X-Git-Url: https://bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Frsa%2Frsa_i32_pkcs1_vrfy.c;h=6ee7a198f221f5a18ae8ab51d9c238ee7660c3ee;hp=cc20ba8947f10eef93cbe7025029f54113784838;hb=28e4e120b84dacdf53963639f1a8a6fec2793662;hpb=6dd8c51ba7e8ca106ede7ff58b5c507042bbf6eb

diff --git a/src/rsa/rsa_i32_pkcs1_vrfy.c b/src/rsa/rsa_i32_pkcs1_vrfy.c
index cc20ba8..6ee7a19 100644
--- a/src/rsa/rsa_i32_pkcs1_vrfy.c
+++ b/src/rsa/rsa_i32_pkcs1_vrfy.c
@@ -30,97 +30,14 @@ br_rsa_i32_pkcs1_vrfy(const unsigned char *x, size_t xlen,
 	const unsigned char *hash_oid, size_t hash_len,
 	const br_rsa_public_key *pk, unsigned char *hash_out)
 {
-	static const unsigned char pad1[] = {
-		0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
-	};
-
 	unsigned char sig[BR_MAX_RSA_SIZE >> 3];
-	unsigned char pad2[43];
-	size_t u, x2, x3, pad_len, zlen;
 
-	if (xlen > (sizeof sig) || xlen < 11) {
+	if (xlen > (sizeof sig)) {
 		return 0;
 	}
 	memcpy(sig, x, xlen);
 	if (!br_rsa_i32_public(sig, xlen, pk)) {
 		return 0;
 	}
-
-	/*
-	 * Expected format:
-	 *  00 01 FF ... FF 00 30 x1 30 x2 06 x3 OID [ 05 00 ] 04 x4 HASH
-	 *
-	 * with the following rules:
-	 *
-	 *  -- Total length is that of the modulus and the signature
-	 *     (this was already verified by br_rsa_i32_public()).
-	 *
-	 *  -- There are at least eight bytes of value 0xFF.
-	 *
-	 *  -- x4 is equal to the hash length (hash_len).
-	 *
-	 *  -- x3 is equal to the encoded OID value length (so x3 is the
-	 *     first byte of hash_oid[]).
-	 *
-	 *  -- If the "05 00" is present, then x2 == x3 + 4; otherwise,
-	 *     x2 == x3 + 2.
-	 *
-	 *  -- x1 == x2 + x4 + 4.
-	 *
-	 * So the total length after the last "FF" is either x3 + x4 + 11
-	 * (with the "05 00") or x3 + x4 + 9 (without the "05 00").
-	 */
-
-	/*
-	 * Check the "00 01 FF .. FF 00" with at least eight 0xFF bytes.
-	 * The comparaison is valid because we made sure that the signature
-	 * is at least 11 bytes long.
-	 */
-	if (memcmp(sig, pad1, sizeof pad1) != 0) {
-		return 0;
-	}
-	for (u = sizeof pad1; u < xlen; u ++) {
-		if (sig[u] != 0xFF) {
-			break;
-		}
-	}
-
-	/*
-	 * Remaining length is xlen - u bytes (including the 00 just
-	 * after the last FF). This must be equal to one of the two
-	 * possible values (depending on whether the "05 00" sequence is
-	 * present or not).
-	 */
-	if (hash_oid == NULL) {
-		if (xlen - u != hash_len + 1 || sig[u] != 0x00) {
-			return 0;
-		}
-	} else {
-		x3 = hash_oid[0];
-		pad_len = x3 + 9;
-		memset(pad2, 0, pad_len);
-		zlen = xlen - u - hash_len;
-		if (zlen == pad_len) {
-			x2 = x3 + 2;
-		} else if (zlen == pad_len + 2) {
-			x2 = x3 + 4;
-			pad_len = zlen;
-			pad2[pad_len - 4] = 0x05;
-		} else {
-			return 0;
-		}
-		pad2[1] = 0x30;
-		pad2[2] = x2 + hash_len + 4;
-		pad2[3] = 0x30;
-		pad2[4] = x2;
-		pad2[5] = 0x06;
-		memcpy(pad2 + 6, hash_oid, x3 + 1);
-		pad2[pad_len - 2] = 0x04;
-		pad2[pad_len - 1] = hash_len;
-		if (memcmp(pad2, sig + u, pad_len) != 0) {
-			return 0;
-		}
-	}
-	memcpy(hash_out, sig + xlen - hash_len, hash_len);
-	return 1;
+	return br_rsa_pkcs1_sig_unpad(sig, xlen, hash_oid, hash_len, hash_out);
 }