From: Daiki Ueno dueno@redhat.com
Hello,
This series of patches implements the RSA-PSS signature scheme, as specified in RFC 3447. To keep the interface minimal but to allow TLS 1.3 implementations on top of this, only SHA256/384/512 variants are provided.
The prototypes of the top-level functions are as follows:
int rsa_pss_shaXXX_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s);
int rsa_pss_shaXXX_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature);
For MGF, "mask generation function 1" backed by the same hash algorithm is always used, as indicated in [1]. I thought it might make sense to provide more flexible variants, such as rsa_pss_{sign_tr,verify} analogous to rsa_pkcs1_*, but realized that parsing ASN.1 encoded parameters would require extra complexity.
Suggestions appreciated.
Daiki Ueno (2): Implement PSS encoding functions Add PSS variants for RSA sign/verify functions
Makefile.in | 7 +- mgf1-sha256.c | 47 +++++++ mgf1-sha384.c | 47 +++++++ mgf1-sha512.c | 47 +++++++ mgf1.c | 72 +++++++++++ mgf1.h | 70 ++++++++++ nettle-types.h | 3 + nettle.texinfo | 30 +++++ pss-sha256.c | 64 ++++++++++ pss-sha512.c | 90 +++++++++++++ pss.c | 195 ++++++++++++++++++++++++++++ pss.h | 105 +++++++++++++++ rsa-pss-sha256-sign-tr.c | 64 ++++++++++ rsa-pss-sha256-verify.c | 60 +++++++++ rsa-pss-sha512-sign-tr.c | 87 +++++++++++++ rsa-pss-sha512-verify.c | 79 ++++++++++++ rsa-verify.c | 14 ++ rsa.h | 55 ++++++++ testsuite/.test-rules.make | 9 ++ testsuite/Makefile.in | 5 +- testsuite/mgf1-test.c | 23 ++++ testsuite/pss-test.c | 35 +++++ testsuite/rsa-pss-sign-tr-test.c | 268 +++++++++++++++++++++++++++++++++++++++ 23 files changed, 1473 insertions(+), 3 deletions(-) create mode 100644 mgf1-sha256.c create mode 100644 mgf1-sha384.c create mode 100644 mgf1-sha512.c create mode 100644 mgf1.c create mode 100644 mgf1.h create mode 100644 pss-sha256.c create mode 100644 pss-sha512.c create mode 100644 pss.c create mode 100644 pss.h create mode 100644 rsa-pss-sha256-sign-tr.c create mode 100644 rsa-pss-sha256-verify.c create mode 100644 rsa-pss-sha512-sign-tr.c create mode 100644 rsa-pss-sha512-verify.c create mode 100644 testsuite/mgf1-test.c create mode 100644 testsuite/pss-test.c create mode 100644 testsuite/rsa-pss-sign-tr-test.c
Footnotes: [1] https://tlswg.github.io/tls13-spec/#signature-algorithms
From: Daiki Ueno dueno@redhat.com
Signed-off-by: Daiki Ueno dueno@redhat.com --- Makefile.in | 5 +- mgf1-sha256.c | 47 +++++++++++ mgf1-sha384.c | 47 +++++++++++ mgf1-sha512.c | 47 +++++++++++ mgf1.c | 72 +++++++++++++++++ mgf1.h | 70 ++++++++++++++++ nettle-types.h | 3 + pss-sha256.c | 64 +++++++++++++++ pss-sha512.c | 90 +++++++++++++++++++++ pss.c | 195 +++++++++++++++++++++++++++++++++++++++++++++ pss.h | 105 ++++++++++++++++++++++++ testsuite/.test-rules.make | 6 ++ testsuite/Makefile.in | 4 +- testsuite/mgf1-test.c | 23 ++++++ testsuite/pss-test.c | 35 ++++++++ 15 files changed, 810 insertions(+), 3 deletions(-) create mode 100644 mgf1-sha256.c create mode 100644 mgf1-sha384.c create mode 100644 mgf1-sha512.c create mode 100644 mgf1.c create mode 100644 mgf1.h create mode 100644 pss-sha256.c create mode 100644 pss-sha512.c create mode 100644 pss.c create mode 100644 pss.h create mode 100644 testsuite/mgf1-test.c create mode 100644 testsuite/pss-test.c
diff --git a/Makefile.in b/Makefile.in index 135542f..035074c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -110,6 +110,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ md2.c md2-meta.c md4.c md4-meta.c \ md5.c md5-compress.c md5-compat.c md5-meta.c \ memeql-sec.c memxor.c memxor3.c \ + mgf1.c mgf1-sha256.c mgf1-sha384.c mgf1-sha512.c \ nettle-meta-aeads.c nettle-meta-armors.c \ nettle-meta-ciphers.c nettle-meta-hashes.c \ pbkdf2.c pbkdf2-hmac-sha1.c pbkdf2-hmac-sha256.c \ @@ -144,6 +145,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ pkcs1.c pkcs1-encrypt.c pkcs1-decrypt.c \ pkcs1-rsa-digest.c pkcs1-rsa-md5.c pkcs1-rsa-sha1.c \ pkcs1-rsa-sha256.c pkcs1-rsa-sha512.c \ + pss.c pss-sha256.c pss-sha512.c \ rsa.c rsa-sign.c rsa-sign-tr.c rsa-verify.c \ rsa-pkcs1-sign.c rsa-pkcs1-sign-tr.c rsa-pkcs1-verify.c \ rsa-md5-sign.c rsa-md5-sign-tr.c rsa-md5-verify.c \ @@ -194,9 +196,10 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ md2.h md4.h \ md5.h md5-compat.h \ memops.h memxor.h \ + mgf1.h \ nettle-meta.h nettle-types.h \ pbkdf2.h \ - pgp.h pkcs1.h realloc.h ripemd160.h rsa.h \ + pgp.h pkcs1.h pss.h realloc.h ripemd160.h rsa.h \ salsa20.h sexp.h \ serpent.h sha.h sha1.h sha2.h sha3.h twofish.h \ umac.h yarrow.h poly1305.h diff --git a/mgf1-sha256.c b/mgf1-sha256.c new file mode 100644 index 0000000..11e908c --- /dev/null +++ b/mgf1-sha256.c @@ -0,0 +1,47 @@ +/* mgf1-sha256.c + + PKCS#1 mask generation function 1, based on SHA-256. + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "mgf1.h" + +#include "nettle-meta.h" + +int +mgf1_sha256(const struct sha256_ctx *hash, size_t mask_length, uint8_t *mask) +{ + struct sha256_ctx state; + return mgf1(hash, &state, &nettle_sha256, mask_length, mask); +} diff --git a/mgf1-sha384.c b/mgf1-sha384.c new file mode 100644 index 0000000..5dd2b07 --- /dev/null +++ b/mgf1-sha384.c @@ -0,0 +1,47 @@ +/* mgf1-sha384.c + + PKCS#1 mask generation function 1, based on