3 * $Id: pss.c,v 1.2 2004/04/08 01:36:15 mdw Exp $
5 * Probabistic signature scheme
7 * (c) 2000 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Header files ------------------------------------------------------*/
34 #include <mLib/alloc.h>
35 #include <mLib/bits.h>
36 #include <mLib/dstr.h>
43 /*----- Magic statics -----------------------------------------------------*/
45 static const octet z8
[8] = { 0 };
47 /*----- Main code ---------------------------------------------------------*/
49 /* --- @pss_encode@ --- *
51 * Arguments: @mp *d@ = where to put the answer
52 * @const void *m@ = pointer to the message hash
53 * @size_t msz@ = the size of the message hash
54 * @octet *b@ = scratch buffer
55 * @size_t sz@ = sizeo of the buffer (large enough)
56 * @unsigned long nbits@ = size in bits of @n@
57 * @void *p@ = pointer to the PSS parameters
59 * Returns: Encoded message representative, or null on error.
61 * Use: Implements the operation @EMSA-PSS-ENCODE@, as defined in
62 * PKCS#1 v. 2.1 (RFC3447).
65 mp
*pss_encode(mp
*d
, const void *m
, size_t msz
, octet
*b
, size_t sz
,
66 unsigned long nbits
, void *p
)
73 size_t pssz
, hsz
= pp
->ch
->hashsz
;
75 /* --- Check the message length --- */
79 mask
= (1 << nbits
%8) - 1;
80 if (!mask
) mask
= 0xff;
81 if (hsz
+ pp
->ssz
+ 2 > sz
)
84 /* --- Generate a random salt --- */
86 pssz
= sz
- pp
->ssz
- hsz
- 2;
91 GR_FILL(pp
->r
, s
, pp
->ssz
);
93 /* --- Compute the salted hash --- */
98 GH_HASH(h
, s
, pp
->ssz
);
102 /* --- Do the masking --- */
104 c
= GC_INIT(pp
->cc
, r
, hsz
);
105 GC_ENCRYPT(c
, b
, b
, pssz
+ pp
->ssz
+ 1);
108 return (mp_loadb(d
, b
, sz
));
111 /* --- @pss_decode@ --- *
113 * Arguments: @mp *s@ = the message representative
114 * @const void *m@ = the original message
115 * @size_t msz@ = the message size
116 * @octet *b@ = a scratch buffer
117 * @size_t sz@ = size of the buffer (large enough)
118 * @unsigned long nbits@ = number of bits in @n@
119 * @void *p@ = pointer to PKCS1 parameters
121 * Returns: The length of the output string if successful, negative on
124 * Use: Implements the operation @EMSA_PSS_VERIFY@, as defined in
125 * PCSK#1 v. 2.1 (RFC3447).
128 int pss_decode(mp
*mi
, const void *m
, size_t msz
, octet
*b
, size_t sz
,
129 unsigned long nbits
, void *p
)
136 size_t pssz
, hsz
= pp
->ch
->hashsz
, i
;
139 /* --- Check the message length --- */
143 if (mp_octets(mi
) > sz
)
145 mask
= (1 << nbits
%8) - 1;
146 if (!mask
) mask
= 0xff;
147 if (hsz
+ pp
->ssz
+ 2 > sz
)
149 mp_storeb(mi
, b
, sz
);
151 /* --- Split up the buffer --- */
153 pssz
= sz
- hsz
- pp
->ssz
- 2;
159 /* --- Decode the seed --- */
163 c
= GC_INIT(pp
->cc
, r
, hsz
);
164 GC_DECRYPT(c
, b
, b
, pssz
+ pp
->ssz
+ 1);
167 for (i
= 0; i
< pssz
; i
++)
168 if (b
[i
]) return (-1);
172 /* --- Hash the message --- */
177 GH_HASH(h
, s
, pp
->ssz
);
179 rc
= !memcmp(s
, r
, hsz
);
181 if (!rc
) return (-1);
188 /*----- That's all, folks -------------------------------------------------*/