rsa_oaep.c revision 9dc0df1bac950d6e491f9a7c7e4888f2b301cb15
/* crypto/rsa/rsa_oaep.c */
/* Written by Ulf Moeller. This software is distributed on an "AS IS"
basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
* for problems with the security proof for the
* original OAEP scheme, which EME-OAEP is based on.
*
* A new proof can be found in E. Fujisaki, T. Okamoto,
* D. Pointcheval, J. Stern, "RSA-OAEP is Still Alive!",
* Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
* The new proof has stronger requirements for the
* underlying permutation: "partial-one-wayness" instead
* of one-wayness. For the RSA function, this is
* an equivalent notion.
*/
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
#include <stdio.h>
#include "cryptlib.h"
{
{
return 0;
}
{
return 0;
}
{
return 0;
}
to[0] = 0;
return 0;
#ifdef PKCS_TESTVECT
"\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
20);
#endif
for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
for (i = 0; i < SHA_DIGEST_LENGTH; i++)
return 1;
}
{
const unsigned char *maskeddb;
int lzero;
int bad = 0;
/* 'num' is the length of the modulus, i.e. does not depend on the
* particular ciphertext. */
goto decoding_err;
if (lzero < 0)
{
/* lzero == -1 */
/* signalling this error immediately after detection might allow
* for side-channel attacks (e.g. timing if 'plen' is huge
* -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
* Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
* so we use a 'bad' flag */
bad = 1;
lzero = 0;
}
{
return -1;
}
for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
for (i = 0; i < dblen; i++)
goto decoding_err;
else
{
for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
if (db[i] != 0x00)
break;
goto decoding_err;
else
{
/* everything looks OK */
{
mlen = -1;
}
else
}
}
return mlen;
/* to avoid chosen ciphertext attacks, the error message should not reveal
* which kind of decoding error happened */
return -1;
}
{
long i, outlen = 0;
unsigned char cnt[4];
EVP_MD_CTX c;
unsigned char md[EVP_MAX_MD_SIZE];
int mdlen;
EVP_MD_CTX_init(&c);
{
{
}
else
{
}
}
EVP_MD_CTX_cleanup(&c);
return 0;
}
{
}
#endif