]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * The RSA public-key cryptosystem | |
3 | * | |
4 | * Copyright (C) 2006-2011, Brainspark B.V. | |
5 | * | |
6 | * This file is part of PolarSSL (http://www.polarssl.org) | |
7 | * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> | |
8 | * | |
9 | * All rights reserved. | |
10 | * | |
11 | * This program is free software; you can redistribute it and/or modify | |
12 | * it under the terms of the GNU General Public License as published by | |
13 | * the Free Software Foundation; either version 2 of the License, or | |
14 | * (at your option) any later version. | |
15 | * | |
16 | * This program is distributed in the hope that it will be useful, | |
17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
19 | * GNU General Public License for more details. | |
20 | * | |
21 | * You should have received a copy of the GNU General Public License along | |
22 | * with this program; if not, write to the Free Software Foundation, Inc., | |
23 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
24 | */ | |
25 | /* | |
26 | * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman. | |
27 | * | |
28 | * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf | |
29 | * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf | |
30 | */ | |
31 | ||
32 | #include "polarssl_config.h" | |
33 | ||
34 | #if defined(POLARSSL_RSA_C) | |
35 | ||
36 | #include "rsa.h" | |
37 | ||
38 | #if defined(POLARSSL_PKCS1_V21) | |
39 | #include "md.h" | |
40 | #endif | |
41 | ||
42 | #include <stdlib.h> | |
43 | #include <stdio.h> | |
44 | ||
45 | /* | |
46 | * Initialize an RSA context | |
47 | */ | |
48 | void rsa_init( rsa_context *ctx, | |
49 | int padding, | |
50 | int hash_id ) | |
51 | { | |
52 | memset( ctx, 0, sizeof( rsa_context ) ); | |
53 | ||
54 | ctx->padding = padding; | |
55 | ctx->hash_id = hash_id; | |
56 | } | |
57 | ||
58 | #if defined(POLARSSL_GENPRIME) | |
59 | ||
60 | /* | |
61 | * Generate an RSA keypair | |
62 | */ | |
63 | int rsa_gen_key( rsa_context *ctx, | |
64 | int (*f_rng)(void *, unsigned char *, size_t), | |
65 | void *p_rng, | |
66 | unsigned int nbits, int exponent ) | |
67 | { | |
68 | int ret; | |
69 | mpi P1, Q1, H, G; | |
70 | ||
71 | if( f_rng == NULL || nbits < 128 || exponent < 3 ) | |
72 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
73 | ||
74 | mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &H ); mpi_init( &G ); | |
75 | ||
76 | /* | |
77 | * find primes P and Q with Q < P so that: | |
78 | * GCD( E, (P-1)*(Q-1) ) == 1 | |
79 | */ | |
80 | MPI_CHK( mpi_lset( &ctx->E, exponent ) ); | |
81 | ||
82 | do | |
83 | { | |
84 | MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0, | |
85 | f_rng, p_rng ) ); | |
86 | ||
87 | MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0, | |
88 | f_rng, p_rng ) ); | |
89 | ||
90 | if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 ) | |
91 | mpi_swap( &ctx->P, &ctx->Q ); | |
92 | ||
93 | if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 ) | |
94 | continue; | |
95 | ||
96 | MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) ); | |
97 | if( mpi_msb( &ctx->N ) != nbits ) | |
98 | continue; | |
99 | ||
100 | MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) ); | |
101 | MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) ); | |
102 | MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) ); | |
103 | MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) ); | |
104 | } | |
105 | while( mpi_cmp_int( &G, 1 ) != 0 ); | |
106 | ||
107 | /* | |
108 | * D = E^-1 mod ((P-1)*(Q-1)) | |
109 | * DP = D mod (P - 1) | |
110 | * DQ = D mod (Q - 1) | |
111 | * QP = Q^-1 mod P | |
112 | */ | |
113 | MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) ); | |
114 | MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) ); | |
115 | MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) ); | |
116 | MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) ); | |
117 | ||
118 | ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3; | |
119 | ||
120 | cleanup: | |
121 | ||
122 | mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G ); | |
123 | ||
124 | if( ret != 0 ) | |
125 | { | |
126 | rsa_free( ctx ); | |
