diff options
Diffstat (limited to 'libtomcrypt/pk/pkcs1/pkcs_1_pss_decode.c')
-rw-r--r-- | libtomcrypt/pk/pkcs1/pkcs_1_pss_decode.c | 250 |
1 files changed, 128 insertions, 122 deletions
diff --git a/libtomcrypt/pk/pkcs1/pkcs_1_pss_decode.c b/libtomcrypt/pk/pkcs1/pkcs_1_pss_decode.c index 789d12d..2a2b980 100644 --- a/libtomcrypt/pk/pkcs1/pkcs_1_pss_decode.c +++ b/libtomcrypt/pk/pkcs1/pkcs_1_pss_decode.c @@ -11,7 +11,6 @@ #include "tomcrypt.h" #include <ncr-int.h> - /** @file pkcs_1_pss_decode.c LTC_PKCS #1 PSS Signature Padding, Tom St Denis @@ -32,133 +31,140 @@ @return CRYPT_OK if successful (even if the comparison failed) */ int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen, - const unsigned char *sig, unsigned long siglen, - unsigned long saltlen, const struct algo_properties_st *hash_algo, - unsigned long modulus_bitlen, int *res) + const unsigned char *sig, unsigned long siglen, + unsigned long saltlen, + const struct algo_properties_st *hash_algo, + unsigned long modulus_bitlen, int *res) { - unsigned char *DB, *mask, *salt, *hash; - unsigned long x, y, hLen, modulus_len; - int err; - - LTC_ARGCHK(msghash != NULL); - LTC_ARGCHK(res != NULL); - - /* default to invalid */ - *res = 0; - - /* ensure hash is valid */ - if ((err = hash_is_valid(hash_algo)) != CRYPT_OK) { - return err; - } - - hLen = hash_algo->digest_size; - modulus_len = (modulus_bitlen>>3) + (modulus_bitlen & 7 ? 1 : 0); - - /* check sizes */ - if ((saltlen > modulus_len) || - (modulus_len < hLen + saltlen + 2) || (siglen != modulus_len)) { - return CRYPT_PK_INVALID_SIZE; - } - - /* allocate ram for DB/mask/salt/hash of size modulus_len */ - DB = XMALLOC(modulus_len); - mask = XMALLOC(modulus_len); - salt = XMALLOC(modulus_len); - hash = XMALLOC(modulus_len); - if (DB == NULL || mask == NULL || salt == NULL || hash == NULL) { - if (DB != NULL) { - XFREE(DB); - } - if (mask != NULL) { - XFREE(mask); - } - if (salt != NULL) { - XFREE(salt); - } - if (hash != NULL) { - XFREE(hash); - } - return CRYPT_MEM; - } - - /* ensure the 0xBC byte */ - if (sig[siglen-1] != 0xBC) { - err = CRYPT_INVALID_PACKET; - goto LBL_ERR; - } - - /* copy out the DB */ - x = 0; - XMEMCPY(DB, sig + x, modulus_len - hLen - 1); - x += modulus_len - hLen - 1; - - /* copy out the hash */ - XMEMCPY(hash, sig + x, hLen); - x += hLen; - - /* check the MSB */ - if ((sig[0] & ~(0xFF >> ((modulus_len<<3) - (modulus_bitlen-1)))) != 0) { - err = CRYPT_INVALID_PACKET; - goto LBL_ERR; - } - - /* generate mask of length modulus_len - hLen - 1 from hash */ - if ((err = pkcs_1_mgf1(hash_algo, hash, hLen, mask, modulus_len - hLen - 1)) != CRYPT_OK) { - goto LBL_ERR; - } - - /* xor against DB */ - for (y = 0; y < (modulus_len - hLen - 1); y++) { - DB[y] ^= mask[y]; - } - - /* now clear the first byte [make sure smaller than modulus] */ - DB[0] &= 0xFF >> ((modulus_len<<3) - (modulus_bitlen-1)); - - /* DB = PS || 0x01 || salt, PS == modulus_len - saltlen - hLen - 2 zero bytes */ - - /* check for zeroes and 0x01 */ - for (x = 0; x < modulus_len - saltlen - hLen - 2; x++) { - if (DB[x] != 0x00) { - err = CRYPT_INVALID_PACKET; - goto LBL_ERR; - } - } - - /* check for the 0x01 */ - if (DB[x++] != 0x01) { - err = CRYPT_INVALID_PACKET; - goto LBL_ERR; - } - - zeromem(mask, 8); - - /* M = (eight) 0x00 || msghash || salt, mask = H(M) */ - err = hash_memory_multi(hash_algo, mask, &hLen, mask, (unsigned