From ec6325f5897037af068115ff5b83da2c2c17eae4 Mon Sep 17 00:00:00 2001
From: bg <daniel.otte@rub.de>
Date: Mon, 20 Feb 2012 17:34:51 +0100
Subject: [PATCH] + RSA-OAEP decryption

---
 rsa/rsa_oaep.c                | 98 ++++++++++++++++++++++++++++++-----
 rsa/rsa_oaep.h                |  4 ++
 test_src/main-rsa_oaep-test.c | 67 +++++++++++++++++-------
 3 files changed, 139 insertions(+), 30 deletions(-)

diff --git a/rsa/rsa_oaep.c b/rsa/rsa_oaep.c
index 0a5cf76..f39b599 100644
--- a/rsa/rsa_oaep.c
+++ b/rsa/rsa_oaep.c
@@ -31,9 +31,6 @@
 
 #include "hfal/hfal_sha1.h"
 
-#include "cli.h"
-#include "uart_lowlevel.h"
-
 mgf1_parameter_t mgf1_default_parameter = {
 		&sha1_desc
 };
@@ -73,7 +70,6 @@ uint8_t rsa_encrypt_oaep(void* dest, uint16_t* out_length,
 	 * */
 	off = (sizeof(bigint_word_t) -(bigint_get_first_set_bit(key->modulus)/8+1)%(sizeof(bigint_word_t)*8))
 			% (sizeof(bigint_word_t));
-	uart_flush(0);
 	buffer += off;
     buffer_len -= off;
 	uint8_t* seed_buffer = buffer + 1;
@@ -88,7 +84,6 @@ uint8_t rsa_encrypt_oaep(void* dest, uint16_t* out_length,
 	hfal_hash_mem(p->hf, db, label->label, label->length_b);
 	db[db_len - length_B - 1] = 0x01;
 	memcpy(db+db_len - length_B, src, length_B);
-	uart_flush(0);
 	if(seed){
 		memcpy(seed_buffer, seed, hv_len);
 	}else{
@@ -102,23 +97,102 @@ uint8_t rsa_encrypt_oaep(void* dest, uint16_t* out_length,
 		}
 	}
 
-//void mgf1(void* dest, const void* seed, uint16_t seed_len_B, uint16_t out_length_B, const mgf1_parameter_t* p);
-	cli_hexdump_block(dest, buffer_len+off, 4, 8);
 	p->mgf(maskbuffer, seed_buffer, hv_len, db_len, p->mgf_parameter);
 	memxor(db, maskbuffer, db_len);
 	p->mgf(maskbuffer, db, db_len, hv_len, p->mgf_parameter);
 	memxor(seed_buffer, maskbuffer, hv_len);
-	cli_putstr("\r\ngot to 112\r\n");
-	uart_flush(0);
 
 	x.wordv = dest;
 	x.length_B = key->modulus->length_B;
 	bigint_adjust(&x);
-	cli_putstr("\r\ngot to 118\r\n");
-	uart_flush(0);
 
