Hannes Tschofenig
/
aes-gcm-test-program
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Embed:
(wiki syntax)
Show/hide line numbers
rsa.c
00001 /* 00002 * The RSA public-key cryptosystem 00003 * 00004 * Copyright (C) 2006-2014, Brainspark B.V. 00005 * 00006 * This file is part of PolarSSL (http://www.polarssl.org) 00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> 00008 * 00009 * All rights reserved. 00010 * 00011 * This program is free software; you can redistribute it and/or modify 00012 * it under the terms of the GNU General Public License as published by 00013 * the Free Software Foundation; either version 2 of the License, or 00014 * (at your option) any later version. 00015 * 00016 * This program is distributed in the hope that it will be useful, 00017 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00018 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00019 * GNU General Public License for more details. 00020 * 00021 * You should have received a copy of the GNU General Public License along 00022 * with this program; if not, write to the Free Software Foundation, Inc., 00023 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 00024 */ 00025 /* 00026 * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman. 00027 * 00028 * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf 00029 * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf 00030 */ 00031 00032 #if !defined(POLARSSL_CONFIG_FILE) 00033 #include "polarssl/config.h" 00034 #else 00035 #include POLARSSL_CONFIG_FILE 00036 #endif 00037 00038 #if defined(POLARSSL_RSA_C) 00039 00040 #include "polarssl/rsa.h" 00041 #include "polarssl/oid.h" 00042 00043 #if defined(POLARSSL_PKCS1_V21) 00044 #include "polarssl/md.h" 00045 #endif 00046 00047 #include <stdlib.h> 00048 #include <stdio.h> 00049 00050 #if defined(POLARSSL_PLATFORM_C) 00051 #include "polarssl/platform.h" 00052 #else 00053 #define polarssl_printf printf 00054 #endif 00055 00056 /* 00057 * Initialize an RSA context 00058 */ 00059 void rsa_init( rsa_context *ctx, 00060 int padding, 00061 int hash_id ) 00062 { 00063 memset( ctx, 0, sizeof( rsa_context ) ); 00064 00065 rsa_set_padding( ctx, padding, hash_id ); 00066 00067 #if defined(POLARSSL_THREADING_C) 00068 polarssl_mutex_init( &ctx->mutex ); 00069 #endif 00070 } 00071 00072 /* 00073 * Set padding for an existing RSA context 00074 */ 00075 void rsa_set_padding( rsa_context *ctx, int padding, int hash_id ) 00076 { 00077 ctx->padding = padding; 00078 ctx->hash_id = hash_id; 00079 } 00080 00081 #if defined(POLARSSL_GENPRIME) 00082 00083 /* 00084 * Generate an RSA keypair 00085 */ 00086 int rsa_gen_key( rsa_context *ctx, 00087 int (*f_rng)(void *, unsigned char *, size_t), 00088 void *p_rng, 00089 unsigned int nbits, int exponent ) 00090 { 00091 int ret; 00092 mpi P1, Q1, H, G; 00093 00094 if( f_rng == NULL || nbits < 128 || exponent < 3 ) 00095 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00096 00097 mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &H ); mpi_init( &G ); 00098 00099 /* 00100 * find primes P and Q with Q < P so that: 00101 * GCD( E, (P-1)*(Q-1) ) == 1 00102 */ 00103 MPI_CHK( mpi_lset( &ctx->E , exponent ) ); 00104 00105 do 00106 { 00107 MPI_CHK( mpi_gen_prime( &ctx->P , ( nbits + 1 ) >> 1, 0, 00108 f_rng, p_rng ) ); 00109 00110 MPI_CHK( mpi_gen_prime( &ctx->Q , ( nbits + 1 ) >> 1, 0, 00111 f_rng, p_rng ) ); 00112 00113 if( mpi_cmp_mpi( &ctx->P , &ctx->Q ) < 0 ) 00114 mpi_swap( &ctx->P , &ctx->Q ); 00115 00116 if( mpi_cmp_mpi( &ctx->P , &ctx->Q ) == 0 ) 00117 continue; 00118 00119 MPI_CHK( mpi_mul_mpi( &ctx->N , &ctx->P , &ctx->Q ) ); 00120 if( mpi_msb( &ctx->N ) != nbits ) 00121 continue; 00122 00123 MPI_CHK( mpi_sub_int( &P1, &ctx->P , 1 ) ); 00124 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q , 1 ) ); 00125 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) ); 00126 MPI_CHK( mpi_gcd( &G, &ctx->E , &H ) ); 00127 } 00128 while( mpi_cmp_int( &G, 1 ) != 0 ); 00129 00130 /* 00131 * D = E^-1 mod ((P-1)*(Q-1)) 00132 * DP = D mod (P - 1) 00133 * DQ = D mod (Q - 1) 00134 * QP = Q^-1 mod P 00135 */ 00136 MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E , &H ) ); 00137 MPI_CHK( mpi_mod_mpi( &ctx->DP , &ctx->D , &P1 ) ); 00138 MPI_CHK( mpi_mod_mpi( &ctx->DQ , &ctx->D , &Q1 ) ); 00139 MPI_CHK( mpi_inv_mod( &ctx->QP , &ctx->Q , &ctx->P ) ); 00140 00141 ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3; 00142 00143 cleanup: 00144 00145 mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G ); 00146 00147 if( ret != 0 ) 00148 { 00149 rsa_free( ctx ); 00150 return( POLARSSL_ERR_RSA_KEY_GEN_FAILED + ret ); 00151 } 00152 00153 return( 0 ); 00154 } 00155 00156 #endif /* POLARSSL_GENPRIME */ 00157 00158 /* 00159 * Check a public RSA key 00160 */ 00161 int rsa_check_pubkey( const rsa_context *ctx ) 00162 { 00163 if( !ctx->N .p || !ctx->E .p ) 00164 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); 00165 00166 if( ( ctx->N .p [0] & 1 ) == 0 || 00167 ( ctx->E .p [0] & 1 ) == 0 ) 00168 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); 00169 00170 if( mpi_msb( &ctx->N ) < 128 || 00171 mpi_msb( &ctx->N ) > POLARSSL_MPI_MAX_BITS ) 00172 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); 00173 00174 if( mpi_msb( &ctx->E ) < 2 || 00175 mpi_cmp_mpi( &ctx->E , &ctx->N ) >= 0 ) 00176 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); 00177 00178 return( 0 ); 00179 } 00180 00181 /* 00182 * Check a private RSA key 00183 */ 00184 int rsa_check_privkey( const rsa_context *ctx ) 00185 { 00186 int ret; 00187 mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP; 00188 00189 if( ( ret = rsa_check_pubkey( ctx ) ) != 0 ) 00190 return( ret ); 00191 00192 if( !ctx->P .p || !ctx->Q .p || !ctx->D .p ) 00193 