127 | return( POLARSSL_ERR_RSA_KEY_GEN_FAILED + ret ); | |
128 | } | |
129 | ||
130 | return( 0 ); | |
131 | } | |
132 | ||
133 | #endif | |
134 | ||
135 | /* | |
136 | * Check a public RSA key | |
137 | */ | |
138 | int rsa_check_pubkey( const rsa_context *ctx ) | |
139 | { | |
140 | if( !ctx->N.p || !ctx->E.p ) | |
141 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); | |
142 | ||
143 | if( ( ctx->N.p[0] & 1 ) == 0 || | |
144 | ( ctx->E.p[0] & 1 ) == 0 ) | |
145 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); | |
146 | ||
147 | if( mpi_msb( &ctx->N ) < 128 || | |
148 | mpi_msb( &ctx->N ) > POLARSSL_MPI_MAX_BITS ) | |
149 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); | |
150 | ||
151 | if( mpi_msb( &ctx->E ) < 2 || | |
152 | mpi_msb( &ctx->E ) > 64 ) | |
153 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); | |
154 | ||
155 | return( 0 ); | |
156 | } | |
157 | ||
158 | /* | |
159 | * Check a private RSA key | |
160 | */ | |
161 | int rsa_check_privkey( const rsa_context *ctx ) | |
162 | { | |
163 | int ret; | |
164 | mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP; | |
165 | ||
166 | if( ( ret = rsa_check_pubkey( ctx ) ) != 0 ) | |
167 | return( ret ); | |
168 | ||
169 | if( !ctx->P.p || !ctx->Q.p || !ctx->D.p ) | |
170 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); | |
171 | ||
172 | mpi_init( &PQ ); mpi_init( &DE ); mpi_init( &P1 ); mpi_init( &Q1 ); | |
173 | mpi_init( &H ); mpi_init( &I ); mpi_init( &G ); mpi_init( &G2 ); | |
174 | mpi_init( &L1 ); mpi_init( &L2 ); mpi_init( &DP ); mpi_init( &DQ ); | |
175 | mpi_init( &QP ); | |
176 | ||
177 | MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) ); | |
178 | MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) ); | |
179 | MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) ); | |
180 | MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) ); | |
181 | MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) ); | |
182 | MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) ); | |
183 | ||
184 | MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) ); | |
185 | MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) ); | |
186 | MPI_CHK( mpi_mod_mpi( &I, &DE, &L1 ) ); | |
187 | ||
188 | MPI_CHK( mpi_mod_mpi( &DP, &ctx->D, &P1 ) ); | |
189 | MPI_CHK( mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) ); | |
190 | MPI_CHK( mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) ); | |
191 | /* | |
192 | * Check for a valid PKCS1v2 private key | |
193 | */ | |
194 | if( mpi_cmp_mpi( &PQ, &ctx->N ) != 0 || | |
195 | mpi_cmp_mpi( &DP, &ctx->DP ) != 0 || | |
196 | mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 || | |
197 | mpi_cmp_mpi( &QP, &ctx->QP ) != 0 || | |
198 | mpi_cmp_int( &L2, 0 ) != 0 || | |
199 | mpi_cmp_int( &I, 1 ) != 0 || | |
200 | mpi_cmp_int( &G, 1 ) != 0 ) | |
201 | { | |
202 | ret = POLARSSL_ERR_RSA_KEY_CHECK_FAILED; | |
203 | } | |
204 | ||
205 | cleanup: | |
206 | mpi_free( &PQ ); mpi_free( &DE ); mpi_free( &P1 ); mpi_free( &Q1 ); | |
207 | mpi_free( &H ); mpi_free( &I ); mpi_free( &G ); mpi_free( &G2 ); | |
208 | mpi_free( &L1 ); mpi_free( &L2 ); mpi_free( &DP ); mpi_free( &DQ ); | |
209 | mpi_free( &QP ); | |
210 | ||
211 | if( ret == POLARSSL_ERR_RSA_KEY_CHECK_FAILED ) | |
212 | return( ret ); | |
213 | ||
214 | if( ret != 0 ) | |
215 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED + ret ); | |
216 | ||
217 | return( 0 ); | |
218 | } | |
219 | ||
220 | /* | |
221 | * Do an RSA public key operation | |
222 | */ | |
223 | int rsa_public( rsa_context *ctx, | |
224 | const unsigned char *input, | |
225 | unsigned char *output ) | |
226 | { | |
227 | int ret; | |
228 | size_t olen; | |
229 | mpi T; | |
230 | ||
231 | mpi_init( &T ); | |
232 | ||
233 | MPI_CHK( mpi_read_binary( &T, input, ctx->len ) ); | |
234 | ||
235 | if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) | |
236 | { | |
237 | mpi_free( &T ); | |
238 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
239 | } | |
240 | ||
241 | olen = ctx->len; | |
242 | MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) ); | |
243 | MPI_CHK( mpi_write_binary( &T, output, olen ) ); | |
244 | ||
245 | cleanup: | |
246 | ||
247 | mpi_free( &T ); | |
248 | ||
249 | if( ret != 0 ) | |