SHA-384. + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "mgf1.h" + +#include "nettle-meta.h" + +int +mgf1_sha384(const struct sha384_ctx *hash, size_t mask_length, uint8_t *mask) +{ + struct sha384_ctx state; + return mgf1(hash, &state, &nettle_sha384, mask_length, mask); +} diff --git a/mgf1-sha512.c b/mgf1-sha512.c new file mode 100644 index 0000000..d1fba5f --- /dev/null +++ b/mgf1-sha512.c @@ -0,0 +1,47 @@ +/* mgf1-sha512.c + + PKCS#1 mask generation function 1, based on SHA-512. + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "mgf1.h" + +#include "nettle-meta.h" + +int +mgf1_sha512(const struct sha512_ctx *hash, size_t mask_length, uint8_t *mask) +{ + struct sha512_ctx state; + return mgf1(hash, &state, &nettle_sha512, mask_length, mask); +} diff --git a/mgf1.c b/mgf1.c new file mode 100644 index 0000000..a96b086 --- /dev/null +++ b/mgf1.c @@ -0,0 +1,72 @@ +/* mgf1.c + + PKCS#1 mask generation function 1 (RFC-3447). + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "mgf1.h" + +#include <assert.h> +#include <string.h> + +#include "nettle-internal.h" + +#define MGF1_MIN(a,b) ((a) < (b) ? (a) : (b)) + +int +mgf1(void *seed, void *state, const struct nettle_hash *hash, + size_t mask_length, uint8_t *mask) +{ + TMP_DECL(h, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); + size_t i, blocks; + uint8_t c[4], *p; + + TMP_ALLOC(h, hash->digest_size); + + blocks = (mask_length + hash->digest_size - 1) / hash->digest_size; + for (i = 0, p = mask; i < blocks; i++, p += hash->digest_size) + { + c[0] = (i >> 24) & 0xFF; + c[1] = (i >> 16) & 0xFF; + c[2] = (i >> 8) & 0xFF; + c[3] = i & 0xFF; + + memcpy(state, seed, hash->context_size); + hash->update(state, 4, c); + hash->digest(state, hash->digest_size, h); + memcpy(p, h, MGF1_MIN(hash->digest_size, mask_length - (p - mask))); + } + + return 1; +} diff --git a/mgf1.h b/mgf1.h new file mode 100644 index 0000000..bbaffce --- /dev/null +++ b/mgf1.h @@ -0,0 +1,70 @@ +/* mgf1.h + + PKCS#1 mask generation function 1 (RFC-3447). + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_MGF1_H_INCLUDED +#define NETTLE_MGF1_H_INCLUDED + +#include "nettle-meta.h" + +#include "sha1.h" +#include "sha2.h" + +#ifdef __cplusplus +extern "C" +{ +#endif + +/* Namespace mangling */ +#define mgf1 nettle_mgf1 +#define mgf1_sha256 nettle_mgf1_sha256 +#define mgf1_sha384 nettle_mgf1_sha384 +#define mgf1_sha512 nettle_mgf1_sha512 + +int +mgf1(void *seed, void *state, const struct nettle_hash *hash, + size_t mask_length, uint8_t *mask); + +int +mgf1_sha256(const struct sha256_ctx *hash, size_t mask_length, uint8_t *mask); + +int +mgf1_sha384(const struct sha384_ctx *hash, size_t mask_length, uint8_t *mask); + +int +mgf1_sha512(const struct sha512_ctx *hash, size_t mask_length, uint8_t *mask); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_MGF1_H_INCLUDED */ diff --git a/nettle-types.h b/nettle-types.h index 475937d..b687958 100644 --- a/nettle-types.h +++ b/nettle-types.h @@ -103,6 +103,9 @@ typedef int nettle_armor_decode_update_func(void *ctx,
typedef int nettle_armor_decode_final_func(void *ctx);
+typedef int nettle_mgf_func(void *ctx, size_t mask_length, uint8_t *mask); + + #ifdef __cplusplus } #endif diff --git a/pss-sha256.c b/pss-sha256.c new file mode 100644 index 0000000..9c12037 --- /dev/null +++ b/pss-sha256.c @@ -0,0 +1,64 @@ +/* pss.c + + PKCS#1 RSA-PSS padding, using SHA-256 (RFC-3447). + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "pss.h" + +int +pss_sha256_encode(mpz_t m, size_t bits, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest) +{ + struct sha256_ctx state; + return pss_encode(m, bits, + &state, &nettle_sha256, + (nettle_mgf_func *) mgf1_sha256, + salt_length, salt, + digest); +} + +int +pss_sha256_verify(mpz_t m, size_t bits, + size_t salt_length, + const uint8_t *digest) +{ + struct sha256_ctx state; + return pss_verify(m, bits, + &state, &nettle_sha256, + (nettle_mgf_func *) mgf1_sha256, + salt_length, + digest); +} diff --git a/pss-sha512.c b/pss-sha512.c new file mode 100644 index 0000000..e24b45d --- /dev/null +++ b/pss-sha512.c @@ -0,0 +1,90 @@ +/* pss.c + + PKCS#1 RSA-PSS padding, using SHA-384 and SHA-512 (RFC-3447). + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "pss.h" + +int +pss_sha384_encode(mpz_t m, size_t bits, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest) +{ + struct sha384_ctx state; + return pss_encode(m, bits, + &state, &nettle_sha384, + (nettle_mgf_func *) mgf1_sha384, + salt_length, salt, + digest); +} + +int +pss_sha384_verify(mpz_t m, size_t bits, + size_t salt_length, + const uint8_t *digest) +{ + struct sha384_ctx state; + return pss_verify(m, bits, + &state, &nettle_sha384, + (nettle_mgf_func *) mgf1_sha384, + salt_length, + digest); +} + +int +pss_sha512_encode(mpz_t m, size_t bits, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest) +{ + struct sha512_ctx state; + return pss_encode(m, bits, + &state, &nettle_sha512, + (nettle_mgf_func *) mgf1_sha512, + salt_length, salt, + digest); +} + +int +pss_sha512_verify(mpz_t m, size_t bits, + size_t salt_length, + const uint8_t *digest) +{ + struct sha512_ctx state; + return pss_verify(m, bits, + &state, &nettle_sha512, + (nettle_mgf_func *) mgf1_sha512, + salt_length, + digest); +} diff --git