raw
smg_comms_rsa_oaep      1 -- S.MG, 2018
smg_comms_rsa_oaep 2
smg_comms_rsa_oaep 3 package body OAEP is
smg_comms_rsa_oaep 4
smg_comms_rsa_oaep 5 -- padding & formatting of maximum MAX_LEN_MSG*8 bits of the given input
smg_comms_rsa_oaep 6 -- uses TMSR's OAEP schema:
smg_comms_rsa_oaep 7 -- 1.format M00 as: [random octet][sz1][sz2]"TMSR-RSA"[random]*Message
smg_comms_rsa_oaep 8 -- where sz1 and sz2 store the length of the message in bits
smg_comms_rsa_oaep 9 -- the random octets before message are padding to make OAEP_LENGTH_OCTETS
smg_comms_rsa_oaep 10 -- 2. R = OAEP_HALF_OCTETS random bits
smg_comms_rsa_oaep 11 -- 3. X = M00 xor hash(R)
smg_comms_rsa_oaep 12 -- 4. Y = R xor hash(X)
smg_comms_rsa_oaep 13 -- 5. Result is X || Y
smg_comms_rsa_oaep 14 -- NB: the Entropy parameter should be random octets from which this method
smg_comms_rsa_oaep 15 -- will use as many as required for the OAEP encryption of given Msg
smg_comms_rsa_oaep 16 -- NB: at MOST MAX_LEN_MSG octets of Msg! (Msg at most 1960 bits)
smg_comms_rsa_oaep 17 procedure OAEP_Encrypt( Msg : in Raw_Types.Octets;
smg_comms_rsa_oaep 18 Entropy : in OAEP_Block;
smg_comms_rsa_oaep 19 Output : out OAEP_Block) is
smg_comms_rsa_oaep 20 M00 : OAEP_HALF;
smg_comms_rsa_oaep 21 R : OAEP_HALF;
smg_comms_rsa_oaep 22 HashR : OAEP_HALF;
smg_comms_rsa_oaep 23 X : OAEP_HALF;
smg_comms_rsa_oaep 24 HashX : OAEP_HALF;
smg_comms_rsa_oaep 25 Y : OAEP_HALF;
smg_comms_rsa_oaep 26 MsgLen : Natural;
smg_comms_rsa_oaep 27 PadLen : Natural;
smg_comms_rsa_oaep 28 begin
smg_comms_rsa_oaep 29 -- calculate maximum length of msg and needed amount of padding
smg_comms_rsa_oaep 30 -- make sure also that only MAX_LEN_MSG octets at most are used from Msg
smg_comms_rsa_oaep 31 MsgLen := Msg'Length; -- real msg length
smg_comms_rsa_oaep 32 if MsgLen > MAX_LEN_MSG then
smg_comms_rsa_oaep 33 MsgLen := MAX_LEN_MSG; --only first MAX_LEN_MSG octets used
smg_comms_rsa_oaep 34 PadLen := 0; --no padding needed
smg_comms_rsa_oaep 35 else
smg_comms_rsa_oaep 36 PadLen := MAX_LEN_MSG - MsgLen; -- add padding as needed
smg_comms_rsa_oaep 37 end if;
smg_comms_rsa_oaep 38
smg_comms_rsa_oaep 39 -- step 1: header and format to obtain M00
smg_comms_rsa_oaep 40 -- first octet is random bits
smg_comms_rsa_oaep 41 M00( M00'First ) := Entropy( Entropy'First );
smg_comms_rsa_oaep 42
smg_comms_rsa_oaep 43 -- next 2 octets hold the used length of Msg (number of octets)
smg_comms_rsa_oaep 44 M00( M00'First + 2) := Unsigned_8( ( MsgLen * 8 ) mod 256 );
smg_comms_rsa_oaep 45 M00( M00'First + 1) := Unsigned_8( ( (MsgLen * 8 ) / 256 ) mod 256 );
smg_comms_rsa_oaep 46
smg_comms_rsa_oaep 47 -- next 8 octets are reserved for later use, currently "TMSR-RSA"
smg_comms_packing... 48 M00( M00'First + 3 .. M00'First + 10 ) := Raw_Types.OAEP_RESERVED;
smg_comms_rsa_oaep 49
smg_comms_rsa_oaep 50 -- random bits for padding, if Msg is less than maximum length
smg_comms_rsa_oaep 51 for I in 1 .. PadLen loop
smg_comms_rsa_oaep 52 M00( M00'First + 10 + I ) := Entropy( Entropy'First + I );
smg_comms_rsa_oaep 53 end loop;
