authorNiels Möller <nisse@lysator.liu.se>2010-03-23 16:40:24 +0100
committerNiels Möller <nisse@lysator.liu.se>2010-03-23 16:40:24 +0100
commit3eebb3fd42b8122565a6b675c1f0d04d901cef94 (patch)
tree289afcb035a9f4521db9e66103edea1351b64ad2
parentd93024e9118da4ddd8e9252e4c169ab344c1333e (diff)
* Makefile.in (hogweed_SOURCES): Added pkcs1-rsa-sha512.c,
rsa-sha512-sign.c and rsa-sha512-verify.c. * rsa.h: Added prototypes for sha512-related functions. (RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Increased. * pkcs1.h: Added prototypes for sha512-related functions. * rsa-sha512-verify.c: New file. * rsa-sha512-sign.c: New file. * pkcs1-rsa-sha512.c: New file. Rev: nettle/ChangeLog:1.52 Rev: nettle/Makefile.in:1.16 Rev: nettle/pkcs1-rsa-sha512.c:1.1 Rev: nettle/pkcs1.h:1.2 Rev: nettle/rsa-sha512-sign.c:1.1 Rev: nettle/rsa-sha512-verify.c:1.1 Rev: nettle/rsa.h:1.3
-rw-r--r--ChangeLog31
-rw-r--r--Makefile.in4
-rw-r--r--pkcs1-rsa-sha512.c90
-rw-r--r--pkcs1.h9
-rw-r--r--rsa-sha512-sign.c59
-rw-r--r--rsa-sha512-verify.c73
-rw-r--r--rsa.h35
7 files changed, 286 insertions, 15 deletions
diff --git a/ChangeLog b/ChangeLog
index df5e53a0..485194db 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2010-03-23 Niels Möller <nisse@lysator.liu.se>
+
+ * Makefile.in (hogweed_SOURCES): Added pkcs1-rsa-sha512.c,
+ rsa-sha512-sign.c and rsa-sha512-verify.c.
+
+ * rsa.h: Added prototypes for sha512-related functions.
+ (RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Increased.
+ * pkcs1.h: Added prototypes for sha512-related functions.
+
+ * rsa-sha512-verify.c: New file.
+ * rsa-sha512-sign.c: New file.
+ * pkcs1-rsa-sha512.c: New file.
+
2010-03-22 Niels Möller <nisse@lysator.liu.se>
* Makefile.in (nettle_SOURCES): Added hmac-sha512.c.
@@ -5,17 +18,17 @@
* testsuite/hmac-test.c (test_main): Added test cases for
hmac-sha512.
- * hmac.h: Declare functions SHA-512-related functions.
+ * hmac.h: Declare functions sha512-related functions.
* hmac-sha512.c (hmac_sha512_set_key): New file.
- Basic SHA 512 support.
+ Basic sha512 support.
* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha512-test.c.
* testsuite/sha512-test.c: New file.
* macros.h (READ_UINT64, WRITE_UINT64): New macros.
* Makefile.in (nettle_SOURCES): Added sha512.c and sha512-meta.c.
- * sha.h: Added SHA-512-related declarations.
+ * sha.h: Added sha512-related declarations.
* nettle-meta.h: Likewise.
* sha512-meta.c: New file.
* sha512.c: New file.
@@ -402,7 +415,7 @@
* C source files: Don't use WITH_PUBLIC_KEY / WITH_HOGWEED, the
Makefile sorts out which files should be compiled.
-
+
* pgp.h: Include bignum.h, don't pretend to work without bignums.
* pgp-encode.c (pgp_put_mpi, pgp_put_public_rsa_key)
@@ -4132,16 +4145,16 @@
* yarrow256.c: New file, implementing Yarrow. Work in progress.
- * sha256.c: New file, implementing SHA-256.
+ * sha256.c: New file, implementing sha256.
* testsuite/Makefile.am (CFLAGS): Added sha256-test.
- * testsuite/sha256-test.m4: New testcases for SHA-256.
+ * testsuite/sha256-test.m4: New testcases for sha256.
- * shadata.c: New file, for generating SHA-256 constants.
+ * shadata.c: New file, for generating sha256 constants.
* sha.h: Renamed sha1.h to sha.h, and added declarations for
- SHA-256.
+ sha256.
2001-10-05 Niels Möller <nisse@ehand.com>
@@ -4404,7 +4417,7 @@
* testsuite/des-test.m4: New file.
- * Added SHA1 files.
+ * Added sha1 files.
* Added desCore files.
diff --git a/Makefile.in b/Makefile.in
index 823aab27..ed364d27 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -75,11 +75,13 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
hogweed_SOURCES = sexp.c sexp-format.c \
sexp-transport.c sexp-transport-format.c \
bignum.c bignum-next-prime.c bignum-random.c sexp2bignum.c \
- pkcs1.c pkcs1-rsa-md5.c pkcs1-rsa-sha1.c pkcs1-rsa-sha256.c \
+ pkcs1.c pkcs1-rsa-md5.c pkcs1-rsa-sha1.c \
+ pkcs1-rsa-sha256.c pkcs1-rsa-sha512.c \
rsa.c rsa-sign.c rsa-verify.c \
rsa-md5-sign.c rsa-md5-verify.c \
rsa-sha1-sign.c rsa-sha1-verify.c \
rsa-sha256-sign.c rsa-sha256-verify.c \
+ rsa-sha512-sign.c rsa-sha512-verify.c \
rsa-encrypt.c rsa-decrypt.c \
rsa-keygen.c rsa-compat.c \
rsa2sexp.c sexp2rsa.c \
diff --git a/pkcs1-rsa-sha512.c b/pkcs1-rsa-sha512.c
new file mode 100644
index 00000000..1e446667
--- /dev/null
+++ b/pkcs1-rsa-sha512.c
@@ -0,0 +1,90 @@
+/* pkcs1-rsa-sha512.c
+ *
+ * PKCS stuff for rsa-sha512.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2001, 2003, 2006, 2010 Niels Möller
+ *
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB. If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "pkcs1.h"
+
+#include "nettle-internal.h"
+
+/* From RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA
+ * Cryptography Specifications Version 2.1.
+ *
+ * id-sha512 OBJECT IDENTIFIER ::=
+ * {joint-iso-itu-t(2) country(16) us(840) organization(1)
+ * gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3}
+ */
+
+static const uint8_t
+sha512_prefix[] =
+{
+ /* 19 octets prefix, 64 octets hash, total 83 */
+ 0x30, 81, /* SEQUENCE */
+ 0x30, 13, /* SEQUENCE */
+ 0x06, 9, /* OBJECT IDENTIFIER */
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
+ 0x05, 0, /* NULL */
+ 0x04, 64 /* OCTET STRING */
+ /* Here comes the raw hash value, 64 octets */
+};
+
+void
+pkcs1_rsa_sha512_encode(mpz_t m, unsigned length, struct sha512_ctx *hash)
+{
+ TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_BITS / 8);
+ TMP_ALLOC(em, length);
+
+ assert(length >= SHA512_DIGEST_SIZE);
+ pkcs1_signature_prefix(length - SHA512_DIGEST_SIZE, em,
+ sizeof(sha512_prefix),
+ sha512_prefix);
+
+ sha512_digest(hash, SHA512_DIGEST_SIZE, em + length - SHA512_DIGEST_SIZE);
+ nettle_mpz_set_str_256_u(m, length, em);
+}
+
+void
+pkcs1_rsa_sha512_encode_digest(mpz_t m, unsigned length, const uint8_t *digest)
+{
+ TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_BITS / 8);
+ TMP_ALLOC(em, length);
+
+ assert(length >= SHA512_DIGEST_SIZE);
+ pkcs1_signature_prefix(length - SHA512_DIGEST_SIZE, em,
+ sizeof(sha512_prefix),
+ sha512_prefix);
+
+ memcpy(em + length - SHA512_DIGEST_SIZE, digest, SHA512_DIGEST_SIZE);
+ nettle_mpz_set_str_256_u(m, length, em);
+}
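Review bot: In both pkcs1_rsa_sha512_encode and pkcs1_rsa_sha512_encode_digest the only check on `length` is `assert(length >= SHA512_DIGEST_SIZE)`, and it runs after `TMP_ALLOC(em, length)` has already used the value. In a build with NDEBUG the check vanishes and `length - SHA512_DIGEST_SIZE` wraps around as an unsigned value, so the later write at `em + length - SHA512_DIGEST_SIZE` would land outside the buffer. The bound is also looser than the encoding needs, since the DigestInfo alone is 83 octets; lengths from 64 to 82 pass here and depend on whatever pkcs1_signature_prefix checks, which is not visible in this diff. I would move the check ahead of the allocation and tighten it to `assert(length >= sizeof(sha512_prefix) + SHA512_DIGEST_SIZE);`, and add a one-line comment on each function saying that `length` is the size of the encoded message in octets (the callers in this commit pass `key->size - 1`).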
diff --git a/pkcs1.h b/pkcs1.h
index 953604f2..575570b4 100644
--- a/pkcs1.h
+++ b/pkcs1.h
@@ -41,10 +41,13 @@ extern "C" {
#define pkcs1_rsa_sha1_encode_digest nettle_pkcs1_rsa_sha1_encode_digest
#define pkcs1_rsa_sha256_encode nettle_pkcs1_rsa_sha256_encode
#define pkcs1_rsa_sha256_encode_digest nettle_pkcs1_rsa_sha256_encode_digest
+#define pkcs1_rsa_sha512_encode nettle_pkcs1_rsa_sha512_encode
+#define pkcs1_rsa_sha512_encode_digest nettle_pkcs1_rsa_sha512_encode_digest
struct md5_ctx;
struct sha1_ctx;
struct sha256_ctx;
+struct sha512_ctx;
void
pkcs1_signature_prefix(unsigned length,
@@ -70,6 +73,12 @@ pkcs1_rsa_sha256_encode(mpz_t m, unsigned length, struct sha256_ctx *hash);
void
pkcs1_rsa_sha256_encode_digest(mpz_t m, unsigned length, const uint8_t *digest);
+void
+pkcs1_rsa_sha512_encode(mpz_t m, unsigned length, struct sha512_ctx *hash);
+
+void
+pkcs1_rsa_sha512_encode_digest(mpz_t m, unsigned length, const uint8_t *digest);
+
#ifdef __cplusplus
}
#endif
diff --git a/rsa-sha512-sign.c b/rsa-sha512-sign.c
new file mode 100644
index 00000000..2d0981d8
--- /dev/null
+++ b/rsa-sha512-sign.c
@@ -0,0 +1,59 @@
+/* rsa-sha512-sign.c
+ *
+ * Signatures using RSA and SHA512.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2001, 2003, 2006, 2010 Niels Möller
+ *
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB. If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "pkcs1.h"
+
+void
+rsa_sha512_sign(const struct rsa_private_key *key,
+ struct sha512_ctx *hash,
+ mpz_t s)
+{
+ assert(key->size >= RSA_MINIMUM_N_OCTETS);
+
+ pkcs1_rsa_sha512_encode(s, key->size - 1, hash);
+
+ rsa_compute_root(key, s, s);
+}
+
+void
+rsa_sha512_sign_digest(const struct rsa_private_key *key,
+ const uint8_t *digest,
+ mpz_t s)
+{
+ assert(key->size >= RSA_MINIMUM_N_OCTETS);
+
+ pkcs1_rsa_sha512_encode_digest(s, key->size - 1, digest);
+
+ rsa_compute_root(key, s, s);
+}
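Review bot: rsa_sha512_sign and rsa_sha512_sign_digest return void, so the only reaction to a key shorter than RSA_MINIMUM_N_OCTETS is the `assert`. That aborts the process in a debug build and does nothing with NDEBUG, in which case `key->size - 1` goes down to the encoder unchecked. At minimum the precondition should be documented above each function, for example `/* key->size must be at least RSA_MINIMUM_N_OCTETS. */`. Separately, the result of `rsa_compute_root(key, s, s)` is handed back without being checked. If that routine uses CRT (not visible here), a faulty computation would produce a bad signature that can expose the private key, and the usual hardening is to check the signature against the public key before releasing it.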
diff --git a/rsa-sha512-verify.c b/rsa-sha512-verify.c
new file mode 100644
index 00000000..1ac24a12
--- /dev/null
+++ b/rsa-sha512-verify.c
@@ -0,0 +1,73 @@
+/* rsa-sha512-verify.c
+ *
+ * Verifying signatures created with RSA and SHA512.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2001, 2003, 2006, 2010 Niels Möller
+ *
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB. If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "pkcs1.h"
+
+int
+rsa_sha512_verify(const struct rsa_public_key *key,
+ struct sha512_ctx *hash,
+ const mpz_t s)
+{
+ int res;
+ mpz_t m;
+
+ assert(key->size >= RSA_MINIMUM_N_OCTETS);
+ mpz_init(m);
+
+ pkcs1_rsa_sha512_encode(m, key->size - 1, hash);
+ res = _rsa_verify(key, m, s);
+
+ mpz_clear(m);
+
+ return res;
+}
+
+int
+rsa_sha512_verify_digest(const struct rsa_public_key *key,
+ const uint8_t *digest,
+ const mpz_t s)
+{
+ int res;
+ mpz_t m;
+
+ assert(key->size >= RSA_MINIMUM_N_OCTETS);
+ mpz_init(m);
+
+ pkcs1_rsa_sha512_encode_digest(m, key->size - 1, digest);
+ res = _rsa_verify(key, m, s);
+
+ mpz_clear(m);
+
+ return res;
+}
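Review bot: The key-size check in rsa_sha512_verify and rsa_sha512_verify_digest is an `assert`, yet a public key on a verify path often comes from the other party. Unless the key set-up code (not visible here) already rejects keys below RSA_MINIMUM_N_OCTETS, an undersized key aborts the process in a debug build, and with NDEBUG it reaches the encoder with a too-small `key->size - 1`. Failing closed is safer: `if (key->size < RSA_MINIMUM_N_OCTETS) return 0;` placed before `mpz_init(m)`, assuming 0 is the "invalid" result that _rsa_verify also uses.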
diff --git a/rsa.h b/rsa.h
index dbdace22..9c29587b 100644
--- a/rsa.h
+++ b/rsa.h
@@ -52,12 +52,16 @@ extern "C" {
#define rsa_sha1_verify nettle_rsa_sha1_verify
#define rsa_sha256_sign nettle_rsa_sha256_sign
#define rsa_sha256_verify nettle_rsa_sha256_verify
+#define rsa_sha512_sign nettle_rsa_sha512_sign
+#define rsa_sha512_verify nettle_rsa_sha512_verify
#define rsa_md5_sign_digest nettle_rsa_md5_sign_digest
#define rsa_md5_verify_digest nettle_rsa_md5_verify_digest
#define rsa_sha1_sign_digest nettle_rsa_sha1_sign_digest
#define rsa_sha1_verify_digest nettle_rsa_sha1_verify_digest
#define rsa_sha256_sign_digest nettle_rsa_sha256_sign_digest
#define rsa_sha256_verify_digest nettle_rsa_sha256_verify_digest
+#define rsa_sha512_sign_digest nettle_rsa_sha512_sign_digest
+#define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest
#define rsa_encrypt nettle_rsa_encrypt
#define rsa_decrypt nettle_rsa_decrypt
#define rsa_compute_root nettle_rsa_compute_root
@@ -75,12 +79,13 @@ extern "C" {
/* For PKCS#1 to make sense, the size of the modulo, in octets, must
* be at least 11 + the length of the DER-encoded Digest Info.
*
- * And a DigestInfo is 34 octets for md5, 35 octets for sha1, and 51
- * octets for sha256. 62 octets is 496 bits, and as the upper 7 bits
- * may be zero, the smallest useful size of n is 489 bits. */
+ * And a DigestInfo is 34 octets for md5, 35 octets for sha1, 51
+ * octets for sha256, and 83 octetss for sha512. 94 octets is 752
+ * bits, and as the upper 7 bits may be zero, the smallest useful size
+ * of n is 745 bits. */
-#define RSA_MINIMUM_N_OCTETS 62
-#define RSA_MINIMUM_N_BITS 489
+#define RSA_MINIMUM_N_OCTETS 94
+#define RSA_MINIMUM_N_BITS (8*RSA_MINIMUM_N_OCTETS - 7)
struct rsa_public_key
{
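Review bot: The raised RSA_MINIMUM_N_OCTETS is shared by every digest, not just sha512. Any md5, sha1 or sha256 sign or verify function that asserts on it (the new sha512 ones do; the older ones presumably do as well) will stop accepting keys of 62 to 93 octets that worked before this hunk. That is a reasonable floor, but it is a behaviour change for existing callers and the comment should say so, for example `/* The minimum is sized for the largest DigestInfo (sha512) and applies to all digests. */`. The comment also has a typo, `octetss`.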
@@ -194,6 +199,16 @@ rsa_sha256_verify(const struct rsa_public_key *key,
struct sha256_ctx *hash,
const mpz_t signature);
+void
+rsa_sha512_sign(const struct rsa_private_key *key,
+ struct sha512_ctx *hash,
+ mpz_t signature);
+
+int
+rsa_sha512_verify(const struct rsa_public_key *key,
+ struct sha512_ctx *hash,
+ const mpz_t signature);
+
/* Variants taking the digest as argument. */
void
rsa_md5_sign_digest(const struct rsa_private_key *key,
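Review bot: The new prototypes carry no comment, and for rsa_sha512_verify the meaning of the `int` result is what a caller most needs to get right. A line such as `/* Returns 1 if the signature is valid, 0 otherwise. */` above it would do, once the convention is confirmed against _rsa_verify, which is not shown in this diff. The same applies to rsa_sha512_verify_digest in the next hunk. It would also help to state whether `hash` is still usable after the call, since the sha512 context is passed non-const.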
@@ -225,6 +240,16 @@ rsa_sha256_verify_digest(const struct rsa_public_key *key,
const uint8_t *digest,
const mpz_t signature);
+void
+rsa_sha512_sign_digest(const struct rsa_private_key *key,
+ const uint8_t *digest,
+ mpz_t s);
+
+int
+rsa_sha512_verify_digest(const struct rsa_public_key *key,
+ const uint8_t *digest,
+ const mpz_t signature);
+
/* RSA encryption, using PKCS#1 */
/* These functions uses the v1.5 padding. What should the v2 (OAEP)