250 | return( POLARSSL_ERR_RSA_PUBLIC_FAILED + ret ); | |
251 | ||
252 | return( 0 ); | |
253 | } | |
254 | ||
255 | /* | |
256 | * Do an RSA private key operation | |
257 | */ | |
258 | int rsa_private( rsa_context *ctx, | |
259 | const unsigned char *input, | |
260 | unsigned char *output ) | |
261 | { | |
262 | int ret; | |
263 | size_t olen; | |
264 | mpi T, T1, T2; | |
265 | ||
266 | mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 ); | |
267 | ||
268 | MPI_CHK( mpi_read_binary( &T, input, ctx->len ) ); | |
269 | ||
270 | if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) | |
271 | { | |
272 | mpi_free( &T ); | |
273 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
274 | } | |
275 | ||
276 | #if defined(POLARSSL_RSA_NO_CRT) | |
277 | MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) ); | |
278 | #else | |
279 | /* | |
280 | * faster decryption using the CRT | |
281 | * | |
282 | * T1 = input ^ dP mod P | |
283 | * T2 = input ^ dQ mod Q | |
284 | */ | |
285 | MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) ); | |
286 | MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) ); | |
287 | ||
288 | /* | |
289 | * T = (T1 - T2) * (Q^-1 mod P) mod P | |
290 | */ | |
291 | MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) ); | |
292 | MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) ); | |
293 | MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) ); | |
294 | ||
295 | /* | |
296 | * output = T2 + T * Q | |
297 | */ | |
298 | MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) ); | |
299 | MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) ); | |
300 | #endif | |
301 | ||
302 | olen = ctx->len; | |
303 | MPI_CHK( mpi_write_binary( &T, output, olen ) ); | |
304 | ||
305 | cleanup: | |
306 | ||
307 | mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 ); | |
308 | ||
309 | if( ret != 0 ) | |
310 | return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret ); | |
311 | ||
312 | return( 0 ); | |
313 | } | |
314 | ||
315 | #if defined(POLARSSL_PKCS1_V21) | |
316 | /** | |
317 | * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer. | |
318 | * | |
319 | * \param dst buffer to mask | |
320 | * \param dlen length of destination buffer | |
321 | * \param src source of the mask generation | |
322 | * \param slen length of the source buffer | |
323 | * \param md_ctx message digest context to use | |
324 | */ | |
325 | static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, size_t slen, | |
326 | md_context_t *md_ctx ) | |
327 | { | |
328 | unsigned char mask[POLARSSL_MD_MAX_SIZE]; | |
329 | unsigned char counter[4]; | |
330 | unsigned char *p; | |
331 | unsigned int hlen; | |
332 | size_t i, use_len; | |
333 | ||
334 | memset( mask, 0, POLARSSL_MD_MAX_SIZE ); | |
335 | memset( counter, 0, 4 ); | |
336 | ||
337 | hlen = md_ctx->md_info->size; | |
338 | ||
339 | // Generate and apply dbMask | |
340 | // | |
341 | p = dst; | |
342 | ||
343 | while( dlen > 0 ) | |
344 | { | |
345 | use_len = hlen; | |
346 | if( dlen < hlen ) | |
347 | use_len = dlen; | |
348 | ||
349 | md_starts( md_ctx ); | |
350 | md_update( md_ctx, src, slen ); | |
351 | md_update( md_ctx, counter, 4 ); | |
352 | md_finish( md_ctx, mask ); | |
353 | ||
354 | for( i = 0; i < use_len; ++i ) | |
355 | *p++ ^= mask[i]; | |
356 | ||
357 | counter[3]++; | |
358 | ||
359 | dlen -= use_len; | |
360 | } | |
361 | } | |
362 | #endif | |
363 | ||
364 | #if defined(POLARSSL_PKCS1_V21) | |
365 | /* | |
366 | * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function | |
367 | */ | |
368 | int rsa_rsaes_oaep_encrypt( rsa_context *ctx, | |
369 | int (*f_rng)(void *, unsigned char *, size_t), | |
370 | void *p_rng, | |
371 | int mode, | |
372 | const unsigned char *label, size_t label_len, | |
373 | size_t ilen, | |
374 | const unsigned char *input, | |
375 | unsigned char *output ) | |
376 | { | |
377 | size_t olen; | |
378 | int ret; | |
379 | unsigned char *p = output; | |
380 | unsigned int hlen; | |
381 | const md_info_t *md_info; | |
382 | md_context_t md_ctx; | |
383 | ||
384 | if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL ) | |
385 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
386 | ||
387 | md_info = md_info_from_type( ctx->hash_id ); | |
