1 /*
2 * Pidgin-Encryption PSS signature routines, from PKCS#1 v2.1
3 *
4 * Copyright (C) 2003 William Tompkins
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 *
20 */
21
22 #include "pk11func.h"
23 #include "keyhi.h"
24
25 /* for g_assert; PORT_Assert seems disabled... */
26 #include <glib.h>
27 #include <debug.h>
28
29 #include "nss_mgf1.h"
30 #include "nss_pss.h"
31
32 static const SECOidTag Hash_OID = SEC_OID_SHA1;
33 static const unsigned int hlen = 20; /* SHA1 hash length */
34
35
36 /* Generate a signature block (not including the msg) in the specified space */
37 /* salt_len is typically = hlen, or 0 */
pss_generate_sig(unsigned char * sig,unsigned int sig_len,const unsigned char * msg,unsigned int msg_len,int salt_len)38 int pss_generate_sig(unsigned char* sig, unsigned int sig_len,
39 const unsigned char* msg, unsigned int msg_len, int salt_len) {
40
41 /* see PKCS#1 v2.1 for a pretty picture. We construct the signature */
42 /* left to right, in a very straightforward way. */
43 /* Since the (variably sized) padding is on the left, we first figure */
44 /* out where everything is, going right to left. */
45
46 unsigned char* bc_pos = sig + sig_len - 1;
47 unsigned char* final_hash_pos = bc_pos - hlen;
48 unsigned char* salt_pos = final_hash_pos - salt_len;
49
50 int padding2_size = (salt_pos - sig);
51
52 unsigned char* m_prime;
53
54 SECStatus rv;
55
56 /* assuming a modulus size that is a multiple of 8 bits, PS must have at */
57 /* least one 0 starting off, plus the 1 that denotes the end of PS */
58
59 if (padding2_size <= 1) return 0;
60
61 /* Construct PS */
62 PORT_Memset(sig, 0, padding2_size - 1);
63 sig[padding2_size - 1] = 1;
64
65 /* Construct Salt */
66 rv = PK11_GenerateRandom(salt_pos, salt_len);
67 g_assert(rv == SECSuccess);
68
69 /* Construct M': */
70 /* If we were clever and had an easy way to incrementally hash things, */
71 /* we could avoid actually making M' and just use the pieces parts */
72 /* where they lie. Oh well. */
73
74 m_prime = PORT_Alloc(8 + hlen + salt_len);
75 g_assert(m_prime != 0);
76
77 /* Padding1 inside M' */
78 PORT_Memset(m_prime, 0, 8);
79
80 /* mHash inside M' */
81 rv = PK11_HashBuf(Hash_OID, m_prime + 8, (unsigned char*)msg, msg_len);
82 g_assert(rv == SECSuccess);
83
84 /* salt inside M' */
85 PORT_Memcpy(m_prime + 8 + hlen, salt_pos, salt_len);
86
87 /* Hash M' into final_hash_pos */
88 rv = PK11_HashBuf(Hash_OID, final_hash_pos, m_prime, 8 + hlen + salt_len);
89 g_assert(rv == SECSuccess);
90
91 PORT_Free(m_prime);
92 /* Why 0xbc? One of the great mysteries...*/
93 *bc_pos = 0xbc;
94
95 /* Almost done: mask everything before the hash with the hash */
96 mgf1(sig, final_hash_pos - sig, final_hash_pos, hlen);
97
98 /* Mask probably screwed up our starting zero byte, zero it */
99 sig[0] = 0;
100
101 return 1;
102 }
103
104 /* Destructively verify that the the signature block corresponds to */
105 /* the given message */
pss_check_sig(unsigned char * sig,unsigned int sig_len,const unsigned char * msg,unsigned int msg_len)106 int pss_check_sig(unsigned char* sig, unsigned int sig_len,
107 const unsigned char* msg, unsigned int msg_len) {
108
109 unsigned char* bc_pos = sig + sig_len - 1;
110 unsigned char* final_hash_pos = bc_pos - hlen;
111 unsigned char* salt_pos;
112 int salt_len;
113
114 unsigned char* m_prime;
115 unsigned char* check_hash;
116 int hashcmp;
117
118 SECStatus rv;
119
120 if (sig[sig_len - 1] != 0xbc) {
121 purple_debug(PURPLE_DEBUG_ERROR, "pidgin-encryption", "No 0xBC in sig\n");
122 return 0;
123 }
124
125 if (sig[0] != 0) {
126 purple_debug(PURPLE_DEBUG_ERROR, "pidgin-encryption", "First byte of sig nonzero\n");
127 return 0;
128 }
129
130 mgf1(sig, final_hash_pos - sig, final_hash_pos, hlen);
131
132 /* Walk down the padding looking for the 01 that marks the salt */
133 salt_pos = sig+1;
134 while ((salt_pos < final_hash_pos) && (*salt_pos == 0)) {
135 ++salt_pos;
136 }
137 if (salt_pos == final_hash_pos) {
138 purple_debug(PURPLE_DEBUG_ERROR, "pidgin-encryption", "no 0x01 for salt\n");
139 return 0;
140 }
141
142 if (*salt_pos != 1) {
143 purple_debug(PURPLE_DEBUG_ERROR, "pidgin-encryption", "no 0x01 for salt (2)\n");
144 return 0;
145 }
146 ++salt_pos;
147
148 salt_len = final_hash_pos - salt_pos;
149
150 /* Construct M' using the salt we just regained */
151 m_prime = PORT_Alloc(8 + hlen + salt_len);
152 g_assert(m_prime != 0);
153
154 /* Padding1 inside M' */
155 PORT_Memset(m_prime, 0, 8);
156
157 /* mHash inside M' */
158 rv = PK11_HashBuf(Hash_OID, m_prime + 8, (unsigned char*)msg, msg_len);
159 g_assert(rv == SECSuccess);
160
161 /* salt inside M' */
162 PORT_Memcpy(m_prime + 8 + hlen, salt_pos, salt_len);
163
164 /* Hash M' into check_hash */
165 check_hash = PORT_Alloc(hlen);
166 g_assert(m_prime != 0);
167
168 rv = PK11_HashBuf(Hash_OID, check_hash, m_prime, 8 + hlen + salt_len);
169 g_assert(rv == SECSuccess);
170
171 PORT_Free(m_prime);
172
173 hashcmp = memcmp(check_hash, final_hash_pos, hlen);
174
175 PORT_Free(check_hash);
176
177 if (hashcmp != 0) {
178 purple_debug(PURPLE_DEBUG_ERROR, "pidgin-encryption", "bad hash in sig\n");
179 return 0;
180 }
181
182 return 1;
183 }
184
pss_test()185 void pss_test() {
186 int mod_size = 512/8;
187
188 unsigned char data[4096/8];
189 unsigned char sig[4096/8];
190 int data_size;
191 SECStatus rv;
192
193 /* overkill, but what the hey. */
194
195 while (mod_size <= 4096/8) {
196 rv = PK11_GenerateRandom(data, sizeof(data));
197 g_assert(rv == SECSuccess);
198
199 for (data_size = 0; data_size <= 1000; ++data_size) {
200 g_assert( pss_generate_sig(sig, mod_size, data, data_size, hlen) );
201 g_assert( pss_check_sig(sig, mod_size, data, data_size) );
202
203 g_assert( pss_generate_sig(sig, mod_size, data, data_size, 0) );
204 g_assert( pss_check_sig(sig, mod_size, data, data_size) );
205 }
206 mod_size *= 2;
207 }
208 }
209
210