4 This file is part of the ARM-Crypto-Lib.
5 Copyright (C) 2006-2012 Daniel Otte (daniel.otte@rub.de)
7 This program is free software: you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation, either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "rsa_basic.h"
30 #include "random_dummy.h"
32 #include "hfal/hfal_sha1.h"
35 #include "uart_lowlevel.h"
37 mgf1_parameter_t mgf1_default_parameter = {
41 rsa_oaep_parameter_t rsa_oaep_default_parameter = {
44 &mgf1_default_parameter
47 rsa_label_t rsa_oaep_default_label = {
51 uint8_t rsa_encrypt_oaep(void* dest, uint16_t* out_length,
52 const void* src, uint16_t length_B,
53 rsa_publickey_t* key, const rsa_oaep_parameter_t *p,
54 const rsa_label_t* label, const void* seed){
57 p = &rsa_oaep_default_parameter;
60 label = &rsa_oaep_default_label;
62 uint16_t hv_len = (hfal_hash_getHashsize(p->hf)+7)/8;
63 if(length_B > bigint_length_B(key->modulus) - 2*hv_len - 2){
64 /* message too long */
67 uint16_t buffer_len = bigint_length_B(key->modulus);
69 cli_putstr("\r\n buffer_len = ");
70 cli_hexdump_rev(&buffer_len, 2);
71 cli_putstr("\r\n modulus_len = ");
72 cli_hexdump_rev(&key->modulus->length_B, 2);
74 uint8_t* buffer = (uint8_t*)dest;
76 /* the following needs some explanation:
77 * off is the offset which is used for compensating the effect of
78 * changeendian() when it operates on multi-byte words.
80 off = (sizeof(bigint_word_t) -(bigint_get_first_set_bit(key->modulus)/8+1)%(sizeof(bigint_word_t)*8))
81 % (sizeof(bigint_word_t));
84 // cli_putstr("\r\n off = ");
85 // cli_hexdump_byte(off);
86 uint8_t* seed_buffer = buffer + 1;
87 uint16_t db_len = buffer_len - hv_len - 1;
88 uint8_t* db = seed_buffer + hv_len;
89 uint16_t maskbuffer_len = db_len>hv_len?db_len:hv_len;
90 uint8_t maskbuffer[maskbuffer_len];
93 memset(dest, 0, seed_buffer - buffer + off);
94 memset(db + hv_len, 0, db_len - hv_len - length_B -1);
95 hfal_hash_mem(p->hf, db, label->label, label->length_b);
96 db[db_len - length_B - 1] = 0x01;
97 memcpy(db+db_len - length_B, src, length_B);
99 memcpy(seed_buffer, seed, hv_len);
101 /* generate random seed */
103 return 2; /* ERROR: no random generator specified */
106 for(i=0; i<hv_len; ++i){
107 seed_buffer[i] = prng_get_byte();
110 // cli_putstr("\r\n msg (raw, pre-feistel):\r\n");
111 // cli_hexdump_block(dest, bigint_length_B(key->modulus), 4, 16);
112 p->mgf(maskbuffer, seed_buffer, hv_len, db_len, p->mgf_parameter);
113 memxor(db, maskbuffer, db_len);
114 p->mgf(maskbuffer, db, db_len, hv_len, p->mgf_parameter);
115 memxor(seed_buffer, maskbuffer, hv_len);
116 // cli_putstr("\r\n msg (raw, post-feistel):\r\n");
117 // cli_hexdump_block(dest, bigint_length_B(key->modulus), 4, 16);
120 x.length_B = key->modulus->length_B;
123 rsa_os2ip(&x, NULL, bigint_length_B(key->modulus));
125 rsa_i2osp(NULL, &x, out_length);
129 uint8_t rsa_decrypt_oaep(void* dest, uint16_t* out_length,
130 const void* src, uint16_t length_B,
131 rsa_privatekey_t* key, const rsa_oaep_parameter_t *p,
132 const rsa_label_t* label, void* seed){
134 // cli_putstr("\r\n -->rsa_decrypt_oaep()"); uart_flush(0);
136 label = &rsa_oaep_default_label;
139 p = &rsa_oaep_default_parameter;
141 uint16_t x_len, data_len;
143 uint16_t hv_len = hfal_hash_getHashsize(p->hf)/8;
144 uint8_t label_hv[hv_len];
145 uint16_t msg_len = bigint_get_first_set_bit(key->modulus) / 8 + 1;
146 uint16_t db_len = msg_len - hv_len - 1;
147 uint8_t maskbuffer[db_len>hv_len?db_len:hv_len];
149 uint8_t *seed_buffer = dest;
150 uint8_t *db_buffer = seed_buffer + hv_len;
152 x_len = bigint_get_first_set_bit(key->modulus)/8;
153 memset(dest, 0, bigint_length_B(key->modulus) - length_B);
154 memcpy((uint8_t*)dest + bigint_length_B(key->modulus) - length_B, src, length_B);
156 // cli_putc('a'); uart_flush(0);
159 x.length_B = key->modulus->length_B;
164 // cli_putc('b'); uart_flush(0);
165 rsa_os2ip(&x, NULL, bigint_length_B(key->modulus));
166 // cli_putc('c'); uart_flush(0);
168 // cli_putc('d'); uart_flush(0);
169 rsa_i2osp(NULL, &x, &data_len);
171 // cli_putstr("\r\n msg (raw, pre-move):\r\n");
172 // cli_hexdump_block(dest, bigint_length_B(key->modulus), 4, 16);
174 if(data_len > x_len){
178 cli_putstr("\r\n moving some bytes; x_len = ");
179 cli_hexdump_rev(&x_len, 2);
180 cli_putstr(" data_len = ");
181 cli_hexdump_rev(&data_len, 2);
184 if(x_len != data_len){
185 memmove((uint8_t*)dest + x_len - data_len, dest, data_len);
186 // cli_putstr(" (oh, not dead yet?!)");
188 memset(dest, 0, x_len - data_len);
191 hfal_hash_mem(p->hf, label_hv, label->label, label->length_b);
193 cli_putstr("\r\n msg (raw, pre-feistel):\r\n");
194 cli_hexdump_block(seed_buffer, bigint_length_B(key->modulus), 4, 16);
197 p->mgf(maskbuffer, db_buffer, db_len, hv_len, p->mgf_parameter);
198 memxor(seed_buffer, maskbuffer, hv_len);
199 p->mgf(maskbuffer, seed_buffer, hv_len, db_len, p->mgf_parameter);
200 memxor(db_buffer, maskbuffer, db_len);
202 if(memcmp(label_hv, db_buffer, hv_len)){
203 // cli_putstr("\r\nDBG: DB:\r\n");
204 // cli_hexdump_block(db_buffer, db_len, 4, 16);
209 while(db_buffer[hv_len + ps_len++] == 0)
213 if(db_buffer[hv_len + ps_len] != 1){
218 memcpy(seed, seed_buffer, hv_len);
221 msg_len = db_len - hv_len - 1 - ps_len;
222 memmove(dest, db_buffer + hv_len + ps_len + 1, msg_len);
224 *out_length = msg_len;