + 1 + hlen, k - hlen - 1);
106 
107 	/*
108 	 * Padding result: EM = 0x00 || maskedSeed || maskedDB.
109 	 */
110 	buf[0] = 0x00;
111 	return k;
112 }
113