Merge pull request #207 from libtom/feature/pkcs1ssl

PKCS #1 v1.5 padding - No ASN.1

Author: karel-m

src/headers/tomcrypt_pkcs.h

@@ -13,7 +13,8 @@ enum ltc_pkcs_1_paddings
 {
   LTC_PKCS_1_V1_5     = 1,        /* PKCS #1 v1.5 padding (\sa ltc_pkcs_1_v1_5_blocks) */
   LTC_PKCS_1_OAEP     = 2,        /* PKCS #1 v2.0 encryption padding */
-  LTC_PKCS_1_PSS      = 3         /* PKCS #1 v2.1 signature padding */
+  LTC_PKCS_1_PSS      = 3,        /* PKCS #1 v2.1 signature padding */
+  LTC_PKCS_1_V1_5_NA1 = 4         /* PKCS #1 v1.5 padding - No ASN.1 (\sa ltc_pkcs_1_v1_5_blocks) */
 };
 
 int pkcs_1_mgf1(      int            hash_idx,

src/pk/rsa/rsa_sign_hash.c

@@ -23,7 +23,7 @@
   @param inlen     The length of the hash to sign (octets)
   @param out       [out] The signature
   @param outlen    [in/out] The max size and resulting size of the signature
-  @param padding   Type of padding (LTC_PKCS_1_PSS or LTC_PKCS_1_V1_5)
+  @param padding   Type of padding (LTC_PKCS_1_PSS, LTC_PKCS_1_V1_5 or LTC_PKCS_1_V1_5_NA1)
   @param prng      An active PRNG state
   @param prng_idx  The index of the PRNG desired
   @param hash_idx  The index of the hash desired
@@ -47,15 +47,21 @@ int rsa_sign_hash_ex(const unsigned char *in,       unsigned long  inlen,
    LTC_ARGCHK(key      != NULL);
 
    /* valid padding? */
-   if ((padding != LTC_PKCS_1_V1_5) && (padding != LTC_PKCS_1_PSS)) {
+   if ((padding != LTC_PKCS_1_V1_5) &&
+       (padding != LTC_PKCS_1_PSS) &&
+       (padding != LTC_PKCS_1_V1_5_NA1)) {
      return CRYPT_PK_INVALID_PADDING;
    }
 
    if (padding == LTC_PKCS_1_PSS) {
-     /* valid prng and hash ? */
+     /* valid prng ? */
      if ((err = prng_is_valid(prng_idx)) != CRYPT_OK) {
         return err;
      }
+   }
+
+   if (padding != LTC_PKCS_1_V1_5_NA1) {
+     /* valid hash ? */
      if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
         return err;
      }
@@ -81,46 +87,54 @@ int rsa_sign_hash_ex(const unsigned char *in,       unsigned long  inlen,
   } else {
     /* PKCS #1 v1.5 pad the hash */
     unsigned char *tmpin;
-    ltc_asn1_list digestinfo[2], siginfo[2];
 
-    /* not all hashes have OIDs... so sad */
-    if (hash_descriptor[hash_idx].OIDlen == 0) {
-       return CRYPT_INVALID_ARG;
-    }
+    if (padding == LTC_PKCS_1_V1_5) {
+      ltc_asn1_list digestinfo[2], siginfo[2];
+      /* not all hashes have OIDs... so sad */
+      if (hash_descriptor[hash_idx].OIDlen == 0) {
+         return CRYPT_INVALID_ARG;
+      }
 
