diff --git a/ChangeLog b/ChangeLog
index 7543e5ac6d09c0358edc6b5c752e36ac5338246e..c2dac5935e98a02e99714333e1e287569a5c4d79 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2012-06-03 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/pkcs1-test.c (test_main): Include leading zero in
+ expected result.
+
+ * pkcs1.c (pkcs1_signature_prefix): Return pointer to where the
+ digest should be written. Let the size input be the key size in
+ octets, rather then key size - 1.
+ * pkcs1-rsa-*.c: Updated for above.
+ * rsa-*-sign.c, rsa-*-verify.c: Pass key->size, not key->size - 1.
+
2012-05-18 Niels Möller <nisse@lysator.liu.se>
* pkcs1-encrypt.c (pkcs1_encrypt): New file and function.
diff --git a/pkcs1-rsa-md5.c b/pkcs1-rsa-md5.c
index 8284f4f244b904e115dbb2619fe94ffbb2eb42db..d9259822992fd79f9d8af68ac50180acd5a37feb 100644
--- a/pkcs1-rsa-md5.c
+++ b/pkcs1-rsa-md5.c
@@ -62,18 +62,20 @@ md5_prefix[] =
};
int
-pkcs1_rsa_md5_encode(mpz_t m, unsigned size, struct md5_ctx *hash)
+pkcs1_rsa_md5_encode(mpz_t m, unsigned key_size, struct md5_ctx *hash)
{
+ uint8_t *p;
TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE);
- TMP_ALLOC(em, size);
+ TMP_ALLOC(em, key_size);
- if (pkcs1_signature_prefix(size, em,
+ p = pkcs1_signature_prefix(key_size, em,
sizeof(md5_prefix),
md5_prefix,
- MD5_DIGEST_SIZE))
+ MD5_DIGEST_SIZE);
+ if (p)
{
- md5_digest(hash, MD5_DIGEST_SIZE, em + size - MD5_DIGEST_SIZE);
- nettle_mpz_set_str_256_u(m, size, em);
+ md5_digest(hash, MD5_DIGEST_SIZE, p);
+ nettle_mpz_set_str_256_u(m, key_size, em);
return 1;
}
else
@@ -81,18 +83,20 @@ pkcs1_rsa_md5_encode(mpz_t m, unsigned size, struct md5_ctx *hash)
}
int
-pkcs1_rsa_md5_encode_digest(mpz_t m, unsigned size, const uint8_t *digest)
+pkcs1_rsa_md5_encode_digest(mpz_t m, unsigned key_size, const uint8_t *digest)
{
+ uint8_t *p;
TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE);
- TMP_ALLOC(em, size);
+ TMP_ALLOC(em, key_size);
- if (pkcs1_signature_prefix(size, em,
+ p = pkcs1_signature_prefix(key_size, em,
sizeof(md5_prefix),
md5_prefix,
- MD5_DIGEST_SIZE))
+ MD5_DIGEST_SIZE);
+ if (p)
{
- memcpy(em + size - MD5_DIGEST_SIZE, digest, MD5_DIGEST_SIZE);
- nettle_mpz_set_str_256_u(m, size, em);
+ memcpy(p, digest, MD5_DIGEST_SIZE);
+ nettle_mpz_set_str_256_u(m, key_size, em);
return 1;
}
else
diff --git a/pkcs1-rsa-sha1.c b/pkcs1-rsa-sha1.c
index 78143a770ead26c0c4a96ee1b6a02a44cd135e29..427a5adee75763f97148dd5e9218e2d6d2bfab83 100644
--- a/pkcs1-rsa-sha1.c
+++ b/pkcs1-rsa-sha1.c
@@ -62,18 +62,20 @@ sha1_prefix[] =
};
int
-pkcs1_rsa_sha1_encode(mpz_t m, unsigned size, struct sha1_ctx *hash)