388 | ||
389 | if( md_info == NULL ) | |
390 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
391 | ||
392 | olen = ctx->len; | |
393 | hlen = md_get_size( md_info ); | |
394 | ||
395 | if( olen < ilen + 2 * hlen + 2 || f_rng == NULL ) | |
396 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
397 | ||
398 | memset( output, 0, olen ); | |
399 | ||
400 | *p++ = 0; | |
401 | ||
402 | // Generate a random octet string seed | |
403 | // | |
404 | if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 ) | |
405 | return( POLARSSL_ERR_RSA_RNG_FAILED + ret ); | |
406 | ||
407 | p += hlen; | |
408 | ||
409 | // Construct DB | |
410 | // | |
411 | md( md_info, label, label_len, p ); | |
412 | p += hlen; | |
413 | p += olen - 2 * hlen - 2 - ilen; | |
414 | *p++ = 1; | |
415 | memcpy( p, input, ilen ); | |
416 | ||
417 | md_init_ctx( &md_ctx, md_info ); | |
418 | ||
419 | // maskedDB: Apply dbMask to DB | |
420 | // | |
421 | mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, | |
422 | &md_ctx ); | |
423 | ||
424 | // maskedSeed: Apply seedMask to seed | |
425 | // | |
426 | mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, | |
427 | &md_ctx ); | |
428 | ||
429 | md_free_ctx( &md_ctx ); | |
430 | ||
431 | return( ( mode == RSA_PUBLIC ) | |
432 | ? rsa_public( ctx, output, output ) | |
433 | : rsa_private( ctx, output, output ) ); | |
434 | } | |
435 | #endif /* POLARSSL_PKCS1_V21 */ | |
436 | ||
437 | /* | |
438 | * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function | |
439 | */ | |
440 | int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx, | |
441 | int (*f_rng)(void *, unsigned char *, size_t), | |
442 | void *p_rng, | |
443 | int mode, size_t ilen, | |
444 | const unsigned char *input, | |
445 | unsigned char *output ) | |
446 | { | |
447 | size_t nb_pad, olen; | |
448 | int ret; | |
449 | unsigned char *p = output; | |
450 | ||
451 | if( ctx->padding != RSA_PKCS_V15 || f_rng == NULL ) | |
452 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
453 | ||
454 | olen = ctx->len; | |
455 | ||
456 | if( olen < ilen + 11 ) | |
457 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
458 | ||
459 | nb_pad = olen - 3 - ilen; | |
460 | ||
461 | *p++ = 0; | |
462 | if( mode == RSA_PUBLIC ) | |
463 | { | |
464 | *p++ = RSA_CRYPT; | |
465 | ||
466 | while( nb_pad-- > 0 ) | |
467 | { | |
468 | int rng_dl = 100; | |
469 | ||
470 | do { | |
471 | ret = f_rng( p_rng, p, 1 ); | |
472 | } while( *p == 0 && --rng_dl && ret == 0 ); | |
473 | ||
474 | // Check if RNG failed to generate data | |
475 | // | |
476 | if( rng_dl == 0 || ret != 0) | |
477 | return POLARSSL_ERR_RSA_RNG_FAILED + ret; | |
478 | ||
479 | p++; | |
480 | } | |
481 | } | |
482 | else | |
483 | { | |
484 | *p++ = RSA_SIGN; | |
485 | ||
486 | while( nb_pad-- > 0 ) | |
487 | *p++ = 0xFF; | |
488 | } | |
489 | ||
490 | *p++ = 0; | |
491 | memcpy( p, input, ilen ); | |
492 | ||
493 | return( ( mode == RSA_PUBLIC ) | |
494 | ? rsa_public( ctx, output, output ) | |
495 | : rsa_private( ctx, output, output ) ); | |
496 | } | |
497 | ||
498 | /* | |
499 | * Add the message padding, then do an RSA operation | |
500 | */ | |
501 | int rsa_pkcs1_encrypt( rsa_context *ctx, | |
502 | int (*f_rng)(void *, unsigned char *, size_t), | |
503 | void *p_rng, | |
504 | int mode, size_t ilen, | |
505 | const unsigned char *input, | |
506 | unsigned char *output ) | |
507 | { | |
508 | switch( ctx->padding ) | |
509 | { | |
510 | case RSA_PKCS_V15: | |
511 | return rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen, | |
512 | input, output ); | |
513 | ||
514 | #if defined(POLARSSL_PKCS1_V21) | |
515 | case RSA_PKCS_V21: | |
516 | return rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0, | |
517 | ilen, input, output ); | |
518 | #endif | |
519 | ||
520 | default: | |
521 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
522 | } | |
523 | } | |
524 | ||
525 | #if defined(POLARSSL_PKCS1_V21) | |
526 | /* | |
527 | * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function | |
528 | */ | |
529 | int rsa_rsaes_oaep_decrypt( rsa_context *ctx, | |
530 | int mode, | |
531 | const unsigned char *label, size_t label_len, | |
532 | size_t *olen, | |
533 | const unsigned char *input, | |