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); 00194 00195 mpi_init( &PQ ); mpi_init( &DE ); mpi_init( &P1 ); mpi_init( &Q1 ); 00196 mpi_init( &H ); mpi_init( &I ); mpi_init( &G ); mpi_init( &G2 ); 00197 mpi_init( &L1 ); mpi_init( &L2 ); mpi_init( &DP ); mpi_init( &DQ ); 00198 mpi_init( &QP ); 00199 00200 MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P , &ctx->Q ) ); 00201 MPI_CHK( mpi_mul_mpi( &DE, &ctx->D , &ctx->E ) ); 00202 MPI_CHK( mpi_sub_int( &P1, &ctx->P , 1 ) ); 00203 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q , 1 ) ); 00204 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) ); 00205 MPI_CHK( mpi_gcd( &G, &ctx->E , &H ) ); 00206 00207 MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) ); 00208 MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) ); 00209 MPI_CHK( mpi_mod_mpi( &I, &DE, &L1 ) ); 00210 00211 MPI_CHK( mpi_mod_mpi( &DP, &ctx->D , &P1 ) ); 00212 MPI_CHK( mpi_mod_mpi( &DQ, &ctx->D , &Q1 ) ); 00213 MPI_CHK( mpi_inv_mod( &QP, &ctx->Q , &ctx->P ) ); 00214 /* 00215 * Check for a valid PKCS1v2 private key 00216 */ 00217 if( mpi_cmp_mpi( &PQ, &ctx->N ) != 0 || 00218 mpi_cmp_mpi( &DP, &ctx->DP ) != 0 || 00219 mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 || 00220 mpi_cmp_mpi( &QP, &ctx->QP ) != 0 || 00221 mpi_cmp_int( &L2, 0 ) != 0 || 00222 mpi_cmp_int( &I, 1 ) != 0 || 00223 mpi_cmp_int( &G, 1 ) != 0 ) 00224 { 00225 ret = POLARSSL_ERR_RSA_KEY_CHECK_FAILED; 00226 } 00227 00228 cleanup: 00229 mpi_free( &PQ ); mpi_free( &DE ); mpi_free( &P1 ); mpi_free( &Q1 ); 00230 mpi_free( &H ); mpi_free( &I ); mpi_free( &G ); mpi_free( &G2 ); 00231 mpi_free( &L1 ); mpi_free( &L2 ); mpi_free( &DP ); mpi_free( &DQ ); 00232 mpi_free( &QP ); 00233 00234 if( ret == POLARSSL_ERR_RSA_KEY_CHECK_FAILED ) 00235 return( ret ); 00236 00237 if( ret != 0 ) 00238 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED + ret ); 00239 00240 return( 0 ); 00241 } 00242 00243 /* 00244 * Do an RSA public key operation 00245 */ 00246 int rsa_public( rsa_context *ctx, 00247 const unsigned char *input, 00248 unsigned char *output ) 00249 { 00250 int ret; 00251 size_t olen; 00252 mpi T; 00253 00254 mpi_init( &T ); 00255 00256 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) ); 00257 00258 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 00259 { 00260 mpi_free( &T ); 00261 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00262 } 00263 00264 olen = ctx->len ; 00265 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E , &ctx->N , &ctx->RN ) ); 00266 MPI_CHK( mpi_write_binary( &T, output, olen ) ); 00267 00268 cleanup: 00269 00270 mpi_free( &T ); 00271 00272 if( ret != 0 ) 00273 return( POLARSSL_ERR_RSA_PUBLIC_FAILED + ret ); 00274 00275 return( 0 ); 00276 } 00277 00278 #if !defined(POLARSSL_RSA_NO_CRT) 00279 /* 00280 * Generate or update blinding values, see section 10 of: 00281 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA, 00282 * DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer 00283 * Berlin Heidelberg, 1996. p. 104-113. 00284 */ 00285 static int rsa_prepare_blinding( rsa_context *ctx, mpi *Vi, mpi *Vf, 00286 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 00287 { 00288 int ret, count = 0; 00289 00290 #if defined(POLARSSL_THREADING_C) 00291 polarssl_mutex_lock( &ctx->mutex ); 00292 #endif 00293 00294 if( ctx->Vf .p != NULL ) 00295 { 00296 /* We already have blinding values, just update them by squaring */ 00297 MPI_CHK( mpi_mul_mpi( &ctx->Vi , &ctx->Vi , &ctx->Vi ) ); 00298 MPI_CHK( mpi_mod_mpi( &ctx->Vi , &ctx->Vi , &ctx->N ) ); 00299 MPI_CHK( mpi_mul_mpi( &ctx->Vf , &ctx->Vf , &ctx->Vf ) ); 00300 MPI_CHK( mpi_mod_mpi( &ctx->Vf , &ctx->Vf , &ctx->N ) ); 00301 00302 goto done; 00303 } 00304 00305 /* Unblinding value: Vf = random number, invertible mod N */ 00306 do { 00307 if( count++ > 10 ) 00308 return( POLARSSL_ERR_RSA_RNG_FAILED ); 00309 00310 MPI_CHK( mpi_fill_random( &ctx->Vf , ctx->len - 1, f_rng, p_rng ) ); 00311 MPI_CHK( mpi_gcd( &ctx->Vi , &ctx->Vf , &ctx->N ) ); 00312 } while( mpi_cmp_int( &ctx->Vi , 1 ) != 0 ); 00313 00314 /* Blinding value: Vi = Vf^(-e) mod N */ 00315 MPI_CHK( mpi_inv_mod( &ctx->Vi , &ctx->Vf , &ctx->N ) ); 00316 MPI_CHK( mpi_exp_mod( &ctx->Vi , &ctx->Vi , &ctx->E , &ctx->N , &ctx->RN ) ); 00317 00318 done: 00319 if( Vi != &ctx->Vi ) 00320 { 00321 MPI_CHK( mpi_copy( Vi, &ctx->Vi ) ); 00322 MPI_CHK( mpi_copy( Vf, &ctx->Vf ) ); 00323 } 00324 00325 cleanup: 00326 #if defined(POLARSSL_THREADING_C) 00327 polarssl_mutex_unlock( &ctx->mutex ); 00328 #endif 00329 00330 return( ret ); 00331 } 00332 #endif /* !POLARSSL_RSA_NO_CRT */ 00333 00334 /* 00335 * Do an RSA private key operation 00336 */ 00337 int rsa_private( rsa_context *ctx, 00338 int (*f_rng)(void *, unsigned char *, size_t), 00339 void *p_rng, 00340 const unsigned char *input, 00341 unsigned char *output ) 00342 { 00343 int ret; 00344 size_t olen; 00345 mpi T, T1, T2; 00346 #if !defined(POLARSSL_RSA_NO_CRT) 00347 mpi *Vi, *Vf; 00348 00349 /* 00350 * When using the Chinese Remainder Theorem, we use blinding values. 00351 * Without threading, we just read them directly from the context, 00352 * otherwise we make a local copy in order to reduce locking contention. 