1 /*
2  * Pidgin-Encryption PSS signature routines, from PKCS#1 v2.1
3  *
4  * Copyright (C) 2003 William Tompkins
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
19  *
20  */
21 
22 #include "pk11func.h"
23 #include "keyhi.h"
24 
25 /* for g_assert; PORT_Assert seems disabled... */
26 #include <glib.h>
27 #include <debug.h>
28 
29 #include "nss_mgf1.h"
30 #include "nss_pss.h"
31 
32 static const SECOidTag Hash_OID = SEC_OID_SHA1;
33 static const unsigned int hlen = 20;  /* SHA1 hash length */
34 
35 
36 /* Generate a signature block (not including the msg) in the specified space */
37 /* salt_len is typically = hlen, or 0                                        */
pss_generate_sig(unsigned char * sig,unsigned int sig_len,const unsigned char * msg,unsigned int msg_len,int salt_len)38 int pss_generate_sig(unsigned char* sig, unsigned int sig_len,
39                      const unsigned char* msg, unsigned int msg_len, int salt_len) {
40 
41    /* see PKCS#1 v2.1 for a pretty picture.  We construct the signature   */
42    /* left to right, in a very straightforward way.                       */
43    /* Since the (variably sized) padding is on the left, we first figure  */
44    /* out where everything is, going right to left.                       */
45 
46    unsigned char* bc_pos = sig + sig_len - 1;
47    unsigned char* final_hash_pos = bc_pos - hlen;
48    unsigned char* salt_pos = final_hash_pos - salt_len;
49 
50    int padding2_size = (salt_pos - sig);
51 
52    unsigned char* m_prime;
53 
54    SECStatus rv;
55 
56    /* assuming a modulus size that is a multiple of 8 bits, PS must have at */
57    /* least one 0 starting off, plus the 1 that denotes the end of PS       */
58 
59    if (padding2_size <= 1) return 0;
60 
61    /* Construct PS */
62    PORT_Memset(sig, 0, padding2_size - 1);
63    sig[padding2_size - 1] = 1;
64 
65    /* Construct Salt */
66    rv = PK11_GenerateRandom(salt_pos, salt_len);
67    g_assert(rv == SECSuccess);
68 
69    /* Construct M': */
70    /*   If we were clever and had an easy way to incrementally hash things, */
71    /*   we could avoid actually making M' and just use the pieces parts     */
72    /*   where they lie.  Oh well.                                           */
73 
74    m_prime = PORT_Alloc(8 + hlen + salt_len);
75    g_assert(m_prime != 0);
76 
77    /*     Padding1 inside M' */
78    PORT_Memset(m_prime, 0, 8);
79 
80    /*     mHash inside M'    */
81    rv = PK11_HashBuf(Hash_OID, m_prime + 8, (unsigned char*)msg, msg_len);
82    g_assert(rv == SECSuccess);
83 
84    /*     salt inside M'     */
85    PORT_Memcpy(m_prime + 8 + hlen, salt_pos, salt_len);
86 
87    /* Hash M' into final_hash_pos */
88    rv = PK11_HashBuf(Hash_OID, final_hash_pos, m_prime, 8 + hlen + salt_len);
89    g_assert(rv == SECSuccess);
90 
91    PORT_Free(m_prime);
92    /* Why 0xbc?  One of the great mysteries...*/
93    *bc_pos = 0xbc;
94 
95    /* Almost done: mask everything before the hash with the hash */
96    mgf1(sig, final_hash_pos - sig, final_hash_pos, hlen);
97 
98    /* Mask probably screwed up our starting zero byte, zero it */
99    sig[0] = 0;
100 
101    return 1;
102 }
103 
104 /* Destructively verify that the the signature block corresponds to    */
105 /* the given message                                                   */