a/pss.c b/pss.c new file mode 100644 index 0000000..5dd23a7 --- /dev/null +++ b/pss.c @@ -0,0 +1,195 @@ +/* pss.c + + PKCS#1 RSA-PSS padding (RFC-3447). + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> +#include <string.h> + +#include "pss.h" + +#include "bignum.h" +#include "gmp-glue.h" + +#include "memxor.h" +#include "nettle-internal.h" + +static const uint8_t pss_masks[8] = { + 0xFF, 0x7F, 0x3F, 0x1F, 0xF, 0x7, 0x3, 0x1 +}; + +int +pss_encode(mpz_t m, size_t bits, + void *state, const struct nettle_hash *hash, + nettle_mgf_func mgf, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest) +{ + TMP_GMP_DECL(em, uint8_t); + uint8_t pad[8]; + size_t key_size = (bits + 7) / 8; + size_t j; + + TMP_GMP_ALLOC(em, key_size); + + if (key_size < hash->digest_size + salt_length + 2) + { + TMP_GMP_FREE(em); + return 0; + } + + /* Compute M'. */ + hash->init(state); + memset(pad, 0, 8); + hash->update(state, 8, pad); + hash->update(state, hash->digest_size, digest); + hash->update(state, salt_length, salt); + + /* Store H in EM, right after maskedDB. */ + hash->digest(state, hash->digest_size, em + key_size - hash->digest_size - 1); + + /* Compute dbMask. */ + hash->init(state); + hash->update(state, hash->digest_size, em + key_size - hash->digest_size - 1); + + mgf(state, key_size - hash->digest_size - 1, em); + + /* Compute maskedDB and store it in front of H in EM. */ + for (j = 0; j < key_size - salt_length - hash->digest_size - 2; j++) + em[j] ^= 0; + em[j++] ^= 1; + memxor(em + j, salt, salt_length); + j += salt_length; + + /* Store the trailer field following H. */ + j += hash->digest_size; + *(em + j) = 0xbc; + + /* Clear the leftmost 8 * emLen - emBits of the leftmost octet in EM. */ + *em &= pss_masks[(8 * key_size - bits)]; + + nettle_mpz_set_str_256_u(m, key_size, em); + TMP_GMP_FREE(em); + return 1; +} + +int +pss_verify(mpz_t m, size_t bits, + void *state, const struct nettle_hash *hash, + nettle_mgf_func mgf, + size_t salt_length, + const uint8_t *digest) +{ + TMP_GMP_DECL(em, uint8_t); + TMP_DECL(h2, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); + uint8_t pad[8], *h, *db, *salt; + size_t key_size = (bits + 7) / 8; + size_t j; + + /* Allocate twice the key size to store the intermediate data DB + * following the EM value. */ + TMP_GMP_ALLOC(em, key_size * 2); + + TMP_ALLOC(h2, hash->digest_size); + + if (key_size < hash->digest_size + salt_length + 2) + { + TMP_GMP_FREE(em); + return 0; + } + + nettle_mpz_get_str_256(key_size, em, m); + + /* Check the trailer field. */ + if (em[key_size - 1] != 0xbc) + { + TMP_GMP_FREE(em); + return 0; + } + + /* Extract H. */ + h = em + (key_size - hash->digest_size - 1); + + /* Check if the leftmost 8 * emLen - emBits bits of the leftmost + * octet of EM are all equal to zero. */ + if ((*em & ~pss_masks[(8 * key_size - bits)]) != 0) + { + TMP_GMP_FREE(em); + return 0; + } + + /* Compute dbMask. */ + hash->init(state); + hash->update(state, hash->digest_size, h); + + db = em + key_size; + mgf(state, key_size - hash->digest_size - 1, db); + + /* Compute DB. */ + memxor(db, em, key_size - hash->digest_size - 1); + + *db &= pss_masks[(8 * key_size - bits)]; + for (j = 0; j < key_size - salt_length - hash->digest_size - 2; j++) + if (db[j] != 0) { + TMP_GMP_FREE(em); + return 0; + } + + /* Check the octet right after PS is 0x1. */ + if (db[j] != 0x1) + { + TMP_GMP_FREE(em); + return 0; + } + salt = db + j + 1; + + /* Compute H'. */ + memset(pad, 0, 8); + hash->init(state); + hash->update(state, 8, pad); + hash->update(state, hash->digest_size, digest); + hash->update(state, salt_length, salt); + hash->digest(state, hash->digest_size, h2); + + /* Check if H' = H. */ + if (memcmp(h2, h, hash->digest_size) != 0) + { + TMP_GMP_FREE(em); + return 0; + } + + TMP_GMP_FREE(em); + return 1; +} diff --git a/pss.h b/pss.h new file mode 100644 index 0000000..1ebe1eb --- /dev/null +++ b/pss.h @@ -0,0 +1,105 @@ +/* pss.h + + PKCS#1 RSA-PSS (RFC-3447). + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_PSS_H_INCLUDED +#define NETTLE_PSS_H_INCLUDED + +#include "nettle-types.h" +#include "bignum.h" + +#include "mgf1.h" + +#ifdef __cplusplus +extern "C" +{ +#endif + +/* Namespace mangling */ +#define pss_encode nettle_pss_encode +#define pss_verify nettle_pss_verify +#define pss_sha256_encode nettle_pss_sha256_encode +#define pss_sha256_verify nettle_pss_sha256_verify +#define pss_sha384_encode nettle_pss_sha384_encode +#define pss_sha384_verify nettle_pss_sha384_verify +#define pss_sha512_encode nettle_pss_sha512_encode +#define pss_sha512_verify nettle_pss_sha512_verify + +int +pss_encode(mpz_t m, size_t bits, + void *state, const struct nettle_hash *hash, + nettle_mgf_func mgf, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest); + +int +pss_verify(mpz_t m, size_t bits, + void *state, const struct nettle_hash *hash, + nettle_mgf_func mgf, + size_t salt_length, + const uint8_t *digest); + +int +pss_sha256_encode(mpz_t m, size_t bits, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest); + +int +pss_sha256_verify(mpz_t m, size_t bits, + size_t salt_length, + const uint8_t *digest); + +int +pss_sha384_encode(mpz_t m, size_t bits, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest); + +int +pss_sha384_verify(mpz_t m, size_t bits, + size_t salt_length, + const uint8_t *digest); + +int +pss_sha512_encode(mpz_t m, size_t bits, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest); + +int +pss_sha512_verify(mpz_t m, size_t bits, + size_t salt_length, + const uint8_t *digest); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_PSS_H_INCLUDED */ diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make index b263e1f..2b4499f 100644 --- a/testsuite/.test-rules.make +++ b/testsuite/.test-rules.make @@ -157,6 +157,9 @@ yarrow-test$(EXEEXT): yarrow-test.$(OBJEXT) pbkdf2-test$(EXEEXT): pbkdf2-test.$(OBJEXT) $(LINK) pbkdf2-test.$(OBJEXT) $(TEST_OBJS) -o pbkdf2-test$(EXEEXT)