+pkcs1_rsa_sha1_encode(mpz_t m, unsigned key_size, struct sha1_ctx *hash)
{
+ uint8_t *p;
TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE);
- TMP_ALLOC(em, size);
+ TMP_ALLOC(em, key_size);
- if (pkcs1_signature_prefix(size, em,
+ p = pkcs1_signature_prefix(key_size, em,
sizeof(sha1_prefix),
sha1_prefix,
- SHA1_DIGEST_SIZE))
+ SHA1_DIGEST_SIZE);
+ if (p)
{
- sha1_digest(hash, SHA1_DIGEST_SIZE, em + size - SHA1_DIGEST_SIZE);
- nettle_mpz_set_str_256_u(m, size, em);
+ sha1_digest(hash, SHA1_DIGEST_SIZE, p);
+ nettle_mpz_set_str_256_u(m, key_size, em);
return 1;
}
else
@@ -81,18 +83,20 @@ pkcs1_rsa_sha1_encode(mpz_t m, unsigned size, struct sha1_ctx *hash)
}
int
-pkcs1_rsa_sha1_encode_digest(mpz_t m, unsigned size, const uint8_t *digest)
+pkcs1_rsa_sha1_encode_digest(mpz_t m, unsigned key_size, const uint8_t *digest)
{
+ uint8_t *p;
TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE);
- TMP_ALLOC(em, size);
+ TMP_ALLOC(em, key_size);
- if (pkcs1_signature_prefix(size, em,
+ p = pkcs1_signature_prefix(key_size, em,
sizeof(sha1_prefix),
sha1_prefix,
- SHA1_DIGEST_SIZE))
+ SHA1_DIGEST_SIZE);
+ if (p)
{
- memcpy(em + size - SHA1_DIGEST_SIZE, digest, SHA1_DIGEST_SIZE);
- nettle_mpz_set_str_256_u(m, size, em);
+ memcpy(p, digest, SHA1_DIGEST_SIZE);
+ nettle_mpz_set_str_256_u(m, key_size, em);
return 1;
}
else
diff --git a/pkcs1-rsa-sha256.c b/pkcs1-rsa-sha256.c
index a02a3e9529199e1c11e92487014ccc1045b2e682..e3f0797d9fcc3c8c5e921c52e4caf3974858b8f0 100644
--- a/pkcs1-rsa-sha256.c
+++ b/pkcs1-rsa-sha256.c
@@ -60,18 +60,20 @@ sha256_prefix[] =
};
int
-pkcs1_rsa_sha256_encode(mpz_t m, unsigned size, struct sha256_ctx *hash)
+pkcs1_rsa_sha256_encode(mpz_t m, unsigned key_size, struct sha256_ctx *hash)
{
+ uint8_t *p;
TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE);
- TMP_ALLOC(em, size);
+ TMP_ALLOC(em, key_size);
- if (pkcs1_signature_prefix(size, em,
+ p = pkcs1_signature_prefix(key_size, em,
sizeof(sha256_prefix),
sha256_prefix,
- SHA256_DIGEST_SIZE))
+ SHA256_DIGEST_SIZE);
+ if (p)
{
- sha256_digest(hash, SHA256_DIGEST_SIZE, em + size - SHA256_DIGEST_SIZE);
- nettle_mpz_set_str_256_u(m, size, em);
+ sha256_digest(hash, SHA256_DIGEST_SIZE, p);
+ nettle_mpz_set_str_256_u(m, key_size, em);
return 1;
}
else
@@ -79,18 +81,20 @@ pkcs1_rsa_sha256_encode(mpz_t m, unsigned size, struct sha256_ctx *hash)
}
int
-pkcs1_rsa_sha256_encode_digest(mpz_t m, unsigned size, const uint8_t *digest)
+pkcs1_rsa_sha256_encode_digest(mpz_t m, unsigned key_size, const uint8_t *digest)
{
+ uint8_t *p;
TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE);
