ni...@lysator.liu.se (Niels Möller) writes:
Thank you for the detailed comments. Please find attached the updated
patches.
>> + mgf1.h \
>
> mgf1.h is intended as a public, rather than internal, header? Maybe
> rename to pss-mgf1.h, unless you foresee some non-pss use for it.
RSA-OAEP could also use it, though I am not sure if it is worth being
supported.
>> index 0000000..11e908c
>> --- /dev/null
>> +++ b/mgf1-sha256.c
>> +int
>> +mgf1_sha256(const struct sha256_ctx *hash, size_t mask_length, uint8_t
>> *mask)
>
> Rename first argument "seed", for consistency with the mgf1 function.
> "hash" is generally used for struct nettle_hash, using it for a context
> struct is a bit confusing. (And similarly for the other functions
> mgf1_sha* functions).
I removed mgf1_sha* functions and made the mgf1 function more generic,
based on the suggestion below for pss_sha*_encode. The interface now
looks like:
void
mgf1(const void *seed, const struct nettle_hash *hash,
size_t length, uint8_t *mask);
>> --- /dev/null
>> +++ b/mgf1.c
>> @@ -0,0 +1,72 @@
>> +/* mgf1.c
>
>> +#define MGF1_MIN(a,b) ((a) < (b) ? (a) : (b))
>
> Could consider moving the definition to macros.h or nettle-internal.h
> (I'm a bit surprised a macro like this isn't defined already, from a
> quick search, there's only GMP_MIN in mini-gmp.c, which isn't visible
> here).
After rewriting the loop, the macro is no longer necessary. I just
removed it.
>> +
>> +int
>> +mgf1(void *seed, void *state, const struct nettle_hash *hash,
>
> I think seed should be declared as const void *.
Sure, fixed.
>> + c[0] = (i >> 24) & 0xFF;
>> + c[1] = (i >> 16) & 0xFF;
>> + c[2] = (i >> 8) & 0xFF;
>> + c[3] = i & 0xFF;
>
> Use the WRITE_UINT32 macro.
Done.
>> + memcpy(state, seed, hash->context_size);
>> + hash->update(state, 4, c);
>> + hash->digest(state, hash->digest_size, h);
>> + memcpy(p, h, MGF1_MIN(hash->digest_size, mask_length - (p - mask)));
>
> No need for the second memcpy, just pass the desired length to hash->digest.
Done.
> Also, I'd consider rewriting the loop to decrement mask_length as you go
> (and rename it to just length). Then you may also be able to eliminate
> the blocks variable. You might also want to handle the final iteration
> specially (there are a couple of ways to do that, not sure what's
> cleanest), then you get rid of the MIN conditional. You might be able to
> get some ideas from the pbkdf2 function.
>
> And unless you really need the original value of mask around, I think it
> makes the code simpler to update it throughout the loop too, and
> eliminate the extra loop variable p.
Thank you, those changes made the code much simpler.
>> --- /dev/null
>> +++ b/pss-sha256.c
>> @@ -0,0 +1,64 @@
>> +/* pss.c
>
> I admit filenames in this place are of questionable utility. But this
> one is not correct.
I removed pss-sha*.c, in favor of consolidating them into
the generic pss_{encode,verify}_mgf1 functions.
>> +int
>> +pss_sha256_encode(mpz_t m, size_t bits,
>> + size_t salt_length, const uint8_t *salt,
>> + const uint8_t *digest)
>> +{
>> + struct sha256_ctx state;
>> + return pss_encode(m, bits,
>> + &state, &nettle_sha256,
>> + (nettle_mgf_func *) mgf1_sha256,
>
> Since you pass &nettle_sha256 as an argument here, do you really need
> the specialized function mgf1_sha256 at all? Couldn't pss_encode use
> the generic mgf1 directly? If this loss of generality seems like a
> problem, pss_encode could be renamed to pss_encode_mgf1.
Done.
>> --- /dev/null
>> +++ b/pss.c
>> +int
>> +pss_encode(mpz_t m, size_t bits,
>> + void *state, const struct nettle_hash *hash,
>
> Is state needed by the callers? If not, allocate it locally here (using
> TMP_ALLOC and hash->context_size. If we need a NETTLE_MAX_HASH_CONTEXT_SIZE,
> we could add that in some way, preferably as a separate patch with some
> sanity check which could go in testsuite/meta-hash-test).
I am attaching a separate patch for this.
> It would be nice with some comments summarizing how pss_encode and
> pss_verify relate.
Done.
>> + /* Check if H' = H. */
>> + if (memcmp(h2, h, hash->digest_size) != 0)
>> + {
>> + TMP_GMP_FREE(em);
>> + return 0;
>> + }
>
> You could add a fail: label and use goto, to avoid repeating this block
> lots of times. Also there are lots of different ways this function can
> fail. What are the consequences if one of the falure cases is handled
> incorrectly, do we need tests for them all?
>
>> --- /dev/null
>> +++ b/testsuite/pss-test.c
>> @@ -0,0 +1,35 @@
>> +#include "testutils.h"
>> +
>> +#include "pss.h"
>> +
>> +void
>> +test_main(void)
>> +{
>> + struct tstring *salt;
>> + struct tstring *digest;
>> + mpz_t m;
>> + mpz_t expected;
>> + int ret;
>> +
>> + mpz_init(m);
>> + mpz_init(expected);
>> +
>> + salt = SHEX("11223344556677889900");
>> + /* From sha256-test.c */
>> + digest = SHEX("ba7816bf8f01cfea 414140de5dae2223"
>> + "b00361a396177a9c b410ff61f20015ad");
>> + ret = pss_sha256_encode(m, 1024, salt->length, salt->data, digest->data);
>> + ASSERT(ret == 1);
>> +
>> + mpz_set_str(expected,
>> + "76b9a52705c8382c5367732f993184eff340b6305c9f73e7e308c8"
>> + "004fcc15cbbaab01e976bae4b774628595379a2d448a36b3ea6fa8"
>> + "353b97eeea7bdac93b4b7807ac98cd4b3bebfb31f3718e1dd3625f"
>> + "227fbb8696606498e7070e21c3cbbd7386ea20eb81ac7927e0c6d1"
>> + "d7788826a63af767f301bcc05dd65b00da862cbc", 16);
>
> Nice with unit tests for this function too. Thanks! Are there any
> official test vectors?
There are (historical?) test vectors from RSA for these intermediate
primitives:
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2-vec.zip
The reason I didn't use them was that those test vectors use SHA-1 as
the underlying hash algorithm, while the previous patch only provides
SHA-2 variants of the pss_*_encode() functions.
Now that the generic pss_encode_mgf1() is provided, it is possible to
use SHA-1 in the tests, so I just added them.
>> + ASSERT(mpz_cmp(m, expected) == 0);
>> +
>> + ret = pss_sha256_verify(m, 1024, salt->length, digest->data);
>> + ASSERT(ret == 1);
>
> Simpler with just ASSERT(pss_sha256_verify(...));
Done.
> Some test also for the failure case is desirable. Three reasonably
> simple checks are to try flipping some bit of m, digest or salt and
> check that it returns failure.
Done.