534 | unsigned char *output, | |
535 | size_t output_max_len ) | |
536 | { | |
537 | int ret; | |
538 | size_t ilen; | |
539 | unsigned char *p; | |
540 | unsigned char buf[POLARSSL_MPI_MAX_SIZE]; | |
541 | unsigned char lhash[POLARSSL_MD_MAX_SIZE]; | |
542 | unsigned int hlen; | |
543 | const md_info_t *md_info; | |
544 | md_context_t md_ctx; | |
545 | ||
546 | if( ctx->padding != RSA_PKCS_V21 ) | |
547 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
548 | ||
549 | ilen = ctx->len; | |
550 | ||
551 | if( ilen < 16 || ilen > sizeof( buf ) ) | |
552 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
553 | ||
554 | ret = ( mode == RSA_PUBLIC ) | |
555 | ? rsa_public( ctx, input, buf ) | |
556 | : rsa_private( ctx, input, buf ); | |
557 | ||
558 | if( ret != 0 ) | |
559 | return( ret ); | |
560 | ||
561 | p = buf; | |
562 | ||
563 | if( *p++ != 0 ) | |
564 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
565 | ||
566 | md_info = md_info_from_type( ctx->hash_id ); | |
567 | if( md_info == NULL ) | |
568 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
569 | ||
570 | hlen = md_get_size( md_info ); | |
571 | ||
572 | md_init_ctx( &md_ctx, md_info ); | |
573 | ||
574 | // Generate lHash | |
575 | // | |
576 | md( md_info, label, label_len, lhash ); | |
577 | ||
578 | // seed: Apply seedMask to maskedSeed | |
579 | // | |
580 | mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, | |
581 | &md_ctx ); | |
582 | ||
583 | // DB: Apply dbMask to maskedDB | |
584 | // | |
585 | mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, | |
586 | &md_ctx ); | |
587 | ||
588 | p += hlen; | |
589 | md_free_ctx( &md_ctx ); | |
590 | ||
591 | // Check validity | |
592 | // | |
593 | if( memcmp( lhash, p, hlen ) != 0 ) | |
594 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
595 | ||
596 | p += hlen; | |
597 | ||
598 | while( *p == 0 && p < buf + ilen ) | |
599 | p++; | |
600 | ||
601 | if( p == buf + ilen ) | |
602 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
603 | ||
604 | if( *p++ != 0x01 ) | |
605 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
606 | ||
607 | if (ilen - (p - buf) > output_max_len) | |
608 | return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE ); | |
609 | ||
610 | *olen = ilen - (p - buf); | |
611 | memcpy( output, p, *olen ); | |
612 | ||
613 | return( 0 ); | |
614 | } | |
615 | #endif /* POLARSSL_PKCS1_V21 */ | |
616 | ||
617 | /* | |
618 | * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function | |
619 | */ | |
620 | int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx, | |
621 | int mode, size_t *olen, | |
622 | const unsigned char *input, | |
623 | unsigned char *output, | |
624 | size_t output_max_len) | |
625 | { | |
626 | int ret, correct = 1; | |
627 | size_t ilen, pad_count = 0; | |
628 | unsigned char *p, *q; | |
629 | unsigned char bt; | |
630 | unsigned char buf[POLARSSL_MPI_MAX_SIZE]; | |
631 | ||
632 | if( ctx->padding != RSA_PKCS_V15 ) | |
633 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
634 | ||
635 | ilen = ctx->len; | |
636 | ||
637 | if( ilen < 16 || ilen > sizeof( buf ) ) | |
638 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
639 | ||
640 | ret = ( mode == RSA_PUBLIC ) | |
641 | ? rsa_public( ctx, input, buf ) | |
642 | : rsa_private( ctx, input, buf ); | |
643 | ||
644 | if( ret != 0 ) | |
645 | return( ret ); | |
646 | ||
647 | p = buf; | |
648 | ||
649 | if( *p++ != 0 ) | |
650 | correct = 0; | |
651 | ||
652 | bt = *p++; | |
653 | if( ( bt != RSA_CRYPT && mode == RSA_PRIVATE ) || | |
654 | ( bt != RSA_SIGN && mode == RSA_PUBLIC ) ) | |
655 | { | |
656 | correct = 0; | |
657 | } | |
658 | ||
659 | if( bt == RSA_CRYPT ) | |
660 | { | |
661 | while( *p != 0 && p < buf + ilen - 1 ) | |
662 | pad_count += ( *p++ != 0 ); | |
663 | ||
664 | correct &= ( *p == 0 && p < buf + ilen - 1 ); | |
665 | ||
666 | q = p; | |
667 | ||
668 | // Also pass over all other bytes to reduce timing differences | |
669 | // | |
670 | while ( q < buf + ilen - 1 ) | |
671 | pad_count += ( *q++ != 0 ); | |
672 | ||
673 | // Prevent compiler optimization of pad_count | |
674 | // | |
675 | correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */ | |
676 | p++; | |
677 | } | |
678 | else | |
679 | { | |