     /* construct the SEQUENCE
-      SEQUENCE {
-         SEQUENCE {hashoid OID
-                   blah    NULL
-         }
+        SEQUENCE {
+           SEQUENCE {hashoid OID
+                     blah    NULL
+           }
          hash    OCTET STRING
+        }
+     */
+      LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, hash_descriptor[hash_idx].OID, hash_descriptor[hash_idx].OIDlen);
+      LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL,              NULL,                          0);
+      LTC_SET_ASN1(siginfo,    0, LTC_ASN1_SEQUENCE,          digestinfo,                    2);
+      LTC_SET_ASN1(siginfo,    1, LTC_ASN1_OCTET_STRING,      in,                            inlen);
+
+      /* allocate memory for the encoding */
+      y = mp_unsigned_bin_size(key->N);
+      tmpin = XMALLOC(y);
+      if (tmpin == NULL) {
+         return CRYPT_MEM;
       }
-   */
-    LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, hash_descriptor[hash_idx].OID, hash_descriptor[hash_idx].OIDlen);
-    LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL,              NULL,                          0);
-    LTC_SET_ASN1(siginfo,    0, LTC_ASN1_SEQUENCE,          digestinfo,                    2);
-    LTC_SET_ASN1(siginfo,    1, LTC_ASN1_OCTET_STRING,      in,                            inlen);
-
-    /* allocate memory for the encoding */
-    y = mp_unsigned_bin_size(key->N);
-    tmpin = XMALLOC(y);
-    if (tmpin == NULL) {
-       return CRYPT_MEM;
-    }
 
-    if ((err = der_encode_sequence(siginfo, 2, tmpin, &y)) != CRYPT_OK) {
-       XFREE(tmpin);
-       return err;
+      if ((err = der_encode_sequence(siginfo, 2, tmpin, &y)) != CRYPT_OK) {
+         XFREE(tmpin);
+         return err;
+      }
+    } else {
+      /* set the pointer and data-length to the input values */
+      tmpin = (unsigned char *)in;
+      y = inlen;
     }
 
     x = *outlen;
-    if ((err = pkcs_1_v1_5_encode(tmpin, y, LTC_PKCS_1_EMSA,
-                                  modulus_bitlen, NULL, 0,
-                                  out, &x)) != CRYPT_OK) {
+    err = pkcs_1_v1_5_encode(tmpin, y, LTC_PKCS_1_EMSA, modulus_bitlen, NULL, 0, out, &x);
+
+    if (padding == LTC_PKCS_1_V1_5) {
       XFREE(tmpin);
+    }
+
+    if (err != CRYPT_OK) {
       return err;
     }
-    XFREE(tmpin);
   }
 
   /* RSA encode it */

src/pk/rsa/rsa_verify_hash.c

@@ -23,7 +23,7 @@
   @param siglen           The length of the signature data (octets)
   @param hash             The hash of the message that was signed
   @param hashlen          The length of the hash of the message that was signed (octets)
-  @param padding          Type of padding (LTC_PKCS_1_PSS or LTC_PKCS_1_V1_5)
+  @param padding          Type of padding (LTC_PKCS_1_PSS, LTC_PKCS_1_V1_5 or LTC_PKCS_1_V1_5_NA1)
   @param hash_idx         The index of the desired hash
   @param saltlen          The length of the salt used during signature
   @param stat             [out] The result of the signature comparison, 1==valid, 0==invalid
@@ -51,11 +51,12 @@ int rsa_verify_hash_ex(const unsigned char *sig,      unsigned long siglen,
   /* valid padding? */
 
   if ((padding != LTC_PKCS_1_V1_5) &&
-      (padding != LTC_PKCS_1_PSS)) {
+      (padding != LTC_PKCS_1_PSS) &&
+      (padding != LTC_PKCS_1_V1_5_NA1)) {
     return CRYPT_PK_INVALID_PADDING;
   }
 
-  if (padding == LTC_PKCS_1_PSS) {
+  if (padding != LTC_PKCS_1_V1_5_NA1) {
     /* valid hash ? */
     if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
        return err;
@@ -103,15 +104,8 @@ int rsa_verify_hash_ex(const unsigned char *sig,      unsigned long siglen,
   } else {
     /* PKCS #1 v1.5 decode it */
     unsigned char *out;
-    unsigned long outlen, loid[16], reallen;
+    unsigned long outlen;
     int           decoded;
-    ltc_asn1_list digestinfo[2], siginfo[2];
-
-    /* not all hashes have OIDs... so sad */
-    if (hash_descriptor[hash_idx].OIDlen == 0) {
-       err = CRYPT_INVALID_ARG;
-       goto bail_2;
-    }
 