00353 */ 00354 #if defined(POLARSSL_THREADING_C) 00355 mpi Vi_copy, Vf_copy; 00356 00357 mpi_init( &Vi_copy ); mpi_init( &Vf_copy ); 00358 Vi = &Vi_copy; 00359 Vf = &Vf_copy; 00360 #else 00361 Vi = &ctx->Vi ; 00362 Vf = &ctx->Vf ; 00363 #endif 00364 #endif /* !POLARSSL_RSA_NO_CRT */ 00365 00366 mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 ); 00367 00368 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) ); 00369 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 00370 { 00371 mpi_free( &T ); 00372 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00373 } 00374 00375 #if defined(POLARSSL_RSA_NO_CRT) 00376 ((void) f_rng); 00377 ((void) p_rng); 00378 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D , &ctx->N , &ctx->RN ) ); 00379 #else 00380 if( f_rng != NULL ) 00381 { 00382 /* 00383 * Blinding 00384 * T = T * Vi mod N 00385 */ 00386 MPI_CHK( rsa_prepare_blinding( ctx, Vi, Vf, f_rng, p_rng ) ); 00387 MPI_CHK( mpi_mul_mpi( &T, &T, Vi ) ); 00388 MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) ); 00389 } 00390 00391 /* 00392 * faster decryption using the CRT 00393 * 00394 * T1 = input ^ dP mod P 00395 * T2 = input ^ dQ mod Q 00396 */ 00397 MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP , &ctx->P , &ctx->RP ) ); 00398 MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ , &ctx->Q , &ctx->RQ ) ); 00399 00400 /* 00401 * T = (T1 - T2) * (Q^-1 mod P) mod P 00402 */ 00403 MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) ); 00404 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) ); 00405 MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) ); 00406 00407 /* 00408 * T = T2 + T * Q 00409 */ 00410 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) ); 00411 MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) ); 00412 00413 if( f_rng != NULL ) 00414 { 00415 /* 00416 * Unblind 00417 * T = T * Vf mod N 00418 */ 00419 MPI_CHK( mpi_mul_mpi( &T, &T, Vf ) ); 00420 MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) ); 00421 } 00422 #endif /* POLARSSL_RSA_NO_CRT */ 00423 00424 olen = ctx->len ; 00425 MPI_CHK( mpi_write_binary( &T, output, olen ) ); 00426 00427 cleanup: 00428 mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 ); 00429 #if !defined(POLARSSL_RSA_NO_CRT) && defined(POLARSSL_THREADING_C) 00430 mpi_free( &Vi_copy ); mpi_free( &Vf_copy ); 00431 #endif 00432 00433 if( ret != 0 ) 00434 return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret ); 00435 00436 return( 0 ); 00437 } 00438 00439 #if defined(POLARSSL_PKCS1_V21) 00440 /** 00441 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer. 00442 * 00443 * \param dst buffer to mask 00444 * \param dlen length of destination buffer 00445 * \param src source of the mask generation 00446 * \param slen length of the source buffer 00447 * \param md_ctx message digest context to use 00448 */ 00449 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, 00450 size_t slen, md_context_t *md_ctx ) 00451 { 00452 unsigned char mask[POLARSSL_MD_MAX_SIZE]; 00453 unsigned char counter[4]; 00454 unsigned char *p; 00455 unsigned int hlen; 00456 size_t i, use_len; 00457 00458 memset( mask, 0, POLARSSL_MD_MAX_SIZE ); 00459 memset( counter, 0, 4 ); 00460 00461 hlen = md_ctx->md_info->size; 00462 00463 // Generate and apply dbMask 00464 // 00465 p = dst; 00466 00467 while( dlen > 0 ) 00468 { 00469 use_len = hlen; 00470 if( dlen < hlen ) 00471 use_len = dlen; 00472 00473 md_starts( md_ctx ); 00474 md_update( md_ctx, src, slen ); 00475 md_update( md_ctx, counter, 4 ); 00476 md_finish( md_ctx, mask ); 00477 00478 for( i = 0; i < use_len; ++i ) 00479 *p++ ^= mask[i]; 00480 00481 counter[3]++; 00482 00483 dlen -= use_len; 00484 } 00485 } 00486 #endif /* POLARSSL_PKCS1_V21 */ 00487 00488 #if defined(POLARSSL_PKCS1_V21) 00489 /* 00490 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function 00491 */ 00492 int rsa_rsaes_oaep_encrypt( rsa_context *ctx, 00493 int (*f_rng)(void *, unsigned char *, size_t), 00494 void *p_rng, 00495 int mode, 00496 const unsigned char *label, size_t label_len, 00497 size_t ilen, 00498 const unsigned char *input, 00499 unsigned char *output ) 00500 { 00501 size_t olen; 00502 int ret; 00503 unsigned char *p = output; 00504 unsigned int hlen; 00505 const md_info_t *md_info; 00506 md_context_t md_ctx; 00507 00508 if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL ) 00509 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00510 00511 md_info = md_info_from_type( ctx->hash_id ); 00512 if( md_info == NULL ) 00513 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00514 00515 olen = ctx->len ; 00516 hlen = md_get_size( md_info ); 00517 00518 if( olen < ilen + 2 * hlen + 2 || f_rng == NULL ) 00519 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00520 00521 memset( output, 0, olen ); 00522 00523 *p++ = 0; 00524 00525 // Generate a random octet string seed 00526 // 00527 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 ) 00528 return( POLARSSL_ERR_RSA_RNG_FAILED + ret ); 00529 00530 p += hlen; 00531 00532 // Construct DB 00533 // 00534 md( md_info, label, label_len, p ); 00535 p += hlen; 00536 p += olen - 2 * hlen - 2 - ilen; 00537 *p++ = 1; 00538 memcpy( p, input, ilen ); 00539 00540 md_init_ctx( &md_ctx, md_info ); 00541 00542 // maskedDB: Apply dbMask to DB 00543 // 00544 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, 00545 &md_ctx ); 00546 00547 // maskedSeed: Apply seedMask to seed 00548 // 00549 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, 00550 &md_ctx ); 00551 00552 md_free_ctx( &md_ctx ); 00553 00554 return( ( mode == RSA_PUBLIC ) 00555 ? rsa_public( ctx, output, output ) 00556 : rsa_private( ctx, f_rng, p_rng, output, output ) ); 00557 } 00558 #endif /* POLARSSL_PKCS1_V21 */ 00559 00560 #if defined(POLARSSL_PKCS1_V15) 00561 /* 00562 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function 00563 */ 00564 int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx, 00565 int (*f_rng)(void *, unsigned char *, size_t), 00566 void *p_rng, 00567 int mode, size_t ilen, 00568 const unsigned char *input, 00569 unsigned char *output ) 00570 { 00571 size_t nb_pad, olen; 00572 int ret; 00573 unsigned char *p = output; 00574 00575 if( ctx->padding != RSA_PKCS_V15 || f_rng == NULL ) 00576 