680 | while( *p == 0xFF && p < buf + ilen - 1 ) | |
681 | pad_count += ( *p++ == 0xFF ); | |
682 | ||
683 | correct &= ( *p == 0 && p < buf + ilen - 1 ); | |
684 | ||
685 | q = p; | |
686 | ||
687 | // Also pass over all other bytes to reduce timing differences | |
688 | // | |
689 | while ( q < buf + ilen - 1 ) | |
690 | pad_count += ( *q++ != 0 ); | |
691 | ||
692 | // Prevent compiler optimization of pad_count | |
693 | // | |
694 | correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */ | |
695 | p++; | |
696 | } | |
697 | ||
698 | if( correct == 0 ) | |
699 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
700 | ||
701 | if (ilen - (p - buf) > output_max_len) | |
702 | return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE ); | |
703 | ||
704 | *olen = ilen - (p - buf); | |
705 | memcpy( output, p, *olen ); | |
706 | ||
707 | return( 0 ); | |
708 | } | |
709 | ||
710 | /* | |
711 | * Do an RSA operation, then remove the message padding | |
712 | */ | |
713 | int rsa_pkcs1_decrypt( rsa_context *ctx, | |
714 | int mode, size_t *olen, | |
715 | const unsigned char *input, | |
716 | unsigned char *output, | |
717 | size_t output_max_len) | |
718 | { | |
719 | switch( ctx->padding ) | |
720 | { | |
721 | case RSA_PKCS_V15: | |
722 | return rsa_rsaes_pkcs1_v15_decrypt( ctx, mode, olen, input, output, | |
723 | output_max_len ); | |
724 | ||
725 | #if defined(POLARSSL_PKCS1_V21) | |
726 | case RSA_PKCS_V21: | |
727 | return rsa_rsaes_oaep_decrypt( ctx, mode, NULL, 0, olen, input, | |
728 | output, output_max_len ); | |
729 | #endif | |
730 | ||
731 | default: | |
732 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
733 | } | |
734 | } | |
735 | ||
736 | #if defined(POLARSSL_PKCS1_V21) | |
737 | /* | |
738 | * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function | |
739 | */ | |
740 | int rsa_rsassa_pss_sign( rsa_context *ctx, | |
741 | int (*f_rng)(void *, unsigned char *, size_t), | |
742 | void *p_rng, | |
743 | int mode, | |
744 | int hash_id, | |
745 | unsigned int hashlen, | |
746 | const unsigned char *hash, | |
747 | unsigned char *sig ) | |
748 | { | |
749 | size_t olen; | |
750 | unsigned char *p = sig; | |
751 | unsigned char salt[POLARSSL_MD_MAX_SIZE]; | |
752 | unsigned int slen, hlen, offset = 0; | |
753 | int ret; | |
754 | size_t msb; | |
755 | const md_info_t *md_info; | |
756 | md_context_t md_ctx; | |
757 | ||
758 | if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL ) | |
759 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
760 | ||
761 | olen = ctx->len; | |
762 | ||
763 | switch( hash_id ) | |
764 | { | |
765 | case SIG_RSA_MD2: | |
766 | case SIG_RSA_MD4: | |
767 | case SIG_RSA_MD5: | |
768 | hashlen = 16; | |
769 | break; | |
770 | ||
771 | case SIG_RSA_SHA1: | |
772 | hashlen = 20; | |
773 | break; | |
774 | ||
775 | case SIG_RSA_SHA224: | |
776 | hashlen = 28; | |
777 | break; | |
778 | ||
779 | case SIG_RSA_SHA256: | |
780 | hashlen = 32; | |
781 | break; | |
782 | ||
783 | case SIG_RSA_SHA384: | |
784 | hashlen = 48; | |
785 | break; | |
786 | ||
787 | case SIG_RSA_SHA512: | |
788 | hashlen = 64; | |
789 | break; | |
790 | ||
791 | default: | |
792 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
793 | } | |
794 | ||
795 | md_info = md_info_from_type( ctx->hash_id ); | |
796 | if( md_info == NULL ) | |
797 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
798 | ||
799 | hlen = md_get_size( md_info ); | |
800 | slen = hlen; | |
801 | ||
802 | if( olen < hlen + slen + 2 ) | |
803 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
804 | ||
805 | memset( sig, 0, olen ); | |
806 | ||
807 | msb = mpi_msb( &ctx->N ) - 1; | |
808 | ||
809 | // Generate salt of length slen | |
810 | // | |
811 | if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 ) | |
812 | return( POLARSSL_ERR_RSA_RNG_FAILED + ret ); | |
813 | ||
814 | // Note: EMSA-PSS encoding is over the length of N - 1 bits | |
815 | // | |
816 | msb = mpi_msb( &ctx->N ) - 1; | |
817 | p += olen - hlen * 2 - 2; | |
818 | *p++ = 0x01; | |
819 | memcpy( p, salt, slen ); | |
820 | p += slen; | |
821 | ||
822 | md_init_ctx( &md_ctx, md_info ); | |
823 | ||
824 | // Generate H = Hash( M' ) | |
825 | // | |
826 | md_starts( &md_ctx ); | |