Regards,
--
Daiki Ueno
>From c254abe6d87e2342556f67d8f04dee411090c243 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <du...@redhat.com>
Date: Mon, 13 Mar 2017 16:32:11 +0100
Subject: [PATCH 1/3] New constant NETTLE_MAX_HASH_CONTEXT_SIZE
Signed-off-by: Daiki Ueno <du...@redhat.com>
---
nettle-internal.h | 1 +
testsuite/meta-hash-test.c | 5 ++++-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/nettle-internal.h b/nettle-internal.h
index 4e3098b..47b35c2 100644
--- a/nettle-internal.h
+++ b/nettle-internal.h
@@ -54,6 +54,7 @@
/* Arbitrary limits which apply to systems that don't have alloca */
#define NETTLE_MAX_HASH_BLOCK_SIZE 128
#define NETTLE_MAX_HASH_DIGEST_SIZE 64
+#define NETTLE_MAX_HASH_CONTEXT_SIZE 512
#define NETTLE_MAX_SEXP_ASSOC 17
#define NETTLE_MAX_CIPHER_BLOCK_SIZE 32
diff --git a/testsuite/meta-hash-test.c b/testsuite/meta-hash-test.c
index 0dcd1b9..d12b5fd 100644
--- a/testsuite/meta-hash-test.c
+++ b/testsuite/meta-hash-test.c
@@ -35,6 +35,9 @@ test_main(void)
j++;
ASSERT(j == count); /* we are not missing testing any hashes */
for (j = 0; NULL != nettle_hashes[j]; j++)
- ASSERT(nettle_hashes[j]->digest_size <= NETTLE_MAX_HASH_DIGEST_SIZE);
+ {
+ ASSERT(nettle_hashes[j]->digest_size <= NETTLE_MAX_HASH_DIGEST_SIZE);
+ ASSERT(nettle_hashes[j]->context_size <= NETTLE_MAX_HASH_CONTEXT_SIZE);
+ }
}
--
2.9.3
>From f31e7146a0cb7f1dec85df86edb1b6669068722a Mon Sep 17 00:00:00 2001
From: Daiki Ueno <du...@redhat.com>
Date: Thu, 23 Feb 2017 11:30:27 +0100
Subject: [PATCH 2/3] Implement PSS encoding functions
Signed-off-by: Daiki Ueno <du...@redhat.com>
---
Makefile.in | 5 +-
mgf1.c | 73 ++++++++++++++++++
mgf1.h | 58 ++++++++++++++
pss.c | 184 +++++++++++++++++++++++++++++++++++++++++++++
pss.h | 67 +++++++++++++++++
testsuite/.test-rules.make | 6 ++
testsuite/Makefile.in | 4 +-
testsuite/mgf1-test.c | 37 +++++++++
testsuite/pss-test.c | 101 +++++++++++++++++++++++++
9 files changed, 532 insertions(+), 3 deletions(-)
create mode 100644 mgf1.c
create mode 100644 mgf1.h
create mode 100644 pss.c
create mode 100644 pss.h
create mode 100644 testsuite/mgf1-test.c
create mode 100644 testsuite/pss-test.c
diff --git a/Makefile.in b/Makefile.in
index 135542f..0ce539b 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -110,6 +110,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
md2.c md2-meta.c md4.c md4-meta.c \
md5.c md5-compress.c md5-compat.c md5-meta.c \
memeql-sec.c memxor.c memxor3.c \
+ mgf1.c \
nettle-meta-aeads.c nettle-meta-armors.c \
nettle-meta-ciphers.c nettle-meta-hashes.c \
pbkdf2.c pbkdf2-hmac-sha1.c pbkdf2-hmac-sha256.c \
@@ -144,6 +145,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
pkcs1.c pkcs1-encrypt.c pkcs1-decrypt.c \
pkcs1-rsa-digest.c pkcs1-rsa-md5.c pkcs1-rsa-sha1.c \
pkcs1-rsa-sha256.c pkcs1-rsa-sha512.c \
+ pss.c \
rsa.c rsa-sign.c rsa-sign-tr.c rsa-verify.c \
rsa-pkcs1-sign.c rsa-pkcs1-sign-tr.c rsa-pkcs1-verify.c \
rsa-md5-sign.c rsa-md5-sign-tr.c rsa-md5-verify.c \
@@ -194,9 +196,10 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \
md2.h md4.h \
md5.h md5-compat.h \
memops.h memxor.h \
+ mgf1.h \
nettle-meta.h nettle-types.h \
pbkdf2.h \
- pgp.h pkcs1.h realloc.h ripemd160.h rsa.h \
+ pgp.h pkcs1.h pss.h realloc.h ripemd160.h rsa.h \
salsa20.h sexp.h \
serpent.h sha.h sha1.h sha2.h sha3.h twofish.h \
umac.h yarrow.h poly1305.h
diff --git a/mgf1.c b/mgf1.c
new file mode 100644
index 0000000..1669864
--- /dev/null
+++ b/mgf1.c
@@ -0,0 +1,73 @@
+/* mgf1.c
+
+ PKCS#1 mask generation function 1 (RFC-3447).
+
+ Copyright (C) 2017 Daiki Ueno
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "mgf1.h"
+
+#include <assert.h>
+#include <string.h>
+
+#include "nettle-internal.h"
+#include "macros.h"
+
+void
+mgf1(const void *seed, const struct nettle_hash *hash,
+ size_t length, uint8_t *mask)
+{
+ TMP_DECL(h, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE);
+ TMP_DECL(state, uint8_t, NETTLE_MAX_HASH_CONTEXT_SIZE);
+ size_t i;
+ uint8_t c[4];
+
+ TMP_ALLOC(h, hash->digest_size);
+ TMP_ALLOC(state, hash->context_size);
+
+ for (i = 0;;
+ i++, mask += hash->digest_size, length -= hash->digest_size)
+ {
+ WRITE_UINT32(c, i);
+
+ memcpy(state, seed, hash->context_size);
+ hash->update(state, 4, c);
+
+ if (length <= hash->digest_size)
+ {
+ hash->digest(state, length, mask);
+ return;
+ }
+ hash->digest(state, hash->digest_size, mask);
+ }
+}
diff --git a/mgf1.h b/mgf1.h
new file mode 100644
index 0000000..0eedd58
--- /dev/null
+++ b/mgf1.h
@@ -0,0 +1,58 @@
+/* mgf1.h
+
+ PKCS#1 mask generation function 1 (RFC-3447).
+
+ Copyright (C) 2017 Daiki Ueno
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_MGF1_H_INCLUDED
+#define NETTLE_MGF1_H_INCLUDED
+
+#include "nettle-meta.h"
+
+#include "sha1.h"
+#include "sha2.h"
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+/* Namespace mangling */
+#define mgf1 nettle_mgf1
+
+void
+mgf1(const void *seed, const struct nettle_hash *hash,
+ size_t length, uint8_t *mask);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_MGF1_H_INCLUDED */
diff --git a/pss.c b/pss.c
new file mode 100644
index 0000000..0e21320
--- /dev/null
+++ b/pss.c
@@ -0,0 +1,184 @@
+/* pss.c
+
+ PKCS#1 RSA-PSS padding (RFC-3447).