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00577 00578 olen = ctx->len ; 00579 00580 if( olen < ilen + 11 ) 00581 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00582 00583 nb_pad = olen - 3 - ilen; 00584 00585 *p++ = 0; 00586 if( mode == RSA_PUBLIC ) 00587 { 00588 *p++ = RSA_CRYPT; 00589 00590 while( nb_pad-- > 0 ) 00591 { 00592 int rng_dl = 100; 00593 00594 do { 00595 ret = f_rng( p_rng, p, 1 ); 00596 } while( *p == 0 && --rng_dl && ret == 0 ); 00597 00598 // Check if RNG failed to generate data 00599 // 00600 if( rng_dl == 0 || ret != 0) 00601 return POLARSSL_ERR_RSA_RNG_FAILED + ret; 00602 00603 p++; 00604 } 00605 } 00606 else 00607 { 00608 *p++ = RSA_SIGN; 00609 00610 while( nb_pad-- > 0 ) 00611 *p++ = 0xFF; 00612 } 00613 00614 *p++ = 0; 00615 memcpy( p, input, ilen ); 00616 00617 return( ( mode == RSA_PUBLIC ) 00618 ? rsa_public( ctx, output, output ) 00619 : rsa_private( ctx, f_rng, p_rng, output, output ) ); 00620 } 00621 #endif /* POLARSSL_PKCS1_V15 */ 00622 00623 /* 00624 * Add the message padding, then do an RSA operation 00625 */ 00626 int rsa_pkcs1_encrypt( rsa_context *ctx, 00627 int (*f_rng)(void *, unsigned char *, size_t), 00628 void *p_rng, 00629 int mode, size_t ilen, 00630 const unsigned char *input, 00631 unsigned char *output ) 00632 { 00633 switch( ctx->padding ) 00634 { 00635 #if defined(POLARSSL_PKCS1_V15) 00636 case RSA_PKCS_V15: 00637 return rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen, 00638 input, output ); 00639 #endif 00640 00641 #if defined(POLARSSL_PKCS1_V21) 00642 case RSA_PKCS_V21: 00643 return rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0, 00644 ilen, input, output ); 00645 #endif 00646 00647 default: 00648 return( POLARSSL_ERR_RSA_INVALID_PADDING ); 00649 } 00650 } 00651 00652 #if defined(POLARSSL_PKCS1_V21) 00653 /* 00654 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function 00655 */ 00656 int rsa_rsaes_oaep_decrypt( rsa_context *ctx, 00657 int (*f_rng)(void *, unsigned char *, size_t), 00658 void *p_rng, 00659 int mode, 00660 const unsigned char *label, size_t label_len, 00661 size_t *olen, 00662 const unsigned char *input, 00663 unsigned char *output, 00664 size_t output_max_len ) 00665 { 00666 int ret; 00667 size_t ilen, i, pad_len; 00668 unsigned char *p, bad, pad_done; 00669 unsigned char buf[POLARSSL_MPI_MAX_SIZE]; 00670 unsigned char lhash[POLARSSL_MD_MAX_SIZE]; 00671 unsigned int hlen; 00672 const md_info_t *md_info; 00673 md_context_t md_ctx; 00674 00675 /* 00676 * Parameters sanity checks 00677 */ 00678 if( ctx->padding != RSA_PKCS_V21 ) 00679 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00680 00681 ilen = ctx->len ; 00682 00683 if( ilen < 16 || ilen > sizeof( buf ) ) 00684 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00685 00686 md_info = md_info_from_type( ctx->hash_id ); 00687 if( md_info == NULL ) 00688 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00689 00690 /* 00691 * RSA operation 00692 */ 00693 ret = ( mode == RSA_PUBLIC ) 00694 ? rsa_public( ctx, input, buf ) 00695 : rsa_private( ctx, f_rng, p_rng, input, buf ); 00696 00697 if( ret != 0 ) 00698 return( ret ); 00699 00700 /* 00701 * Unmask data and generate lHash 00702 */ 00703 hlen = md_get_size( md_info ); 00704 00705 md_init_ctx( &md_ctx, md_info ); 00706 00707 /* Generate lHash */ 00708 md( md_info, label, label_len, lhash ); 00709 00710 /* seed: Apply seedMask to maskedSeed */ 00711 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, 00712 &md_ctx ); 00713 00714 /* DB: Apply dbMask to maskedDB */ 00715 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, 00716 &md_ctx ); 00717 00718 md_free_ctx( &md_ctx ); 00719 00720 /* 00721 * Check contents, in "constant-time" 00722 */ 00723 p = buf; 00724 bad = 0; 00725 00726 bad |= *p++; /* First byte must be 0 */ 00727 00728 p += hlen; /* Skip seed */ 00729 00730 /* Check lHash */ 00731 for( i = 0; i < hlen; i++ ) 00732 bad |= lhash[i] ^ *p++; 00733 00734 /* Get zero-padding len, but always read till end of buffer 00735 * (minus one, for the 01 byte) */ 00736 pad_len = 0; 00737 pad_done = 0; 00738 for( i = 0; i < ilen - 2 * hlen - 2; i++ ) 00739 { 00740 pad_done |= p[i]; 00741 pad_len += ( pad_done == 0 ); 00742 } 00743 00744 p += pad_len; 00745 bad |= *p++ ^ 0x01; 00746 00747 /* 00748 * The only information "leaked" is whether the padding was correct or not 00749 * (eg, no data is copied if it was not correct). This meets the 00750 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between 00751 * the different error conditions. 00752 */ 00753 if( bad != 0 ) 00754 return( POLARSSL_ERR_RSA_INVALID_PADDING ); 00755 00756 if (ilen - (p - buf) > output_max_len) 00757 return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE ); 00758 00759 *olen = ilen - (p - buf); 00760 memcpy( output, p, *olen ); 00761 00762 return( 0 ); 00763 } 00764 #endif /* POLARSSL_PKCS1_V21 */ 00765 00766 #if defined(POLARSSL_PKCS1_V15) 00767 /* 00768 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function 00769 */ 00770 int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx, 00771 int (*f_rng)(void *, unsigned char *, size_t), 00772 void *p_rng, 00773 int mode, size_t *olen, 00774 const unsigned char *input, 00775 unsigned char *output, 00776 size_t output_max_len) 00777 { 00778 int ret; 00779 size_t ilen, pad_count = 0, i; 00780 unsigned char *p, bad, pad_done = 0; 00781 unsigned char buf[POLARSSL_MPI_MAX_SIZE]; 00782 00783 if( ctx->padding != RSA_PKCS_V15 ) 00784 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00785 00786 ilen = ctx->len ; 00787 00788 if( ilen < 16 || ilen > sizeof( buf ) ) 00789 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00790 00791 ret = ( mode == RSA_PUBLIC ) 00792 ? rsa_public( ctx, input, buf ) 00793 : rsa_private( ctx, f_rng, p_rng, input, buf ); 00794 00795 if( ret != 0 ) 00796 return( ret ); 00797 00798 p = buf; 00799 bad = 0; 00800 00801 /* 00802 * Check and get padding len in "constant-time" 00803 */ 00804 bad |= *p++; /* First byte must be 0 */ 00805 00806 /* This test does not depend on secret data */ 00807 if( mode == RSA_PRIVATE ) 00808 { 00809 bad |= *p++ ^ RSA_CRYPT; 00810 00811 /* Get padding len, but always read till end of buffer 00812 * (minus one, for the 00 byte) */ 00813 for( i = 0; i < ilen - 3; i++ ) 00814 { 00815 pad_done |= ( p[i] == 0 ); 00816 pad_count += ( pad_done == 0 ); 00817 } 00818 00819 p += pad_count; 00820 bad |= *p++; /* Must be zero */ 00821 } 00822 else 00823 { 00824 bad |= *p++ ^ RSA_SIGN; 00825 00826 /* Get padding len, but always read till end of buffer 00827 * (minus one, for the 00 byte) */ 00828 for( i = 0; i < ilen - 3; i++ ) 00829 { 00830 pad_done |= ( p[i] != 0xFF ); 00831 pad_count += ( pad_done == 0 ); 00832 } 00833 00834 p += pad_count; 00835 bad |= *p++; /* Must be zero */ 00836 } 00837 00838 if( bad ) 00839 return( POLARSSL_ERR_RSA_INVALID_PADDING ); 00840 00841 if (ilen - (p - buf) > output_max_len) 00842 return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE ); 00843 00844 *olen = ilen - (p - buf); 00845 memcpy( output, p, *olen ); 00846 00847 return( 0 ); 00848 } 00849 #endif /* POLARSSL_PKCS1_V15 */ 00850 00851 /* 00852 * Do an RSA operation, then remove the message padding 00853 */ 00854 int rsa_pkcs1_decrypt( rsa_context *ctx, 00855 int (*f_rng)(void *, unsigned char *, size_t), 00856 void *p_rng, 00857 int mode, size_t *olen, 00858 const unsigned char *input, 00859 unsigned char *output, 00860 size_t output_max_len) 00861 { 00862 switch( ctx->padding ) 00863 { 00864 #if defined(POLARSSL_PKCS1_V15) 00865 case RSA_PKCS_V15: 00866 return rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen, 00867 input, output, output_max_len ); 00868 #endif 00869 00870 #if defined(POLARSSL_PKCS1_V21) 00871 case RSA_PKCS_V21: 00872 return rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0, 00873 olen, input, output, 00874 output_max_len ); 00875 #endif 00876 00877 default: 00878 return( POLARSSL_ERR_RSA_INVALID_PADDING ); 00879 } 00880 } 00881 00882 #if defined(POLARSSL_PKCS1_V21) 00883 /* 00884 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function 00885 */ 00886 int rsa_rsassa_pss_sign( rsa_context *ctx, 00887 int (*f_rng)(void *, unsigned char *, size_t), 00888 void *p_rng, 00889 int mode, 00890 md_type_t md_alg, 00891 unsigned int hashlen, 00892 const unsigned char *hash, 00893 unsigned char *sig ) 00894 { 00895 size_t olen; 00896 unsigned char *p = sig; 00897 unsigned char salt[POLARSSL_MD_MAX_SIZE]; 00898 unsigned int slen, hlen, offset = 0; 00899 int ret; 00900 size_t msb; 00901 const md_info_t *md_info; 00902 md_context_t md_ctx; 00903 00904 if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL ) 00905 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00906 00907 olen = ctx->len ; 00908 00909 if( md_alg != POLARSSL_MD_NONE ) 00910 { 00911 // Gather length of hash to sign 00912 // 00913 md_info = md_info_from_type( md_alg ); 00914 if( md_info == NULL ) 00915 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00916 00917 hashlen = md_get_size( md_info ); 00918 } 00919 00920 md_info = md_info_from_type( ctx->hash_id ); 00921 if( md_info == NULL ) 00922 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00923 00924 hlen = md_get_size( md_info ); 00925 slen = hlen; 00926 00927 if( olen < hlen + slen + 2 ) 00928 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 00929 00930 memset( sig, 0, olen ); 00931 00932 // Generate salt of length slen 00933 // 00934 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 ) 00935 return( POLARSSL_ERR_RSA_RNG_FAILED + ret ); 00936 00937 // Note: EMSA-PSS encoding is over the length of N - 1 bits 00938 // 00939 msb = mpi_msb( &ctx->N ) - 1; 00940 p += olen - hlen * 2 - 2; 00941 *p++ = 0x01; 00942 memcpy( p, salt, slen ); 00943 p += slen; 00944 00945 md_init_ctx( &md_ctx, md_info ); 00946 00947 // Generate H = Hash( M' ) 00948 // 00949 md_starts( &md_ctx ); 00950 md_update( &md_ctx, p, 8 ); 00951 md_update( &md_ctx, hash, hashlen ); 00952 md_update( &md_ctx, salt, slen ); 00953 md_finish( &md_ctx, p ); 00954 00955 // Compensate for boundary condition when applying mask 00956 // 00957 if( msb % 8 == 0 ) 00958 offset = 1; 00959 00960 // maskedDB: Apply dbMask to DB 00961 // 00962 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx ); 00963 00964 md_free_ctx( &md_ctx ); 00965 00966 msb = mpi_msb( &ctx->N ) - 1; 00967 sig[0] &= 0xFF >> ( olen * 8 - msb ); 00968 00969 p += hlen; 00970 *p++ = 0xBC; 00971 00972 return( ( mode == RSA_PUBLIC ) 00973 ? rsa_public( ctx, sig, sig ) 00974 : rsa_private( ctx, f_rng, p_rng, sig, sig ) ); 00975 } 00976 #endif /* POLARSSL_PKCS1_V21 */ 00977 00978 #if defined(POLARSSL_PKCS1_V15) 00979 /* 00980 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function 00981 */ 00982 /* 00983 * Do an RSA operation to sign the message digest 00984 */ 00985 int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx, 00986 int (*f_rng)(void *, unsigned char *, size_t), 00987 void *p_rng, 00988 int mode, 00989 md_type_t md_alg, 00990 unsigned int hashlen, 00991 const unsigned char *hash, 00992 unsigned char *sig ) 00993 { 00994 size_t nb_pad, olen, oid_size = 0; 00995 unsigned char *p = sig; 00996 const char *oid; 00997 00998 if( ctx->padding != RSA_PKCS_V15 ) 00999 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 01000 01001 olen = ctx->len ; 01002 nb_pad = olen - 3; 01003 01004 if( md_alg != POLARSSL_MD_NONE ) 01005 { 01006 const md_info_t *md_info = md_info_from_type( md_alg ); 01007 if( md_info == NULL ) 01008 