From c080c887f9304819f3df80195ed3670680e3f05c Mon Sep 17 00:00:00 2001 From: mdw Date: Thu, 20 Jul 2000 20:13:38 +0000 Subject: [PATCH] Added Bellare and Rogaway's PSS encoding for RSA signatures. --- Makefile.m4 | 9 ++- pss.c | 236 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pss.h | 164 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 406 insertions(+), 3 deletions(-) create mode 100644 pss.c create mode 100644 pss.h diff --git a/Makefile.m4 b/Makefile.m4 index 38989e5..45e60c6 100644 --- a/Makefile.m4 +++ b/Makefile.m4 @@ -1,6 +1,6 @@ ## -*-makefile-*- ## -## $Id: Makefile.m4,v 1.35 2000/07/16 20:00:46 mdw Exp $ +## $Id: Makefile.m4,v 1.36 2000/07/20 20:13:38 mdw Exp $ ## ## Makefile for Catacomb ## @@ -29,6 +29,9 @@ ##----- Revision history ---------------------------------------------------- ## ## $Log: Makefile.m4,v $ +## Revision 1.36 2000/07/20 20:13:38 mdw +## Added Bellare and Rogaway's PSS encoding for RSA signatures. +## ## Revision 1.35 2000/07/16 20:00:46 mdw ## Bug fixes to distribution. ## @@ -242,7 +245,7 @@ pkginclude_HEADERS = \ primetab.h pfilt.h primorial.h rabin.h \ pgen.h prim.h strongprime.h limlee.h \ bbs.h rsa.h dh.h dsarand.h dsa.h \ - oaep.h pkcs1.h \ + oaep.h pkcs1.h pss.h \ gfshare.h share.h \ rho.h \ allwithsuffix(`ciphers', `cipher_modes', `.h') \ @@ -276,7 +279,7 @@ libcatacomb_la_SOURCES = \ limlee.c \ bbs-rand.c bbs-gen.c bbs-jump.c bbs-fetch.c \ rsa-priv.c rsa-pub.c rsa-gen.c rsa-recover.c rsa-fetch.c \ - oaep.c pkcs1.c \ + oaep.c pkcs1.c pss.c \ dh-gen.c dh-fetch.c \ dsarand.c dsa-sign.c dsa-verify.c dsa-gen.c dsa-fetch.c \ gfshare.c share.c \ diff --git a/pss.c b/pss.c new file mode 100644 index 0000000..8bbccca --- /dev/null +++ b/pss.c @@ -0,0 +1,236 @@ +/* -*-c-*- + * + * $Id: pss.c,v 1.1 2000/07/20 20:13:38 mdw Exp $ + * + * Probabistic signature scheme + * + * (c) 2000 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Catacomb. + * + * Catacomb is free software; you can redistribute it and/or modify + * it under the terms of the GNU Library General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Catacomb is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with Catacomb; if not, write to the Free + * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +/*----- Revision history --------------------------------------------------* + * + * $Log: pss.c,v $ + * Revision 1.1 2000/07/20 20:13:38 mdw + * Added Bellare and Rogaway's PSS encoding for RSA signatures. + * + */ + +/*----- Header files ------------------------------------------------------*/ + +#include + +#include +#include +#include + +#include "gcipher.h" +#include "ghash.h" +#include "grand.h" +#include "pss.h" + +/*----- Main code ---------------------------------------------------------*/ + +/* --- @pss_presign@ --- * + * + * Arguments: @pss *pp@ = pointer to PSS parameter block + * + * Returns: An initialized generic hash context. + * + * Use: Initializes a hash function for signing with PSS. A salt is + * chosen and written into the parameter block. + */ + +ghash *pss_presign(pss *pp) +{ + size_t hsz = pp->ch->hashsz; + octet *salt = xmalloc(hsz); + ghash *h; + + pp->r->ops->fill(pp->r, salt, hsz); + pp->salt = salt; + h = pp->ch->init(); + h->ops->hash(h, salt, hsz); + return (h); +} + +/* --- @pss_encode@ --- * + * + * Arguments: @const void *msg@ = pointer to message (hash) data + * @size_t msz@ = size of message data + * @void *buf@ = pointer to output buffer + * @size_t sz@ = size of the output buffer + * @void *p@ = pointer to PSS parameter block + * + * Returns: Zero of all went well, negative on failure. + * + * Use: Implements the operation @EMSA-PSS-ENCODE@, as defined in + * PKCS#1 v. 2.1 draft 1. + */ + +int