1 // SPDX-License-Identifier: BSD-2-Clause
2 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
3  *
4  * LibTomCrypt is a library that provides various cryptographic
5  * algorithms in a highly modular and flexible manner.
6  *
7  * The library is free for all purposes without any express
8  * guarantee it works.
9  */
10 #include "tomcrypt_private.h"
11 
12 /**
13   @file rsa_sign_hash.c
14   RSA PKCS #1 v1.5 and v2 PSS sign hash, Tom St Denis and Andreas Lange
15 */
16 
17 #ifdef LTC_MRSA
18 
19 /**
20   PKCS #1 pad then sign
21   @param in        The hash to sign
22   @param inlen     The length of the hash to sign (octets)
23   @param out       [out] The signature
24   @param outlen    [in/out] The max size and resulting size of the signature
25   @param padding   Type of padding (LTC_PKCS_1_PSS, LTC_PKCS_1_V1_5 or LTC_PKCS_1_V1_5_NA1)
26   @param prng      An active PRNG state
27   @param prng_idx  The index of the PRNG desired
28   @param hash_idx  The index of the hash desired
29   @param saltlen   The length of the salt desired (octets)
30   @param key       The private RSA key to use
31   @return CRYPT_OK if successful
32 */
rsa_sign_hash_ex(const unsigned char * in,unsigned long inlen,unsigned char * out,unsigned long * outlen,int padding,prng_state * prng,int prng_idx,int hash_idx,unsigned long saltlen,const rsa_key * key)33 int rsa_sign_hash_ex(const unsigned char *in,       unsigned long  inlen,
34                            unsigned char *out,      unsigned long *outlen,
35                            int            padding,
36                            prng_state    *prng,     int            prng_idx,
37                            int            hash_idx, unsigned long  saltlen,
38                      const rsa_key *key)
39 {
40    unsigned long modulus_bitlen, modulus_bytelen, x, y;
41    int           err;
42 
43    LTC_ARGCHK(in       != NULL);
44    LTC_ARGCHK(out      != NULL);
45    LTC_ARGCHK(outlen   != NULL);
46    LTC_ARGCHK(key      != NULL);
47 
48    /* valid padding? */
49    if ((padding != LTC_PKCS_1_V1_5) &&
50        (padding != LTC_PKCS_1_PSS) &&
51        (padding != LTC_PKCS_1_V1_5_NA1)) {
52      return CRYPT_PK_INVALID_PADDING;
53    }
54 
55    if (padding == LTC_PKCS_1_PSS) {
56      /* valid prng ? */
57      if ((err = prng_is_valid(prng_idx)) != CRYPT_OK) {
58         return err;
59      }
60    }
61 
62    if (padding != LTC_PKCS_1_V1_5_NA1) {
63      /* valid hash ? */
64      if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
65         return err;
66      }
67    }
68 
69    /* get modulus len in bits */
70    modulus_bitlen = mp_count_bits((key->N));
71 
72   /* outlen must be at least the size of the modulus */
73   modulus_bytelen = mp_unsigned_bin_size((key->N));
74   if (modulus_bytelen > *outlen) {
75      *outlen = modulus_bytelen;
76      return CRYPT_BUFFER_OVERFLOW;
77   }
78 
79   if (padding == LTC_PKCS_1_PSS) {
80     /* PSS pad the key */
81     x = *outlen;
82     if ((err = pkcs_1_pss_encode(in, inlen, saltlen, prng, prng_idx,
83                                  hash_idx, modulus_bitlen, out, &x)) != CRYPT_OK) {
84        return err;
85     }
86   } else {
87     /* PKCS #1 v1.5 pad the hash */
88     unsigned char *tmpin;
89 
90     if (padding == LTC_PKCS_1_V1_5) {
91       ltc_asn1_list digestinfo[2], siginfo[2];
92       /* not all hashes have OIDs... so sad */
93       if (hash_descriptor[hash_idx]->OIDlen == 0) {
94          return CRYPT_INVALID_ARG;
95       }
96 
97     /* construct the SEQUENCE
98         SEQUENCE {
99            SEQUENCE {hashoid OID
100                      blah    NULL
101            }
102          hash    OCTET STRING
103         }
104      */
105       LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, hash_descriptor[hash_idx]->OID, hash_descriptor[hash_idx]->OIDlen);
106       LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL,              NULL,                          0);
107       LTC_SET_ASN1(siginfo,    0, LTC_ASN1_SEQUENCE,          digestinfo,                    2);
108       LTC_SET_ASN1(siginfo,    1, LTC_ASN1_OCTET_STRING,      in,                            inlen);
109 
110       /* allocate memory for the encoding */
111       y = mp_unsigned_bin_size(key->N);
112       tmpin = XMALLOC(y);
113       if (tmpin == NULL) {
114          return CRYPT_MEM;
115       }
116 
117       if ((err = der_encode_sequence(siginfo, 2, tmpin, &y)) != CRYPT_OK) {
118          XFREE(tmpin);
119          return err;
120       }
121     } else {
122       /* set the pointer and data-length to the input values */
123       tmpin = (unsigned char *)in;
124       y = inlen;
125     }
126 
127     x = *outlen;
128     err = pkcs_1_v1_5_encode(tmpin, y, LTC_PKCS_1_EMSA, modulus_bitlen, NULL, 0, out, &x);
129 
130     if (padding == LTC_PKCS_1_V1_5) {
131       XFREE(tmpin);
132     }
133 
134     if (err != CRYPT_OK) {
135       return err;
136     }
137   }
138 
139   /* RSA encode it */
140   return ltc_mp.rsa_me(out, x, out, outlen, PK_PRIVATE, key);
141 }
142 
143 #endif /* LTC_MRSA */
144 
145 /* ref:         $Format:%D$ */
146 /* git commit:  $Format:%H$ */
147 /* commit time: $Format:%ai$ */
148