827 | md_update( &md_ctx, p, 8 ); | |
828 | md_update( &md_ctx, hash, hashlen ); | |
829 | md_update( &md_ctx, salt, slen ); | |
830 | md_finish( &md_ctx, p ); | |
831 | ||
832 | // Compensate for boundary condition when applying mask | |
833 | // | |
834 | if( msb % 8 == 0 ) | |
835 | offset = 1; | |
836 | ||
837 | // maskedDB: Apply dbMask to DB | |
838 | // | |
839 | mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx ); | |
840 | ||
841 | md_free_ctx( &md_ctx ); | |
842 | ||
843 | msb = mpi_msb( &ctx->N ) - 1; | |
844 | sig[0] &= 0xFF >> ( olen * 8 - msb ); | |
845 | ||
846 | p += hlen; | |
847 | *p++ = 0xBC; | |
848 | ||
849 | return( ( mode == RSA_PUBLIC ) | |
850 | ? rsa_public( ctx, sig, sig ) | |
851 | : rsa_private( ctx, sig, sig ) ); | |
852 | } | |
853 | #endif /* POLARSSL_PKCS1_V21 */ | |
854 | ||
855 | /* | |
856 | * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function | |
857 | */ | |
858 | /* | |
859 | * Do an RSA operation to sign the message digest | |
860 | */ | |
861 | int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx, | |
862 | int mode, | |
863 | int hash_id, | |
864 | unsigned int hashlen, | |
865 | const unsigned char *hash, | |
866 | unsigned char *sig ) | |
867 | { | |
868 | size_t nb_pad, olen; | |
869 | unsigned char *p = sig; | |
870 | ||
871 | if( ctx->padding != RSA_PKCS_V15 ) | |
872 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
873 | ||
874 | olen = ctx->len; | |
875 | ||
876 | switch( hash_id ) | |
877 | { | |
878 | case SIG_RSA_RAW: | |
879 | nb_pad = olen - 3 - hashlen; | |
880 | break; | |
881 | ||
882 | case SIG_RSA_MD2: | |
883 | case SIG_RSA_MD4: | |
884 | case SIG_RSA_MD5: | |
885 | nb_pad = olen - 3 - 34; | |
886 | break; | |
887 | ||
888 | case SIG_RSA_SHA1: | |
889 | nb_pad = olen - 3 - 35; | |
890 | break; | |
891 | ||
892 | case SIG_RSA_SHA224: | |
893 | nb_pad = olen - 3 - 47; | |
894 | break; | |
895 | ||
896 | case SIG_RSA_SHA256: | |
897 | nb_pad = olen - 3 - 51; | |
898 | break; | |
899 | ||
900 | case SIG_RSA_SHA384: | |
901 | nb_pad = olen - 3 - 67; | |
902 | break; | |
903 | ||
904 | case SIG_RSA_SHA512: | |
905 | nb_pad = olen - 3 - 83; | |
906 | break; | |
907 | ||
908 | ||
909 | default: | |
910 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
911 | } | |
912 | ||
913 | if( ( nb_pad < 8 ) || ( nb_pad > olen ) ) | |
914 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
915 | ||
916 | *p++ = 0; | |
917 | *p++ = RSA_SIGN; | |
918 | memset( p, 0xFF, nb_pad ); | |
919 | p += nb_pad; | |
920 | *p++ = 0; | |
921 | ||
922 | switch( hash_id ) | |
923 | { | |
924 | case SIG_RSA_RAW: | |
925 | memcpy( p, hash, hashlen ); | |
926 | break; | |
927 | ||
928 | case SIG_RSA_MD2: | |
929 | memcpy( p, ASN1_HASH_MDX, 18 ); | |
930 | memcpy( p + 18, hash, 16 ); | |
931 | p[13] = 2; break; | |
932 | ||
933 | case SIG_RSA_MD4: | |
934 | memcpy( p, ASN1_HASH_MDX, 18 ); | |
935 | memcpy( p + 18, hash, 16 ); | |
936 | p[13] = 4; break; | |
937 | ||
938 | case SIG_RSA_MD5: | |
939 | memcpy( p, ASN1_HASH_MDX, 18 ); | |
940 | memcpy( p + 18, hash, 16 ); | |
941 | p[13] = 5; break; | |
942 | ||
943 | case SIG_RSA_SHA1: | |
944 | memcpy( p, ASN1_HASH_SHA1, 15 ); | |
945 | memcpy( p + 15, hash, 20 ); | |
946 | break; | |
947 | ||
948 | case SIG_RSA_SHA224: | |
949 | memcpy( p, ASN1_HASH_SHA2X, 19 ); | |
950 | memcpy( p + 19, hash, 28 ); | |
951 | p[1] += 28; p[14] = 4; p[18] += 28; break; | |
952 | ||
953 | case SIG_RSA_SHA256: | |
954 | memcpy( p, ASN1_HASH_SHA2X, 19 ); | |
955 | memcpy( p + 19, hash, 32 ); | |
956 | p[1] += 32; p[14] = 1; p[18] += 32; break; | |
957 | ||
958 | case SIG_RSA_SHA384: | |
959 | memcpy( p, ASN1_HASH_SHA2X, 19 ); | |
960 | memcpy( p + 19, hash, 48 ); | |
961 | p[1] += 48; p[14] = 2; p[18] += 48; break; | |
962 | ||
963 | case SIG_RSA_SHA512: | |
964 | memcpy( p, ASN1_HASH_SHA2X, 19 ); | |
965 | memcpy( p + 19, hash, 64 ); | |
966 | p[1] += 64; p[14] = 3; p[18] += 64; break; | |
967 | ||
968 | default: | |
969 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
970 | } | |
971 | ||
972 | return( ( mode == RSA_PUBLIC ) | |
973 | ? rsa_public( ctx, sig, sig ) | |
974 | : rsa_private( ctx, sig, sig ) ); | |
975 | } | |
976 | ||
977 | /* | |
978 | * Do an RSA operation to sign the message digest | |