-	rsa_os2ip(&x, NULL, key->modulus->length_B * sizeof(bigint_word_t));
+	rsa_os2ip(&x, NULL, bigint_length_B(key->modulus));
 	rsa_enc(&x, key);
 	rsa_i2osp(NULL, &x, out_length);
 	return 0;
 }
+
+uint8_t rsa_decrypt_oaep(void* dest, uint16_t* out_length,
+		              const void* src, uint16_t length_B,
+		              rsa_privatekey_t* key, const rsa_oaep_parameter_t *p,
+		              const rsa_label_t* label, void* seed){
+
+	if(!label){
+		label = &rsa_oaep_default_label;
+	}
+	if(!p){
+		p = &rsa_oaep_default_parameter;
+	}
+	uint8_t *buffer =  dest;
+	uint16_t x_len, data_len;
+	bigint_t x;
+	uint16_t hv_len = hfal_hash_getHashsize(p->hf)/8;
+	uint8_t label_hv[hv_len];
+	uint16_t msg_len = (bigint_get_first_set_bit(key->modulus)+7)/8;
+	uint16_t db_len = msg_len - 1 - hv_len;
+	uint8_t maskbuffer[db_len>hv_len?db_len:hv_len];
+
+	uint8_t *seed_buffer = buffer + 1;
+	uint8_t *db_buffer = seed_buffer + hv_len;
+
+	x_len = bigint_length_B(key->modulus);
+	memset(dest, 0, x_len - length_B);
+	buffer = (uint8_t*)dest + x_len - length_B;
+	memcpy(buffer, src, length_B);
+
+	x.wordv = dest;
+	x.length_B = key->modulus->length_B;
+	bigint_adjust(&x);
+
+	rsa_os2ip(&x, NULL, bigint_length_B(key->modulus));
+	rsa_dec(&x, key);
+	rsa_i2osp(NULL, &x, &data_len);
+/*
+	if(data_len != x_len){
+		memmove(buffer + x_len - data_len, buffer, data_len);
+		memset(buffer, 0, x_len - data_len);
+	}
+*/
+	if(data_len > msg_len){
+		return 7;
+	}
+
+	memmove(buffer + msg_len - data_len, buffer, data_len);
+
+	hfal_hash_mem(p->hf, label_hv, label->label, label->length_b);
+/*
+	if(buffer[0] != 0){
+		return 1;
+	}
+*/
+	p->mgf(maskbuffer, db_buffer, db_len, hv_len, p->mgf_parameter);
+	memxor(seed_buffer, maskbuffer, hv_len);
+	p->mgf(maskbuffer, seed_buffer, hv_len, db_len, p->mgf_parameter);
+	memxor(db_buffer, maskbuffer, db_len);
+
+	if(memcmp(label_hv, db_buffer, hv_len)){
+		return 2;
+	}
+
+	uint16_t ps_len=0;
+	while(db_buffer[hv_len + ps_len++] == 0)
+		;
+
+	--ps_len;
+	if(db_buffer[hv_len + ps_len] != 1){
+		return 3;
+	}
+
+	if(seed){
+		memcpy(seed, seed_buffer, hv_len);
+	}
+
+	msg_len = db_len - hv_len - 1 - ps_len;
+	memmove(dest, db_buffer + hv_len + ps_len + 1, msg_len);
+
+	*out_length = msg_len;
+
+	return 0;
+}
+
+
diff --git a/rsa/rsa_oaep.h b/rsa/rsa_oaep.h
index 2e63f6e..1aed13b 100644
--- a/rsa/rsa_oaep.h
+++ b/rsa/rsa_oaep.h
@@ -46,5 +46,9 @@ uint8_t rsa_encrypt_oaep(void* dest, uint16_t* out_length,
 		              rsa_publickey_t* key, const rsa_oaep_parameter_t *p,
 		              const rsa_label_t* label, const void* seed);
 
+uint8_t rsa_decrypt_oaep(void* dest, uint16_t* out_length,
+		              const void* src, uint16_t length_B,
+		              rsa_privatekey_t* key, const rsa_oaep_parameter_t *p,
+		              const rsa_label_t* label, void* seed);
 
 #endif /* RSA_OAEP_H_ */
diff --git a/test_src/main-rsa_oaep-test.c b/test_src/main-rsa_oaep-test.c
index 4c06228..62cfe89 100644
--- a/test_src/main-rsa_oaep-test.c
+++ b/test_src/main-rsa_oaep-test.c
@@ -47,7 +47,7 @@ const char* algo_name = "RSA-OAEP";
  * ------------------------------ */
 
 /* RSA modulus n: */
-uint8_t modulus[] = {
+const uint8_t modulus[] = {
 0xa8, 0xb3, 0xb2, 0x84, 0xaf, 0x8e, 0xb5, 0x0b, 0x38, 0x70, 0x34, 0xa8, 0x60, 0xf1, 0x46, 0xc4,
 0x91, 0x9f, 0x31, 0x87, 0x63, 0xcd, 0x6c, 0x55, 0x98, 0xc8, 0xae, 0x48, 0x11, 0xa1, 0xe0, 0xab,
 0xc4, 0xc7, 0xe0, 0xb0, 0x82, 0xd6, 0x93, 0xa5, 0xe7, 0xfc, 0xed, 0x67, 0x5c, 0xf4, 0x66, 0x85,
@@ -59,12 +59,12 @@ uint8_t modulus[] = {
 };
 
