core/lib/libtomcrypt/src/pk/pkcs1/pkcs_1_pss_decode.c - optee-os-mtk - Git at Google

 // SPDX-License-Identifier: BSD-2-Clause
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
  *
  * LibTomCrypt is a library that provides various cryptographic
  * algorithms in a highly modular and flexible manner.
  *
  * The library is free for all purposes without any express
  * guarantee it works.
  */
 #include "tomcrypt_private.h"

 /**
   @file pkcs_1_pss_decode.c
   PKCS #1 PSS Signature Padding, Tom St Denis
 */

 #ifdef LTC_PKCS_1

 /**
    PKCS #1 v2.00 PSS decode
    @param  msghash         The hash to verify
    @param  msghashlen      The length of the hash (octets)
    @param  sig             The signature data (encoded data)
    @param  siglen          The length of the signature data (octets)
    @param  saltlen         The length of the salt used (octets)
    @param  hash_idx        The index of the hash desired
    @param  modulus_bitlen  The bit length of the RSA modulus
    @param  res             [out] The result of the comparison, 1==valid, 0==invalid
    @return CRYPT_OK if successful (even if the comparison failed)
 */
 int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen,
                       const unsigned char *sig,     unsigned long siglen,
                             unsigned long saltlen,  int           hash_idx,
                             unsigned long modulus_bitlen, int    *res)
 {
    unsigned char *DB, *mask, *salt, *hash;
    unsigned long x, y, hLen, modulus_len;
    int           err;
    hash_state    md;

    LTC_ARGCHK(msghash != NULL);
    LTC_ARGCHK(res     != NULL);

    /* default to invalid */
    *res = 0;

    /* ensure hash is valid */
    if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
       return err;
    }

    hLen        = hash_descriptor[hash_idx]->hashsize;
    modulus_bitlen--;
    modulus_len = (modulus_bitlen>>3) + (modulus_bitlen & 7 ? 1 : 0);

    /* check sizes */
    if ((saltlen > modulus_len) ||
        (modulus_len < hLen + saltlen + 2)) {
       return CRYPT_PK_INVALID_SIZE;
    }

    /* allocate ram for DB/mask/salt/hash of size modulus_len */
    DB   = XMALLOC(modulus_len);
    mask = XMALLOC(modulus_len);
    salt = XMALLOC(modulus_len);
    hash = XMALLOC(modulus_len);
    if (DB == NULL || mask == NULL || salt == NULL || hash == NULL) {
       if (DB != NULL) {
          XFREE(DB);
       }
       if (mask != NULL) {
          XFREE(mask);
       }
       if (salt != NULL) {
          XFREE(salt);
       }
       if (hash != NULL) {
          XFREE(hash);
       }
       return CRYPT_MEM;
    }

    /* ensure the 0xBC byte */
    if (sig[siglen-1] != 0xBC) {
       err = CRYPT_INVALID_PACKET;
       goto LBL_ERR;
    }

    /* copy out the DB */
    x = 0;
    XMEMCPY(DB, sig + x, modulus_len - hLen - 1);
    x += modulus_len - hLen - 1;

    /* copy out the hash */
    XMEMCPY(hash, sig + x, hLen);
    /* x += hLen; */

    /* check the MSB */
    if ((sig[0] & ~(0xFF >> ((modulus_len<<3) - (modulus_bitlen)))) != 0) {
       err = CRYPT_INVALID_PACKET;
       goto LBL_ERR;
    }

    /* generate mask of length modulus_len - hLen - 1 from hash */
    if ((err = pkcs_1_mgf1(hash_idx, hash, hLen, mask, modulus_len - hLen - 1)) != CRYPT_OK) {
       goto LBL_ERR;
    }

    /* xor against DB */
    for (y = 0; y < (modulus_len - hLen - 1); y++) {
       DB[y] ^= mask[y];
    }

    /* now clear the first byte [make sure smaller than modulus] */
    DB[0] &= 0xFF >> ((modulus_len<<3) - (modulus_bitlen));