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 01009 01010 if( oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) 01011 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 01012 01013 nb_pad -= 10 + oid_size; 01014 01015 hashlen = md_get_size( md_info ); 01016 } 01017 01018 nb_pad -= hashlen; 01019 01020 if( ( nb_pad < 8 ) || ( nb_pad > olen ) ) 01021 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 01022 01023 *p++ = 0; 01024 *p++ = RSA_SIGN; 01025 memset( p, 0xFF, nb_pad ); 01026 p += nb_pad; 01027 *p++ = 0; 01028 01029 if( md_alg == POLARSSL_MD_NONE ) 01030 { 01031 memcpy( p, hash, hashlen ); 01032 } 01033 else 01034 { 01035 /* 01036 * DigestInfo ::= SEQUENCE { 01037 * digestAlgorithm DigestAlgorithmIdentifier, 01038 * digest Digest } 01039 * 01040 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier 01041 * 01042 * Digest ::= OCTET STRING 01043 */ 01044 *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED; 01045 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen ); 01046 *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED; 01047 *p++ = (unsigned char) ( 0x04 + oid_size ); 01048 *p++ = ASN1_OID; 01049 *p++ = oid_size & 0xFF; 01050 memcpy( p, oid, oid_size ); 01051 p += oid_size; 01052 *p++ = ASN1_NULL; 01053 *p++ = 0x00; 01054 *p++ = ASN1_OCTET_STRING; 01055 *p++ = hashlen; 01056 memcpy( p, hash, hashlen ); 01057 } 01058 01059 return( ( mode == RSA_PUBLIC ) 01060 ? rsa_public( ctx, sig, sig ) 01061 : rsa_private( ctx, f_rng, p_rng, sig, sig ) ); 01062 } 01063 #endif /* POLARSSL_PKCS1_V15 */ 01064 01065 /* 01066 * Do an RSA operation to sign the message digest 01067 */ 01068 int rsa_pkcs1_sign( rsa_context *ctx, 01069 int (*f_rng)(void *, unsigned char *, size_t), 01070 void *p_rng, 01071 int mode, 01072 md_type_t md_alg, 01073 unsigned int hashlen, 01074 const unsigned char *hash, 01075 unsigned char *sig ) 01076 { 01077 switch( ctx->padding ) 01078 { 01079 #if defined(POLARSSL_PKCS1_V15) 01080 case RSA_PKCS_V15: 01081 return rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg, 01082 hashlen, hash, sig ); 01083 #endif 01084 01085 #if defined(POLARSSL_PKCS1_V21) 01086 case RSA_PKCS_V21: 01087 return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg, 01088 hashlen, hash, sig ); 01089 #endif 01090 01091 default: 01092 return( POLARSSL_ERR_RSA_INVALID_PADDING ); 01093 } 01094 } 01095 01096 #if defined(POLARSSL_PKCS1_V21) 01097 /* 01098 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function 01099 */ 01100 int rsa_rsassa_pss_verify( rsa_context *ctx, 01101 int (*f_rng)(void *, unsigned char *, size_t), 01102 void *p_rng, 01103 int mode, 01104 md_type_t md_alg, 01105 unsigned int hashlen, 01106 const unsigned char *hash, 01107 const unsigned char *sig ) 01108 { 01109 int ret; 01110 size_t siglen; 01111 unsigned char *p; 01112 unsigned char buf[POLARSSL_MPI_MAX_SIZE]; 01113 unsigned char result[POLARSSL_MD_MAX_SIZE]; 01114 unsigned char zeros[8]; 01115 unsigned int hlen; 01116 size_t slen, msb; 01117 const md_info_t *md_info; 01118 md_context_t md_ctx; 01119 01120 if( ctx->padding != RSA_PKCS_V21 ) 01121 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 01122 01123 siglen = ctx->len ; 01124 01125 if( siglen < 16 || siglen > sizeof( buf ) ) 01126 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 01127 01128 ret = ( mode == RSA_PUBLIC ) 01129 ? rsa_public( ctx, sig, buf ) 01130 : rsa_private( ctx, f_rng, p_rng, sig, buf ); 01131 01132 if( ret != 0 ) 01133 return( ret ); 01134 01135 p = buf; 01136 01137 if( buf[siglen - 1] != 0xBC ) 01138 return( POLARSSL_ERR_RSA_INVALID_PADDING ); 01139 01140 if( md_alg != POLARSSL_MD_NONE ) 01141 { 01142 // Gather length of hash to sign 01143 // 01144 md_info = md_info_from_type( md_alg ); 01145 if( md_info == NULL ) 01146 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 01147 01148 hashlen = md_get_size( md_info ); 01149 } 01150 01151 md_info = md_info_from_type( ctx->hash_id ); 01152 if( md_info == NULL ) 01153 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 01154 01155 hlen = md_get_size( md_info ); 01156 slen = siglen - hlen - 1; 01157 01158 memset( zeros, 0, 8 ); 01159 01160 // Note: EMSA-PSS verification is over the length of N - 1 bits 01161 // 01162 msb = mpi_msb( &ctx->N ) - 1; 01163 01164 // Compensate for boundary condition when applying mask 01165 // 01166 if( msb % 8 == 0 ) 01167 { 01168 p++; 01169 siglen -= 1; 01170 } 01171 if( buf[0] >> ( 8 - siglen * 8 + msb ) ) 01172 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 01173 01174 md_init_ctx( &md_ctx, md_info ); 01175 01176 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx ); 01177 01178 buf[0] &= 0xFF >> ( siglen * 8 - msb ); 01179 01180 while( p < buf + siglen && *p == 0 ) 01181 p++; 01182 01183 if( p == buf + siglen || 01184 *p++ != 0x01 ) 01185 { 01186 md_free_ctx( &md_ctx ); 01187 return( POLARSSL_ERR_RSA_INVALID_PADDING ); 01188 } 01189 01190 slen -= p - buf; 01191 01192 // Generate H = Hash( M' ) 01193 // 01194 md_starts( &md_ctx ); 01195 md_update( &md_ctx, zeros, 8 ); 01196 md_update( &md_ctx, hash, hashlen ); 01197 md_update( &md_ctx, p, slen ); 01198 md_finish( &md_ctx, result ); 01199 01200 md_free_ctx( &md_ctx ); 01201 01202 if( memcmp( p + slen, result, hlen ) == 0 ) 01203 return( 0 ); 01204 else 01205 return( POLARSSL_ERR_RSA_VERIFY_FAILED ); 01206 } 01207 #endif /* POLARSSL_PKCS1_V21 */ 01208 01209 #if defined(POLARSSL_PKCS1_V15) 01210 /* 01211 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function 01212 */ 01213 int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx, 01214 int (*f_rng)(void *, unsigned char *, size_t), 01215 void *p_rng, 01216 int mode, 01217 md_type_t md_alg, 01218 unsigned int hashlen, 01219 const unsigned char *hash, 