smg_comms_rsa_oaep 54
smg_comms_rsa_oaep 55 -- the message itself
smg_comms_rsa_oaep 56 M00( M00'Last - MsgLen + 1 .. M00'Last ) :=
smg_comms_rsa_oaep 57 Msg( Msg'First .. Msg'First + MsgLen - 1 );
smg_comms_rsa_oaep 58
smg_comms_rsa_oaep 59 -- step 2: R = Raw_Types.OAEP_HALF_OCTETS random octets
smg_comms_rsa_oaep 60 -- can take LAST octets from given entropy as they are NOT used before
smg_comms_rsa_oaep 61 -- (even if original message was empty, padding uses at most half - 10
smg_comms_rsa_oaep 62 -- while entropy has full block length)
smg_comms_rsa_oaep 63 R := Entropy( Entropy'Last - OAEP_HALF_OCTETS + 1 .. Entropy'Last );
smg_comms_rsa_oaep 64
smg_comms_rsa_oaep 65 -- step 3: X = M00 xor hash(R)
smg_comms_rsa_oaep 66 HashKeccak( R, HashR );
smg_comms_rsa_oaep 67 X := XOR_Octets(M00, HashR);
smg_comms_rsa_oaep 68
smg_comms_rsa_oaep 69 -- step 4: Y = R xor hash(X)
smg_comms_rsa_oaep 70 HashKeccak( X, HashX );
smg_comms_rsa_oaep 71 Y := XOR_Octets(R, HashX);
smg_comms_rsa_oaep 72
smg_comms_rsa_oaep 73 -- step 5: Output is X || Y
smg_comms_rsa_oaep 74 Output( Output'First .. Output'First + X'Length - 1 ) := X;
smg_comms_rsa_oaep 75 Output( Output'Last - Y'Length + 1 .. Output'Last ) := Y;
smg_comms_rsa_oaep 76
smg_comms_rsa_oaep 77 end OAEP_Encrypt;
smg_comms_rsa_oaep 78
smg_comms_rsa_oaep 79 procedure OAEP_Decrypt( Encr : in OAEP_Block;
smg_comms_rsa_oaep 80 Len : out Natural;
smg_comms_rsa_oaep 81 Output : out OAEP_HALF;
smg_comms_rsa_oaep 82 Success : out Boolean ) is
smg_comms_rsa_oaep 83 X, Y, M, R : OAEP_HALF;
smg_comms_rsa_oaep 84 HashX, HashR : OAEP_HALF;
smg_comms_rsa_oaep 85 LenOctets : Natural;
smg_comms_rsa_oaep 86 begin
smg_comms_rsa_oaep 87 -- step 1: separate X and Y
smg_comms_rsa_oaep 88 X := Encr( Encr'First .. Encr'First + X'Length - 1 );
smg_comms_rsa_oaep 89 Y := Encr( Encr'Last - Y'Length + 1 .. Encr'Last );
smg_comms_rsa_oaep 90
smg_comms_rsa_oaep 91 -- step 2: R = Y xor hash(X)
smg_comms_rsa_oaep 92 HashKeccak( X, HashX );
smg_comms_rsa_oaep 93 R := XOR_Octets(Y, HashX);
smg_comms_rsa_oaep 94
smg_comms_rsa_oaep 95 -- step 3: M = X xor hash(R)
smg_comms_rsa_oaep 96 HashKeccak( R, HashR );
smg_comms_rsa_oaep 97 M := XOR_Octets(X, HashR);
smg_comms_rsa_oaep 98
smg_comms_rsa_oaep 99 -- step 4: extract length and message
smg_comms_rsa_oaep 100 Len := Natural(M( M'First + 1 )) * 256 +
smg_comms_rsa_oaep 101 Natural(M( M'First + 2 ));
smg_comms_rsa_oaep 102 LenOctets := Len / 8;
smg_comms_rsa_oaep 103
smg_comms_rsa_oaep 104 if LenOctets > MAX_LEN_MSG or LenOctets < 0 then
smg_comms_rsa_oaep 105 Success := False; -- error, failed to retrieve message
smg_comms_rsa_oaep 106 else
smg_comms_rsa_oaep 107 Success := True;
smg_comms_rsa_oaep 108 Output( Output'First .. Output'First + LenOctets - 1 ) :=
smg_comms_rsa_oaep 109 M( M'Last - LenOctets + 1 .. M'Last );
smg_comms_rsa_oaep 110 end if;
smg_comms_rsa_oaep 111
smg_comms_rsa_oaep 112 end OAEP_Decrypt;
smg_comms_rsa_oaep 113
smg_comms_rsa_oaep 114 -- private, helper methods
smg_comms_rsa_oaep 115 procedure HashKeccak(Input : in Raw_Types.Octets;