 /* RSA public exponent e: */
-uint8_t public_exponent[] = {
+const uint8_t public_exponent[] = {
 0x00, 0x01, 0x00, 0x01
 };
 
 /* RSA private exponent d: */
-uint8_t private_exponent[] = {
+const uint8_t private_exponent[] = {
 0x53, 0x33, 0x9c, 0xfd, 0xb7, 0x9f, 0xc8, 0x46, 0x6a, 0x65, 0x5c, 0x73, 0x16, 0xac, 0xa8, 0x5c,
 0x55, 0xfd, 0x8f, 0x6d, 0xd8, 0x98, 0xfd, 0xaf, 0x11, 0x95, 0x17, 0xef, 0x4f, 0x52, 0xe8, 0xfd,
 0x8e, 0x25, 0x8d, 0xf9, 0x3f, 0xee, 0x18, 0x0f, 0xa0, 0xe4, 0xab, 0x29, 0x69, 0x3c, 0xd8, 0x3b,
@@ -76,7 +76,7 @@ uint8_t private_exponent[] = {
 };
 
 /* Prime p: */
-uint8_t p[] = {
+const uint8_t p[] = {
 0xd3, 0x27, 0x37, 0xe7, 0x26, 0x7f, 0xfe, 0x13, 0x41, 0xb2, 0xd5, 0xc0, 0xd1, 0x50, 0xa8, 0x1b,
 0x58, 0x6f, 0xb3, 0x13, 0x2b, 0xed, 0x2f, 0x8d, 0x52, 0x62, 0x86, 0x4a, 0x9c, 0xb9, 0xf3, 0x0a,
 0xf3, 0x8b, 0xe4, 0x48, 0x59, 0x8d, 0x41, 0x3a, 0x17, 0x2e, 0xfb, 0x80, 0x2c, 0x21, 0xac, 0xf1,
@@ -84,7 +84,7 @@ uint8_t p[] = {
 };
 
 /* Prime q: */
-uint8_t q[] = {
+const uint8_t q[] = {
 0xcc, 0x88, 0x53, 0xd1, 0xd5, 0x4d, 0xa6, 0x30, 0xfa, 0xc0, 0x04, 0xf4, 0x71, 0xf2, 0x81, 0xc7,
 0xb8, 0x98, 0x2d, 0x82, 0x24, 0xa4, 0x90, 0xed, 0xbe, 0xb3, 0x3d, 0x3e, 0x3d, 0x5c, 0xc9, 0x3c,
 0x47, 0x65, 0x70, 0x3d, 0x1d, 0xd7, 0x91, 0x64, 0x2f, 0x1f, 0x11, 0x6a, 0x0d, 0xd8, 0x52, 0xbe,
@@ -92,7 +92,7 @@ uint8_t q[] = {
 };
 
 /* p's CRT exponent dP: */
-uint8_t dp[] = {
+const uint8_t dp[] = {
 0x0e, 0x12, 0xbf, 0x17, 0x18, 0xe9, 0xce, 0xf5, 0x59, 0x9b, 0xa1, 0xc3, 0x88, 0x2f, 0xe8, 0x04,
 0x6a, 0x90, 0x87, 0x4e, 0xef, 0xce, 0x8f, 0x2c, 0xcc, 0x20, 0xe4, 0xf2, 0x74, 0x1f, 0xb0, 0xa3,
 0x3a, 0x38, 0x48, 0xae, 0xc9, 0xc9, 0x30, 0x5f, 0xbe, 0xcb, 0xd2, 0xd7, 0x68, 0x19, 0x96, 0x7d,
@@ -100,7 +100,7 @@ uint8_t dp[] = {
 };
 