01220 const unsigned char *sig ) 01221 { 01222 int ret; 01223 size_t len, siglen, asn1_len; 01224 unsigned char *p, *end; 01225 unsigned char buf[POLARSSL_MPI_MAX_SIZE]; 01226 md_type_t msg_md_alg; 01227 const md_info_t *md_info; 01228 asn1_buf oid; 01229 01230 if( ctx->padding != RSA_PKCS_V15 ) 01231 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 01232 01233 siglen = ctx->len ; 01234 01235 if( siglen < 16 || siglen > sizeof( buf ) ) 01236 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 01237 01238 ret = ( mode == RSA_PUBLIC ) 01239 ? rsa_public( ctx, sig, buf ) 01240 : rsa_private( ctx, f_rng, p_rng, sig, buf ); 01241 01242 if( ret != 0 ) 01243 return( ret ); 01244 01245 p = buf; 01246 01247 if( *p++ != 0 || *p++ != RSA_SIGN ) 01248 return( POLARSSL_ERR_RSA_INVALID_PADDING ); 01249 01250 while( *p != 0 ) 01251 { 01252 if( p >= buf + siglen - 1 || *p != 0xFF ) 01253 return( POLARSSL_ERR_RSA_INVALID_PADDING ); 01254 p++; 01255 } 01256 p++; 01257 01258 len = siglen - ( p - buf ); 01259 01260 if( len == hashlen && md_alg == POLARSSL_MD_NONE ) 01261 { 01262 if( memcmp( p, hash, hashlen ) == 0 ) 01263 return( 0 ); 01264 else 01265 return( POLARSSL_ERR_RSA_VERIFY_FAILED ); 01266 } 01267 01268 md_info = md_info_from_type( md_alg ); 01269 if( md_info == NULL ) 01270 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); 01271 hashlen = md_get_size( md_info ); 01272 01273 end = p + len; 01274 01275 // Parse the ASN.1 structure inside the PKCS#1 v1.5 structure 01276 // 01277 if( ( ret = asn1_get_tag( &p, end, &asn1_len, 01278 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) 01279 return( POLARSSL_ERR_RSA_VERIFY_FAILED ); 01280 01281 if( asn1_len + 2 != len ) 01282 return( POLARSSL_ERR_RSA_VERIFY_FAILED ); 01283 01284 if( ( ret = asn1_get_tag( &p, end, &asn1_len, 01285 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) 01286 return( POLARSSL_ERR_RSA_VERIFY_FAILED ); 01287 01288 if( asn1_len + 6 + hashlen != len ) 01289 return( POLARSSL_ERR_RSA_VERIFY_FAILED ); 01290 01291 if( ( ret = asn1_get_tag( &p, end, &oid.len, ASN1_OID ) ) != 0 ) 01292 return( POLARSSL_ERR_RSA_VERIFY_FAILED ); 01293 01294 oid.p = p; 01295 p += oid.len; 01296 01297 if( oid_get_md_alg( &oid, &msg_md_alg ) != 0 ) 01298 return( POLARSSL_ERR_RSA_VERIFY_FAILED ); 01299 01300 if( md_alg != msg_md_alg ) 01301 return( POLARSSL_ERR_RSA_VERIFY_FAILED ); 01302 01303 /* 01304 * assume the algorithm parameters must be NULL 01305 */ 01306 if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_NULL ) ) != 0 ) 01307 return( POLARSSL_ERR_RSA_VERIFY_FAILED ); 01308 01309 if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_OCTET_STRING ) ) != 0 ) 01310 return( POLARSSL_ERR_RSA_VERIFY_FAILED ); 01311 01312 if( asn1_len != hashlen ) 01313 return( POLARSSL_ERR_RSA_VERIFY_FAILED ); 01314 01315 if( memcmp( p, hash, hashlen ) != 0 ) 01316 return( POLARSSL_ERR_RSA_VERIFY_FAILED ); 01317 01318 p += hashlen; 01319 01320 if( p != end ) 01321 return( POLARSSL_ERR_RSA_VERIFY_FAILED ); 01322 01323 return( 0 ); 01324 } 01325 #endif /* POLARSSL_PKCS1_V15 */ 01326 01327 /* 01328 * Do an RSA operation and check the message digest 01329 */ 01330 int rsa_pkcs1_verify( rsa_context *ctx, 01331 int (*f_rng)(void *, unsigned char *, size_t), 01332 void *p_rng, 01333 int mode, 01334 md_type_t md_alg, 01335 unsigned int hashlen, 01336 const unsigned char *hash, 01337 const unsigned char *sig ) 01338 { 01339 switch( ctx->padding ) 01340 { 01341 #if defined(POLARSSL_PKCS1_V15) 01342 case RSA_PKCS_V15: 01343 return rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg, 01344 hashlen, hash, sig ); 01345 #endif 01346 01347 #if defined(POLARSSL_PKCS1_V21) 01348 case RSA_PKCS_V21: 01349 return rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg, 01350 hashlen, hash, sig ); 01351 #endif 01352 01353 default: 01354 return( POLARSSL_ERR_RSA_INVALID_PADDING ); 01355 } 01356 } 01357 01358 /* 01359 * Copy the components of an RSA key 01360 */ 01361 int rsa_copy( rsa_context *dst, const rsa_context *src ) 01362 { 01363 int ret; 01364 01365 dst->ver = src->ver ; 01366 dst->len = src->len ; 01367 01368 MPI_CHK( mpi_copy( &dst->N , &src->N ) ); 01369 MPI_CHK( mpi_copy( &dst->E , &src->E ) ); 01370 01371 MPI_CHK( mpi_copy( &dst->D , &src->D ) ); 01372 MPI_CHK( mpi_copy( &dst->P , &src->P ) ); 01373 MPI_CHK( mpi_copy( &dst->Q , &src->Q ) ); 01374 MPI_CHK( mpi_copy( &dst->DP , &src->DP ) ); 01375 MPI_CHK( mpi_copy( &dst->DQ , &src->DQ ) ); 01376 MPI_CHK( mpi_copy( &dst->QP , &src->QP ) ); 01377 01378 MPI_CHK( mpi_copy( &dst->RN , &src->RN ) ); 01379 MPI_CHK( mpi_copy( &dst->RP , &src->RP ) ); 01380 MPI_CHK( mpi_copy( &dst->RQ , &src->RQ ) ); 01381 01382 #if !defined(POLARSSL_RSA_NO_CRT) 01383 MPI_CHK( mpi_copy( &dst->Vi , &src->Vi ) ); 01384 MPI_CHK( mpi_copy( &dst->Vf , &src->Vf ) ); 01385 #endif 01386 01387 dst->padding = src->padding ; 01388 dst->hash_id = src->hash_id ; 01389 01390 cleanup: 01391 if( ret != 0 ) 01392 rsa_free( dst ); 01393 01394 return( ret ); 01395 } 01396 01397 /* 01398 * Free the components of an RSA key 01399 */ 01400 void rsa_free( rsa_context *ctx ) 01401 { 01402 #if !defined(POLARSSL_RSA_NO_CRT) 01403 mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf ); 01404 #endif 01405 mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN ); 01406 mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP ); 01407 mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D ); 01408 mpi_free( &ctx->E ); mpi_free( &ctx->N ); 01409 01410 #if defined(POLARSSL_THREADING_C) 01411 polarssl_mutex_free( &ctx->mutex ); 01412 #endif 01413 } 01414 01415 #if defined(POLARSSL_SELF_TEST) 01416 01417 #include "polarssl/sha1.h" 01418 01419 /* 01420 * Example RSA-1024 keypair, for test purposes 01421 */ 01422 #define KEY_LEN 128 01423 01424 #define RSA_N "9292758453063D803DD603D5E777D788" \ 01425 "8ED1D5BF35786190FA2F23EBC0848AEA" \ 01426 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \ 01427 "7130B9CED7ACDF54CFC7555AC14EEBAB" \ 01428 "93A89813FBF3C4F8066D2D800F7C38A8" \ 01429 "1AE31942917403FF4946B0A83D3D3E05" \ 01430 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \ 01431 "5E94BB77B07507233A0BC7BAC8F90F79" 01432 01433 #define RSA_E "10001" 01434 01435 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \ 01436 "66CA472BC44D253102F8B4A9D3BFA750" \ 01437 "91386C0077937FE33FA3252D28855837" \ 01438 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \ 01439 "DF79C5CE07EE72C7F123142198164234" \ 01440 "CABB724CF78B8173B9F880FC86322407" \ 01441 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \ 01442 "071513A1E85B5DFA031F21ECAE91A34D" 01443 01444 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \ 01445 "2C01CAD19EA484A87EA4377637E75500" \ 01446 "FCB2005C5C7DD6EC4AC023CDA285D796" \ 01447 "C3D9E75E1EFC42488BB4F1D13AC30A57" 01448 01449 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \ 01450 "E211C2B9E5DB1ED0BF61D0D9899620F4" \ 01451 "910E4168387E3C30AA1E00C339A79508" \ 01452 "8452DD96A9A5EA5D9DCA68DA636032AF" 01453 01454 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \ 01455 "3C94D22288ACD763FD8E5600ED4A702D" \ 01456 "F84198A5F06C2E72236AE490C93F07F8" \ 01457 "3CC559CD27BC2D1CA488811730BB5725" 01458 01459 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \ 01460 "D8AAEA56749EA28623272E4F7D0592AF" \ 01461 "7C1F1313CAC9471B5C523BFE592F517B" \ 01462 "407A1BD76C164B93DA2D32A383E58357" 01463 01464 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \ 01465 "F38D18D2B2F0E2DD275AA977E2BF4411" \ 01466 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \ 01467 "A74206CEC169D74BF5A8C50D6F48EA08" 01468 01469 #define PT_LEN 24 01470 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \ 01471 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD" 01472 01473 #if defined(POLARSSL_PKCS1_V15) 01474 static int myrand( void *rng_state, unsigned char *output, size_t len ) 01475 { 01476 #if !defined(__OpenBSD__) 01477 size_t i; 01478 01479 if( rng_state != NULL ) 01480 rng_state = NULL; 01481 01482 for( i = 0; i < len; ++i ) 01483 output[i] = rand(); 01484 #else 01485 if( rng_state != NULL ) 01486 rng_state = NULL; 01487 01488 arc4random_buf( output, len ); 01489 #endif /* !OpenBSD */ 01490 01491 return( 0 ); 01492 } 01493 #endif /* POLARSSL_PKCS1_V15 */ 01494 01495 /* 01496 * Checkup routine 01497 */ 01498 int rsa_self_test( int verbose ) 01499 { 01500 int ret = 0; 01501 #if defined(POLARSSL_PKCS1_V15) 01502 size_t len; 01503 rsa_context rsa; 01504 unsigned char rsa_plaintext[PT_LEN]; 01505 unsigned char rsa_decrypted[PT_LEN]; 01506 unsigned char rsa_ciphertext[KEY_LEN]; 01507 #if defined(POLARSSL_SHA1_C) 01508 unsigned char sha1sum[20]; 01509 #endif 01510 01511 rsa_init( &rsa, RSA_PKCS_V15, 0 ); 01512 01513 rsa.len = KEY_LEN; 01514 MPI_CHK( mpi_read_string( &rsa.N , 16, RSA_N ) ); 01515 MPI_CHK( mpi_read_string( &rsa.E , 16, RSA_E ) ); 01516 MPI_CHK( mpi_read_string( &rsa.D , 16, RSA_D ) ); 01517 MPI_CHK( mpi_read_string( &rsa.P , 16, RSA_P ) ); 01518 MPI_CHK( mpi_read_string( &rsa.Q , 16, RSA_Q ) ); 01519 MPI_CHK( mpi_read_string( &rsa.DP , 16, RSA_DP ) ); 01520 MPI_CHK( mpi_read_string( &rsa.DQ , 16, RSA_DQ ) ); 01521 MPI_CHK( mpi_read_string( &rsa.QP , 16, RSA_QP ) ); 01522 01523 if( verbose != 0 ) 01524 polarssl_printf( " RSA key validation: " ); 01525 01526 if( rsa_check_pubkey( &rsa ) != 0 || 01527 rsa_check_privkey( &rsa ) != 0 ) 01528 { 01529 if( verbose != 0 ) 01530 polarssl_printf( "failed\n" ); 01531 01532 return( 1 ); 01533 } 01534 01535 if( verbose != 0 ) 01536 polarssl_printf( "passed\n PKCS#1 encryption : " ); 01537 01538 memcpy( rsa_plaintext, RSA_PT, PT_LEN ); 01539 01540 if( rsa_pkcs1_encrypt( &rsa, myrand, NULL, RSA_PUBLIC, PT_LEN, 01541 rsa_plaintext, rsa_ciphertext ) != 0 ) 01542 { 01543 if( verbose != 0 ) 01544 polarssl_printf( "failed\n" ); 01545 01546 return( 1 ); 01547 } 01548 01549 if( verbose != 0 ) 01550 polarssl_printf( "passed\n PKCS#1 decryption : " ); 01551 01552 if( rsa_pkcs1_decrypt( &rsa, myrand, NULL, RSA_PRIVATE, &len, 01553 rsa_ciphertext, rsa_decrypted, 01554 sizeof(rsa_decrypted) ) != 0 ) 01555 { 01556 if( verbose != 0 ) 01557 polarssl_printf( "failed\n" ); 01558 01559 return( 1 ); 01560 } 01561 01562 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 ) 01563 { 01564 if( verbose != 0 ) 01565 polarssl_printf( "failed\n" ); 01566 01567 return( 1 ); 01568 } 01569 01570 #if defined(POLARSSL_SHA1_C) 01571 if( verbose != 0 ) 01572 polarssl_printf( "passed\n PKCS#1 data sign : " ); 01573 01574 sha1( rsa_plaintext, PT_LEN, sha1sum ); 01575 01576 if( rsa_pkcs1_sign( &rsa, myrand, NULL, RSA_PRIVATE, POLARSSL_MD_SHA1, 0, 01577 sha1sum, rsa_ciphertext ) != 0 ) 01578 { 01579 if( verbose != 0 ) 01580 polarssl_printf( "failed\n" ); 01581 01582 return( 1 ); 01583 } 01584 01585 if( verbose != 0 ) 01586 polarssl_printf( "passed\n PKCS#1 sig. verify: " ); 01587 01588 if( rsa_pkcs1_verify( &rsa, NULL, NULL, RSA_PUBLIC, POLARSSL_MD_SHA1, 0, 01589 sha1sum, rsa_ciphertext ) != 0 ) 01590 { 01591 if( verbose != 0 ) 01592 polarssl_printf( "failed\n" ); 01593 01594 return( 1 ); 01595 } 01596 01597 if( verbose != 0 ) 01598 polarssl_printf( "passed\n\n" ); 01599 #endif /* POLARSSL_SHA1_C */ 01600 01601 cleanup: 01602 rsa_free( &rsa ); 01603 #else /* POLARSSL_PKCS1_V15 */ 01604 ((void) verbose); 01605 #endif /* POLARSSL_PKCS1_V15 */ 01606 return( ret ); 01607 } 01608 01609 #endif /* POLARSSL_SELF_TEST */ 01610 01611 #endif /* POLARSSL_RSA_C */ 01612 01613
Generated on Tue Jul 12 2022 19:40:20 by
1.7.2