    /* DB = PS || 0x01 || salt, PS == modulus_len - saltlen - hLen - 2 zero bytes */

    /* check for zeroes and 0x01 */
    for (x = 0; x < modulus_len - saltlen - hLen - 2; x++) {
        if (DB[x] != 0x00) {
           err = CRYPT_INVALID_PACKET;
           goto LBL_ERR;
        }
    }

    /* check for the 0x01 */
    if (DB[x++] != 0x01) {
       err = CRYPT_INVALID_PACKET;
       goto LBL_ERR;
    }

    /* M = (eight) 0x00 || msghash || salt, mask = H(M) */
    if ((err = hash_descriptor[hash_idx]->init(&md)) != CRYPT_OK) {
       goto LBL_ERR;
    }
    zeromem(mask, 8);
    if ((err = hash_descriptor[hash_idx]->process(&md, mask, 8)) != CRYPT_OK) {
       goto LBL_ERR;
    }
    if ((err = hash_descriptor[hash_idx]->process(&md, msghash, msghashlen)) != CRYPT_OK) {
       goto LBL_ERR;
    }
    if ((err = hash_descriptor[hash_idx]->process(&md, DB+x, saltlen)) != CRYPT_OK) {
       goto LBL_ERR;
    }
    if ((err = hash_descriptor[hash_idx]->done(&md, mask)) != CRYPT_OK) {
       goto LBL_ERR;
    }

    /* mask == hash means valid signature */
    if (XMEM_NEQ(mask, hash, hLen) == 0) {
       *res = 1;
    }

    err = CRYPT_OK;
 LBL_ERR:
 #ifdef LTC_CLEAN_STACK
    zeromem(DB,   modulus_len);
    zeromem(mask, modulus_len);
    zeromem(salt, modulus_len);
    zeromem(hash, modulus_len);
 #endif

    XFREE(hash);
    XFREE(salt);
    XFREE(mask);
    XFREE(DB);

    return err;
 }

 #endif /* LTC_PKCS_1 */

 /* ref:         $Format:%D$ */
 /* git commit:  $Format:%H$ */
 /* commit time: $Format:%ai$ */
	// SPDX-License-Identifier: BSD-2-Clause
	/* LibTomCrypt, modular cryptographic library -- Tom St Denis
	*
	* LibTomCrypt is a library that provides various cryptographic
	* algorithms in a highly modular and flexible manner.
	*
	* The library is free for all purposes without any express
	* guarantee it works.
	*/
	#include "tomcrypt_private.h"

	/**
	@file pkcs_1_pss_decode.c
	PKCS #1 PSS Signature Padding, Tom St Denis
	*/

	#ifdef LTC_PKCS_1

	/**
	PKCS #1 v2.00 PSS decode
	@param msghash The hash to verify
	@param msghashlen The length of the hash (octets)
	@param sig The signature data (encoded data)
	@param siglen The length of the signature data (octets)
	@param saltlen The length of the salt used (octets)
	@param hash_idx The index of the hash desired
	@param modulus_bitlen The bit length of the RSA modulus
	@param res [out] The result of the comparison, 1==valid, 0==invalid
	@return CRYPT_OK if successful (even if the comparison failed)
	*/
	int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen,
	const unsigned char *sig, unsigned long siglen,
	unsigned long saltlen, int hash_idx,
	unsigned long modulus_bitlen, int *res)
	{
	unsigned char DB, mask, salt, hash;
	unsigned long x, y, hLen, modulus_len;
	int err;
	hash_state md;

	LTC_ARGCHK(msghash != NULL);
	LTC_ARGCHK(res != NULL);

	/* default to invalid */
	*res = 0;

	/* ensure hash is valid */
	if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
	return err;
	}

	hLen = hash_descriptor[hash_idx]->hashsize;
	modulus_bitlen--;
	modulus_len = (modulus_bitlen>>3) + (modulus_bitlen & 7 ? 1 : 0);

	/* check sizes */
	if ((saltlen > modulus_len) \|\|
	(modulus_len < hLen + saltlen + 2)) {
	return CRYPT_PK_INVALID_SIZE;
	}