+
+ Copyright (C) 2017 Daiki Ueno
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+#include <string.h>
+
+#include "pss.h"
+
+#include "bignum.h"
+#include "gmp-glue.h"
+
+#include "memxor.h"
+#include "nettle-internal.h"
+
+static const uint8_t pss_masks[8] = {
+ 0xFF, 0x7F, 0x3F, 0x1F, 0xF, 0x7, 0x3, 0x1
+};
+
+int
+pss_encode_mgf1(mpz_t m, size_t bits,
+ const struct nettle_hash *hash,
+ size_t salt_length, const uint8_t *salt,
+ const uint8_t *digest)
+{
+ TMP_GMP_DECL(em, uint8_t);
+ TMP_DECL(state, uint8_t, NETTLE_MAX_HASH_CONTEXT_SIZE);
+ uint8_t pad[8];
+ size_t key_size = (bits + 7) / 8;
+ size_t j;
+
+ TMP_GMP_ALLOC(em, key_size);
+ TMP_ALLOC(state, hash->context_size);
+
+ if (key_size < hash->digest_size + salt_length + 2)
+ {
+ TMP_GMP_FREE(em);
+ return 0;
+ }
+
+ /* Compute M'. */
+ hash->init(state);
+ memset(pad, 0, 8);
+ hash->update(state, 8, pad);
+ hash->update(state, hash->digest_size, digest);
+ hash->update(state, salt_length, salt);
+
+ /* Store H in EM, right after maskedDB. */
+ hash->digest(state, hash->digest_size, em + key_size - hash->digest_size - 1);
+
+ /* Compute dbMask. */
+ hash->init(state);
+ hash->update(state, hash->digest_size, em + key_size - hash->digest_size - 1);
+
+ mgf1(state, hash, key_size - hash->digest_size - 1, em);
+
+ /* Compute maskedDB and store it in front of H in EM. */
+ for (j = 0; j < key_size - salt_length - hash->digest_size - 2; j++)
+ em[j] ^= 0;
+ em[j++] ^= 1;
+ memxor(em + j, salt, salt_length);
+ j += salt_length;
+
+ /* Store the trailer field following H. */
+ j += hash->digest_size;
+ *(em + j) = 0xbc;
+
+ /* Clear the leftmost 8 * emLen - emBits of the leftmost octet in EM. */
+ *em &= pss_masks[(8 * key_size - bits)];
+
+ nettle_mpz_set_str_256_u(m, key_size, em);
+ TMP_GMP_FREE(em);
+ return 1;
+}
+
+int
+pss_verify_mgf1(mpz_t m, size_t bits,
+ const struct nettle_hash *hash,
+ size_t salt_length,
+ const uint8_t *digest)
+{
+ TMP_GMP_DECL(em, uint8_t);
+ TMP_DECL(h2, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE);
+ TMP_DECL(state, uint8_t, NETTLE_MAX_HASH_CONTEXT_SIZE);
+ uint8_t pad[8], *h, *db, *salt;
+ size_t key_size = (bits + 7) / 8;
+ size_t j;
+
+ /* Allocate twice the key size to store the intermediate data DB
+ * following the EM value. */
+ TMP_GMP_ALLOC(em, key_size * 2);
+
+ TMP_ALLOC(h2, hash->digest_size);
+ TMP_ALLOC(state, hash->context_size);
+
+ if (key_size < hash->digest_size + salt_length + 2)
+ goto fail;
+
+ nettle_mpz_get_str_256(key_size, em, m);
+
+ /* Check the trailer field. */
+ if (em[key_size - 1] != 0xbc)
+ goto fail;
+
+ /* Extract H. */
+ h = em + (key_size - hash->digest_size - 1);
+
+ /* Check if the leftmost 8 * emLen - emBits bits of the leftmost
+ * octet of EM are all equal to zero. */
+ if ((*em & ~pss_masks[(8 * key_size - bits)]) != 0)
+ goto fail;
+
+ /* Compute dbMask. */
+ hash->init(state);
+ hash->update(state, hash->digest_size, h);
+
+ db = em + key_size;
+ mgf1(state, hash, key_size - hash->digest_size - 1, db);
+
+ /* Compute DB. */
+ memxor(db, em, key_size - hash->digest_size - 1);
+
+ *db &= pss_masks[(8 * key_size - bits)];
+ for (j = 0; j < key_size - salt_length - hash->digest_size - 2; j++)
+ if (db[j] != 0)
+ goto fail;
+
+ /* Check the octet right after PS is 0x1. */
+ if (db[j] != 0x1)
+ goto fail;
+ salt = db + j + 1;
+
+ /* Compute H'. */
+ memset(pad, 0, 8);
+ hash->init(state);
+ hash->update(state, 8, pad);
+ hash->update(state, hash->digest_size, digest);
+ hash->update(state, salt_length, salt);
+ hash->digest(state, hash->digest_size, h2);
+
+ /* Check if H' = H. */
+ if (memcmp(h2, h, hash->digest_size) != 0)
+ goto fail;
+
+ TMP_GMP_FREE(em);
+ return 1;
+
+ fail:
+ TMP_GMP_FREE(em);
+ return 0;
+}
diff --git a/pss.h b/pss.h
new file mode 100644
index 0000000..f0bff1b
--- /dev/null
+++ b/pss.h
@@ -0,0 +1,67 @@
+/* pss.h
+
+ PKCS#1 RSA-PSS (RFC-3447).
+
+ Copyright (C) 2017 Daiki Ueno
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_PSS_H_INCLUDED
+#define NETTLE_PSS_H_INCLUDED
+
+#include "nettle-types.h"
+#include "bignum.h"
+
+#include "mgf1.h"
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+/* Namespace mangling */
+#define pss_encode_mgf1 nettle_pss_encode_mgf1
+#define pss_verify_mgf1 nettle_pss_verify_mgf1
+
+int
+pss_encode_mgf1(mpz_t m, size_t bits,
+ const struct nettle_hash *hash,
+ size_t salt_length, const uint8_t *salt,
+ const uint8_t *digest);
+
+int
+pss_verify_mgf1(mpz_t m, size_t bits,
+ const struct nettle_hash *hash,
+ size_t salt_length,
+ const uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_PSS_H_INCLUDED */
diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make
index b263e1f..2b4499f 100644
--- a/testsuite/.test-rules.make
+++ b/testsuite/.test-rules.make
@@ -157,6 +157,9 @@ yarrow-test$(EXEEXT): yarrow-test.$(OBJEXT)
pbkdf2-test$(EXEEXT): pbkdf2-test.$(OBJEXT)
$(LINK) pbkdf2-test.$(OBJEXT) $(TEST_OBJS) -o pbkdf2-test$(EXEEXT)
+mgf1-test$(EXEEXT): mgf1-test.$(OBJEXT)
+ $(LINK) mgf1-test.$(OBJEXT) $(TEST_OBJS) -o mgf1-test$(EXEEXT)
+
sexp-test$(EXEEXT): sexp-test.$(OBJEXT)
$(LINK) sexp-test.$(OBJEXT) $(TEST_OBJS) -o sexp-test$(EXEEXT)
@@ -178,6 +181,9 @@ random-prime-test$(EXEEXT): random-prime-test.$(OBJEXT)
pkcs1-test$(EXEEXT): pkcs1-test.$(OBJEXT)
$(LINK) pkcs1-test.$(OBJEXT) $(TEST_OBJS) -o pkcs1-test$(EXEEXT)
+pss-test$(EXEEXT): pss-test.$(OBJEXT)
+ $(LINK) pss-test.$(OBJEXT) $(TEST_OBJS) -o pss-test$(EXEEXT)
+
rsa-sign-tr-test$(EXEEXT): rsa-sign-tr-test.$(OBJEXT)
$(LINK) rsa-sign-tr-test.$(OBJEXT) $(TEST_OBJS) -o rsa-sign-tr-test$(EXEEXT)
diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in
index 689d432..4a9604f 100644
--- a/testsuite/Makefile.in
+++ b/testsuite/Makefile.in
@@ -30,12 +30,12 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \
hmac-test.c umac-test.c \
meta-hash-test.c meta-cipher-test.c\
meta-aead-test.c meta-armor-test.c \
- buffer-test.c yarrow-test.c pbkdf2-test.c
+ buffer-test.c yarrow-test.c pbkdf2-test.c mgf1-test.c
TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \
rsa2sexp-test.c sexp2rsa-test.c \
bignum-test.c random-prime-test.c \
- pkcs1-test.c rsa-sign-tr-test.c \
+ pkcs1-test.c pss-test.c rsa-sign-tr-test.c \
rsa-test.c rsa-encrypt-test.c rsa-keygen-test.c \