+mgf1-test$(EXEEXT): mgf1-test.$(OBJEXT) + $(LINK) mgf1-test.$(OBJEXT) $(TEST_OBJS) -o mgf1-test$(EXEEXT) + sexp-test$(EXEEXT): sexp-test.$(OBJEXT) $(LINK) sexp-test.$(OBJEXT) $(TEST_OBJS) -o sexp-test$(EXEEXT)
@@ -178,6 +181,9 @@ random-prime-test$(EXEEXT): random-prime-test.$(OBJEXT) pkcs1-test$(EXEEXT): pkcs1-test.$(OBJEXT) $(LINK) pkcs1-test.$(OBJEXT) $(TEST_OBJS) -o pkcs1-test$(EXEEXT)
+pss-test$(EXEEXT): pss-test.$(OBJEXT) + $(LINK) pss-test.$(OBJEXT) $(TEST_OBJS) -o pss-test$(EXEEXT) + rsa-sign-tr-test$(EXEEXT): rsa-sign-tr-test.$(OBJEXT) $(LINK) rsa-sign-tr-test.$(OBJEXT) $(TEST_OBJS) -o rsa-sign-tr-test$(EXEEXT)
diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in index 689d432..4a9604f 100644 --- a/testsuite/Makefile.in +++ b/testsuite/Makefile.in @@ -30,12 +30,12 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \ hmac-test.c umac-test.c \ meta-hash-test.c meta-cipher-test.c\ meta-aead-test.c meta-armor-test.c \ - buffer-test.c yarrow-test.c pbkdf2-test.c + buffer-test.c yarrow-test.c pbkdf2-test.c mgf1-test.c
TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \ rsa2sexp-test.c sexp2rsa-test.c \ bignum-test.c random-prime-test.c \ - pkcs1-test.c rsa-sign-tr-test.c \ + pkcs1-test.c pss-test.c rsa-sign-tr-test.c \ rsa-test.c rsa-encrypt-test.c rsa-keygen-test.c \ dsa-test.c dsa-keygen-test.c \ curve25519-dh-test.c \ diff --git a/testsuite/mgf1-test.c b/testsuite/mgf1-test.c new file mode 100644 index 0000000..7a5dbb2 --- /dev/null +++ b/testsuite/mgf1-test.c @@ -0,0 +1,23 @@ +#include "testutils.h" +#include "mgf1.h" + +void +test_main(void) +{ + struct sha256_ctx hash; + struct tstring *expected; + uint8_t mask[120]; + int ret; + + expected = SHEX("a473d7488b16ba109a76132877f2028c458729440f7d2b83ee1e7d" + "4042981047241a8621136eb1ea6662b9b9f59eb7aa2dc169e76d4e" + "0380db8537b76110cb41520dbc7fb9d2bbea8a182fa1fe9e1f8e68" + "61b80dca42be7b11bb258c26e50450b5c2eea6ff78e787f682fca3" + "ea051b0baefef200d40289cf"); + + sha256_init(&hash); + sha256_update(&hash, SHA256_DIGEST_SIZE, "abc"); + ret = mgf1_sha256(&hash, 120, mask); + ASSERT(ret == 1); + ASSERT(MEMEQ (107, mask, expected->data)); +} diff --git a/testsuite/pss-test.c b/testsuite/pss-test.c new file mode 100644 index 0000000..2d53e03 --- /dev/null +++ b/testsuite/pss-test.c @@ -0,0 +1,35 @@ +#include "testutils.h" + +#include "pss.h" + +void +test_main(void) +{ + struct tstring *salt; + struct tstring *digest; + mpz_t m; + mpz_t expected; + int ret; + + mpz_init(m); + mpz_init(expected); + + salt = SHEX("11223344556677889900"); + /* From sha256-test.c */ + digest = SHEX("ba7816bf8f01cfea 414140de5dae2223" + "b00361a396177a9c b410ff61f20015ad"); + ret = pss_sha256_encode(m, 1024, salt->length, salt->data, digest->data); + ASSERT(ret == 1); + + mpz_set_str(expected, + "76b9a52705c8382c5367732f993184eff340b6305c9f73e7e308c8" + "004fcc15cbbaab01e976bae4b774628595379a2d448a36b3ea6fa8" + "353b97eeea7bdac93b4b7807ac98cd4b3bebfb31f3718e1dd3625f" + "227fbb8696606498e7070e21c3cbbd7386ea20eb81ac7927e0c6d1" + "d7788826a63af767f301bcc05dd65b00da862cbc", 16); + + ASSERT(mpz_cmp(m, expected) == 0); + + ret = pss_sha256_verify(m, 1024, salt->length, digest->data); + ASSERT(ret == 1); +}
From: Daiki Ueno dueno@redhat.com
Signed-off-by: Daiki Ueno dueno@redhat.com --- Makefile.in | 2 + nettle.texinfo | 30 +++++ rsa-pss-sha256-sign-tr.c | 64 ++++++++++ rsa-pss-sha256-verify.c | 60 +++++++++ rsa-pss-sha512-sign-tr.c | 87 +++++++++++++ rsa-pss-sha512-verify.c | 79 ++++++++++++ rsa-verify.c | 14 ++ rsa.h | 55 ++++++++ testsuite/.test-rules.make | 3 + testsuite/Makefile.in | 1 + testsuite/rsa-pss-sign-tr-test.c | 268 +++++++++++++++++++++++++++++++++++++++ 11 files changed, 663 insertions(+) create mode 100644 rsa-pss-sha256-sign-tr.c create mode 100644 rsa-pss-sha256-verify.c create mode 100644 rsa-pss-sha512-sign-tr.c create mode 100644 rsa-pss-sha512-verify.c create mode 100644 testsuite/rsa-pss-sign-tr-test.c
diff --git a/Makefile.in b/Makefile.in index 035074c..2075390 100644 --- a/Makefile.in +++ b/Makefile.in @@ -152,6 +152,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \ rsa-sha1-sign.c rsa-sha1-sign-tr.c rsa-sha1-verify.c \ rsa-sha256-sign.c rsa-sha256-sign-tr.c rsa-sha256-verify.c \ rsa-sha512-sign.c rsa-sha512-sign-tr.c rsa-sha512-verify.c \ + rsa-pss-sha256-sign-tr.c rsa-pss-sha256-verify.c \ + rsa-pss-sha512-sign-tr.c rsa-pss-sha512-verify.c \ rsa-encrypt.c rsa-decrypt.c rsa-decrypt-tr.c \ rsa-keygen.c rsa-blind.c \ rsa2sexp.c sexp2rsa.c \ diff --git a/nettle.texinfo b/nettle.texinfo index 9cfaf43..529a8e6 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -3770,6 +3770,36 @@ of the digest together with an object identifier for the used hash algorithm. @end deftypefun