pss_check_sig(unsigned char * sig,unsigned int sig_len,const unsigned char * msg,unsigned int msg_len)106 int pss_check_sig(unsigned char* sig, unsigned int sig_len,
107                   const unsigned char* msg, unsigned int msg_len) {
108 
109    unsigned char* bc_pos = sig + sig_len - 1;
110    unsigned char* final_hash_pos = bc_pos - hlen;
111    unsigned char* salt_pos;
112    int salt_len;
113 
114    unsigned char* m_prime;
115    unsigned char* check_hash;
116    int hashcmp;
117 
118    SECStatus rv;
119 
120    if (sig[sig_len - 1] != 0xbc) {
121       purple_debug(PURPLE_DEBUG_ERROR, "pidgin-encryption", "No 0xBC in sig\n");
122       return 0;
123    }
124 
125    if (sig[0] != 0) {
126       purple_debug(PURPLE_DEBUG_ERROR, "pidgin-encryption", "First byte of sig nonzero\n");
127       return 0;
128    }
129 
130    mgf1(sig, final_hash_pos - sig, final_hash_pos, hlen);
131 
132    /* Walk down the padding looking for the 01 that marks the salt */
133    salt_pos = sig+1;
134    while ((salt_pos < final_hash_pos) && (*salt_pos == 0)) {
135       ++salt_pos;
136    }
137    if (salt_pos == final_hash_pos) {
138       purple_debug(PURPLE_DEBUG_ERROR, "pidgin-encryption", "no 0x01 for salt\n");
139       return 0;
140    }
141 
142    if (*salt_pos != 1) {
143       purple_debug(PURPLE_DEBUG_ERROR, "pidgin-encryption", "no 0x01 for salt (2)\n");
144       return 0;
145    }
146    ++salt_pos;
147 
148    salt_len = final_hash_pos - salt_pos;
149 
150    /* Construct M' using the salt we just regained */
151    m_prime = PORT_Alloc(8 + hlen + salt_len);
152    g_assert(m_prime != 0);
153 
154    /*     Padding1 inside M' */
155    PORT_Memset(m_prime, 0, 8);
156 
157    /*     mHash inside M'    */
158    rv = PK11_HashBuf(Hash_OID, m_prime + 8, (unsigned char*)msg, msg_len);
159    g_assert(rv == SECSuccess);
160 
161    /*     salt inside M'     */
162    PORT_Memcpy(m_prime + 8 + hlen, salt_pos, salt_len);
163 
164    /* Hash M' into check_hash */
165    check_hash = PORT_Alloc(hlen);
166    g_assert(m_prime != 0);
167 
168    rv = PK11_HashBuf(Hash_OID, check_hash, m_prime, 8 + hlen + salt_len);
169    g_assert(rv == SECSuccess);
170 
171    PORT_Free(m_prime);
172 
173    hashcmp = memcmp(check_hash, final_hash_pos, hlen);
174 
175    PORT_Free(check_hash);
176 
177    if (hashcmp != 0) {
178       purple_debug(PURPLE_DEBUG_ERROR, "pidgin-encryption", "bad hash in sig\n");
179       return 0;
180    }
181 
182    return 1;
183 }
184 
pss_test()185 void pss_test() {
186       int mod_size = 512/8;
187 
188    unsigned char data[4096/8];
189    unsigned char sig[4096/8];
190    int data_size;
191    SECStatus rv;
192 
193    /* overkill, but what the hey.  */
194 
195    while (mod_size <= 4096/8) {
196       rv = PK11_GenerateRandom(data, sizeof(data));
197       g_assert(rv == SECSuccess);
198 
199       for (data_size = 0; data_size <= 1000; ++data_size) {
200          g_assert( pss_generate_sig(sig, mod_size, data, data_size, hlen) );
201          g_assert( pss_check_sig(sig, mod_size, data, data_size) );
202 
203          g_assert( pss_generate_sig(sig, mod_size, data, data_size, 0) );
204          g_assert( pss_check_sig(sig, mod_size, data, data_size) );
205       }
206       mod_size *= 2;
207    }
208 }
209 
210