From 64815335199d6243f6b05242796bd6789d3ea2d2 Mon Sep 17 00:00:00 2001
From: dignifiedquire
Date: Thu, 30 Nov 2023 22:55:38 +0100
Subject: [PATCH] convert hazmt decrypt interface
---
 src/algorithms/rsa.rs | 17 ++++++++---------
 src/key.rs | 2 ++
 src/oaep.rs | 14 +++++++++++---
 src/pkcs1v15.rs | 17 +++++++++++------
 src/pss.rs | 13 +++++++++++--
 5 files changed, 43 insertions(+), 20 deletions(-)
diff --git a/src/algorithms/rsa.rs b/src/algorithms/rsa.rs
index b24fc042..ca53b243 100644
--- a/src/algorithms/rsa.rs
+++ b/src/algorithms/rsa.rs
@@ -1,5 +1,6 @@
 //! Generic RSA implementation
+use alloc::borrow::Cow;
 use crypto_bigint::modular::{BoxedResidue, BoxedResidueParams};
 use crypto_bigint::{BoxedUint, RandomMod};
 use num_bigint::{BigUint, ModInverse};
@@ -9,7 +10,7 @@ use rand_core::CryptoRngCore;
 use zeroize::{Zeroize, Zeroizing};
 use crate::errors::{Error, Result};
-use crate::key::{reduce, to_biguint, to_uint_exact};
+use crate::key::{reduce, to_biguint};
 use crate::traits::keys::{PrivateKeyPartsNew, PublicKeyPartsNew};
 use crate::traits::PublicKeyParts;
@@ -36,14 +37,12 @@ pub fn rsa_encrypt(key: &K, m: &BigUint) -> Result {
 pub fn rsa_decrypt(
 mut rng: Option<&mut R>,
 priv_key: &impl PrivateKeyPartsNew,
- c_orig: &BigUint,
+ c: &BoxedUint,
 ) -> Result {
 let n = priv_key.n();
- let nbits = n.bits_precision();
- let c = to_uint_exact(c_orig.clone(), nbits);
 let d = priv_key.d();
- if c >= **n {
+ if c >= n {
 return Err(Error::Decryption);
 }
@@ -62,9 +61,9 @@ pub fn rsa_decrypt(
 let c = if let Some(ref mut rng) = rng {
 let (blinded, unblinder) = blind(rng, priv_key, &c, &n_params);
 ir = Some(unblinder);
- blinded
+ Cow::Owned(blinded)
 } else {
- c
+ Cow::Borrowed(c)
 };
 let has_precomputes = priv_key.dp().is_some();
@@ -126,7 +125,7 @@ pub fn rsa_decrypt(
 pub fn rsa_decrypt_and_check(
 priv_key: &impl PrivateKeyPartsNew,
 rng: Option<&mut R>,
- c: &BigUint,
+ c: &BoxedUint,
 ) -> Result {
 let m = rsa_decrypt(rng, priv_key, c)?;
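Review bot: The `if c >= n` guard in rsa_decrypt now compares a caller-supplied `BoxedUint` straight against the modulus, and nothing in the hunk verifies that `c` was built at the modulus' `bits_precision()`, a property the removed `let c = to_uint_exact(c_orig.clone(), nbits);` line used to establish inside the function itself. How crypto-bigint compares operands of different width is not visible here, so a hazmat caller that skips the widening step gets either a panic on malformed input or a guard that no longer means "c < n"; the key.rs test hunk only exercises a correctly widened `c`. I'd make the precondition explicit ahead of the comparison, `if c.bits_precision() != n.bits_precision() { return Err(Error::Decryption); }`, and state it in the function's doc comment, e.g. `/// The ciphertext must already be widened to the modulus' bit precision (see to_uint_exact).`. The body of rsa_decrypt continues past this hunk.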
@@ -134,7 +133,7 @@ pub fn rsa_decrypt_and_check(
 // calculated, which should match the original ciphertext.
 let check = rsa_encrypt(priv_key, &m)?;
- if c != &check {
+ if to_biguint(c) != check {
 return Err(Error::Internal);
 }
diff --git a/src/key.rs b/src/key.rs
index 452d6954..215bf991 100644
--- a/src/key.rs
+++ b/src/key.rs
@@ -674,6 +674,8 @@ mod tests {
 let pub_key: RsaPublicKey = private_key.clone().into();
 let m = BigUint::from_u64(42).expect("invalid 42");
 let c = rsa_encrypt(&pub_key, &m).expect("encryption successfull");
+ let c = to_uint_exact(c, PublicKeyPartsNew::n(&pub_key).bits_precision());
+
 let m2 = rsa_decrypt_and_check::(private_key, None, &c)
 .expect("unable to decrypt without blinding");
 assert_eq!(m, m2);
diff --git a/src/oaep.rs b/src/oaep.rs
index 0cbd1e3b..959a22df 100644
--- a/src/oaep.rs
+++ b/src/oaep.rs
@@ -23,7 +23,7 @@ use crate::algorithms::oaep::*;
 use crate::algorithms::pad::{uint_to_be_pad, uint_to_zeroizing_be_pad};
 use crate::algorithms::rsa::{rsa_decrypt_and_check, rsa_encrypt};
 use crate::errors::{Error, Result};
-use crate::key::{self, RsaPrivateKey, RsaPublicKey};
+use crate::key::{self, to_uint_exact, RsaPrivateKey, RsaPublicKey};
 use crate::traits::{PaddingScheme, PublicKeyParts};
 /// Encryption and Decryption using [OAEP padding](https://datatracker.ietf.org/doc/html/rfc8017#section-7.1).
@@ -246,7 +246,11 @@ fn decrypt(
 return Err(Error::Decryption);
 }
- let em = rsa_decrypt_and_check(priv_key, rng, &BigUint::from_bytes_be(ciphertext))?;
+ let ciphertext = to_uint_exact(
+ BigUint::from_bytes_be(ciphertext),
+ crate::traits::keys::PublicKeyPartsNew::n(priv_key).bits_precision(),
+ );
+ let em = rsa_decrypt_and_check(priv_key, rng, &ciphertext)?;
 let mut em = uint_to_zeroizing_be_pad(em, priv_key.size())?;
 oaep_decrypt(&mut em, digest, mgf_digest, label, priv_key.size())
@@ -277,7 +281,11 @@ fn decrypt_digest(&mut em, label, priv_key.size())
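Review bot: The conversion block added in oaep decrypt, `to_uint_exact(BigUint::from_bytes_be(ciphertext), crate::traits::keys::PublicKeyPartsNew::n(priv_key).bits_precision())`, is repeated verbatim in pkcs1v15.rs (decrypt and sign) and twice in pss.rs, each copy spelling out the fully-qualified trait path, presumably because `PublicKeyParts::n` and `PublicKeyPartsNew::n` both apply to the key type. Since matching the modulus width is the invariant the new `rsa_decrypt` signature relies on, it is better expressed once in key.rs next to `to_uint_exact`, as a `pub(crate)` helper that takes `&impl PublicKeyPartsNew` plus the big-endian bytes and returns the modulus-width `BoxedUint`, so no call site can pick the wrong precision. The enclosing decrypt function starts outside this hunk.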
diff --git a/src/pkcs1v15.rs b/src/pkcs1v15.rs
index 2fc3f787..478fa624 100644
--- a/src/pkcs1v15.rs
+++ b/src/pkcs1v15.rs
@@ -29,7 +29,7 @@ use crate::algorithms::pad::{uint_to_be_pad, uint_to_zeroizing_be_pad};
 use crate::algorithms::pkcs1v15::*;
 use crate::algorithms::rsa::{rsa_decrypt_and_check, rsa_encrypt};
 use crate::errors::{Error, Result};
-use crate::key::{self, RsaPrivateKey, RsaPublicKey};
+use crate::key::{self, to_uint_exact, RsaPrivateKey, RsaPublicKey};
 use crate::traits::{PaddingScheme, PublicKeyParts, SignatureScheme};
 /// Encryption using PKCS#1 v1.5 padding.
@@ -166,7 +166,11 @@ fn decrypt(
 ) -> Result> {
 key::check_public(priv_key)?;
- let em = rsa_decrypt_and_check(priv_key, rng, &BigUint::from_bytes_be(ciphertext))?;
+ let ciphertext = to_uint_exact(
+ BigUint::from_bytes_be(ciphertext),
+ crate::traits::keys::PublicKeyPartsNew::n(priv_key).bits_precision(),
+ );
+ let em = rsa_decrypt_and_check(priv_key, rng, &ciphertext)?;
 let em = uint_to_zeroizing_be_pad(em, priv_key.size())?;
 pkcs1v15_encrypt_unpad(em, priv_key.size())
@@ -194,10 +198,11 @@ fn sign(
 ) -> Result> {
 let em = pkcs1v15_sign_pad(prefix, hashed, priv_key.size())?;
- uint_to_zeroizing_be_pad(
- rsa_decrypt_and_check(priv_key, rng, &BigUint::from_bytes_be(&em))?,
- priv_key.size(),
- )
+ let em = to_uint_exact(
+ BigUint::from_bytes_be(&em),
+ crate::traits::keys::PublicKeyPartsNew::n(priv_key).bits_precision(),
+ );
+ uint_to_zeroizing_be_pad(rsa_decrypt_and_check(priv_key, rng, &em)?, priv_key.size())
 }
 /// Verifies an RSA PKCS#1 v1.5 signature.
diff --git a/src/pss.rs b/src/pss.rs
index c7535872..43cbc288 100644
--- a/src/pss.rs
+++ b/src/pss.rs
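Review bot: In pkcs1v15 decrypt the attacker-controlled `ciphertext` bytes now go through `to_uint_exact(BigUint::from_bytes_be(ciphertext), ...bits_precision())` with only `key::check_public(priv_key)?` ahead of them and no visible length check, whereas the oaep decrypt hunk appears to sit behind the `return Err(Error::Decryption)` branch shown just above its conversion. What `to_uint_exact` does with a value wider than the requested precision is not shown in this diff: if it truncates, an over-long ciphertext is silently reduced into the range the `c >= n` guard in `rsa_decrypt` accepts, and if it asserts, malformed input becomes a remote panic where the old `BigUint` path returned `Error::Decryption`. I'd reject it before converting, `if ciphertext.len() != priv_key.size() { return Err(Error::Decryption); }` (RFC 8017 §7.2.2 step 1 requires exactly k octets; `>` is the minimal guard if shorter inputs must keep working), or make `to_uint_exact` fallible and propagate with `?`. The signature of decrypt starts outside the hunk.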
@@ -33,6 +33,7 @@ use crate::algorithms::pad::{uint_to_be_pad, uint_to_zeroizing_be_pad};
 use crate::algorithms::pss::*;
 use crate::algorithms::rsa::{rsa_decrypt_and_check, rsa_encrypt};
 use crate::errors::{Error, Result};
+use crate::key::to_uint_exact;
 use crate::traits::PublicKeyParts;
 use crate::traits::SignatureScheme;
 use crate::{RsaPrivateKey, RsaPublicKey};
@@ -206,8 +207,12 @@ fn sign_pss_with_salt(
 let em_bits = priv_key.n().bits() - 1;
 let em = emsa_pss_encode(hashed, em_bits, salt, digest)?;
+ let em = to_uint_exact(
+ BigUint::from_bytes_be(&em),
+ crate::traits::keys::PublicKeyPartsNew::n(priv_key).bits_precision(),
+ );
 uint_to_zeroizing_be_pad(
- rsa_decrypt_and_check(priv_key, blind_rng, &BigUint::from_bytes_be(&em))?,
+ rsa_decrypt_and_check(priv_key, blind_rng, &em)?,
 priv_key.size(),
 )
 }
@@ -221,8 +226,12 @@ fn sign_pss_with_salt_digest(hashed, em_bits, salt)?;
+ let em = to_uint_exact(
+ BigUint::from_bytes_be(&em),
+ crate::traits::keys::PublicKeyPartsNew::n(priv_key).bits_precision(),
+ );
 uint_to_zeroizing_be_pad(
- rsa_decrypt_and_check(priv_key, blind_rng, &BigUint::from_bytes_be(&em))?,
+ rsa_decrypt_and_check(priv_key, blind_rng, &em)?,
 priv_key.size(),
 )
 }