+While the above functions for the RSA signature operations use the +@cite{PKCS#1} padding scheme, Nettle also provides the variants based on +the PSS padding scheme, specified in @cite{RFC 3447}. + +Creating an RSA signature with the PSS padding scheme is done with one +of the following functions: + +@deftypefun int rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature}) +@deftypefunx int rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature}) +@deftypefunx int rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature}) +Creates a signature using the PSS padding scheme. @var{salt} should +point to a salt string of size @var{salt_length}. @var{digest} should +point to a digest of size @code{SHA256_DIGEST_SIZE}, +@code{SHA384_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE}respectively. The +signature is stored in @var{signature} (which must have been +@code{mpz_init}:ed earlier). +Returns one on success, or zero on failure. +@end deftypefun + +Verifying an RSA signature with the PSS padding scheme is done with one +of the following functions: + +@deftypefun int rsa_pss_sha256_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature}) +@deftypefunx int rsa_pss_sha384_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature}) +@deftypefunx int rsa_pss_sha512_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature}) +Returns 1 if the signature is valid, or 0 if it isn't. @var{digest} +should point to a digest of size @code{SHA256_DIGEST_SIZE}, +@code{SHA384_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE} respectively. +@end deftypefun + The following function is used to encrypt a clear text message using RSA. @deftypefun int rsa_encrypt (const struct rsa_public_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{length}, const uint8_t *@var{cleartext}, mpz_t @var{ciphertext}) Returns 1 on success, 0 on failure. If the message is too long then this diff --git a/rsa-pss-sha256-sign-tr.c b/rsa-pss-sha256-sign-tr.c new file mode 100644 index 0000000..4284fe3 --- /dev/null +++ b/rsa-pss-sha256-sign-tr.c @@ -0,0 +1,64 @@ +/* rsa-pss-sha256-sign-tr.c + + Signatures using RSA and SHA-256, with PSS padding. + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "rsa.h" + +#include "bignum.h" +#include "pss.h" + +int +rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest, + mpz_t s) +{ + mpz_t m; + int res; + + mpz_init (m); + + res = (pss_sha256_encode(m, mpz_sizeinbase(pub->n, 2) - 1, + salt_length, salt, digest) + && rsa_compute_root_tr (pub, key, + random_ctx, random, + s, m)); + + mpz_clear (m); + return res; +} diff --git a/rsa-pss-sha256-verify.c b/rsa-pss-sha256-verify.c new file mode 100644 index 0000000..4bdc07f --- /dev/null +++ b/rsa-pss-sha256-verify.c @@ -0,0 +1,60 @@ +/* rsa-pss-sha256-verify.c + + Verifying signatures created with RSA and SHA-256, with PSS padding. + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "rsa.h" + +#include "bignum.h" +#include "pss.h" + +int +rsa_pss_sha256_verify_digest(const struct rsa_public_key *key, + size_t salt_length, + const uint8_t *digest, + const mpz_t signature) +{ + int res; + mpz_t m; + + mpz_init (m); + + res = (_rsa_verify_recover(key, m, signature) && + pss_sha256_verify(m, mpz_sizeinbase(key->n, 2) - 1, + salt_length, digest)); + + mpz_clear (m); + return res; +} diff --git a/rsa-pss-sha512-sign-tr.c b/rsa-pss-sha512-sign-tr.c new file mode 100644 index 0000000..5a0a5c5 --- /dev/null +++ b/rsa-pss-sha512-sign-tr.c @@ -0,0 +1,87 @@ +/* rsa-pss-sha512-sign-tr.c + + Signatures using RSA and SHA-384/SHA-512, with PSS padding. + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "rsa.h" + +#include "bignum.h" +#include "pss.h" + +int +rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest, + mpz_t s) +{ + mpz_t m; + int res; + + mpz_init (m); + + res = (pss_sha384_encode(m, mpz_sizeinbase(pub->n, 2) - 1, + salt_length, salt, digest) + && rsa_compute_root_tr (pub, key, + random_ctx, random, + s, m)); + + mpz_clear (m); + return res; +} + +int +rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest, + mpz_t s) +{ + mpz_t m; + int res; + + mpz_init (m); + + res = (pss_sha512_encode(m, mpz_sizeinbase(pub->n, 2) - 1, + salt_length, salt, digest) + && rsa_compute_root_tr (pub, key, + random_ctx, random, + s, m)); + + mpz_clear (m); + return res; +} diff --git a/rsa-pss-sha512-verify.c b/rsa-pss-sha512-verify.c new file mode 100644 index 0000000..cd1d59c --- /dev/null +++ b/rsa-pss-sha512-verify.c @@ -0,0 +1,79 @@ +/* rsa-pss-sha512-verify.c + + Verifying signatures created with RSA and SHA-384/SHA-512, with PSS padding. + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "rsa.h" + +#include "bignum.h" +#include "pss.h" + +int +rsa_pss_sha384_verify_digest(const struct rsa_public_key *key, + size_t salt_length, + const uint8_t *digest, + const mpz_t signature) +{ + int res; + mpz_t m; + + mpz_init (m); + + res = (_rsa_verify_recover(key, m, signature) && + pss_sha384_verify(m, mpz_sizeinbase(key->n, 2) - 1, + salt_length, digest)); + + mpz_clear (m); + return res; +} + +int +rsa_pss_sha512_verify_digest(const struct rsa_public_key *key, + size_t salt_length, + const uint8_t *digest, + const mpz_t signature) +{ + int res; + mpz_t m; + + mpz_init (m); + + res = (_rsa_verify_recover(key, m, signature) && + pss_sha512_verify(m, mpz_sizeinbase(key->n, 2) - 1, + salt_length, digest)); + + mpz_clear (m); + return res; +} diff --git a/rsa-verify.c b/rsa-verify.c index 07715e2..43a55d2 100644 --- a/rsa-verify.c +++ b/rsa-verify.c @@ -62,3 +62,17 @@ _rsa_verify(const struct rsa_public_key *key,