- TMP_ALLOC(em, size);
+ TMP_ALLOC(em, key_size);
- if (pkcs1_signature_prefix(size, em,
+ p = pkcs1_signature_prefix(key_size, em,
sizeof(sha256_prefix),
sha256_prefix,
- SHA256_DIGEST_SIZE))
+ SHA256_DIGEST_SIZE);
+ if (p)
{
- memcpy(em + size - SHA256_DIGEST_SIZE, digest, SHA256_DIGEST_SIZE);
- nettle_mpz_set_str_256_u(m, size, em);
+ memcpy(p, digest, SHA256_DIGEST_SIZE);
+ nettle_mpz_set_str_256_u(m, key_size, em);
return 1;
}
else
diff --git a/pkcs1-rsa-sha512.c b/pkcs1-rsa-sha512.c
index df7520e5224760847886ee7c6b8b7ff8ff5e0493..ddf627691b4f4ac92505afcbf7d7abfaf396673a 100644
--- a/pkcs1-rsa-sha512.c
+++ b/pkcs1-rsa-sha512.c
@@ -60,19 +60,20 @@ sha512_prefix[] =
};
int
-pkcs1_rsa_sha512_encode(mpz_t m, unsigned size, struct sha512_ctx *hash)
+pkcs1_rsa_sha512_encode(mpz_t m, unsigned key_size, struct sha512_ctx *hash)
{
+ uint8_t *p;
TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE);
- TMP_ALLOC(em, size);
+ TMP_ALLOC(em, key_size);
- if (pkcs1_signature_prefix(size, em,
+ p = pkcs1_signature_prefix(key_size, em,
sizeof(sha512_prefix),
sha512_prefix,
- SHA512_DIGEST_SIZE))
+ SHA512_DIGEST_SIZE);
+ if (p)
{
- sha512_digest(hash, SHA512_DIGEST_SIZE,
- em + size - SHA512_DIGEST_SIZE);
- nettle_mpz_set_str_256_u(m, size, em);
+ sha512_digest(hash, SHA512_DIGEST_SIZE, p);
+ nettle_mpz_set_str_256_u(m, key_size, em);
return 1;
}
else
@@ -80,18 +81,20 @@ pkcs1_rsa_sha512_encode(mpz_t m, unsigned size, struct sha512_ctx *hash)
}
int
-pkcs1_rsa_sha512_encode_digest(mpz_t m, unsigned size, const uint8_t *digest)
+pkcs1_rsa_sha512_encode_digest(mpz_t m, unsigned key_size, const uint8_t *digest)
{
+ uint8_t *p;
TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE);
- TMP_ALLOC(em, size);
+ TMP_ALLOC(em, key_size);
- if (pkcs1_signature_prefix(size, em,
+ p = pkcs1_signature_prefix(key_size, em,
sizeof(sha512_prefix),
sha512_prefix,
- SHA512_DIGEST_SIZE))
+ SHA512_DIGEST_SIZE);
+ if (p)
{
- memcpy(em + size - SHA512_DIGEST_SIZE, digest, SHA512_DIGEST_SIZE);
- nettle_mpz_set_str_256_u(m, size, em);
+ memcpy(p, digest, SHA512_DIGEST_SIZE);
+ nettle_mpz_set_str_256_u(m, key_size, em);
return 1;
}
else
diff --git a/pkcs1.c b/pkcs1.c
index 757017f9fd185b765d1b726ac785f78c582a9240..4b73d35c4da9ee36f2516461255122884f03cd00 100644
--- a/pkcs1.c
+++ b/pkcs1.c
@@ -34,13 +34,13 @@
/* Formats the PKCS#1 padding, of the form
*
- * 0x01 0xff ... 0xff 0x00 id ...digest...
+ * 0x00 0x01 0xff ... 0xff 0x00 id ...digest...
*
* where the 0xff ... 0xff part consists of at least 8 octets. The
- * total size should be one less than the octet size of n.