 /* q's CRT exponent dQ: */
-uint8_t dq[] = {
+const uint8_t dq[] = {
 0x95, 0x29, 0x7b, 0x0f, 0x95, 0xa2, 0xfa, 0x67, 0xd0, 0x07, 0x07, 0xd6, 0x09, 0xdf, 0xd4, 0xfc,
 0x05, 0xc8, 0x9d, 0xaf, 0xc2, 0xef, 0x6d, 0x6e, 0xa5, 0x5b, 0xec, 0x77, 0x1e, 0xa3, 0x33, 0x73,
 0x4d, 0x92, 0x51, 0xe7, 0x90, 0x82, 0xec, 0xda, 0x86, 0x6e, 0xfe, 0xf1, 0x3c, 0x45, 0x9e, 0x1a,
@@ -108,7 +108,7 @@ uint8_t dq[] = {
 };
 
 /* CRT coefficient qInv: */
-uint8_t qinv[] = {
+const uint8_t qinv[] = {
 0x4f, 0x45, 0x6c, 0x50, 0x24, 0x93, 0xbd, 0xc0, 0xed, 0x2a, 0xb7, 0x56, 0xa3, 0xa6, 0xed, 0x4d,
 0x67, 0x35, 0x2a, 0x69, 0x7d, 0x42, 0x16, 0xe9, 0x32, 0x12, 0xb1, 0x27, 0xa6, 0x3d, 0x54, 0x11,
 0xce, 0x6f, 0xa9, 0x8d, 0x5d, 0xbe, 0xfd, 0x73, 0x26, 0x3e, 0x37, 0x28, 0x14, 0x27, 0x43, 0x81,
@@ -120,19 +120,19 @@ uint8_t qinv[] = {
  * --------------------------------- */
 
 /* Message to be, encrypted: */
-uint8_t message[] = {
+const uint8_t message[] = {
 0x66, 0x28, 0x19, 0x4e, 0x12, 0x07, 0x3d, 0xb0, 0x3b, 0xa9, 0x4c, 0xda, 0x9e, 0xf9, 0x53, 0x23,
 0x97, 0xd5, 0x0d, 0xba, 0x79, 0xb9, 0x87, 0x00, 0x4a, 0xfe, 0xfe, 0x34
 };
 
 /* Seed: */
-uint8_t seed[] = {
+const uint8_t seed[] = {
 0x18, 0xb7, 0x76, 0xea, 0x21, 0x06, 0x9d, 0x69, 0x77, 0x6a, 0x33, 0xe9, 0x6b, 0xad, 0x48, 0xe1,
 0xdd, 0xa0, 0xa5, 0xef
 };
 
 /* Encryption: */
-uint8_t encrypted[] = {
+const uint8_t encrypted[] = {
 0x35, 0x4f, 0xe6, 0x7b, 0x4a, 0x12, 0x6d, 0x5d, 0x35, 0xfe, 0x36, 0xc7, 0x77, 0x79, 0x1a, 0x3f,
 0x7b, 0xa1, 0x3d, 0xef, 0x48, 0x4e, 0x2d, 0x39, 0x08, 0xaf, 0xf7, 0x22, 0xfa, 0xd4, 0x68, 0xfb,
 0x21, 0x69, 0x6d, 0xe9, 0x5d, 0x0b, 0xe9, 0x11, 0xc2, 0xd3, 0x17, 0x4f, 0x8a, 0xfc, 0xc2, 0x01,
@@ -143,6 +143,30 @@ uint8_t encrypted[] = {
 0x40, 0x24, 0x30, 0x9c, 0xe1, 0xec, 0xcc, 0xb5, 0x21, 0x00, 0x35, 0xd4, 0x7a, 0xc7, 0x2e, 0x8a
 };
 