dsa-test.c dsa-keygen-test.c \
curve25519-dh-test.c \
diff --git a/testsuite/mgf1-test.c b/testsuite/mgf1-test.c
new file mode 100644
index 0000000..89be4b1
--- /dev/null
+++ b/testsuite/mgf1-test.c
@@ -0,0 +1,37 @@
+#include "testutils.h"
+#include "mgf1.h"
+
+void
+test_main(void)
+{
+ struct sha1_ctx sha1ctx;
+ struct sha256_ctx sha256ctx;
+ const struct tstring *seed, *expected;
+ uint8_t mask[120];
+
+ /* Test vector from:
+ * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2-vec.zip */
+ seed = SHEX("df1a896f9d8bc816d97cd7a2c43bad54"
+ "6fbe8cfe");
+ expected = SHEX("66e4672e836ad121ba244bed6576b867d9a447c28a6e66a5b87dee"
+ "7fbc7e65af5057f86fae8984d9ba7f969ad6fe02a4d75f7445fefd"
+ "d85b6d3a477c28d24ba1e3756f792dd1dce8ca94440ecb5279ecd3"
+ "183a311fc89739a96643136e8b0f465e87a4535cd4c59b10028d");
+ sha1_init(&sha1ctx);
+ sha1_update(&sha1ctx, seed->length, seed->data);
+ mgf1(&sha1ctx, &nettle_sha1, expected->length, mask);
+ ASSERT(MEMEQ (expected->length, mask, expected->data));
+
+ /* Test with our own data. */
+ seed = SDATA("abc");
+ expected = SHEX("cf2db1ac9867debdf8ce91f99f141e5544bf26ca36b3fd4f8e4035"
+ "eec42cab0d46c386ebccef82ba0bb0b095aaa5548b03cdff695187"
+ "1c6fb505af68af688332f885d324a47d2145a3d8392c37978d7dc9"
+ "84c95728950c4cf3de6becc59e60ea506951bd40e6de3863095064"
+ "3ab2edbb47dc66cb54beb2d1");
+
+ sha256_init(&sha256ctx);
+ sha256_update(&sha256ctx, seed->length, seed->data);
+ mgf1(&sha256ctx, &nettle_sha256, expected->length, mask);
+ ASSERT(MEMEQ (expected->length, mask, expected->data));
+}
diff --git a/testsuite/pss-test.c b/testsuite/pss-test.c
new file mode 100644
index 0000000..b4cfa0a
--- /dev/null
+++ b/testsuite/pss-test.c
@@ -0,0 +1,101 @@
+#include "testutils.h"
+
+#include "pss.h"
+
+#if HAVE_VALGRIND_MEMCHECK_H
+# include <valgrind/memcheck.h>
+
+static void
+test_unmark_mpz(mpz_t m)
+{
+ VALGRIND_MAKE_MEM_DEFINED (&m->_mp_alloc, sizeof(m->_mp_alloc));
+ VALGRIND_MAKE_MEM_DEFINED (&m->_mp_size, sizeof(m->_mp_size));
+ VALGRIND_MAKE_MEM_DEFINED (&m->_mp_d, sizeof(mp_limb_t) * m->_mp_alloc);
+}
+
+static int
+pss_encode_mgf1_for_test(mpz_t m, size_t bits,
+ const struct nettle_hash *hash,
+ size_t salt_length, const uint8_t *salt,
+ const uint8_t *digest)
+{
+ int res;
+
+ /* Makes valgrind trigger on any branches depending on the input
+ data. */
+ VALGRIND_MAKE_MEM_UNDEFINED (salt, salt_length);
+ VALGRIND_MAKE_MEM_UNDEFINED (digest, hash->digest_size);
+
+ res = pss_encode_mgf1 (m, bits, hash, salt_length, salt, digest);
+ VALGRIND_MAKE_MEM_DEFINED (&res, sizeof(res));
+ test_unmark_mpz (m);
+ return res;
+}
+#else
+#define pss_encode_mgf1_for_test pss_encode_mgf1
+#endif
+
+void
+test_main(void)
+{
+ struct tstring *salt;
+ struct tstring *digest;
+ mpz_t m;
+ mpz_t expected;
+ int ret;
+
+ /* Test vector from:
+ * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2-vec.zip */
+ mpz_init(m);
+ mpz_init(expected);
+
+ salt = SHEX("e3b5d5d002c1bce50c2b65ef88a188d83bce7e61");
+ digest = SHEX("37b66ae0445843353d47ecb0b4fd14c110e62d6a");
+ ret = pss_encode_mgf1(m, 1024, &nettle_sha1,
+ salt->length, salt->data, digest->data);
+ ASSERT(ret == 1);
+
+ mpz_set_str(expected,
+ "66e4672e836ad121ba244bed6576b867d9a447c28a6e66a5b87dee"
+ "7fbc7e65af5057f86fae8984d9ba7f969ad6fe02a4d75f7445fefd"
+ "d85b6d3a477c28d24ba1e3756f792dd1dce8ca94440ecb5279ecd3"
+ "183a311fc896da1cb39311af37ea4a75e24bdbfd5c1da0de7cecdf"
+ "1a896f9d8bc816d97cd7a2c43bad546fbe8cfebc", 16);
+
+ ASSERT(mpz_cmp(m, expected) == 0);
+
+ ret = pss_verify_mgf1(m, 1024, &nettle_sha1,
+ salt->length, digest->data);
+ ASSERT(ret == 1);
+
+ mpz_clear(m);
+ mpz_clear(expected);
+
+ /* Test with our own data. */
+ mpz_init(m);
+ mpz_init(expected);
+
+ salt = SHEX("11223344556677889900");
+ /* From sha256-test.c */
+ digest = SHEX("ba7816bf8f01cfea 414140de5dae2223"
+ "b00361a396177a9c b410ff61f20015ad");
+ ret = pss_encode_mgf1(m, 1024, &nettle_sha256,
+ salt->length, salt->data, digest->data);
+ ASSERT(ret == 1);
+
+ mpz_set_str(expected,
+ "76b9a52705c8382c5367732f993184eff340b6305c9f73e7e308c8"
+ "004fcc15cbbaab01e976bae4b774628595379a2d448a36b3ea6fa8"
+ "353b97eeea7bdac93b4b7807ac98cd4b3bebfb31f3718e1dd3625f"
+ "227fbb8696606498e7070e21c3cbbd7386ea20eb81ac7927e0c6d1"
+ "d7788826a63af767f301bcc05dd65b00da862cbc", 16);
+
+ ASSERT(mpz_cmp(m, expected) == 0);
+
+ ret = pss_verify_mgf1(m, 1024, &nettle_sha256,
+ salt->length, digest->data);
+ ASSERT(ret == 1);
+
+ mpz_clear(m);
+ mpz_clear(expected);
+}
--
2.9.3
>From 24e167c4b32abd228b35050217d05a6bc72092e2 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <du...@redhat.com>
Date: Thu, 2 Mar 2017 14:34:54 +0100
Subject: [PATCH 3/3] Add PSS variants for RSA sign/verify functions
Signed-off-by: Daiki Ueno <du...@redhat.com>
---
Makefile.in | 2 +
nettle.texinfo | 30 ++++
rsa-pss-sha256-sign-tr.c | 64 ++++++++
rsa-pss-sha256-verify.c | 60 +++++++
rsa-pss-sha512-sign-tr.c | 87 +++++++++++
rsa-pss-sha512-verify.c | 79 ++++++++++
rsa-verify.c | 14 ++
rsa.h | 55 +++++++
testsuite/.test-rules.make | 3 +
testsuite/Makefile.in | 1 +
testsuite/rsa-pss-sign-tr-test.c | 327 +++++++++++++++++++++++++++++++++++++++
11 files changed, 722 insertions(+)
create mode 100644 rsa-pss-sha256-sign-tr.c
create mode 100644 rsa-pss-sha256-verify.c
create mode 100644 rsa-pss-sha512-sign-tr.c
create mode 100644 rsa-pss-sha512-verify.c
create mode 100644 testsuite/rsa-pss-sign-tr-test.c
diff --git a/Makefile.in b/Makefile.in
index 0ce539b..9b16f95 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -152,6 +152,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \
rsa-sha1-sign.c rsa-sha1-sign-tr.c rsa-sha1-verify.c \
rsa-sha256-sign.c rsa-sha256-sign-tr.c rsa-sha256-verify.c \
rsa-sha512-sign.c rsa-sha512-sign-tr.c rsa-sha512-verify.c \
+ rsa-pss-sha256-sign-tr.c rsa-pss-sha256-verify.c \
+ rsa-pss-sha512-sign-tr.c rsa-pss-sha512-verify.c \
rsa-encrypt.c rsa-decrypt.c rsa-decrypt-tr.c \
rsa-keygen.c rsa-blind.c \
rsa2sexp.c sexp2rsa.c \
diff --git a/nettle.texinfo b/nettle.texinfo
index 9cfaf43..529a8e6 100644
--- a/nettle.texinfo
+++ b/nettle.texinfo
@@ -3770,6 +3770,36 @@ of the digest together with an object identifier for the used hash
algorithm.
