Mercurial > dropbear

comparison libtomcrypt/src/pk/pkcs1/pkcs_1_pss_decode.c @ 285:1b9e69c058d2

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
propagate from branch 'au.asn.ucc.matt.ltc.dropbear' (head 20dccfc09627970a312d77fb41dc2970b62689c3) to branch 'au.asn.ucc.matt.dropbear' (head fdf4a7a3b97ae5046139915de7e40399cceb2c01)
author Matt Johnston <matt@ucc.asn.au>
date Wed, 08 Mar 2006 13:23:58 +0000
parents
children 0cbe8f6dbf9e
comparison
equal deleted inserted replaced
281:997e6f7dc01e 285:1b9e69c058d2
1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
2 *
3 * LibTomCrypt is a library that provides various cryptographic
4 * algorithms in a highly modular and flexible manner.
5 *
6 * The library is free for all purposes without any express
7 * guarantee it works.
8 *
9 * Tom St Denis, [email protected], http://libtomcrypt.org
10 */
11 #include "tomcrypt.h"
12
13 /**
14 @file pkcs_1_pss_decode.c
15 PKCS #1 PSS Signature Padding, Tom St Denis
16 */
17
18 #ifdef PKCS_1
19
20 /**
21 PKCS #1 v2.00 PSS decode
22 @param msghash The hash to verify
23 @param msghashlen The length of the hash (octets)
24 @param sig The signature data (encoded data)
25 @param siglen The length of the signature data (octets)
26 @param saltlen The length of the salt used (octets)
27 @param hash_idx The index of the hash desired
28 @param modulus_bitlen The bit length of the RSA modulus
29 @param res [out] The result of the comparison, 1==valid, 0==invalid
30 @return CRYPT_OK if successful (even if the comparison failed)
31 */
32 int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen,
33 const unsigned char *sig, unsigned long siglen,
34 unsigned long saltlen, int hash_idx,
35 unsigned long modulus_bitlen, int *res)
36 {
37 unsigned char *DB, *mask, *salt, *hash;
38 unsigned long x, y, hLen, modulus_len;
39 int err;
40 hash_state md;
41
42 LTC_ARGCHK(msghash != NULL);
43 LTC_ARGCHK(res != NULL);
44
45 /* default to invalid */
46 *res = 0;
47
48 /* ensure hash is valid */
49 if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
50 return err;
51 }
52
53 hLen = hash_descriptor[hash_idx].hashsize;
54 modulus_len = (modulus_bitlen>>3) + (modulus_bitlen & 7 ? 1 : 0);
55
56 /* check sizes */
57 if ((saltlen > modulus_len) ||
58 (modulus_len < hLen + saltlen + 2) || (siglen != modulus_len)) {
59 return CRYPT_PK_INVALID_SIZE;
60 }
61
62 /* allocate ram for DB/mask/salt/hash of size modulus_len */
63 DB = XMALLOC(modulus_len);
64 mask = XMALLOC(modulus_len);
65 salt = XMALLOC(modulus_len);
66 hash = XMALLOC(modulus_len);
67 if (DB == NULL || mask == NULL || salt == NULL || hash == NULL) {
68 if (DB != NULL) {
69 XFREE(DB);
70 }
71 if (mask != NULL) {
72 XFREE(mask);
73 }
74 if (salt != NULL) {
75 XFREE(salt);
76 }
77 if (hash != NULL) {
78 XFREE(hash);
79 }
80 return CRYPT_MEM;
81 }
82
83 /* ensure the 0xBC byte */
84 if (sig[siglen-1] != 0xBC) {
85 err = CRYPT_OK;
86 goto LBL_ERR;
87 }
88
89 /* copy out the DB */
90 x = 0;
91 XMEMCPY(DB, sig + x, modulus_len - hLen - 1);
92 x += modulus_len - hLen - 1;
93
94 /* copy out the hash */
95 XMEMCPY(hash, sig + x, hLen);
96 x += hLen;
97
98 /* check the MSB */
99 if ((sig[0] & ~(0xFF >> ((modulus_len<<3) - (modulus_bitlen-1)))) != 0) {
100 err = CRYPT_OK;
101 goto LBL_ERR;
102 }
103
104 /* generate mask of length modulus_len - hLen - 1 from hash */
105 if ((err = pkcs_1_mgf1(hash, hLen, hash_idx, mask, modulus_len - hLen - 1)) != CRYPT_OK) {
106 goto LBL_ERR;
107 }
108
109 /* xor against DB */
110 for (y = 0; y < (modulus_len - hLen - 1); y++) {
111 DB[y] ^= mask[y];
112 }
113
114 /* now clear the first byte [make sure smaller than modulus] */
115 DB[0] &= 0xFF >> ((modulus_len<<3) - (modulus_bitlen-1));
116
117 /* DB = PS || 0x01 || salt, PS == modulus_len - saltlen - hLen - 2 zero bytes */
118
119 /* check for zeroes and 0x01 */
120 for (x = 0; x < modulus_len - saltlen - hLen - 2; x++) {
121 if (DB[x] != 0x00) {
122 err = CRYPT_OK;
123 goto LBL_ERR;
124 }
125 }
126
127 /* check for the 0x01 */
128 if (DB[x++] != 0x01) {
129 err = CRYPT_OK;
130 goto LBL_ERR;
131 }
132
133 /* M = (eight) 0x00 || msghash || salt, mask = H(M) */
134 if ((err = hash_descriptor[hash_idx].init(&md)) != CRYPT_OK) {
135 goto LBL_ERR;
136 }
137 zeromem(mask, 8);
138 if ((err = hash_descriptor[hash_idx].process(&md, mask, 8)) != CRYPT_OK) {
139 goto LBL_ERR;
140 }
141 if ((err = hash_descriptor[hash_idx].process(&md, msghash, msghashlen)) != CRYPT_OK) {
142 goto LBL_ERR;
143 }
144 if ((err = hash_descriptor[hash_idx].process(&md, DB+x, saltlen)) != CRYPT_OK) {
145 goto LBL_ERR;
146 }
147 if ((err = hash_descriptor[hash_idx].done(&md, mask)) != CRYPT_OK) {
148 goto LBL_ERR;
149 }
150
151 /* mask == hash means valid signature */
152 if (memcmp(mask, hash, hLen) == 0) {
153 *res = 1;
154 }
155
156 err = CRYPT_OK;
157 LBL_ERR:
158 #ifdef LTC_CLEAN_STACK
159 zeromem(DB, modulus_len);
160 zeromem(mask, modulus_len);
161 zeromem(salt, modulus_len);
162 zeromem(hash, modulus_len);
163 #endif
164
165 XFREE(hash);
166 XFREE(salt);
167 XFREE(mask);
168 XFREE(DB);
169
170 return err;
171 }
172
173 #endif /* PKCS_1 */
174
175 /* $Source: /cvs/libtom/libtomcrypt/src/pk/pkcs1/pkcs_1_pss_decode.c,v $ */
176 /* $Revision: 1.4 $ */
177 /* $Date: 2005/05/05 14:35:59 $ */