     /* allocate temp buffer for decoded hash */
     outlen = ((modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0)) - 3;
@@ -126,37 +120,54 @@ int rsa_verify_hash_ex(const unsigned char *sig,      unsigned long siglen,
       goto bail_2;
     }
 
-    /* now we must decode out[0...outlen-1] using ASN.1, test the OID and then test the hash */
-    /* construct the SEQUENCE
-      SEQUENCE {
-         SEQUENCE {hashoid OID
-                   blah    NULL
-         }
-         hash    OCTET STRING
+    if (padding == LTC_PKCS_1_V1_5) {
+      unsigned long loid[16], reallen;
+      ltc_asn1_list digestinfo[2], siginfo[2];
+
+      /* not all hashes have OIDs... so sad */
+      if (hash_descriptor[hash_idx].OIDlen == 0) {
+         err = CRYPT_INVALID_ARG;
+         goto bail_2;
       }
-   */
-    LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, loid, sizeof(loid)/sizeof(loid[0]));
-    LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL,              NULL,                          0);
-    LTC_SET_ASN1(siginfo,    0, LTC_ASN1_SEQUENCE,          digestinfo,                    2);
-    LTC_SET_ASN1(siginfo,    1, LTC_ASN1_OCTET_STRING,      tmpbuf,                        siglen);
-
-    if ((err = der_decode_sequence(out, outlen, siginfo, 2)) != CRYPT_OK) {
-       XFREE(out);
-       goto bail_2;
-    }
 
-    if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) {
-       XFREE(out);
-       goto bail_2;
-    }
+      /* now we must decode out[0...outlen-1] using ASN.1, test the OID and then test the hash */
+      /* construct the SEQUENCE
+        SEQUENCE {
+           SEQUENCE {hashoid OID
+                     blah    NULL
+           }
+           hash    OCTET STRING
+        }
+     */
+      LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, loid, sizeof(loid)/sizeof(loid[0]));
+      LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL,              NULL,                          0);
+      LTC_SET_ASN1(siginfo,    0, LTC_ASN1_SEQUENCE,          digestinfo,                    2);
+      LTC_SET_ASN1(siginfo,    1, LTC_ASN1_OCTET_STRING,      tmpbuf,                        siglen);
+
+      if ((err = der_decode_sequence(out, outlen, siginfo, 2)) != CRYPT_OK) {
+         XFREE(out);
+         goto bail_2;
+      }
+
+      if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) {
+         XFREE(out);
+         goto bail_2;
+      }
 
-    /* test OID */
-    if ((reallen == outlen) &&
-        (digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
+      /* test OID */
+      if ((reallen == outlen) &&
+          (digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
         (XMEM_NEQ(digestinfo[0].data, hash_descriptor[hash_idx].OID, sizeof(unsigned long) * hash_descriptor[hash_idx].OIDlen) == 0) &&
-        (siginfo[1].size == hashlen) &&
+          (siginfo[1].size == hashlen) &&
         (XMEM_NEQ(siginfo[1].data, hash, hashlen) == 0)) {
-       *stat = 1;
+         *stat = 1;
+      }
+    } else {
+      /* only check if the hash is equal */
+      if ((hashlen == outlen) &&
+          (XMEMCMP(out, hash, hashlen) == 0)) {
+        *stat = 1;
+      }
     }
 
 #ifdef LTC_CLEAN_STACK

testprof/rsa_test.c

@@ -109,17 +109,48 @@ static const unsigned char openssl_public_rsa_stripped[] = {
    0x60, 0x3f, 0x8b, 0x54, 0x3a, 0xc3, 0x4d, 0x31, 0xe7, 0x94, 0xa4, 0x44, 0xfd, 0x02, 0x03, 0x01,
    0x00, 0x01,  };
 