@end deftypefun
+While the above functions for the RSA signature operations use the
+@cite{PKCS#1} padding scheme, Nettle also provides the variants based on
+the PSS padding scheme, specified in @cite{RFC 3447}.
+
+Creating an RSA signature with the PSS padding scheme is done with one
+of the following functions:
+
+@deftypefun int rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature})
+@deftypefunx int rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature})
+@deftypefunx int rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature})
+Creates a signature using the PSS padding scheme. @var{salt} should
+point to a salt string of size @var{salt_length}. @var{digest} should
+point to a digest of size @code{SHA256_DIGEST_SIZE},
+@code{SHA384_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE}respectively. The
+signature is stored in @var{signature} (which must have been
+@code{mpz_init}:ed earlier).
+Returns one on success, or zero on failure.
+@end deftypefun
+
+Verifying an RSA signature with the PSS padding scheme is done with one
+of the following functions:
+
+@deftypefun int rsa_pss_sha256_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature})
+@deftypefunx int rsa_pss_sha384_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature})
+@deftypefunx int rsa_pss_sha512_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature})
+Returns 1 if the signature is valid, or 0 if it isn't. @var{digest}
+should point to a digest of size @code{SHA256_DIGEST_SIZE},
+@code{SHA384_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE} respectively.
+@end deftypefun
+
The following function is used to encrypt a clear text message using RSA.
@deftypefun int rsa_encrypt (const struct rsa_public_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{length}, const uint8_t *@var{cleartext}, mpz_t @var{ciphertext})
Returns 1 on success, 0 on failure. If the message is too long then this
diff --git a/rsa-pss-sha256-sign-tr.c b/rsa-pss-sha256-sign-tr.c
new file mode 100644
index 0000000..b17e40e
--- /dev/null
+++ b/rsa-pss-sha256-sign-tr.c
@@ -0,0 +1,64 @@
+/* rsa-pss-sha256-sign-tr.c
+
+ Signatures using RSA and SHA-256, with PSS padding.
+
+ Copyright (C) 2017 Daiki Ueno
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "pss.h"
+
+int
+rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+ size_t salt_length, const uint8_t *salt,
+ const uint8_t *digest,
+ mpz_t s)
+{
+ mpz_t m;
+ int res;
+
+ mpz_init (m);
+
+ res = (pss_encode_mgf1(m, mpz_sizeinbase(pub->n, 2) - 1, &nettle_sha256,
+ salt_length, salt, digest)
+ && rsa_compute_root_tr (pub, key,
+ random_ctx, random,
+ s, m));
+
+ mpz_clear (m);
+ return res;
+}
diff --git a/rsa-pss-sha256-verify.c b/rsa-pss-sha256-verify.c
new file mode 100644
index 0000000..81bc4e6
--- /dev/null
+++ b/rsa-pss-sha256-verify.c
@@ -0,0 +1,60 @@
+/* rsa-pss-sha256-verify.c
+
+ Verifying signatures created with RSA and SHA-256, with PSS padding.
+
+ Copyright (C) 2017 Daiki Ueno
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "pss.h"
+
+int
+rsa_pss_sha256_verify_digest(const struct rsa_public_key *key,
+ size_t salt_length,
+ const uint8_t *digest,
+ const mpz_t signature)
+{
+ int res;
+ mpz_t m;
+
+ mpz_init (m);
+
+ res = (_rsa_verify_recover(key, m, signature) &&
+ pss_verify_mgf1(m, mpz_sizeinbase(key->n, 2) - 1, &nettle_sha256,
+ salt_length, digest));
+
+ mpz_clear (m);
+ return res;
+}
diff --git a/rsa-pss-sha512-sign-tr.c b/rsa-pss-sha512-sign-tr.c
new file mode 100644
index 0000000..59536d6
--- /dev/null
+++ b/rsa-pss-sha512-sign-tr.c
@@ -0,0 +1,87 @@
+/* rsa-pss-sha512-sign-tr.c
+
+ Signatures using RSA and SHA-384/SHA-512, with PSS padding.
+
+ Copyright (C) 2017 Daiki Ueno
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "pss.h"
+
+int
+rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+ size_t salt_length, const uint8_t *salt,
+ const uint8_t *digest,
+ mpz_t s)
+{
+ mpz_t m;
+ int res;
+
+ mpz_init (m);
+
+ res = (pss_encode_mgf1(m, mpz_sizeinbase(pub->n, 2) - 1, &nettle_sha384,
+ salt_length, salt, digest)
+ && rsa_compute_root_tr (pub, key,
+ random_ctx, random,
+ s, m));
+
+ mpz_clear (m);
+ return res;
+}
+
+int
+rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+ size_t salt_length, const uint8_t *salt,
+ const uint8_t *digest,
+ mpz_t s)
+{
+ mpz_t m;
+ int res;
+
+ mpz_init (m);
+
+ res = (pss_encode_mgf1(m, mpz_sizeinbase(pub->n, 2) - 1, &nettle_sha512,
+ salt_length, salt, digest)
+ && rsa_compute_root_tr (pub, key,
+ random_ctx, random,
+ s, m));
+
+ mpz_clear (m);
+ return res;
+}
diff --git a/rsa-pss-sha512-verify.c b/rsa-pss-sha512-verify.c
new file mode 100644
index 0000000..34f8e81
--- /dev/null
+++ b/rsa-pss-sha512-verify.c
@@ -0,0 +1,79 @@
+/* rsa-pss-sha512-verify.c
+
+ Verifying signatures created with RSA and SHA-384/SHA-512, with PSS padding.