+ * total size equals the octet size of n.
*/
-int
-pkcs1_signature_prefix(unsigned size,
+uint8_t *
+pkcs1_signature_prefix(unsigned key_size,
uint8_t *buffer,
unsigned id_size,
const uint8_t *id,
@@ -48,17 +48,18 @@ pkcs1_signature_prefix(unsigned size,
{
unsigned j;
- if (size < 10 + id_size + digest_size)
- return 0;
+ if (key_size < 11 + id_size + digest_size)
+ return NULL;
- j = size - digest_size - id_size;
+ j = key_size - digest_size - id_size;
memcpy (buffer + j, id, id_size);
- buffer[0] = 1;
- buffer[--j] = 0;
+ buffer[0] = 0;
+ buffer[1] = 1;
+ buffer[j-1] = 0;
- assert(j >= 9);
- memset(buffer + 1, 0xff, j - 1);
+ assert(j >= 11);
+ memset(buffer + 2, 0xff, j - 3);
- return 1;
+ return buffer + j + id_size;
}
diff --git a/pkcs1.h b/pkcs1.h
index 68de0b7d769894e818b41517be4e3de2c7e596ce..2f6251e25799683db35127091a68a48e630ec9c8 100644
--- a/pkcs1.h
+++ b/pkcs1.h
@@ -51,8 +51,8 @@ struct sha1_ctx;
struct sha256_ctx;
struct sha512_ctx;
-int
-pkcs1_signature_prefix(unsigned size,
+uint8_t *
+pkcs1_signature_prefix(unsigned key_size,
uint8_t *buffer,
unsigned id_size,
const uint8_t *id,
diff --git a/rsa-md5-sign.c b/rsa-md5-sign.c
index f13ce0644b1d689e23785b376dc04a7a28aefec2..fbd433c73338a3e6cd671f59a3b30b58fa33d741 100644
--- a/rsa-md5-sign.c
+++ b/rsa-md5-sign.c
@@ -39,9 +39,7 @@ rsa_md5_sign(const struct rsa_private_key *key,
struct md5_ctx *hash,
mpz_t s)
{
- assert(key->size > 0);
-
- if (pkcs1_rsa_md5_encode(s, key->size - 1, hash))
+ if (pkcs1_rsa_md5_encode(s, key->size, hash))
{
rsa_compute_root(key, s, s);
return 1;
@@ -58,9 +56,7 @@ rsa_md5_sign_digest(const struct rsa_private_key *key,
const uint8_t *digest,
mpz_t s)
{
- assert(key->size > 0);
-
- if (pkcs1_rsa_md5_encode_digest(s, key->size - 1, digest))
+ if (pkcs1_rsa_md5_encode_digest(s, key->size, digest))
{
rsa_compute_root(key, s, s);
return 1;
diff --git a/rsa-md5-verify.c b/rsa-md5-verify.c
index 3de121588d5bfbf7418dc801f8c7824e2207b539..0e9bcc1ed113a115e24dc12d782568866e606205 100644
--- a/rsa-md5-verify.c
+++ b/rsa-md5-verify.c
@@ -42,10 +42,9 @@ rsa_md5_verify(const struct rsa_public_key *key,
int res;
mpz_t m;
- assert(key->size > 0);
mpz_init(m);
- res = (pkcs1_rsa_md5_encode(m, key->size - 1, hash)
+ res = (pkcs1_rsa_md5_encode(m, key->size, hash)
&& _rsa_verify(key, m, s));
mpz_clear(m);
@@ -61,10 +60,9 @@ rsa_md5_verify_digest(const struct rsa_public_key *key,
int res;
mpz_t m;
- assert(key->size > 0);
mpz_init(m);
- res = (pkcs1_rsa_md5_encode_digest(m, key->size - 1, digest)
+ res = (pkcs1_rsa_md5_encode_digest(m, key->size, digest)
&& _rsa_verify(key, m, s));