smg_comms_rsa_oaep 116 Output : out Raw_Types.Octets;
smg_comms_rsa_oaep 117 Block_Len : in Keccak.Keccak_Rate :=
smg_comms_rsa_oaep 118 Keccak.Default_Bitrate) is
smg_comms_rsa_oaep 119 BIn : Keccak.Bitstream( 0 .. Input'Length * 8 - 1 );
smg_comms_rsa_oaep 120 BOut : Keccak.Bitstream( 0 .. Output'Length * 8 - 1 );
smg_comms_rsa_oaep 121 begin
smg_comms_rsa_oaep 122 ToBitstream( Input, BIn );
smg_comms_rsa_oaep 123 Keccak.Sponge( BIn, BOut, Block_Len );
smg_comms_rsa_oaep 124 ToOctets( BOut, Output );
smg_comms_rsa_oaep 125 end HashKeccak;
smg_comms_rsa_oaep 126
smg_comms_rsa_oaep 127 function XOR_Octets(A : in OAEP_HALF;
smg_comms_rsa_oaep 128 B : in OAEP_HALF)
smg_comms_rsa_oaep 129 return OAEP_HALF is
smg_comms_rsa_oaep 130 R : OAEP_HALF;
smg_comms_rsa_oaep 131 begin
smg_comms_rsa_oaep 132 for I in R'Range loop
smg_comms_rsa_oaep 133 R(I) := A(I) xor B(I);
smg_comms_rsa_oaep 134 end loop;
smg_comms_rsa_oaep 135 return R;
smg_comms_rsa_oaep 136 end XOR_Octets;
smg_comms_rsa_oaep 137
smg_comms_rsa_oaep 138 -- conversion between types
smg_comms_rsa_oaep 139 procedure ToOctets(B: in Keccak.Bitstream; O: out Raw_Types.Octets ) is
smg_comms_rsa_oaep 140 Pos : Natural;
smg_comms_rsa_oaep 141 begin
smg_comms_rsa_oaep 142 Pos := B'First;
smg_comms_rsa_oaep 143 for I in O'Range loop
smg_comms_rsa_oaep 144 O(I) := Unsigned_8( B( Pos ) ) +
smg_comms_rsa_oaep 145 Unsigned_8( B( Pos + 1 ) ) * 2 +
smg_comms_rsa_oaep 146 Unsigned_8( B( Pos + 2 ) ) * 4 +
smg_comms_rsa_oaep 147 Unsigned_8( B( Pos + 3 ) ) * 8 +
smg_comms_rsa_oaep 148 Unsigned_8( B( Pos + 4 ) ) * 16 +
smg_comms_rsa_oaep 149 Unsigned_8( B( Pos + 5 ) ) * 32 +
smg_comms_rsa_oaep 150 Unsigned_8( B( Pos + 6 ) ) * 64 +
smg_comms_rsa_oaep 151 Unsigned_8( B( Pos + 7 ) ) * 128;
smg_comms_rsa_oaep 152 Pos := Pos + 8;
smg_comms_rsa_oaep 153 end loop;
smg_comms_rsa_oaep 154 end ToOctets;
smg_comms_rsa_oaep 155
smg_comms_rsa_oaep 156 procedure ToBitstream(O: in Raw_Types.Octets; B: out Keccak.Bitstream ) is
smg_comms_rsa_oaep 157 V : Unsigned_8;
smg_comms_rsa_oaep 158 Pos : Natural;
smg_comms_rsa_oaep 159 begin
smg_comms_rsa_oaep 160 Pos := B'First;
smg_comms_rsa_oaep 161 for I in O'Range loop
smg_comms_rsa_oaep 162 V := O( I );
smg_comms_rsa_oaep 163 B( Pos ) := Keccak.Bit( V and 1 );
smg_comms_rsa_oaep 164 B( Pos + 1 ) := Keccak.Bit( Shift_Right( V, 1 ) and 1 );
smg_comms_rsa_oaep 165 B( Pos + 2 ) := Keccak.Bit( Shift_Right( V, 2 ) and 1 );
smg_comms_rsa_oaep 166 B( Pos + 3 ) := Keccak.Bit( Shift_Right( V, 3 ) and 1 );
smg_comms_rsa_oaep 167 B( Pos + 4 ) := Keccak.Bit( Shift_Right( V, 4 ) and 1 );
smg_comms_rsa_oaep 168 B( Pos + 5 ) := Keccak.Bit( Shift_Right( V, 5 ) and 1 );
smg_comms_rsa_oaep 169 B( Pos + 6 ) := Keccak.Bit( Shift_Right( V, 6 ) and 1 );
smg_comms_rsa_oaep 170 B( Pos + 7 ) := Keccak.Bit( Shift_Right( V, 7 ) and 1 );
smg_comms_rsa_oaep 171
smg_comms_rsa_oaep 172 Pos := Pos + 8;
smg_comms_rsa_oaep 173 end loop;
smg_comms_rsa_oaep 174 end ToBitstream;
smg_comms_rsa_oaep 175
smg_comms_rsa_oaep 176 end OAEP;