return res; } + +int +_rsa_verify_recover(const struct rsa_public_key *key, + mpz_t m, + const mpz_t s) +{ + if ( (mpz_sgn(s) <= 0) + || (mpz_cmp(s, key->n) >= 0) ) + return 0; + + mpz_powm(m, s, key->e, key->n); + + return 1; +} diff --git a/rsa.h b/rsa.h index 6d2574b..2143fcd 100644 --- a/rsa.h +++ b/rsa.h @@ -79,6 +79,12 @@ extern "C" { #define rsa_sha512_sign_digest nettle_rsa_sha512_sign_digest #define rsa_sha512_sign_digest_tr nettle_rsa_sha512_sign_digest_tr #define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest +#define rsa_pss_sha256_sign_digest_tr nettle_rsa_pss_sha256_sign_digest_tr +#define rsa_pss_sha256_verify_digest nettle_rsa_pss_sha256_verify_digest +#define rsa_pss_sha384_sign_digest_tr nettle_rsa_pss_sha384_sign_digest_tr +#define rsa_pss_sha384_verify_digest nettle_rsa_pss_sha384_verify_digest +#define rsa_pss_sha512_sign_digest_tr nettle_rsa_pss_sha512_sign_digest_tr +#define rsa_pss_sha512_verify_digest nettle_rsa_pss_sha512_verify_digest #define rsa_encrypt nettle_rsa_encrypt #define rsa_decrypt nettle_rsa_decrypt #define rsa_decrypt_tr nettle_rsa_decrypt_tr @@ -93,6 +99,7 @@ extern "C" { #define rsa_keypair_from_der nettle_rsa_keypair_from_der #define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp #define _rsa_verify _nettle_rsa_verify +#define _rsa_verify_recover _nettle_rsa_verify_recover #define _rsa_check_size _nettle_rsa_check_size #define _rsa_blind _nettle_rsa_blind #define _rsa_unblind _nettle_rsa_unblind @@ -341,6 +348,49 @@ rsa_sha512_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature);
+/* PSS style signatures */ +int +rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest, + mpz_t s); + +int +rsa_pss_sha256_verify_digest(const struct rsa_public_key *key, + size_t salt_length, + const uint8_t *digest, + const mpz_t signature); + +int +rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest, + mpz_t s); + +int +rsa_pss_sha384_verify_digest(const struct rsa_public_key *key, + size_t salt_length, + const uint8_t *digest, + const mpz_t signature); + +int +rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest, + mpz_t s); + +int +rsa_pss_sha512_verify_digest(const struct rsa_public_key *key, + size_t salt_length, + const uint8_t *digest, + const mpz_t signature); +
/* RSA encryption, using PKCS#1 */ /* These functions uses the v1.5 padding. What should the v2 (OAEP) @@ -480,6 +530,11 @@ _rsa_verify(const struct rsa_public_key *key, const mpz_t m, const mpz_t s);
+int +_rsa_verify_recover(const struct rsa_public_key *key, + mpz_t m, + const mpz_t s); + size_t _rsa_check_size(mpz_t n);
diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make index 2b4499f..27c9e00 100644 --- a/testsuite/.test-rules.make +++ b/testsuite/.test-rules.make @@ -187,6 +187,9 @@ pss-test$(EXEEXT): pss-test.$(OBJEXT) rsa-sign-tr-test$(EXEEXT): rsa-sign-tr-test.$(OBJEXT) $(LINK) rsa-sign-tr-test.$(OBJEXT) $(TEST_OBJS) -o rsa-sign-tr-test$(EXEEXT)
+rsa-pss-sign-tr-test$(EXEEXT): rsa-pss-sign-tr-test.$(OBJEXT) + $(LINK) rsa-pss-sign-tr-test.$(OBJEXT) $(TEST_OBJS) -o rsa-pss-sign-tr-test$(EXEEXT) + rsa-test$(EXEEXT): rsa-test.$(OBJEXT) $(LINK) rsa-test.$(OBJEXT) $(TEST_OBJS) -o rsa-test$(EXEEXT)
diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in index 4a9604f..09feb09 100644 --- a/testsuite/Makefile.in +++ b/testsuite/Makefile.in @@ -36,6 +36,7 @@ TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \ rsa2sexp-test.c sexp2rsa-test.c \ bignum-test.c random-prime-test.c \ pkcs1-test.c pss-test.c rsa-sign-tr-test.c \ + rsa-pss-sign-tr-test.c \ rsa-test.c rsa-encrypt-test.c rsa-keygen-test.c \ dsa-test.c dsa-keygen-test.c \ curve25519-dh-test.c \ diff --git a/testsuite/rsa-pss-sign-tr-test.c b/testsuite/rsa-pss-sign-tr-test.c new file mode 100644 index 0000000..de6c7b1 --- /dev/null +++ b/testsuite/rsa-pss-sign-tr-test.c @@ -0,0 +1,268 @@ +#include "testutils.h" +#include "knuth-lfib.h" + +#define SALT "This is a magic salt" +#define MSG1 "None so blind as those who will not see" +#define MSG2 "Fortune knocks once at every man's door" + +static void +test_rsa_pss_sign_tr(struct rsa_public_key *pub, + struct rsa_private_key *key, + size_t salt_length, const uint8_t *salt, + size_t length, const uint8_t *message, + mpz_t expected) +{ + mpz_t signature; + struct knuth_lfib_ctx lfib; + uint8_t digest[SHA256_DIGEST_SIZE]; + struct sha256_ctx ctx; + + knuth_lfib_init(&lfib, 1111); + + sha256_init(&ctx); + sha256_update(&ctx, length, message); + sha256_digest(&ctx, SHA256_DIGEST_SIZE, digest); + + mpz_init(signature); + + mpz_set_ui (signature, 17); + /* Try bad private key */ + mpz_add_ui(key->p, key->p, 2); + + ASSERT(!rsa_pss_sha256_sign_digest_tr(pub, key, + &lfib, (nettle_random_func *) knuth_lfib_random, + salt_length, salt, + digest, signature)); + + mpz_sub_ui(key->p, key->p, 