+/* Message to be encrypted: */
+const uint8_t message2[] = {
+0x75, 0x0c, 0x40, 0x47, 0xf5, 0x47, 0xe8, 0xe4, 0x14, 0x11, 0x85, 0x65, 0x23, 0x29, 0x8a, 0xc9,
+0xba, 0xe2, 0x45, 0xef, 0xaf, 0x13, 0x97, 0xfb, 0xe5, 0x6f, 0x9d, 0xd5
+};
+
+/* Seed: */
+const uint8_t seed2[] = {
+0x0c, 0xc7, 0x42, 0xce, 0x4a, 0x9b, 0x7f, 0x32, 0xf9, 0x51, 0xbc, 0xb2, 0x51, 0xef, 0xd9, 0x25,
+0xfe, 0x4f, 0xe3, 0x5f
+};
+
+/* Encryption: */
+const uint8_t encrypted2[] = {
+0x64, 0x0d, 0xb1, 0xac, 0xc5, 0x8e, 0x05, 0x68, 0xfe, 0x54, 0x07, 0xe5, 0xf9, 0xb7, 0x01, 0xdf,
+0xf8, 0xc3, 0xc9, 0x1e, 0x71, 0x6c, 0x53, 0x6f, 0xc7, 0xfc, 0xec, 0x6c, 0xb5, 0xb7, 0x1c, 0x11,
+0x65, 0x98, 0x8d, 0x4a, 0x27, 0x9e, 0x15, 0x77, 0xd7, 0x30, 0xfc, 0x7a, 0x29, 0x93, 0x2e, 0x3f,
+0x00, 0xc8, 0x15, 0x15, 0x23, 0x6d, 0x8d, 0x8e, 0x31, 0x01, 0x7a, 0x7a, 0x09, 0xdf, 0x43, 0x52,
+0xd9, 0x04, 0xcd, 0xeb, 0x79, 0xaa, 0x58, 0x3a, 0xdc, 0xc3, 0x1e, 0xa6, 0x98, 0xa4, 0xc0, 0x52,
+0x83, 0xda, 0xba, 0x90, 0x89, 0xbe, 0x54, 0x91, 0xf6, 0x7c, 0x1a, 0x4e, 0xe4, 0x8d, 0xc7, 0x4b,
+0xbb, 0xe6, 0x64, 0x3a, 0xef, 0x84, 0x66, 0x79, 0xb4, 0xcb, 0x39, 0x5a, 0x35, 0x2d, 0x5e, 0xd1,
+0x15, 0x91, 0x2d, 0xf6, 0x96, 0xff, 0xe0, 0x70, 0x29, 0x32, 0x94, 0x6d, 0x71, 0x49, 0x2b, 0x44
+};
+
 rsa_publickey_t pub_key;
 rsa_privatekey_t priv_key;
 
@@ -237,12 +261,13 @@ void load_fix_rsa(void){
 }
 
 
-#define MSG message
-#define SEED seed
+#define MSG       message2
+#define SEED      seed2
+#define ENCRYPTED encrypted2
 
 void quick_test(void){
 	uint8_t *ciphertext, *plaintext, rc;
-	uint16_t clen; //, plen;
+	uint16_t clen, plen;
 	ciphertext = malloc(clen = pub_key.modulus->length_B * sizeof(bigint_word_t));
 	plaintext = malloc(pub_key.modulus->length_B * sizeof(bigint_word_t));
 //	memcpy(ciphertext, message1, sizeof(message1));
@@ -258,17 +283,23 @@ void quick_test(void){
 	}
 	cli_putstr("\r\n\r\nciphertext:");
 	cli_hexdump_block(ciphertext, clen, 4, 8);
+	if(clen!=sizeof(ENCRYPTED) || memcmp(ENCRYPTED, ciphertext, clen)){
+		cli_putstr("\r\n>>FAIL<<");
+	}else{
+		cli_putstr("\r\n>>OK<<");
+	}
 	uart_flush(0);
-/*
-	rc = rsa_decrypt_pkcs15(plaintext, &plen, ciphertext, clen, &priv_key, NULL);
+
+
+	rc = rsa_decrypt_oaep(plaintext, &plen, ciphertext, clen, &priv_key, NULL, NULL, NULL);
 	if(rc){
-		cli_putstr("\r\nERROR: rsa_encrypt_pkcs15 returned: ");
+		cli_putstr("\r\nERROR: rsa_decrypt_oaep returned: ");
 		cli_hexdump_byte(rc);
 		return;
 	}
 	cli_putstr("\r\n\r\nplaintext:");
 	cli_hexdump_block(plaintext, plen, 4, 8);
-*/
+
 	free(ciphertext);
 	free(plaintext);
 }
-- 
2.39.2