+
+ Copyright (C) 2017 Daiki Ueno
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "pss.h"
+
+int
+rsa_pss_sha384_verify_digest(const struct rsa_public_key *key,
+ size_t salt_length,
+ const uint8_t *digest,
+ const mpz_t signature)
+{
+ int res;
+ mpz_t m;
+
+ mpz_init (m);
+
+ res = (_rsa_verify_recover(key, m, signature) &&
+ pss_verify_mgf1(m, mpz_sizeinbase(key->n, 2) - 1, &nettle_sha384,
+ salt_length, digest));
+
+ mpz_clear (m);
+ return res;
+}
+
+int
+rsa_pss_sha512_verify_digest(const struct rsa_public_key *key,
+ size_t salt_length,
+ const uint8_t *digest,
+ const mpz_t signature)
+{
+ int res;
+ mpz_t m;
+
+ mpz_init (m);
+
+ res = (_rsa_verify_recover(key, m, signature) &&
+ pss_verify_mgf1(m, mpz_sizeinbase(key->n, 2) - 1, &nettle_sha512,
+ salt_length, digest));
+
+ mpz_clear (m);
+ return res;
+}
diff --git a/rsa-verify.c b/rsa-verify.c
index 07715e2..43a55d2 100644
--- a/rsa-verify.c
+++ b/rsa-verify.c
@@ -62,3 +62,17 @@ _rsa_verify(const struct rsa_public_key *key,
return res;
}
+
+int
+_rsa_verify_recover(const struct rsa_public_key *key,
+ mpz_t m,
+ const mpz_t s)
+{
+ if ( (mpz_sgn(s) <= 0)
+ || (mpz_cmp(s, key->n) >= 0) )
+ return 0;
+
+ mpz_powm(m, s, key->e, key->n);
+
+ return 1;
+}
diff --git a/rsa.h b/rsa.h
index 6d2574b..2143fcd 100644
--- a/rsa.h
+++ b/rsa.h
@@ -79,6 +79,12 @@ extern "C" {
#define rsa_sha512_sign_digest nettle_rsa_sha512_sign_digest
#define rsa_sha512_sign_digest_tr nettle_rsa_sha512_sign_digest_tr
#define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest
+#define rsa_pss_sha256_sign_digest_tr nettle_rsa_pss_sha256_sign_digest_tr
+#define rsa_pss_sha256_verify_digest nettle_rsa_pss_sha256_verify_digest
+#define rsa_pss_sha384_sign_digest_tr nettle_rsa_pss_sha384_sign_digest_tr
+#define rsa_pss_sha384_verify_digest nettle_rsa_pss_sha384_verify_digest
+#define rsa_pss_sha512_sign_digest_tr nettle_rsa_pss_sha512_sign_digest_tr
+#define rsa_pss_sha512_verify_digest nettle_rsa_pss_sha512_verify_digest
#define rsa_encrypt nettle_rsa_encrypt
#define rsa_decrypt nettle_rsa_decrypt
#define rsa_decrypt_tr nettle_rsa_decrypt_tr
@@ -93,6 +99,7 @@ extern "C" {
#define rsa_keypair_from_der nettle_rsa_keypair_from_der
#define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp
#define _rsa_verify _nettle_rsa_verify
+#define _rsa_verify_recover _nettle_rsa_verify_recover
#define _rsa_check_size _nettle_rsa_check_size
#define _rsa_blind _nettle_rsa_blind
#define _rsa_unblind _nettle_rsa_unblind
@@ -341,6 +348,49 @@ rsa_sha512_verify_digest(const struct rsa_public_key *key,
const uint8_t *digest,
const mpz_t signature);
+/* PSS style signatures */
+int
+rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+ size_t salt_length, const uint8_t *salt,
+ const uint8_t *digest,
+ mpz_t s);
+
+int
+rsa_pss_sha256_verify_digest(const struct rsa_public_key *key,
+ size_t salt_length,
+ const uint8_t *digest,
+ const mpz_t signature);
+
+int
+rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+ size_t salt_length, const uint8_t *salt,
+ const uint8_t *digest,
+ mpz_t s);
+
+int
+rsa_pss_sha384_verify_digest(const struct rsa_public_key *key,
+ size_t salt_length,
+ const uint8_t *digest,
+ const mpz_t signature);
+
+int
+rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+ size_t salt_length, const uint8_t *salt,
+ const uint8_t *digest,
+ mpz_t s);
+
+int
+rsa_pss_sha512_verify_digest(const struct rsa_public_key *key,
+ size_t salt_length,
+ const uint8_t *digest,
+ const mpz_t signature);
+
/* RSA encryption, using PKCS#1 */
/* These functions uses the v1.5 padding. What should the v2 (OAEP)
@@ -480,6 +530,11 @@ _rsa_verify(const struct rsa_public_key *key,
const mpz_t m,
const mpz_t s);
+int
+_rsa_verify_recover(const struct rsa_public_key *key,
+ mpz_t m,
+ const mpz_t s);
+
size_t
_rsa_check_size(mpz_t n);
diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make
index 2b4499f..27c9e00 100644
--- a/testsuite/.test-rules.make
+++ b/testsuite/.test-rules.make
@@ -187,6 +187,9 @@ pss-test$(EXEEXT): pss-test.$(OBJEXT)
rsa-sign-tr-test$(EXEEXT): rsa-sign-tr-test.$(OBJEXT)
$(LINK) rsa-sign-tr-test.$(OBJEXT) $(TEST_OBJS) -o rsa-sign-tr-test$(EXEEXT)
+rsa-pss-sign-tr-test$(EXEEXT): rsa-pss-sign-tr-test.$(OBJEXT)
+ $(LINK) rsa-pss-sign-tr-test.$(OBJEXT) $(TEST_OBJS) -o rsa-pss-sign-tr-test$(EXEEXT)
+
rsa-test$(EXEEXT): rsa-test.$(OBJEXT)
$(LINK) rsa-test.$(OBJEXT) $(TEST_OBJS) -o rsa-test$(EXEEXT)
diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in
index 4a9604f..09feb09 100644
--- a/testsuite/Makefile.in
+++ b/testsuite/Makefile.in
@@ -36,6 +36,7 @@ TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \
rsa2sexp-test.c sexp2rsa-test.c \
bignum-test.c random-prime-test.c \
pkcs1-test.c pss-test.c rsa-sign-tr-test.c \
+ rsa-pss-sign-tr-test.c \
rsa-test.c rsa-encrypt-test.c rsa-keygen-test.c \
dsa-test.c dsa-keygen-test.c \
curve25519-dh-test.c \
diff --git a/testsuite/rsa-pss-sign-tr-test.c b/testsuite/rsa-pss-sign-tr-test.c
new file mode 100644
index 0000000..f14c375
--- /dev/null
+++ b/testsuite/rsa-pss-sign-tr-test.c