+
+/* generated with the private key above as:
+   echo -n 'test' | openssl rsautl -sign -inkey rsa_private.pem -pkcs -hexdump
+ */
+static const unsigned char openssl_rsautl_pkcs[] = {
+   0x24, 0xef, 0x54, 0xea, 0x1a, 0x12, 0x0c, 0xf4, 0x04, 0x0c, 0x48, 0xc8, 0xe8, 0x17, 0xd2, 0x6f,
+   0xc3, 0x41, 0xb3, 0x97, 0x5c, 0xbc, 0xa3, 0x2d, 0x21, 0x00, 0x10, 0x0e, 0xbb, 0xf7, 0x30, 0x21,
+   0x7e, 0x12, 0xd2, 0xdf, 0x26, 0x28, 0xd8, 0x0f, 0x6d, 0x4d, 0xc8, 0x4d, 0xa8, 0x78, 0xe7, 0x03,
+   0xee, 0xbc, 0x68, 0xba, 0x98, 0xea, 0xe9, 0xb6, 0x06, 0x8d, 0x85, 0x5b, 0xdb, 0xa6, 0x49, 0x86,
+   0x6f, 0xc7, 0x3d, 0xe0, 0x53, 0x83, 0xe0, 0xea, 0xb1, 0x08, 0x6a, 0x7b, 0xbd, 0xeb, 0xb5, 0x4a,
+   0xdd, 0xbc, 0x64, 0x97, 0x8c, 0x17, 0x20, 0xa3, 0x5c, 0xd4, 0xb8, 0x87, 0x43, 0xc5, 0x13, 0xad,
+   0x41, 0x6e, 0x45, 0x41, 0x32, 0xd4, 0x09, 0x12, 0x7f, 0xdc, 0x59, 0x1f, 0x28, 0x3f, 0x1e, 0xbc,
+   0xef, 0x57, 0x23, 0x4b, 0x3a, 0xa3, 0x24, 0x91, 0x4d, 0xfb, 0xb2, 0xd4, 0xe7, 0x5e, 0x41, 0x7e,
+};
+
 extern const unsigned char _der_tests_cacert_root_cert[];
 extern const unsigned long _der_tests_cacert_root_cert_size;
 
 static int rsa_compat_test(void)
 {
-   rsa_key key;
+   rsa_key key, pubkey;
+   int stat;
    unsigned char buf[1024];
    unsigned long len;
 
    /* try reading the key */
    DO(rsa_import(openssl_private_rsa, sizeof(openssl_private_rsa), &key));
+   DO(rsa_import(openssl_public_rsa, sizeof(openssl_public_rsa), &pubkey));
+
+   /* sign-verify a message with PKCS #1 v1.5 no ASN.1 */
+   len = sizeof(buf);
+   DO(rsa_sign_hash_ex((unsigned char*)"test", 4, buf, &len, LTC_PKCS_1_V1_5_NA1, NULL, 0, 0, 0, &key));
+   if (len != sizeof(openssl_rsautl_pkcs) || memcmp(buf, openssl_rsautl_pkcs, len)) {
+      fprintf(stderr, "RSA rsa_sign_hash_ex + LTC_PKCS_1_V1_5_NA1 failed\n");
+      return 1;
+   }
+   stat = 0;
+   DO(rsa_verify_hash_ex(openssl_rsautl_pkcs, sizeof(openssl_rsautl_pkcs), (unsigned char*)"test", 4, LTC_PKCS_1_V1_5_NA1, 0, 0, &stat, &pubkey));
+   if (stat != 1) {
+      fprintf(stderr, "RSA rsa_verify_hash_ex + LTC_PKCS_1_V1_5_NA1 failed\n");
+      return 1;
+   }
 
    /* now try to export private/public and compare */
    len = sizeof(buf);