long)8, msghash, (unsigned long)msghashlen, DB+x, (unsigned long)saltlen, NULL, 0); - if (err != CRYPT_OK) { - goto LBL_ERR; - } - - /* mask == hash means valid signature */ - if (XMEMCMP(mask, hash, hLen) == 0) { - *res = 1; - } - - err = CRYPT_OK; + unsigned char *DB, *mask, *salt, *hash; + unsigned long x, y, hLen, modulus_len; + int err; + + LTC_ARGCHK(msghash != NULL); + LTC_ARGCHK(res != NULL); + + /* default to invalid */ + *res = 0; + + /* ensure hash is valid */ + if ((err = hash_is_valid(hash_algo)) != CRYPT_OK) { + return err; + } + + hLen = hash_algo->digest_size; + modulus_len = (modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0); + + /* check sizes */ + if ((saltlen > modulus_len) || + (modulus_len < hLen + saltlen + 2) || (siglen != modulus_len)) { + return CRYPT_PK_INVALID_SIZE; + } + + /* allocate ram for DB/mask/salt/hash of size modulus_len */ + DB = XMALLOC(modulus_len); + mask = XMALLOC(modulus_len); + salt = XMALLOC(modulus_len); + hash = XMALLOC(modulus_len); + if (DB == NULL || mask == NULL || salt == NULL || hash == NULL) { + if (DB != NULL) { + XFREE(DB); + } + if (mask != NULL) { + XFREE(mask); + } + if (salt != NULL) { + XFREE(salt); + } + if (hash != NULL) { + XFREE(hash); + } + return CRYPT_MEM; + } + + /* ensure the 0xBC byte */ + if (sig[siglen - 1] != 0xBC) { + err = CRYPT_INVALID_PACKET; + goto LBL_ERR; + } + + /* copy out the DB */ + x = 0; + XMEMCPY(DB, sig + x, modulus_len - hLen - 1); + x += modulus_len - hLen - 1; + + /* copy out the hash */ + XMEMCPY(hash, sig + x, hLen); + x += hLen; + + /* check the MSB */ + if ((sig[0] & ~(0xFF >> ((modulus_len << 3) - (modulus_bitlen - 1)))) != + 0) { + err = CRYPT_INVALID_PACKET; + goto LBL_ERR; + } + + /* generate mask of length modulus_len - hLen - 1 from hash */ + if ((err = + pkcs_1_mgf1(hash_algo, hash, hLen, mask, + modulus_len - hLen - 1)) != CRYPT_OK) { + goto LBL_ERR; + } + + /* xor against DB */ + for (y = 0; y < (modulus_len - hLen - 1); y++) { + DB[y] ^= mask[y]; + } + + /* now clear the first byte [make sure smaller than modulus] */ + DB[0] &= 0xFF >> ((modulus_len << 3) - (modulus_bitlen - 1)); + + /* DB = PS || 0x01 || salt, PS == modulus_len - saltlen - hLen - 2 zero bytes */ + + /* check for zeroes and 0x01 */ + for (x = 0; x < modulus_len - saltlen - hLen - 2; x++) { + if (DB[x] != 0x00) { + err = CRYPT_INVALID_PACKET; + goto LBL_ERR; + } + } + + /* check for the 0x01 */ + if (DB[x++] != 0x01) { + err = CRYPT_INVALID_PACKET; + goto LBL_ERR; + } + + zeromem(mask, 8); + + /* M = (eight) 0x00 || msghash || salt, mask = H(M) */ + err = + hash_memory_multi(hash_algo, mask, &hLen, mask, (unsigned long)8, + msghash, (unsigned long)msghashlen, DB + x, + (unsigned long)saltlen, NULL, 0); + if (err != CRYPT_OK) { + goto LBL_ERR; + } + + /* mask == hash means valid signature */ + if (XMEMCMP(mask, hash, hLen) == 0) { + *res = 1; + } + + err = CRYPT_OK; LBL_ERR: #ifdef LTC_CLEAN_STACK - zeromem(DB, modulus_len); - zeromem(mask, modulus_len); - zeromem(salt, modulus_len); - zeromem(hash, modulus_len); + zeromem(DB, modulus_len); + zeromem(mask, modulus_len); + zeromem(salt, modulus_len); + zeromem(hash, modulus_len); #endif - XFREE(hash); - XFREE(salt); - XFREE(mask); - XFREE(DB); + XFREE(hash); + XFREE(salt); + XFREE(mask); + XFREE(DB); - return err; + return err; } #endif /* LTC_PKCS_1 */ |