Re: Adding MD5/SHA1 support to RSA OAEP

2024-03-25 Thread Hans Leidekker
On Mon, 2024-03-25 at 11:12 +0100, Niels Möller wrote:
> Hans Leidekker writes:
> 
> > I noticed the arrival of an RSA OAEP implementation in GnuTLS and wanted to use
> > that to support the algorithm in Wine. Windows supports it using the old MD5 and
> > SHA1 hash functions, so my question is: would you accept a patch like below that
> > adds these hashes?
> 
> Hi, 
> 
> I'm fine accepting patches for interop with various legacy systems, if
> there's a reasonable usecase, but I don't want to add anything with md5
> in it merely for completeness. Can you give a bit more details on your
> usecase? Which windows functions do you want to support or interop with?
> What will break if you support only the sha2-variants of RSA-OAEP?

This is for BCryptEncrypt/BCryptDecrypt when a BCRYPT_OAEP_PADDING_INFO
structure is passed specifying hash and label. It doesn't look like Windows
supports sha2 variants here; I get a STATUS_INVALID_PARAMETER error.

This was prompted by the DayZ game. I don't know if it uses md5 or sha1, I
should ask, but I think it's reasonable to wait and see if md5 is still used.

> Despite md5 and sha1 being generally deprecated, I'm not sure about
> whether they're considered insecure when used for RSA-OAEP (via
> wikipedia, I found this old paper that seems to imply that the
> underlying hash function doesn't need to be that strong:
> https://eprint.iacr.org/2006/223).

That's my understanding as well. 


___
nettle-bugs mailing list -- nettle-bugs@lists.lysator.liu.se
To unsubscribe send an email to nettle-bugs-le...@lists.lysator.liu.se


Re: Adding MD5/SHA1 support to RSA OAEP

2024-03-25 Thread Niels Möller
Hans Leidekker writes:

> I noticed the arrival of an RSA OAEP implementation in GnuTLS and wanted to use
> that to support the algorithm in Wine. Windows supports it using the old MD5 and
> SHA1 hash functions, so my question is: would you accept a patch like below that
> adds these hashes?

Hi, 

I'm fine accepting patches for interop with various legacy systems, if
there's a reasonable usecase, but I don't want to add anything with md5
in it merely for completeness. Can you give a bit more details on your
usecase? Which windows functions do you want to support or interop with?
What will break if you support only the sha2-variants of RSA-OAEP?

Despite md5 and sha1 being generally deprecated, I'm not sure about
whether they're considered insecure when used for RSA-OAEP (via
wikipedia, I found this old paper that seems to imply that the
underlying hash function doesn't need to be that strong:
https://eprint.iacr.org/2006/223).

Regards,
/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.


Adding MD5/SHA1 support to RSA OAEP

2024-03-25 Thread Hans Leidekker
Hello,

I noticed the arrival of an RSA OAEP implementation in GnuTLS and wanted to use
that to support the algorithm in Wine. Windows supports it using the old MD5 and
SHA1 hash functions, so my question is: would you accept a patch like below that
adds these hashes?

diff --git a/rsa-oaep-decrypt.c b/rsa-oaep-decrypt.c
index 4006a021..30e4cbae 100644
--- a/rsa-oaep-decrypt.c
+++ b/rsa-oaep-decrypt.c
@@ -81,6 +81,40 @@ _rsa_oaep_decrypt (const struct rsa_public_key *pub,
   return res;
 }
 
+int
+rsa_oaep_md5_decrypt (const struct rsa_public_key *pub,
+			 const struct rsa_private_key *key,
+			 void *random_ctx, nettle_random_func *random,
+			 size_t label_length, const uint8_t *label,
+			 size_t *length, uint8_t *message,
+			 const uint8_t *ciphertext)
+{
+  struct md5_ctx ctx;
+
+  md5_init ();
+
+  return _rsa_oaep_decrypt (pub, key, random_ctx, random,
+			, _md5, label_length, label,
+			length, message, ciphertext);
+}
+
+int
+rsa_oaep_sha1_decrypt (const struct rsa_public_key *pub,
+			 const struct rsa_private_key *key,
+			 void *random_ctx, nettle_random_func *random,
+			 size_t label_length, const uint8_t *label,
+			 size_t *length, uint8_t *message,
+			 const uint8_t *ciphertext)
+{
+  struct sha1_ctx ctx;
+
+  sha1_init ();
+
+  return _rsa_oaep_decrypt (pub, key, random_ctx, random,
+			, _sha1, label_length, label,
+			length, message, ciphertext);
+}
+
 int
 rsa_oaep_sha256_decrypt (const struct rsa_public_key *pub,
 			 const struct rsa_private_key *key,
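Review bot: In both new decrypt wrappers the local hash context never reaches the calls: `md5_init ();` and `sha1_init ();` are written without an argument, and the `_rsa_oaep_decrypt` call has an empty slot before `_md5` / `_sha1`, so the hunk does not compile as posted. It looks as if `&ctx` and the `&nettle` prefix were lost in transit; the lines should read `md5_init (&ctx);` and `&ctx, &nettle_md5, label_length, label,` (likewise with `sha1`). The hunk also adds no `#include` for md5.h or sha1.h, so check that `struct md5_ctx` and `struct sha1_ctx` are declared in this file.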
diff --git a/rsa-oaep-encrypt.c b/rsa-oaep-encrypt.c
index 488821f0..26ee6a18 100644
--- a/rsa-oaep-encrypt.c
+++ b/rsa-oaep-encrypt.c
@@ -70,6 +70,44 @@ _rsa_oaep_encrypt (const struct rsa_public_key *key,
   return 0;
 }
 
+int
+rsa_oaep_md5_encrypt (const struct rsa_public_key *key,
+			 void *random_ctx, nettle_random_func *random,
+			 size_t label_length, const uint8_t *label,
+			 size_t length, const uint8_t *message,
+			 uint8_t *ciphertext)
+{
+  struct md5_ctx ctx;
+
+  md5_init ();
+
+  return _rsa_oaep_encrypt (key,
+			random_ctx, random,
+			, _md5,
+			label_length, label,
+			length, message,
+			ciphertext);
+}
+
+int
+rsa_oaep_sha1_encrypt (const struct rsa_public_key *key,
+			 void *random_ctx, nettle_random_func *random,
+			 size_t label_length, const uint8_t *label,
+			 size_t length, const uint8_t *message,
+			 uint8_t *ciphertext)
+{
+  struct sha1_ctx ctx;
+
+  sha1_init ();
+
+  return _rsa_oaep_encrypt (key,
+			random_ctx, random,
+			, _sha1,
+			label_length, label,
+			length, message,
+			ciphertext);
+}
+
 int
 rsa_oaep_sha256_encrypt (const struct rsa_public_key *key,
 			 void *random_ctx, nettle_random_func *random,
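Review bot: The encrypt wrappers have the same damage as the decrypt ones: `md5_init ();` / `sha1_init ();` take no argument and the `_rsa_oaep_encrypt` call has a bare `, _md5,` / `, _sha1,` line where `&ctx, &nettle_md5,` and `&ctx, &nettle_sha1,` are expected. As a style point, the parameter continuation lines keep the indentation that fits `rsa_oaep_sha256_encrypt (` and no longer line up under the opening parenthesis of the shorter `rsa_oaep_md5_encrypt (` and `rsa_oaep_sha1_encrypt (` names. A short comment above each function saying it exists for interoperability with legacy peers would also help readers who find MD5 here.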
diff --git a/rsa.h b/rsa.h
index 054b318c..5e931e84 100644
--- a/rsa.h
+++ b/rsa.h
@@ -88,6 +88,10 @@ extern "C" {
 #define rsa_encrypt nettle_rsa_encrypt
 #define rsa_decrypt nettle_rsa_decrypt
 #define rsa_decrypt_tr nettle_rsa_decrypt_tr
+#define rsa_oaep_md5_encrypt nettle_rsa_oaep_md5_encrypt
+#define rsa_oaep_md5_decrypt nettle_rsa_oaep_md5_decrypt
+#define rsa_oaep_sha1_encrypt nettle_rsa_oaep_sha1_encrypt
+#define rsa_oaep_sha1_decrypt nettle_rsa_oaep_sha1_decrypt
 #define rsa_oaep_sha256_encrypt nettle_rsa_oaep_sha256_encrypt
 #define rsa_oaep_sha256_decrypt nettle_rsa_oaep_sha256_decrypt
 #define rsa_oaep_sha384_encrypt nettle_rsa_oaep_sha384_encrypt
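Review bot: The four new `#define` lines make `nettle_rsa_oaep_md5_*` and `nettle_rsa_oaep_sha1_*` permanent public symbol names, and the MD5 pair is the part whose use case is still open in this thread. Consider splitting the patch so that the `rsa_oaep_sha1_*` defines can go in on their own and the `rsa_oaep_md5_*` defines follow only once a caller that needs MD5 is confirmed.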
@@ -434,6 +438,36 @@ rsa_sec_decrypt(const struct rsa_public_key *pub,
 
 /* RSA encryption, using OAEP */
 
+int
+rsa_oaep_md5_encrypt (const struct rsa_public_key *key,
+			 void *random_ctx, nettle_random_func *random,
+			 size_t label_length, const uint8_t *label,
+			 size_t length, const uint8_t * message,
+			 uint8_t *ciphertext);
+
+int
+rsa_oaep_md5_decrypt (const struct rsa_public_key *pub,
+			 const struct rsa_private_key *key,
+			 void *random_ctx, nettle_random_func *random,
+			 size_t label_length, const uint8_t *label,
+			 size_t *length, uint8_t *message,
+			 const uint8_t *ciphertext);
+
+int
+rsa_oaep_sha1_encrypt (const struct rsa_public_key *key,
+			 void *random_ctx, nettle_random_func *random,
+			 size_t label_length, const uint8_t *label,
+			 size_t length, const uint8_t * message,
+			 uint8_t *ciphertext);
+
+int
+rsa_oaep_sha1_decrypt (const struct rsa_public_key *pub,
+			 const struct rsa_private_key *key,
+			 void *random_ctx, nettle_random_func *random,
+			 size_t label_length, const uint8_t *label,
+			 size_t *length, uint8_t *message,
+			 const uint8_t *ciphertext);
+
 int
 rsa_oaep_sha256_encrypt (const struct rsa_public_key *key,
 			 void *random_ctx, nettle_random_func *random,
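Review bot: The new prototypes are added under `/* RSA encryption, using OAEP */` with no comment saying that the MD5 and SHA1 variants are for legacy interoperability only; a one-line note here is where users of the header would see it. The encrypt prototypes also write `const uint8_t * message` with a space after the asterisk, while the decrypt prototypes in the same hunk use `uint8_t *message`; use one spelling throughout. No manual or documentation change is visible in the diff as posted, so the new functions would be undocumented unless that is added.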
diff --git a/testsuite/rsa-oaep-encrypt-test.c b/testsuite/rsa-oaep-encrypt-test.c
index 511c2744..3f4278d1 100644
--- a/testsuite/rsa-oaep-encrypt-test.c
+++ b/testsuite/rsa-oaep-encrypt-test.c
@@ -151,6 +151,18 @@ test_encrypt_decrypt (void)
   test_rsa_set_key_2(, );
 
   /* Test without label */
+  test_rsa_oaep_encrypt_decrypt (, ,
+
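Review bot: This hunk is cut off: the header announces twelve new lines but only the opening of one `test_rsa_oaep_encrypt_decrypt (, ,` call is present, and both it and the `test_rsa_set_key_2(, );` context line have empty argument slots, so the test change can neither be applied nor reviewed. Please resend the patch as an attachment or via git send-email so that `&` arguments and the remaining lines survive. Since the stated goal is interoperability with Windows, a known-answer decrypt test for the md5 and sha1 variants, in addition to the round trip in `test_encrypt_decrypt`, would show that the output matches what the other side produces.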