	/* allocate ram for DB/mask/salt/hash of size modulus_len */
	DB = XMALLOC(modulus_len);
	mask = XMALLOC(modulus_len);
	salt = XMALLOC(modulus_len);
	hash = XMALLOC(modulus_len);
	if (DB == NULL \|\| mask == NULL \|\| salt == NULL \|\| hash == NULL) {
	if (DB != NULL) {
	XFREE(DB);
	}
	if (mask != NULL) {
	XFREE(mask);
	}
	if (salt != NULL) {
	XFREE(salt);
	}
	if (hash != NULL) {
	XFREE(hash);
	}
	return CRYPT_MEM;
	}

	/* ensure the 0xBC byte */
	if (sig[siglen-1] != 0xBC) {
	err = CRYPT_INVALID_PACKET;
	goto LBL_ERR;
	}

	/* copy out the DB */
	x = 0;
	XMEMCPY(DB, sig + x, modulus_len - hLen - 1);
	x += modulus_len - hLen - 1;

	/* copy out the hash */
	XMEMCPY(hash, sig + x, hLen);
	/* x += hLen; */

	/* check the MSB */
	if ((sig[0] & ~(0xFF >> ((modulus_len<<3) - (modulus_bitlen)))) != 0) {
	err = CRYPT_INVALID_PACKET;
	goto LBL_ERR;
	}

	/* generate mask of length modulus_len - hLen - 1 from hash */
	if ((err = pkcs_1_mgf1(hash_idx, hash, hLen, mask, modulus_len - hLen - 1)) != CRYPT_OK) {
	goto LBL_ERR;
	}

	/* xor against DB */
	for (y = 0; y < (modulus_len - hLen - 1); y++) {
	DB[y] ^= mask[y];
	}

	/* now clear the first byte [make sure smaller than modulus] */
	DB[0] &= 0xFF >> ((modulus_len<<3) - (modulus_bitlen));

	/* DB = PS \|\| 0x01 \|\| salt, PS == modulus_len - saltlen - hLen - 2 zero bytes */

	/* check for zeroes and 0x01 */
	for (x = 0; x < modulus_len - saltlen - hLen - 2; x++) {
	if (DB[x] != 0x00) {
	err = CRYPT_INVALID_PACKET;
	goto LBL_ERR;
	}
	}

	/* check for the 0x01 */
	if (DB[x++] != 0x01) {
	err = CRYPT_INVALID_PACKET;
	goto LBL_ERR;
	}

	/* M = (eight) 0x00 \|\| msghash \|\| salt, mask = H(M) */
	if ((err = hash_descriptor[hash_idx]->init(&md)) != CRYPT_OK) {
	goto LBL_ERR;
	}
	zeromem(mask, 8);
	if ((err = hash_descriptor[hash_idx]->process(&md, mask, 8)) != CRYPT_OK) {
	goto LBL_ERR;
	}
	if ((err = hash_descriptor[hash_idx]->process(&md, msghash, msghashlen)) != CRYPT_OK) {
	goto LBL_ERR;
	}
	if ((err = hash_descriptor[hash_idx]->process(&md, DB+x, saltlen)) != CRYPT_OK) {
	goto LBL_ERR;
	}
	if ((err = hash_descriptor[hash_idx]->done(&md, mask)) != CRYPT_OK) {
	goto LBL_ERR;
	}

	/* mask == hash means valid signature */
	if (XMEM_NEQ(mask, hash, hLen) == 0) {
	*res = 1;
	}

	err = CRYPT_OK;
	LBL_ERR:
	#ifdef LTC_CLEAN_STACK
	zeromem(DB, modulus_len);
	zeromem(mask, modulus_len);
	zeromem(salt, modulus_len);
	zeromem(hash, modulus_len);
	#endif

	XFREE(hash);
	XFREE(salt);
	XFREE(mask);
	XFREE(DB);

	return err;
	}

	#endif /* LTC_PKCS_1 */

	/* ref: $Format:%D$ */
	/* git commit: $Format:%H$ */
	/* commit time: $Format:%ai$ */