2); + + ASSERT(!mpz_cmp_ui(signature, 17)); + + /* Try the good private key */ + ASSERT(rsa_pss_sha256_sign_digest_tr(pub, key, + &lfib, (nettle_random_func *) knuth_lfib_random, + salt_length, salt, + digest, signature)); + + if (verbose) + { + fprintf(stderr, "rsa-pss-tr signature: "); + mpz_out_str(stderr, 16, signature); + fprintf(stderr, "\nrsa-pss-tr expected: "); + mpz_out_str(stderr, 16, expected); + fprintf(stderr, "\n"); + } + + ASSERT (mpz_cmp(signature, expected) == 0); +#if 0 + /* Try bad data */ + ASSERT (!rsa_pss_sha256_verify_digest(pub, + salt_length, + (void*)"The magick words" + "The magick words", + signature)); +#endif + /* Try correct data */ + ASSERT (rsa_pss_sha256_verify_digest(pub, salt_length, digest, signature)); + + /* Try bad signature */ + mpz_combit(signature, 17); + ASSERT (!rsa_pss_sha256_verify_digest(pub, salt_length, digest, signature)); + + mpz_clear(signature); +} + + +void +test_main(void) +{ + struct rsa_public_key pub; + struct rsa_private_key key; + mpz_t p1; + mpz_t q1; + struct tstring *salt; + struct tstring *msg; + + mpz_t expected; + + mpz_init(expected); + + mpz_init(p1); + mpz_init(q1); + + rsa_private_key_init(&key); + rsa_public_key_init(&pub); + + test_rsa_set_key_1(&pub, &key); + + /* Test signatures */ + mpz_set_str(expected, + "25e6ce0cc00e917e177a09cb4dfd843d104c179b71aded60e68ebc" + "ca2cabb1e51502adf28e53fa7ede42619f21a1162755b9658edf88" + "a038bb4fea2bb73306fb384d5785c1a8c98a255277c91a4f88ddd3" + "52ebdc78f71f7e62b7a870dac4ab25f1004453457e831a1572f7c9" + "23fcc48e3b69db582127d14471c7195dce", 16); + + test_rsa_pss_sign_tr(&pub, &key, LDATA(SALT), LDATA(MSG1), expected); + + mpz_set_str(expected, + "52f4393ccc92b5672dd3cfd8624765d3a4cdb50c7a92060c33b4663" + "fa545b32ce56ec8cd44fe9720df301906ae40921e844b6d80331194" + "972f98e309c937c887c53da940778f29d52dd9489e6016a07e9aa16" + "b1ea8fefc0860ad69068ad6f94a4b0c8fc8a0797b08c58cf4a8df90" + "ee1375feedf7bf73f16ebb2d1cc7e4", 16); + + test_rsa_pss_sign_tr(&pub, &key, LDATA(SALT), LDATA(MSG2), expected); + + /* 777-bit key, generated by + * + * lsh-keygen -a rsa -l 777 -f advanced-hex + * + * Interesting because the size of n doesn't equal the sum of the + * sizes of p and q. + * + * (private-key (rsa-pkcs1 + * (n #013b04440e3eef25 d51c738d508a7fa8 b3445180c342af0f + * 4cb5a789047300e2 cfc5c5450974cfc2 448aeaaa7f43c374 + * c9a3b038b181f2d1 0f1a2327fd2c087b a49bf1086969fd2c + * d1df3fd69f81fa4b 162cc8bbb363fc95 b7b24b9c53d0c67e + * f52b#) + * (e #3f1a012d#) + * (d #f9bae89dacca6cca c21e0412b4df8355 6fe7c5322bbae8ad + * 3f11494fd12bc076 d4a7da3050fe109d 2074db09cc6a93b4 + * 745479522558379e a0ddfa74f86c9e9e a22c3b0e93d51447 + * 0feb38105dd35395 63b91ee32776f40c 67b2a175690f7abb + * 25#) + * (p #0b73c990eeda0a2a 2c26416052c85560 0c5c0f5ce86a8326 + * 166acea91786237a 7ff884e66dbfdd3a ab9d9801414c1506 + * 8b#) + * (q #1b81c19a62802a41 9c99283331b0badb 08eb0c25ffce0fbf + * 50017850036f32f3 2132a845b91a5236 61f7b451d587383f + * e1#) + * (a #0a912fc93a6cca6b 3521725a3065b3be 3c9745e29c93303d + * 7d29316c6cafa4a2 89945f964fcdea59 1f9d248b0b6734be + * c9#) + * (b #1658eca933251813 1eb19c77aba13d73 e0b8f4ce986d7615 + * 764c6b0b03c18146 46b7f332c43e05c5 351e09006979ca5b + * 05#) + * (c #0114720dace7b27f 2bf2850c1804869f 79a0aad0ec02e6b4 + * 05e1831619db2f10 bb9b6a8fd5c95df2 eb78f303ea0c0cc8 + * 06#))) + */ + + mpz_set_str(pub.n, + "013b04440e3eef25" "d51c738d508a7fa8" "b3445180c342af0f" + "4cb5a789047300e2" "cfc5c5450974cfc2" "448aeaaa7f43c374" + "c9a3b038b181f2d1" "0f1a2327fd2c087b" "a49bf1086969fd2c" + "d1df3fd69f81fa4b" "162cc8bbb363fc95" "b7b24b9c53d0c67e" + "f52b", 16); + + mpz_set_str(pub.e, "3f1a012d", 16); + + ASSERT (rsa_public_key_prepare(&pub)); + + mpz_set_str(key.p, + "0b73c990eeda0a2a" "2c26416052c85560" "0c5c0f5ce86a8326" + "166acea91786237a" "7ff884e66dbfdd3a" "ab9d9801414c1506" + "8b", 16); + + mpz_set_str(key.q, + "1b81c19a62802a41" "9c99283331b0badb" "08eb0c25ffce0fbf" + "50017850036f32f3" "2132a845b91a5236" "61f7b451d587383f" + "e1", 16); + + mpz_set_str(key.a, + "0a912fc93a6cca6b" "3521725a3065b3be" "3c9745e29c93303d" + "7d29316c6cafa4a2" "89945f964fcdea59" "1f9d248b0b6734be" + "c9", 16); + + mpz_set_str(key.b, + "1658eca933251813" "1eb19c77aba13d73" "e0b8f4ce986d7615" + "764c6b0b03c18146" "46b7f332c43e05c5" "351e09006979ca5b" + "05", 16); + + mpz_set_str(key.c, + "0114720dace7b27f" "2bf2850c1804869f" "79a0aad0ec02e6b4" + "05e1831619db2f10" "bb9b6a8fd5c95df2" "eb78f303ea0c0cc8" + "06", 16); + + ASSERT (rsa_private_key_prepare(&key)); + ASSERT (pub.size == key.size); + + /* Test signatures */ + mpz_set_str(expected, + "1a4d28331341cabf7ac85bc59a58d439b7ec2c607c6a74e35b5909" + "1dfa3d9de9fde93e4a431f0f768bec07c39995d253209f86e3dc84" + "037ecd5d23d963fab4fa8a001e018d82cb19d743a94ba7dc7a821e" + "87b72e67a0fe058f956208f7060dc104", 16); + + test_rsa_pss_sign_tr(&pub, &key, LDATA(SALT), LDATA(MSG1), expected); + + /* From FIPS 186-2 */ + mpz_set_str(pub.n, + "be499b5e7f06c83f" "a0293e31465c8eb6" "b58af920bae52a7b" + "5b9bfeb7aa72db12" "64112eb3fd431d31" "a2a7e50941566929" + "494a0e891ed56139" "18b4b51b0d1fb977" "83b26acf7d0f384c" + "fb35f4d2824f5dd3" "80623a26bf180b63" "961c619dcdb20cae" + "406f22f6e276c80a" "37259490cfeb72c1" "a71a84f1846d3308" + "77ba3e3101ec9c7b" , 