@@ -0,0 +1,327 @@
+#include "testutils.h"
+#include "knuth-lfib.h"
+#include "nettle-internal.h"
+
+#define SALT "This is a magic salt"
+#define MSG1 "None so blind as those who will not see"
+#define MSG2 "Fortune knocks once at every man's door"
+
+typedef int (*test_pss_sign_tr_func) (const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+ size_t salt_length, const uint8_t *salt,
+ const uint8_t *digest,
+ mpz_t s);
+
+typedef int (*test_pss_verify_func) (const struct rsa_public_key *key,
+ size_t salt_length,
+ const uint8_t *digest,
+ const mpz_t signature);
+
+static void
+test_rsa_pss_sign_tr(struct rsa_public_key *pub,
+ struct rsa_private_key *key,
+ test_pss_sign_tr_func sign_tr_func,
+ test_pss_verify_func verify_func,
+ void *ctx, const struct nettle_hash *hash,
+ size_t salt_length, const uint8_t *salt,
+ size_t length, const uint8_t *message,
+ mpz_t expected)
+{
+ mpz_t signature;
+ struct knuth_lfib_ctx lfib;
+ uint8_t digest[NETTLE_MAX_HASH_DIGEST_SIZE];
+
+ knuth_lfib_init(&lfib, 1111);
+
+ hash->init(ctx);
+ hash->update(ctx, length, message);
+ hash->digest(ctx, hash->digest_size, digest);
+
+ mpz_init(signature);
+
+ mpz_set_ui (signature, 17);
+ /* Try bad private key */
+ mpz_add_ui(key->p, key->p, 2);
+
+ ASSERT(!sign_tr_func(pub, key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ salt_length, salt,
+ digest, signature));
+
+ mpz_sub_ui(key->p, key->p, 2);
+
+ ASSERT(!mpz_cmp_ui(signature, 17));
+
+ /* Try the good private key */
+ ASSERT(sign_tr_func(pub, key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ salt_length, salt,
+ digest, signature));
+
+ if (verbose)
+ {
+ fprintf(stderr, "rsa-pss-tr signature: ");
+ mpz_out_str(stderr, 16, signature);
+ fprintf(stderr, "\nrsa-pss-tr expected: ");
+ mpz_out_str(stderr, 16, expected);
+ fprintf(stderr, "\n");
+ }
+
+ ASSERT (mpz_cmp(signature, expected) == 0);
+
+ /* Try bad data */
+ ASSERT (!verify_func(pub,
+ salt_length, (void*)"The magick words" "The magick words",
+ signature));
+
+ /* Try correct data */
+ ASSERT (verify_func(pub, salt_length, digest, signature));
+
+ /* Try bad signature */
+ mpz_combit(signature, 17);
+ ASSERT (!verify_func(pub, salt_length, digest, signature));
+
+ mpz_clear(signature);
+}
+
+
+void
+test_main(void)
+{
+ struct rsa_public_key pub;
+ struct rsa_private_key key;
+ struct sha256_ctx sha256ctx;
+ struct sha384_ctx sha384ctx;
+ struct sha512_ctx sha512ctx;
+ mpz_t p1;
+ mpz_t q1;
+ struct tstring *salt;
+ struct tstring *msg;
+
+ mpz_t expected;
+
+ mpz_init(expected);
+
+ mpz_init(p1);
+ mpz_init(q1);
+
+ rsa_private_key_init(&key);
+ rsa_public_key_init(&pub);
+
+ test_rsa_set_key_1(&pub, &key);
+
+ /* Test signatures */
+ mpz_set_str(expected,
+ "25e6ce0cc00e917e177a09cb4dfd843d104c179b71aded60e68ebc"
+ "ca2cabb1e51502adf28e53fa7ede42619f21a1162755b9658edf88"
+ "a038bb4fea2bb73306fb384d5785c1a8c98a255277c91a4f88ddd3"
+ "52ebdc78f71f7e62b7a870dac4ab25f1004453457e831a1572f7c9"
+ "23fcc48e3b69db582127d14471c7195dce", 16);
+
+ test_rsa_pss_sign_tr(&pub, &key,
+ rsa_pss_sha256_sign_digest_tr,
+ rsa_pss_sha256_verify_digest,
+ &sha256ctx, &nettle_sha256,
+ LDATA(SALT), LDATA(MSG1), expected);
+
+ mpz_set_str(expected,
+ "52f4393ccc92b5672dd3cfd8624765d3a4cdb50c7a92060c33b4663"
+ "fa545b32ce56ec8cd44fe9720df301906ae40921e844b6d80331194"
+ "972f98e309c937c887c53da940778f29d52dd9489e6016a07e9aa16"
+ "b1ea8fefc0860ad69068ad6f94a4b0c8fc8a0797b08c58cf4a8df90"
+ "ee1375feedf7bf73f16ebb2d1cc7e4", 16);
+
+ test_rsa_pss_sign_tr(&pub, &key,
+ rsa_pss_sha256_sign_digest_tr,
+ rsa_pss_sha256_verify_digest,
+ &sha256ctx, &nettle_sha256,
+ LDATA(SALT), LDATA(MSG2), expected);
+
+ /* 777-bit key, generated by
+ *
+ * lsh-keygen -a rsa -l 777 -f advanced-hex
+ *
+ * Interesting because the size of n doesn't equal the sum of the
+ * sizes of p and q.
+ *
+ * (private-key (rsa-pkcs1
+ * (n #013b04440e3eef25 d51c738d508a7fa8 b3445180c342af0f
+ * 4cb5a789047300e2 cfc5c5450974cfc2 448aeaaa7f43c374
+ * c9a3b038b181f2d1 0f1a2327fd2c087b a49bf1086969fd2c
+ * d1df3fd69f81fa4b 162cc8bbb363fc95 b7b24b9c53d0c67e
+ * f52b#)
+ * (e #3f1a012d#)
+ * (d #f9bae89dacca6cca c21e0412b4df8355 6fe7c5322bbae8ad
+ * 3f11494fd12bc076 d4a7da3050fe109d 2074db09cc6a93b4
+ * 745479522558379e a0ddfa74f86c9e9e a22c3b0e93d51447
+ * 0feb38105dd35395 63b91ee32776f40c 67b2a175690f7abb
+ * 25#)
+ * (p #0b73c990eeda0a2a 2c26416052c85560 0c5c0f5ce86a8326
+ * 166acea91786237a 7ff884e66dbfdd3a ab9d9801414c1506
+ * 8b#)
+ * (q #1b81c19a62802a41 9c99283331b0badb 08eb0c25ffce0fbf
+ * 50017850036f32f3 2132a845b91a5236 61f7b451d587383f
+ * e1#)
+ * (a #0a912fc93a6cca6b 3521725a3065b3be 3c9745e29c93303d
+ * 7d29316c6cafa4a2 89945f964fcdea59 1f9d248b0b6734be
+ * c9#)
+ * (b #1658eca933251813 1eb19c77aba13d73 e0b8f4ce986d7615
+ * 764c6b0b03c18146 46b7f332c43e05c5 351e09006979ca5b
+ * 05#)
+ * (c #0114720dace7b27f 2bf2850c1804869f 79a0aad0ec02e6b4
+ * 05e1831619db2f10 bb9b6a8fd5c95df2 eb78f303ea0c0cc8
+ * 06#)))
+ */
+
+ mpz_set_str(pub.n,
+ "013b04440e3eef25" "d51c738d508a7fa8" "b3445180c342af0f"
