/* * Copyright (c) 2016 Samsung Electronics Co., Ltd. All rights reserved. * * Created in Samsung Ukraine R&D Center (SRK) under a contract between * LLC "Samsung Electronics Ukraine Company" (Kiev, Ukraine) * and "Samsung Electronics Co", Ltd (Seoul, Republic of Korea) */ /** * @file MbedTlsExt.c * @brief TigerTa * @author Viktor Kopp (v.kopp@samsung.com) * @date Created Sep 16, 2016 */ #include "TigerMbedTlsExt.h" #include #include "TzwMisc.h" static void mgf_mask(unsigned char *dst, size_t dlen, unsigned char *src, size_t slen, mbedtls_md_context_t *md_ctx); int tigerMbedtlsRng(void* pRng, unsigned char* output, size_t outputLen) { (void) pRng; // variable not used return tzwGenerateRandom(output, outputLen); } /* * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function to sign Tiger certificates with TIGER_SIGN_SALT_LENGTH bytes salt */ int tigerMbedtlsRsaRsassaPssSign(mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, int salt_len, unsigned char *sig) { size_t olen; unsigned char *p = sig; unsigned char salt[MBEDTLS_MD_MAX_SIZE]; unsigned int slen, hlen, offset = 0; int ret; size_t msb; const mbedtls_md_info_t *md_info; mbedtls_md_context_t md_ctx; if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); if( f_rng == NULL ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); olen = ctx->len; if( md_alg != MBEDTLS_MD_NONE ) { // Gather length of hash to sign // md_info = mbedtls_md_info_from_type( md_alg ); if( md_info == NULL ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); hashlen = mbedtls_md_get_size( md_info ); } md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); if( md_info == NULL ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); hlen = mbedtls_md_get_size( md_info ); slen = salt_len; if( olen < hlen + slen + 2 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); memset( sig, 0, olen ); // Generate salt of length slen // if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 ) return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); // Note: EMSA-PSS encoding is over the length of N - 1 bits // msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; // ORIGINAL: p += olen - hlen * 2 - 2; p += olen - (hlen + slen) - 2; *p++ = 0x01; memcpy( p, salt, slen ); p += slen; mbedtls_md_init( &md_ctx ); mbedtls_md_setup( &md_ctx, md_info, 0 ); // Generate H = Hash( M' ) // mbedtls_md_starts( &md_ctx ); mbedtls_md_update( &md_ctx, p, 8 ); mbedtls_md_update( &md_ctx, hash, hashlen ); mbedtls_md_update( &md_ctx, salt, slen ); mbedtls_md_finish( &md_ctx, p ); // Compensate for boundary condition when applying mask // if( msb % 8 == 0 ) offset = 1; // maskedDB: Apply dbMask to DB // mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx ); mbedtls_md_free( &md_ctx ); msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; sig[0] &= 0xFF >> ( olen * 8 - msb ); p += hlen; *p++ = 0xBC; return( ( mode == MBEDTLS_RSA_PUBLIC ) ? mbedtls_rsa_public( ctx, sig, sig ) : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) ); } // --------------------------- required static functions copy-pasted from rsa.c file ------------------- void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, size_t slen, mbedtls_md_context_t *md_ctx ) { unsigned char mask[MBEDTLS_MD_MAX_SIZE]; unsigned char counter[4]; unsigned char *p; unsigned int hlen; size_t i, use_len; memset( mask, 0, MBEDTLS_MD_MAX_SIZE ); memset( counter, 0, 4 ); hlen = mbedtls_md_get_size( md_ctx->md_info ); // Generate and apply dbMask // p = dst; while( dlen > 0 ) { use_len = hlen; if( dlen < hlen ) use_len = dlen; mbedtls_md_starts( md_ctx ); mbedtls_md_update( md_ctx, src, slen ); mbedtls_md_update( md_ctx, counter, 4 ); mbedtls_md_finish( md_ctx, mask ); for( i = 0; i < use_len; ++i ) *p++ ^= mask[i]; counter[3]++; dlen -= use_len; } }