16); + + mpz_set_str(pub.e, "11", 16); + + ASSERT (rsa_public_key_prepare(&pub)); + + mpz_set_str(key.p, + "e7a80c5d211c06ac" "b900939495f26d36" "5fc2b4825b75e356" + "f89003eaa5931e6b" "e5c3f7e6a633ad59" "db6289d06c354c23" + "5e739a1e3f3d39fb" "40d1ffb9cb44288f", 16); + + mpz_set_str(key.q, + "d248aa248000f720" "258742da67b71194" "0c8f76e1ecd52b67" + "a6ffe1e49354d66f" "f84fa601804743f5" "838da2ed4693a5a2" + "8658d6528cc1803b" "f6c8dc73c5230b55", 16); + + mpz_set_str(key.d, + "0d0f17362bdad181" "db4e1fe03e8de1a3" "208989914e14bf26" + "9558826bfa20faf4" "b68dba6bb989a01f" "03a21c44665dc5f6" + "48cb5b59b954eb10" "77a80263bd22cdfb" "88d39164b7404f4f" + "1106ee01cf60b776" "95748d8fdaf9fd42" "8963fe75144010b1" + "934c8e26a8823967" "2cf49b3422a07c4d" "834ba208d570fe40" + "8e7095c90547e68d", 16); + + /* a = d % (p-1) */ + mpz_sub_ui(p1, key.p, 1); + mpz_fdiv_r(key.a, key.d, p1); + mpz_clear(p1); + + /* b = d % (q-1) */ + mpz_sub_ui(q1, key.q, 1); + mpz_fdiv_r(key.b, key.d, q1); + mpz_clear(q1); + + /* c = q^{-1} (mod p) */ + mpz_invert(key.c, key.q, key.p); + + ASSERT (rsa_private_key_prepare(&key)); + ASSERT (pub.size == key.size); + + mpz_set_str(expected, + "11e169f2fd40b07641b9768a2ab19965fb6c27f10fcf0323fcc6d1" + "2eb4f1c06b330ddaa1ea504407afa29de9ebe0374fe9d1e7d0ffbd" + "5fc1cf3a3446e4145415d2ab24f789b3464c5c43a256bbc1d692cf" + "7f04801dac5bb401a4a03ab7d5728a860c19e1a4dc797ca542c820" + "3cec2e601eb0c51f567f2eda022b0b9ebddeeefa", 16); + + salt = SHEX("11223344555432167890"); + msg = SHEX("c7f5270fca725f9bd19f519a8d7cca3cc5c079024029f3bae510f9" + "b02140fe238908e4f6c18f07a89c687c8684669b1f1db2baf9251a" + "3c829faccb493084e16ec9e28d58868074a5d6221667dd6e528d16" + "fe2c9f3db4cfaf6c4dce8c8439af38ceaaaa9ce2ecae7bc8f4a5a5" + "5e3bf96df9cd575c4f9cb327951b8cdfe4087168"); + + test_rsa_pss_sign_tr(&pub, &key, salt->length, salt->data, + msg->length, msg->data, expected); + + rsa_private_key_clear(&key); + rsa_public_key_clear(&pub); + mpz_clear(expected); +}
Daiki Ueno ueno@gnu.org writes:
This series of patches implements the RSA-PSS signature scheme, as specified in RFC 3447. To keep the interface minimal but to allow TLS 1.3 implementations on top of this, only SHA256/384/512 variants are provided.
Thanks! Sorry I've been a bit offline and not able to comment earlier.
The prototypes of the top-level functions are as follows:
int rsa_pss_shaXXX_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s);
Are you confident all pieces are side-channel silent, as indicated by the _tr suffix? It's possible to do some testing of that using valgrind; that's not done as thoroughly as I'd like, but one example is in testsuite/memeql-test.c.
For MGF, "mask generation function 1" backed by the same hash algorithm is always used, as indicated in [1]. I thought it might make sense to provide more flexible variants, such as rsa_pss_{sign_tr,verify} analogous to rsa_pkcs1_*, but realized that parsing ASN.1 encoded parameters would require extra complexity.
There's some asn.1 parsing code in nettle, see asn1.h, but I agree it's preferable to not have sign or verify functions depend on that.
Suggestions appreciated.
I'm writing some more detailed comments as replies to the other patch emails.
Regards, /Niels
On Sun, 2017-03-12 at 11:21 +0100, Niels Möller wrote:
The prototypes of the top-level functions are as follows:
int rsa_pss_shaXXX_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s);
Are you confident all pieces are side-channel silent, as indicated by the _tr suffix? It's possible to do some testing of that using valgrind; that's not done as thoroughly as I'd like, but one example is in testsuite/memeql-test.c.
I think it would be quite an interesting experiment testing for RSA contant time (PSS or not). I do not believe that the current counter- measures would really make it constant time, though I've never tested it.
There are tools which can assist in that checking: https://github.com/oreparaz/dudect https://github.com/agl/ctgrind
regards, Nikos
nisse@lysator.liu.se (Niels Möller) writes:
Daiki Ueno ueno@gnu.org writes:
This series of patches implements the RSA-PSS signature scheme, as specified in RFC 3447. To keep the interface minimal but to allow TLS 1.3 implementations on top of this, only SHA256/384/512 variants are provided.
Thanks! Sorry I've been a bit offline and not able to comment earlier.
No problem, thank you for the thorough review. I will send an update of the patches reflecting the comments.
The prototypes of the top-level functions are as follows:
int rsa_pss_shaXXX_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s);
Are you confident all pieces are side-channel silent, as indicated by the _tr suffix?
Yes, I think so, at least for the PSS encoding functions, as long as all underlying constructs (hashes, memxor, etc) are side-channel silent.
It's possible to do some testing of that using valgrind; that's not done as thoroughly as I'd like, but one example is in testsuite/memeql-test.c.
Thank you for the tip. I have added a similar client requests for SALT and DIGEST in pss-test.c, and confirmed that valgrind didn't report any "... depends on uninitialized value(s)" error.
Regards,
nettle-bugs@lists.lysator.liu.se
-
Daiki Ueno -
Nikos Mavrogiannopoulos -
nisse@lysator.liu.se