From 3a3d2d8659d33746cb6fbed8a390fdc5d2c66541 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Mon, 11 Feb 2002 18:54:35 +0100
Subject: [PATCH] New files for rsa pkcs#1 encryption.

Rev: src/nettle/rsa-decrypt.c:1.1
Rev: src/nettle/rsa-encrypt.c:1.1
Rev: src/nettle/rsa.h:1.10
---
 rsa-decrypt.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++
 rsa-encrypt.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++
 rsa.h         | 37 +++++++++++++++++++++----
 3 files changed, 184 insertions(+), 5 deletions(-)
 create mode 100644 rsa-decrypt.c
 create mode 100644 rsa-encrypt.c

diff --git a/rsa-decrypt.c b/rsa-decrypt.c
new file mode 100644
index 00000000..a4cef7ad
--- /dev/null
+++ b/rsa-decrypt.c
@@ -0,0 +1,75 @@
+/* rsa_decrypt.c
+ *
+ * The RSA publickey algorithm. PKCS#1 encryption.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2001 Niels Möller
+ *  
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ * 
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#include "rsa.h"
+
+#include "bignum.h"
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+int
+rsa_decrypt(struct rsa_private_key *key,
+	    unsigned *length, uint8_t *message,
+	    const mpz_t gibberish)
+{
+  uint8_t *em;
+  uint8_t *terminator;
+  unsigned padding;
+  unsigned message_length;
+  
+  mpz_t m;
+
+  mpz_init(m);
+  rsa_compute_root(key, m, gibberish);
+
+  em = alloca(key->size);
+  nettle_mpz_get_str_256(key->size, em, m);
+  mpz_clear(m);
+
+  /* Check format */
+  if (em[0] || em[1] != 2)
+    return 0;
+
+  terminator = memchr(em + 2, 0, key->size - 2);
+
+  if (!terminator)
+    return 0;
+  
+  padding = terminator - (em + 2);
+  if (padding < 8)
+    return 0;
+
+  message_length = key->size - 3 - padding;
+
+  if (*length < message_length)
+    return 0;
+  
+  memcpy(message, terminator + 1, message_length);
+  *length = message_length;
+
+  return 1;
+}
diff --git a/rsa-encrypt.c b/rsa-encrypt.c
new file mode 100644
index 00000000..162bcd9b
--- /dev/null
+++ b/rsa-encrypt.c
@@ -0,0 +1,77 @@
+/* rsa_encrypt.c
+ *
+ * The RSA publickey algorithm. PKCS#1 encryption.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2001 Niels Möller
+ *  
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ * 
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#include "rsa.h"
+
+#include "bignum.h"
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+int
+rsa_encrypt(struct rsa_public_key *key,
+	    /* For padding */
+	    void *random_ctx, nettle_random_func random,
+	    unsigned length, const uint8_t *message,
+	    mpz_t gibbberish)
+{
+  uint8_t *em;
+  unsigned padding;
+  unsigned i;
+  
+  /* The message is encoded as a string of the same length as the
+   * modulo n, of the form
+   *
+   *   00 02 pad 00 message
+   *
+   * where padding should be at least 8 pseudorandomly generated
+   * *non-zero* octets. */
+     
+  if (length + 11 < key->size)
+    /* Message too long for this key. */
+    return 0;
+
+  /* At least 8 bits of random padding */
+  padding = key->size - length - 3;
+  assert(padding >= 8);
+  
+  em = alloca(key->size - 1);
+  em[0] = 2;
+
+  random(random_ctx, padding, em + 1);
+
+  /* Replace 0-octets with 1 */
+  for (i = 0; i<padding; i++)
+    if (!em[i+1])
+      em[i+1] = 1;
+  
+  memcpy(em + 1 + padding, message, length);
+
+  nettle_mpz_set_str_256(gibbberish, key->size - 1, em);
+  mpz_powm(gibbberish, gibbberish, key->e, key->n);
+
+  return 1;  
+}
diff --git a/rsa.h b/rsa.h
index e480937e..6da8b7bb 100644
--- a/rsa.h
+++ b/rsa.h
@@ -32,6 +32,13 @@
 #include "md5.h"
 #include "sha.h"
 
+/* Randomness function. This typedef doesn't really belong here, but
+ * so far it's used only by rsa functions (encryption and key
+ * generation) */
+typedef void (*nettle_random_func)(void *ctx,
+				   unsigned length, uint8_t *dst);
+
+
 /* For PKCS#1 to make sense, the size of the modulo, in octets, must
  * be at least 11 + the length of the DER-encoded Digest Info.
  *
@@ -144,6 +151,31 @@ rsa_sha1_verify(struct rsa_public_key *key,
                 struct sha1_ctx *hash,
 		const mpz_t signature);
 
+
+/* RSA encryption, using PKCS#1 */
+/* FIXME: These functions uses the v1.5 padding. What should the v2
+ * (OAEP) functions be called? */
+
+/* Returns 1 on success, 0 on failure, which happens if the
+ * message is too long for the key. */
+int
+rsa_encrypt(struct rsa_public_key *key,
+	    /* For padding */
+	    void *random_ctx, nettle_random_func random,
+	    unsigned length, const uint8_t *message,
+	    mpz_t gibbberish);
+
+/* Message must point to a buffer of size *LENGTH. KEY->size is enough
+ * for all valid messages. On success, *LENGTH is updated to reflect
+ * the actual length of the message. Returns 1 on success, 0 on
+ * failure, which happens if decryption failed or if the message
+ * didn't fit. */
+int
+rsa_decrypt(struct rsa_private_key *key,
+	    unsigned *length, uint8_t *message,
+	    const mpz_t gibberish);
+
+
 /* Compute x, the e:th root of m. Calling it with x == m is allowed. */
 void
 rsa_compute_root(struct rsa_private_key *key, mpz_t x, const mpz_t m);
@@ -151,11 +183,6 @@ rsa_compute_root(struct rsa_private_key *key, mpz_t x, const mpz_t m);
 
 /* Key generation */
 
-/* Randomness function. This typedef doesn't really belong here, but
- * so far it's used only by the rsa key generator. */
-typedef void (*nettle_random_func)(void *ctx,
-				   unsigned length, uint8_t *dst);
-
 /* Progress report function. */
 typedef void (*nettle_progress_func)(void *ctx,
 				     int c);
-- 
GitLab