mpz_clear(m);
diff --git a/rsa-sha1-sign.c b/rsa-sha1-sign.c
index aad9879badee398d0cc0b4776c1352db55ecd508..0f138f855fdef9a724086ec92c41ea12f7fe5993 100644
--- a/rsa-sha1-sign.c
+++ b/rsa-sha1-sign.c
@@ -39,9 +39,7 @@ rsa_sha1_sign(const struct rsa_private_key *key,
struct sha1_ctx *hash,
mpz_t s)
{
- assert(key->size > 0);
-
- if (pkcs1_rsa_sha1_encode(s, key->size - 1, hash))
+ if (pkcs1_rsa_sha1_encode(s, key->size, hash))
{
rsa_compute_root(key, s, s);
return 1;
@@ -58,9 +56,7 @@ rsa_sha1_sign_digest(const struct rsa_private_key *key,
const uint8_t *digest,
mpz_t s)
{
- assert(key->size > 0);
-
- if (pkcs1_rsa_sha1_encode_digest(s, key->size - 1, digest))
+ if (pkcs1_rsa_sha1_encode_digest(s, key->size, digest))
{
rsa_compute_root(key, s, s);
return 1;
diff --git a/rsa-sha1-verify.c b/rsa-sha1-verify.c
index 90f01f68cf354a53984609f9628facc8bcedc4bc..8624e749d0865d63f647ce46a04d4aa8139ae1d4 100644
--- a/rsa-sha1-verify.c
+++ b/rsa-sha1-verify.c
@@ -42,10 +42,9 @@ rsa_sha1_verify(const struct rsa_public_key *key,
int res;
mpz_t m;
- assert(key->size > 0);
mpz_init(m);
- res = (pkcs1_rsa_sha1_encode(m, key->size - 1, hash)
+ res = (pkcs1_rsa_sha1_encode(m, key->size, hash)
&& _rsa_verify(key, m, s));
mpz_clear(m);
@@ -61,10 +60,9 @@ rsa_sha1_verify_digest(const struct rsa_public_key *key,
int res;
mpz_t m;
- assert(key->size > 0);
mpz_init(m);
- res = (pkcs1_rsa_sha1_encode_digest(m, key->size - 1, digest)
+ res = (pkcs1_rsa_sha1_encode_digest(m, key->size, digest)
&& _rsa_verify(key, m, s));
mpz_clear(m);
diff --git a/rsa-sha256-sign.c b/rsa-sha256-sign.c
index 0af12c9475f9aa8c7d0f93c6e87b191ab50f247f..30ba497adef450e3ef5af17654857fbb0b5848f4 100644
--- a/rsa-sha256-sign.c
+++ b/rsa-sha256-sign.c
@@ -39,9 +39,7 @@ rsa_sha256_sign(const struct rsa_private_key *key,
struct sha256_ctx *hash,
mpz_t s)
{
- assert(key->size > 0);
-
- if (pkcs1_rsa_sha256_encode(s, key->size - 1, hash))
+ if (pkcs1_rsa_sha256_encode(s, key->size, hash))
{
rsa_compute_root(key, s, s);
return 1;
@@ -58,9 +56,7 @@ rsa_sha256_sign_digest(const struct rsa_private_key *key,
const uint8_t *digest,
mpz_t s)
{
- assert(key->size > 0);
-
- if (pkcs1_rsa_sha256_encode_digest(s, key->size - 1, digest))
+ if (pkcs1_rsa_sha256_encode_digest(s, key->size, digest))
{
rsa_compute_root(key, s, s);
return 1;
diff --git a/rsa-sha256-verify.c b/rsa-sha256-verify.c
index ed8f7d0cc535a9749a9174d595f87003ffd8e311..cfb6afb4da7034b0aae7e11aeb95d386d1f8281a 100644
--- a/rsa-sha256-verify.c
+++ b/rsa-sha256-verify.c
@@ -42,10 +42,9 @@ rsa_sha256_verify(const struct rsa_public_key *key,
