gcrypt: Support RSA OAEP SHA1 encryption/decryption

[people/ms/strongswan.git] / src / libstrongswan / plugins / gcrypt / gcrypt_rsa_public_key.c

diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index 694a969f80e099cf5132e1f922a5c019a96c6c11..2200a21187bfc26f61f17b19f76eb15220c37767 100644 (file)
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -239,36 +239,55 @@ METHOD(public_key_t, encrypt_, bool,
        private_gcrypt_rsa_public_key_t *this, encryption_scheme_t scheme,
        void *params, chunk_t plain, chunk_t *encrypted)
 {
-       gcry_sexp_t in, out;
        gcry_error_t err;
+       gcry_sexp_t in, out;
+       chunk_t label = chunk_empty;
+       u_char *sexp;
 
-       if (scheme != ENCRYPT_RSA_PKCS1)
+       switch (scheme)
        {
-               DBG1(DBG_LIB, "encryption scheme %N not supported",
-                        encryption_scheme_names, scheme);
-               return FALSE;
+               case ENCRYPT_RSA_PKCS1:
+                       sexp = "(data(flags pkcs1)(value %b))";
+                       break;
+               case ENCRYPT_RSA_OAEP_SHA1:
+                       sexp = "(data(flags oaep)(value %b))";
+                       break;
+               default:
+                       DBG1(DBG_LIB, "encryption scheme %N not supported",
+                                encryption_scheme_names, scheme);
+                       return FALSE;
        }
-       /* "pkcs1" uses PKCS 1.5 (section 8.1) block type 2 encryption:
-        * 00 | 02 | RANDOM | 00 | DATA */
-       err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(value %b))",
-                                                 plain.len, plain.ptr);
+
+       if (scheme == ENCRYPT_RSA_OAEP_SHA1 && params != NULL)
+       {
+               label = *(chunk_t *)params;
+               if (label.len > 0)
+               {
+                       DBG1(DBG_LIB, "RSA OAEP encryption with a label not supported");
+                       return FALSE;
+               }
+       }
+
+       err = gcry_sexp_build(&in, NULL, sexp, plain.len, plain.ptr);
        if (err)
        {
                DBG1(DBG_LIB, "building encryption S-expression failed: %s",
                         gpg_strerror(err));
                return FALSE;
        }
+
        err = gcry_pk_encrypt(&out, in, this->key);
        gcry_sexp_release(in);
        if (err)
        {
-               DBG1(DBG_LIB, "encrypting data using pkcs1 failed: %s",
-                        gpg_strerror(err));
+               DBG1(DBG_LIB, "RSA encryption failed: %s", gpg_strerror(err));
                return FALSE;
        }
+
        *encrypted = gcrypt_rsa_find_token(out, "a", this->key);
        gcry_sexp_release(out);
-       return !!encrypted->len;
+
+       return encrypted->len > 0;
 }
 
 METHOD(public_key_t, get_keysize, int,