From aa4bae5ae9a278776b27fe817a988702ab0e9e3f Mon Sep 17 00:00:00 2001 From: Steffen Jaeckel Date: Wed, 1 Mar 2017 17:51:04 +0100 Subject: [PATCH 1/2] add option to do PKCS#1 v1.5 EMSA without ASN.1 around hash Somehow someone forgot to add the OID in the signature field of a SERVER_KEY_EXCHANGE message in early versions of the SSL protocol. Therefore provide an option to be able to sign/verify a message in that format. --- src/headers/tomcrypt_pkcs.h | 3 +- src/pk/rsa/rsa_sign_hash.c | 76 +++++++++++++++++++-------------- src/pk/rsa/rsa_verify_hash.c | 83 ++++++++++++++++++++---------------- 3 files changed, 94 insertions(+), 68 deletions(-) diff --git a/src/headers/tomcrypt_pkcs.h b/src/headers/tomcrypt_pkcs.h index dae3490..afa3c38 100644 --- a/src/headers/tomcrypt_pkcs.h +++ b/src/headers/tomcrypt_pkcs.h @@ -13,7 +13,8 @@ enum ltc_pkcs_1_paddings { LTC_PKCS_1_V1_5 = 1, /* PKCS #1 v1.5 padding (\sa ltc_pkcs_1_v1_5_blocks) */ LTC_PKCS_1_OAEP = 2, /* PKCS #1 v2.0 encryption padding */ - LTC_PKCS_1_PSS = 3 /* PKCS #1 v2.1 signature padding */ + LTC_PKCS_1_PSS = 3, /* PKCS #1 v2.1 signature padding */ + LTC_PKCS_1_V1_5_NA1 = 4 /* PKCS #1 v1.5 padding - No ASN.1 (\sa ltc_pkcs_1_v1_5_blocks) */ }; int pkcs_1_mgf1( int hash_idx, diff --git a/src/pk/rsa/rsa_sign_hash.c b/src/pk/rsa/rsa_sign_hash.c index 46d5c9f..b7baaf9 100644 --- a/src/pk/rsa/rsa_sign_hash.c +++ b/src/pk/rsa/rsa_sign_hash.c @@ -23,7 +23,7 @@ @param inlen The length of the hash to sign (octets) @param out [out] The signature @param outlen [in/out] The max size and resulting size of the signature - @param padding Type of padding (LTC_PKCS_1_PSS or LTC_PKCS_1_V1_5) + @param padding Type of padding (LTC_PKCS_1_PSS, LTC_PKCS_1_V1_5 or LTC_PKCS_1_V1_5_NA1) @param prng An active PRNG state @param prng_idx The index of the PRNG desired @param hash_idx The index of the hash desired @@ -47,15 +47,21 @@ int rsa_sign_hash_ex(const unsigned char *in, unsigned long inlen, LTC_ARGCHK(key != NULL); /* valid padding? */ - if ((padding != LTC_PKCS_1_V1_5) && (padding != LTC_PKCS_1_PSS)) { + if ((padding != LTC_PKCS_1_V1_5) && + (padding != LTC_PKCS_1_PSS) && + (padding != LTC_PKCS_1_V1_5_NA1)) { return CRYPT_PK_INVALID_PADDING; } if (padding == LTC_PKCS_1_PSS) { - /* valid prng and hash ? */ + /* valid prng ? */ if ((err = prng_is_valid(prng_idx)) != CRYPT_OK) { return err; } + } + + if (padding != LTC_PKCS_1_V1_5_NA1) { + /* valid hash ? */ if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) { return err; } @@ -81,46 +87,54 @@ int rsa_sign_hash_ex(const unsigned char *in, unsigned long inlen, } else { /* PKCS #1 v1.5 pad the hash */ unsigned char *tmpin; - ltc_asn1_list digestinfo[2], siginfo[2]; - /* not all hashes have OIDs... so sad */ - if (hash_descriptor[hash_idx].OIDlen == 0) { - return CRYPT_INVALID_ARG; - } + if (padding == LTC_PKCS_1_V1_5) { + ltc_asn1_list digestinfo[2], siginfo[2]; + /* not all hashes have OIDs... so sad */ + if (hash_descriptor[hash_idx].OIDlen == 0) { + return CRYPT_INVALID_ARG; + } /* construct the SEQUENCE - SEQUENCE { - SEQUENCE {hashoid OID - blah NULL - } + SEQUENCE { + SEQUENCE {hashoid OID + blah NULL + } hash OCTET STRING + } + */ + LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, hash_descriptor[hash_idx].OID, hash_descriptor[hash_idx].OIDlen); + LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL, NULL, 0); + LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 2); + LTC_SET_ASN1(siginfo, 1, LTC_ASN1_OCTET_STRING, in, inlen); + + /* allocate memory for the encoding */ + y = mp_unsigned_bin_size(key->N); + tmpin = XMALLOC(y); + if (tmpin == NULL) { + return CRYPT_MEM; } - */ - LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, hash_descriptor[hash_idx].OID, hash_descriptor[hash_idx].OIDlen); - LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL, NULL, 0); - LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 2); - LTC_SET_ASN1(siginfo, 1, LTC_ASN1_OCTET_STRING, in, inlen); - /* allocate memory for the encoding */ - y = mp_unsigned_bin_size(key->N); - tmpin = XMALLOC(y); - if (tmpin == NULL) { - return CRYPT_MEM; - } - - if ((err = der_encode_sequence(siginfo, 2, tmpin, &y)) != CRYPT_OK) { - XFREE(tmpin); - return err; + if ((err = der_encode_sequence(siginfo, 2, tmpin, &y)) != CRYPT_OK) { + XFREE(tmpin); + return err; + } + } else { + /* set the pointer and data-length to the input values */ + tmpin = (unsigned char *)in; + y = inlen; } x = *outlen; - if ((err = pkcs_1_v1_5_encode(tmpin, y, LTC_PKCS_1_EMSA, - modulus_bitlen, NULL, 0, - out, &x)) != CRYPT_OK) { + err = pkcs_1_v1_5_encode(tmpin, y, LTC_PKCS_1_EMSA, modulus_bitlen, NULL, 0, out, &x); + + if (padding == LTC_PKCS_1_V1_5) { XFREE(tmpin); + } + + if (err != CRYPT_OK) { return err; } - XFREE(tmpin); } /* RSA encode it */ diff --git a/src/pk/rsa/rsa_verify_hash.c b/src/pk/rsa/rsa_verify_hash.c index 9a425cd..c6529f9 100644 --- a/src/pk/rsa/rsa_verify_hash.c +++ b/src/pk/rsa/rsa_verify_hash.c @@ -23,7 +23,7 @@ @param siglen The length of the signature data (octets) @param hash The hash of the message that was signed @param hashlen The length of the hash of the message that was signed (octets) - @param padding Type of padding (LTC_PKCS_1_PSS or LTC_PKCS_1_V1_5) + @param padding Type of padding (LTC_PKCS_1_PSS, LTC_PKCS_1_V1_5 or LTC_PKCS_1_V1_5_NA1) @param hash_idx The index of the desired hash @param saltlen The length of the salt used during signature @param stat [out] The result of the signature comparison, 1==valid, 0==invalid @@ -51,11 +51,12 @@ int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen, /* valid padding? */ if ((padding != LTC_PKCS_1_V1_5) && - (padding != LTC_PKCS_1_PSS)) { + (padding != LTC_PKCS_1_PSS) && + (padding != LTC_PKCS_1_V1_5_NA1)) { return CRYPT_PK_INVALID_PADDING; } - if (padding == LTC_PKCS_1_PSS) { + if (padding != LTC_PKCS_1_V1_5_NA1) { /* valid hash ? */ if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) { return err; @@ -103,15 +104,8 @@ int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen, } else { /* PKCS #1 v1.5 decode it */ unsigned char *out; - unsigned long outlen, loid[16], reallen; + unsigned long outlen; int decoded; - ltc_asn1_list digestinfo[2], siginfo[2]; - - /* not all hashes have OIDs... so sad */ - if (hash_descriptor[hash_idx].OIDlen == 0) { - err = CRYPT_INVALID_ARG; - goto bail_2; - } /* allocate temp buffer for decoded hash */ outlen = ((modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0)) - 3; @@ -126,37 +120,54 @@ int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen, goto bail_2; } - /* now we must decode out[0...outlen-1] using ASN.1, test the OID and then test the hash */ - /* construct the SEQUENCE - SEQUENCE { - SEQUENCE {hashoid OID - blah NULL - } - hash OCTET STRING + if (padding == LTC_PKCS_1_V1_5) { + unsigned long loid[16], reallen; + ltc_asn1_list digestinfo[2], siginfo[2]; + + /* not all hashes have OIDs... so sad */ + if (hash_descriptor[hash_idx].OIDlen == 0) { + err = CRYPT_INVALID_ARG; + goto bail_2; } - */ - LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, loid, sizeof(loid)/sizeof(loid[0])); - LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL, NULL, 0); - LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 2); - LTC_SET_ASN1(siginfo, 1, LTC_ASN1_OCTET_STRING, tmpbuf, siglen); - if ((err = der_decode_sequence(out, outlen, siginfo, 2)) != CRYPT_OK) { - XFREE(out); - goto bail_2; - } + /* now we must decode out[0...outlen-1] using ASN.1, test the OID and then test the hash */ + /* construct the SEQUENCE + SEQUENCE { + SEQUENCE {hashoid OID + blah NULL + } + hash OCTET STRING + } + */ + LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, loid, sizeof(loid)/sizeof(loid[0])); + LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL, NULL, 0); + LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 2); + LTC_SET_ASN1(siginfo, 1, LTC_ASN1_OCTET_STRING, tmpbuf, siglen); - if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) { - XFREE(out); - goto bail_2; - } + if ((err = der_decode_sequence(out, outlen, siginfo, 2)) != CRYPT_OK) { + XFREE(out); + goto bail_2; + } - /* test OID */ - if ((reallen == outlen) && - (digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) && + if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) { + XFREE(out); + goto bail_2; + } + + /* test OID */ + if ((reallen == outlen) && + (digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) && (XMEM_NEQ(digestinfo[0].data, hash_descriptor[hash_idx].OID, sizeof(unsigned long) * hash_descriptor[hash_idx].OIDlen) == 0) && - (siginfo[1].size == hashlen) && + (siginfo[1].size == hashlen) && (XMEM_NEQ(siginfo[1].data, hash, hashlen) == 0)) { - *stat = 1; + *stat = 1; + } + } else { + /* only check if the hash is equal */ + if ((hashlen == outlen) && + (XMEMCMP(out, hash, hashlen) == 0)) { + *stat = 1; + } } #ifdef LTC_CLEAN_STACK From f00f8572244ae0bbc40e4db552ad73e1afa819c3 Mon Sep 17 00:00:00 2001 From: Karel Miko Date: Tue, 14 Mar 2017 16:33:24 +0100 Subject: [PATCH 2/2] tests for rsa_sign|verify with LTC_PKCS_1_V1_5_NA1 --- testprof/rsa_test.c | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/testprof/rsa_test.c b/testprof/rsa_test.c index 55db842..94bce20 100644 --- a/testprof/rsa_test.c +++ b/testprof/rsa_test.c @@ -109,17 +109,48 @@ static const unsigned char openssl_public_rsa_stripped[] = { 0x60, 0x3f, 0x8b, 0x54, 0x3a, 0xc3, 0x4d, 0x31, 0xe7, 0x94, 0xa4, 0x44, 0xfd, 0x02, 0x03, 0x01, 0x00, 0x01, }; + +/* generated with the private key above as: + echo -n 'test' | openssl rsautl -sign -inkey rsa_private.pem -pkcs -hexdump + */ +static const unsigned char openssl_rsautl_pkcs[] = { + 0x24, 0xef, 0x54, 0xea, 0x1a, 0x12, 0x0c, 0xf4, 0x04, 0x0c, 0x48, 0xc8, 0xe8, 0x17, 0xd2, 0x6f, + 0xc3, 0x41, 0xb3, 0x97, 0x5c, 0xbc, 0xa3, 0x2d, 0x21, 0x00, 0x10, 0x0e, 0xbb, 0xf7, 0x30, 0x21, + 0x7e, 0x12, 0xd2, 0xdf, 0x26, 0x28, 0xd8, 0x0f, 0x6d, 0x4d, 0xc8, 0x4d, 0xa8, 0x78, 0xe7, 0x03, + 0xee, 0xbc, 0x68, 0xba, 0x98, 0xea, 0xe9, 0xb6, 0x06, 0x8d, 0x85, 0x5b, 0xdb, 0xa6, 0x49, 0x86, + 0x6f, 0xc7, 0x3d, 0xe0, 0x53, 0x83, 0xe0, 0xea, 0xb1, 0x08, 0x6a, 0x7b, 0xbd, 0xeb, 0xb5, 0x4a, + 0xdd, 0xbc, 0x64, 0x97, 0x8c, 0x17, 0x20, 0xa3, 0x5c, 0xd4, 0xb8, 0x87, 0x43, 0xc5, 0x13, 0xad, + 0x41, 0x6e, 0x45, 0x41, 0x32, 0xd4, 0x09, 0x12, 0x7f, 0xdc, 0x59, 0x1f, 0x28, 0x3f, 0x1e, 0xbc, + 0xef, 0x57, 0x23, 0x4b, 0x3a, 0xa3, 0x24, 0x91, 0x4d, 0xfb, 0xb2, 0xd4, 0xe7, 0x5e, 0x41, 0x7e, +}; + extern const unsigned char _der_tests_cacert_root_cert[]; extern const unsigned long _der_tests_cacert_root_cert_size; static int rsa_compat_test(void) { - rsa_key key; + rsa_key key, pubkey; + int stat; unsigned char buf[1024]; unsigned long len; /* try reading the key */ DO(rsa_import(openssl_private_rsa, sizeof(openssl_private_rsa), &key)); + DO(rsa_import(openssl_public_rsa, sizeof(openssl_public_rsa), &pubkey)); + + /* sign-verify a message with PKCS #1 v1.5 no ASN.1 */ + len = sizeof(buf); + DO(rsa_sign_hash_ex((unsigned char*)"test", 4, buf, &len, LTC_PKCS_1_V1_5_NA1, NULL, 0, 0, 0, &key)); + if (len != sizeof(openssl_rsautl_pkcs) || memcmp(buf, openssl_rsautl_pkcs, len)) { + fprintf(stderr, "RSA rsa_sign_hash_ex + LTC_PKCS_1_V1_5_NA1 failed\n"); + return 1; + } + stat = 0; + DO(rsa_verify_hash_ex(openssl_rsautl_pkcs, sizeof(openssl_rsautl_pkcs), (unsigned char*)"test", 4, LTC_PKCS_1_V1_5_NA1, 0, 0, &stat, &pubkey)); + if (stat != 1) { + fprintf(stderr, "RSA rsa_verify_hash_ex + LTC_PKCS_1_V1_5_NA1 failed\n"); + return 1; + } /* now try to export private/public and compare */ len = sizeof(buf);