int res;
mpz_t m;
- assert(key->size > 0);
mpz_init(m);
- res = (pkcs1_rsa_sha256_encode(m, key->size - 1, hash)
+ res = (pkcs1_rsa_sha256_encode(m, key->size, hash)
&&_rsa_verify(key, m, s));
mpz_clear(m);
@@ -61,10 +60,9 @@ rsa_sha256_verify_digest(const struct rsa_public_key *key,
int res;
mpz_t m;
- assert(key->size > 0);
mpz_init(m);
- res = (pkcs1_rsa_sha256_encode_digest(m, key->size - 1, digest)
+ res = (pkcs1_rsa_sha256_encode_digest(m, key->size, digest)
&& _rsa_verify(key, m, s));
mpz_clear(m);
diff --git a/rsa-sha512-sign.c b/rsa-sha512-sign.c
index a8ab9810809770ed285d64f94b690cd4e382d2e7..cf2047efb8e0eb6e97f669edbc72b3851478023a 100644
--- a/rsa-sha512-sign.c
+++ b/rsa-sha512-sign.c
@@ -39,9 +39,7 @@ rsa_sha512_sign(const struct rsa_private_key *key,
struct sha512_ctx *hash,
mpz_t s)
{
- assert(key->size > 0);
-
- if (pkcs1_rsa_sha512_encode(s, key->size - 1, hash))
+ if (pkcs1_rsa_sha512_encode(s, key->size, hash))
{
rsa_compute_root(key, s, s);
return 1;
@@ -58,9 +56,7 @@ rsa_sha512_sign_digest(const struct rsa_private_key *key,
const uint8_t *digest,
mpz_t s)
{
- assert(key->size > 0);
-
- if (pkcs1_rsa_sha512_encode_digest(s, key->size - 1, digest))
+ if (pkcs1_rsa_sha512_encode_digest(s, key->size, digest))
{
rsa_compute_root(key, s, s);
return 1;
diff --git a/rsa-sha512-verify.c b/rsa-sha512-verify.c
index 0fca6b877cf4fc9296e622e8598c7f2a82ad7bd3..90f823477bc75df98024eadcd60cee71ba6b52eb 100644
--- a/rsa-sha512-verify.c
+++ b/rsa-sha512-verify.c
@@ -42,10 +42,9 @@ rsa_sha512_verify(const struct rsa_public_key *key,
int res;
mpz_t m;
- assert(key->size > 0);
mpz_init(m);
- res = (pkcs1_rsa_sha512_encode(m, key->size - 1, hash)
+ res = (pkcs1_rsa_sha512_encode(m, key->size, hash)
&& _rsa_verify(key, m, s));
mpz_clear(m);
@@ -61,10 +60,9 @@ rsa_sha512_verify_digest(const struct rsa_public_key *key,
int res;
mpz_t m;
- assert(key->size > 0);
mpz_init(m);
- res = (pkcs1_rsa_sha512_encode_digest(m, key->size - 1, digest)
+ res = (pkcs1_rsa_sha512_encode_digest(m, key->size, digest)
&& _rsa_verify(key, m, s));
mpz_clear(m);
diff --git a/testsuite/pkcs1-test.c b/testsuite/pkcs1-test.c
index 283e742e6163daa56ba20649cf95ef5f5e298718..a0521b031c4bcd5dfd103c6b4bbd3d5e1ad5ed24 100644
--- a/testsuite/pkcs1-test.c
+++ b/testsuite/pkcs1-test.c
@@ -6,7 +6,7 @@ int
test_main(void)
{
uint8_t buffer[16];
- uint8_t expected[16] = { 1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ uint8_t expected[16] = { 0, 1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0, 'a', 'b', 'c' };
pkcs1_signature_prefix(sizeof(buffer), buffer,