+ "4cb5a789047300e2" "cfc5c5450974cfc2" "448aeaaa7f43c374"
+ "c9a3b038b181f2d1" "0f1a2327fd2c087b" "a49bf1086969fd2c"
+ "d1df3fd69f81fa4b" "162cc8bbb363fc95" "b7b24b9c53d0c67e"
+ "f52b", 16);
+
+ mpz_set_str(pub.e, "3f1a012d", 16);
+
+ ASSERT (rsa_public_key_prepare(&pub));
+
+ mpz_set_str(key.p,
+ "0b73c990eeda0a2a" "2c26416052c85560" "0c5c0f5ce86a8326"
+ "166acea91786237a" "7ff884e66dbfdd3a" "ab9d9801414c1506"
+ "8b", 16);
+
+ mpz_set_str(key.q,
+ "1b81c19a62802a41" "9c99283331b0badb" "08eb0c25ffce0fbf"
+ "50017850036f32f3" "2132a845b91a5236" "61f7b451d587383f"
+ "e1", 16);
+
+ mpz_set_str(key.a,
+ "0a912fc93a6cca6b" "3521725a3065b3be" "3c9745e29c93303d"
+ "7d29316c6cafa4a2" "89945f964fcdea59" "1f9d248b0b6734be"
+ "c9", 16);
+
+ mpz_set_str(key.b,
+ "1658eca933251813" "1eb19c77aba13d73" "e0b8f4ce986d7615"
+ "764c6b0b03c18146" "46b7f332c43e05c5" "351e09006979ca5b"
+ "05", 16);
+
+ mpz_set_str(key.c,
+ "0114720dace7b27f" "2bf2850c1804869f" "79a0aad0ec02e6b4"
+ "05e1831619db2f10" "bb9b6a8fd5c95df2" "eb78f303ea0c0cc8"
+ "06", 16);
+
+ ASSERT (rsa_private_key_prepare(&key));
+ ASSERT (pub.size == key.size);
+
+ /* Test signatures */
+ mpz_set_str(expected,
+ "1a4d28331341cabf7ac85bc59a58d439b7ec2c607c6a74e35b5909"
+ "1dfa3d9de9fde93e4a431f0f768bec07c39995d253209f86e3dc84"
+ "037ecd5d23d963fab4fa8a001e018d82cb19d743a94ba7dc7a821e"
+ "87b72e67a0fe058f956208f7060dc104", 16);
+
+ test_rsa_pss_sign_tr(&pub, &key,
+ rsa_pss_sha256_sign_digest_tr,
+ rsa_pss_sha256_verify_digest,
+ &sha256ctx, &nettle_sha256,
+ LDATA(SALT), LDATA(MSG1), expected);
+
+ /* From FIPS 186-2 */
+ mpz_set_str(pub.n,
+ "be499b5e7f06c83f" "a0293e31465c8eb6" "b58af920bae52a7b"
+ "5b9bfeb7aa72db12" "64112eb3fd431d31" "a2a7e50941566929"
+ "494a0e891ed56139" "18b4b51b0d1fb977" "83b26acf7d0f384c"
+ "fb35f4d2824f5dd3" "80623a26bf180b63" "961c619dcdb20cae"
+ "406f22f6e276c80a" "37259490cfeb72c1" "a71a84f1846d3308"
+ "77ba3e3101ec9c7b" , 16);
+
+ mpz_set_str(pub.e, "11", 16);
+
+ ASSERT (rsa_public_key_prepare(&pub));
+
+ mpz_set_str(key.p,
+ "e7a80c5d211c06ac" "b900939495f26d36" "5fc2b4825b75e356"
+ "f89003eaa5931e6b" "e5c3f7e6a633ad59" "db6289d06c354c23"
+ "5e739a1e3f3d39fb" "40d1ffb9cb44288f", 16);
+
+ mpz_set_str(key.q,
+ "d248aa248000f720" "258742da67b71194" "0c8f76e1ecd52b67"
+ "a6ffe1e49354d66f" "f84fa601804743f5" "838da2ed4693a5a2"
+ "8658d6528cc1803b" "f6c8dc73c5230b55", 16);
+
+ mpz_set_str(key.d,
+ "0d0f17362bdad181" "db4e1fe03e8de1a3" "208989914e14bf26"
+ "9558826bfa20faf4" "b68dba6bb989a01f" "03a21c44665dc5f6"
+ "48cb5b59b954eb10" "77a80263bd22cdfb" "88d39164b7404f4f"
+ "1106ee01cf60b776" "95748d8fdaf9fd42" "8963fe75144010b1"
+ "934c8e26a8823967" "2cf49b3422a07c4d" "834ba208d570fe40"
+ "8e7095c90547e68d", 16);
+
+ /* a = d % (p-1) */
+ mpz_sub_ui(p1, key.p, 1);
+ mpz_fdiv_r(key.a, key.d, p1);
+ mpz_clear(p1);
+
+ /* b = d % (q-1) */
+ mpz_sub_ui(q1, key.q, 1);
+ mpz_fdiv_r(key.b, key.d, q1);
+ mpz_clear(q1);
+
+ /* c = q^{-1} (mod p) */
+ mpz_invert(key.c, key.q, key.p);
+
+ ASSERT (rsa_private_key_prepare(&key));
+ ASSERT (pub.size == key.size);
+
+ mpz_set_str(expected,
+ "11e169f2fd40b07641b9768a2ab19965fb6c27f10fcf0323fcc6d1"
+ "2eb4f1c06b330ddaa1ea504407afa29de9ebe0374fe9d1e7d0ffbd"
+ "5fc1cf3a3446e4145415d2ab24f789b3464c5c43a256bbc1d692cf"
+ "7f04801dac5bb401a4a03ab7d5728a860c19e1a4dc797ca542c820"
+ "3cec2e601eb0c51f567f2eda022b0b9ebddeeefa", 16);
+
+ salt = SHEX("11223344555432167890");
+ msg = SHEX("c7f5270fca725f9bd19f519a8d7cca3cc5c079024029f3bae510f9"
+ "b02140fe238908e4f6c18f07a89c687c8684669b1f1db2baf9251a"
+ "3c829faccb493084e16ec9e28d58868074a5d6221667dd6e528d16"
+ "fe2c9f3db4cfaf6c4dce8c8439af38ceaaaa9ce2ecae7bc8f4a5a5"
+ "5e3bf96df9cd575c4f9cb327951b8cdfe4087168");
+
+ test_rsa_pss_sign_tr(&pub, &key,
+ rsa_pss_sha256_sign_digest_tr,
+ rsa_pss_sha256_verify_digest,
+ &sha256ctx, &nettle_sha256,
+ salt->length, salt->data, msg->length, msg->data,
+ expected);
+
+ mpz_set_str(expected,
+ "b281ad934b2775c0cba5fb10aa574d2ed85c7f99b942b78e497024"
+ "80069362ed394baded55e56cfcbe7b0b8d2217a05a60e1acd725cb"
+ "09060dfac585bc2132b99b41cdbd530c69d17cdbc84bc6b9830fc7"
+ "dc8e1b2412cfe06dcf8c1a0cc3453f93f25ebf10cb0c90334fac57"
+ "3f449138616e1a194c67f44efac34cc07a526267", 16);
+
+ test_rsa_pss_sign_tr(&pub, &key,
+ rsa_pss_sha384_sign_digest_tr,
+ rsa_pss_sha384_verify_digest,
+ &sha384ctx, &nettle_sha384,
+ salt->length, salt->data, msg->length, msg->data,
+ expected);
+ mpz_set_str(expected,
+ "8ffc38f9b820ef6b080fd2ec7de5626c658d79056f3edf610a295b"
+ "7b0546f73e01ffdf4d0070ebf79c33fd86c2d608be9438b3d420d0"
+ "9535b97cd3d846ecaf8f6551cdf93197e9f8fb048044473ab41a80"
+ "1e9f7fc983c62b324361dade9f71a65952bd35c59faaa4d6ff462f"
+ "68a6c4ec0b428aa47336f2178aeb276136563b7d", 16);
+
+ test_rsa_pss_sign_tr(&pub, &key,
+ rsa_pss_sha512_sign_digest_tr,
+ rsa_pss_sha512_verify_digest,
+ &sha512ctx, &nettle_sha512,
+ salt->length, salt->data, msg->length, msg->data,
+ expected);
+
+ rsa_private_key_clear(&key);
+ rsa_public_key_clear(&pub);
+ mpz_clear(expected);
+}
--
2.9.3
_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