pss_encode(const void *msg, size_t msz, void *buf, size_t sz, void *p) +{ + pss *pp = p; + octet *q, *mq, *qq; + gcipher *c; + size_t hsz = pp->ch->hashsz; + size_t n; + + /* --- Ensure that everything is sensibly sized --- */ + + if (hsz + msz + 1 > sz) + return (-1); + + /* --- Fill in the initial buffer --- */ + + q = buf; + *q++ = 0; sz--; + mq = q + msz; + qq = q + sz; + n = sz - msz; + memcpy(q, msg, msz); + if (pp->salt) + memcpy(mq, pp->salt, hsz); + else + memset(mq, 0, hsz); + memset(mq + hsz, 0, n - hsz); + + /* --- Do the encryption --- */ + + c = pp->cc->init(msg, msz); + c->ops->encrypt(c, mq, mq, n); + c->ops->destroy(c); + + /* --- Done --- */ + + return (0); +} + +/* --- @pss_decode@ --- * + * + * Arguments: @const void *buf@ = pointer to encoded buffer + * @size_t sz@ = size of the encoded byffer + * @dstr *d@ = pointer to destination string + * @void *p@ = pointer to PSS parameter block + * + * Returns: The length of the output string (hash) if successful, + * negative on failure. + * + * Use: Implements most of the operation @EMSA_PSS_VERIFY@, as + * defined in PCSK#1 v. 2.1 draft 1. The salt value is filled + * in ready for hashing of the data to start. + */ + +int pss_decode(const void *buf, size_t sz, dstr *d, void *p) +{ + pss *pp = p; + gcipher *c; + octet *q, *mq, *qq; + octet *ppp; + size_t n; + size_t hsz = pp->ch->hashsz; + int rc = -1; + + /* --- Ensure that the block is large enough --- */ + + if (sz < 2 * hsz + 1) + return (-1); + + q = x_alloc(d->a, sz); + memcpy(q, buf, sz); + + /* --- Recover the salt --- */ + + if (*q++ != 0) + goto fail; + sz--; + mq = q + hsz; + qq = q + sz; + n = sz - hsz; + c = pp->cc->init(q, hsz); + c->ops->decrypt(c, mq, mq, n); + c->ops->destroy(c); + + /* --- Now check the recovery --- */ + + ppp = mq + hsz; + while (ppp < qq) { + if (*ppp) + goto fail; + ppp++; + } + + /* --- Done --- */ + + if (pp->salt) { + if (memcmp(pp->salt, mq, hsz) != 0) + goto fail; + } else { + qq = xmalloc(hsz); + memcpy(qq, mq, hsz); + pp->salt = qq; + } + dstr_putm(d, q, hsz); + rc = hsz; + +fail: + x_free(d->a, q - 1); + return (rc); +} + +/* --- @pss_preverify@ --- * + * + * Arguments: @pss *pp@ = pointer to PSS parameter block + * + * Returns: An initialized generic hash context. + * + * Use: Initializes a hash function for use with PSS. A salt is + * read from the parameter block, where @pss_decode@ should have + * left it. + */ + +ghash *pss_preverify(pss *pp) +{ + size_t hsz = pp->ch->hashsz; + ghash *h = pp->ch->init(); + h->ops->hash(h, pp->salt, hsz); + return (h); +} + +/* --- @pss_done@ --- * + * + * Arguments: @pss *pp@ = pointer to PSS parameter block + * + * Returns: --- + * + * Use: Disposes of a PSS parameter block once it's finished with. + */ + +void pss_done(pss *pp) +{ + if (pp->salt) { + xfree(pp->salt); + pp->salt = 0; + } +} + +/*----- That's all, folks -------------------------------------------------*/ diff --git a/pss.h b/pss.h new file mode 100644 index 0000000..426db3e --- /dev/null +++ b/pss.h @@ -0,0 +1,164 @@ +/* -*-c-*- + * + * $Id: pss.h,v 1.1 2000/07/20 20:13:38 mdw Exp $ + * + * Probabistic signature scheme + * + * (c) 2000 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Catacomb. + * + * Catacomb is free software; you can redistribute it and/or modify + * it under the terms of the GNU Library General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Catacomb is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with Catacomb; if not, write to the Free + * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +/*----- Revision history --------------------------------------------------* + * + * $Log: pss.h,v $ + * Revision 1.1 2000/07/20 20:13:38 mdw + * Added Bellare and Rogaway's PSS encoding for RSA signatures. + * + */ + +/*----- Notes on PSS ------------------------------------------------------* + * + * Applying PSS before RSA signing renders the construction provably secure, + * in that the difficulty of forging a signature is directly related to the + * difficulty of inverting the RSA function, in the random oracle model. + * This is a good thing. PSS was designed by Bellare and Rogaway. This + * particular variant is the one specified in draft 1 of PKCS#1 version 2.1. + * + * Stanford University have a patent claim on PSS, although if (as seems + * likely) PSS is included in IEEE P1363, they'll grant a free world-wide + * licence to use the scheme for signatures with appendix (rather than + * signatures with message recovery). + */ + +#ifndef CATACOMB_PSS_H +#define CATACOMB_PSS_H + +#ifdef __cplusplus + extern "C" { +#endif + +/*----- Header files ------------------------------------------------------*/ + +#include +#include + +#ifndef CATACOMB_GCIPHER_H +# include "gcipher.h" +#endif + +#ifndef CATACOMB_GHASH_H +# include "ghash.h" +#endif + +#ifndef CATACOMB_GRAND_H +# include "grand.h" +#endif + +/*----- Data structures ---------------------------------------------------*/ + +typedef struct pss { + const gccipher *cc; /* Cipher class for masking */ + const gchash *ch; /* Hash class for choosing a seed */ + grand *r; /* Random number source */ + void *salt; /* Pointer to the salt */ +} pss; + +/*----- Functions provided ------------------------------------------------*/ + +/* --- @pss_presign@ --- * + * + * Arguments: @pss *pp@ = pointer to PSS parameter block + * + * Returns: An initialized generic hash context. + * + * Use: Initializes a hash function for signing with PSS. A salt is + * chosen and written into the parameter block. + */ + +extern ghash *pss_presign(pss */*pp*/); + +/* --- @pss_encode@ --- * + * + * Arguments: @const void *msg@ = pointer to message (hash) data + * @size_t msz@ = size of message data + * @void *buf@ = pointer to output buffer + * @size_t sz@ = size of the output buffer + * @void *p@ = pointer to PSS parameter block + * + * Returns: Zero of all went well, negative on failure. + * + * Use: Implements the operation @EMSA-PSS-ENCODE@, as defined in + * PKCS#1 v. 2.1 draft 1. + */ + +extern int pss_encode(const void */*msg*/, size_t /*msz*/, + void */*buf*/, size_t /*sz*/, void */*p*/); + +/* --- @pss_decode@ --- * + * + * Arguments: @const void *buf@ = pointer to encoded buffer + * @size_t sz@ = size of the encoded byffer + * @dstr *d@ = pointer to destination string + * @void *p@ = pointer to PSS parameter block + * + * Returns: The length of the output string (hash) if successful, + * negative on failure. + * + * Use: Implements most of the operation @EMSA_PSS_VERIFY@, as + * defined in PCSK#1 v. 2.1 draft 1. The salt value is filled + * in ready for hashing of the data to start. + */ + +extern int pss_decode(const void */*buf*/, size_t /*sz*/, + dstr */*d*/, void */*p*/); + +/* --- @pss_preverify@ --- * + * + * Arguments: @pss *pp@ = pointer to PSS parameter block + * + * Returns: An initialized generic hash context. + * + * Use: Initializes a hash function for use with PSS. A salt is + * read from the parameter block, where @pss_decode@ should have + * left it. + */ + +extern ghash *pss_presign(pss */*pp*/); + +/* --- @pss_done@ --- * + * + * Arguments: @pss *pp@ = pointer to PSS parameter block + * + * Returns: --- + * + * Use: Disposes of a PSS parameter block once it's finished with. + */ + +extern void pss_done(pss */*pp*/); + +/*----- That's all, folks -------------------------------------------------*/ + +#ifdef __cplusplus + } +#endif + +#endif -- 2.11.0