979 | */ | |
980 | int rsa_pkcs1_sign( rsa_context *ctx, | |
981 | int (*f_rng)(void *, unsigned char *, size_t), | |
982 | void *p_rng, | |
983 | int mode, | |
984 | int hash_id, | |
985 | unsigned int hashlen, | |
986 | const unsigned char *hash, | |
987 | unsigned char *sig ) | |
988 | { | |
989 | switch( ctx->padding ) | |
990 | { | |
991 | case RSA_PKCS_V15: | |
992 | return rsa_rsassa_pkcs1_v15_sign( ctx, mode, hash_id, | |
993 | hashlen, hash, sig ); | |
994 | ||
995 | #if defined(POLARSSL_PKCS1_V21) | |
996 | case RSA_PKCS_V21: | |
997 | return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, hash_id, | |
998 | hashlen, hash, sig ); | |
999 | #endif | |
1000 | ||
1001 | default: | |
1002 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
1003 | } | |
1004 | } | |
1005 | ||
1006 | #if defined(POLARSSL_PKCS1_V21) | |
1007 | /* | |
1008 | * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function | |
1009 | */ | |
1010 | int rsa_rsassa_pss_verify( rsa_context *ctx, | |
1011 | int mode, | |
1012 | int hash_id, | |
1013 | unsigned int hashlen, | |
1014 | const unsigned char *hash, | |
1015 | unsigned char *sig ) | |
1016 | { | |
1017 | int ret; | |
1018 | size_t siglen; | |
1019 | unsigned char *p; | |
1020 | unsigned char buf[POLARSSL_MPI_MAX_SIZE]; | |
1021 | unsigned char result[POLARSSL_MD_MAX_SIZE]; | |
1022 | unsigned char zeros[8]; | |
1023 | unsigned int hlen; | |
1024 | size_t slen, msb; | |
1025 | const md_info_t *md_info; | |
1026 | md_context_t md_ctx; | |
1027 | ||
1028 | if( ctx->padding != RSA_PKCS_V21 ) | |
1029 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
1030 | ||
1031 | siglen = ctx->len; | |
1032 | ||
1033 | if( siglen < 16 || siglen > sizeof( buf ) ) | |
1034 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
1035 | ||
1036 | ret = ( mode == RSA_PUBLIC ) | |
1037 | ? rsa_public( ctx, sig, buf ) | |
1038 | : rsa_private( ctx, sig, buf ); | |
1039 | ||
1040 | if( ret != 0 ) | |
1041 | return( ret ); | |
1042 | ||
1043 | p = buf; | |
1044 | ||
1045 | if( buf[siglen - 1] != 0xBC ) | |
1046 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
1047 | ||
1048 | switch( hash_id ) | |
1049 | { | |
1050 | case SIG_RSA_MD2: | |
1051 | case SIG_RSA_MD4: | |
1052 | case SIG_RSA_MD5: | |
1053 | hashlen = 16; | |
1054 | break; | |
1055 | ||
1056 | case SIG_RSA_SHA1: | |
1057 | hashlen = 20; | |
1058 | break; | |
1059 | ||
1060 | case SIG_RSA_SHA224: | |
1061 | hashlen = 28; | |
1062 | break; | |
1063 | ||
1064 | case SIG_RSA_SHA256: | |
1065 | hashlen = 32; | |
1066 | break; | |
1067 | ||
1068 | case SIG_RSA_SHA384: | |
1069 | hashlen = 48; | |
1070 | break; | |
1071 | ||
1072 | case SIG_RSA_SHA512: | |
1073 | hashlen = 64; | |
1074 | break; | |
1075 | ||
1076 | default: | |
1077 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
1078 | } | |
1079 | ||
1080 | md_info = md_info_from_type( ctx->hash_id ); | |
1081 | if( md_info == NULL ) | |
1082 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
1083 | ||
1084 | hlen = md_get_size( md_info ); | |
1085 | slen = siglen - hlen - 1; | |
1086 | ||
1087 | memset( zeros, 0, 8 ); | |
1088 | ||
1089 | // Note: EMSA-PSS verification is over the length of N - 1 bits | |
1090 | // | |
1091 | msb = mpi_msb( &ctx->N ) - 1; | |
1092 | ||
1093 | // Compensate for boundary condition when applying mask | |
1094 | // | |
1095 | if( msb % 8 == 0 ) | |
1096 | { | |
1097 | p++; | |
1098 | siglen -= 1; | |
1099 | } | |
1100 | if( buf[0] >> ( 8 - siglen * 8 + msb ) ) | |
1101 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
1102 | ||
1103 | md_init_ctx( &md_ctx, md_info ); | |
1104 | ||
1105 | mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx ); | |
1106 | ||
1107 | buf[0] &= 0xFF >> ( siglen * 8 - msb ); | |
1108 | ||
1109 | while( *p == 0 && p < buf + siglen ) | |
1110 | p++; | |
1111 | ||
1112 | if( p == buf + siglen || | |
1113 | *p++ != 0x01 ) | |
1114 | { | |
1115 | md_free_ctx( &md_ctx ); | |
1116 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
1117 | } | |
1118 | ||
1119 | slen -= p - buf; | |
1120 | ||
1121 | // Generate H = Hash( M' ) | |
1122 | // | |
1123 | md_starts( &md_ctx ); | |
1124 | md_update( &md_ctx, zeros, 8 ); | |
1125 | md_update( &md_ctx, hash, hashlen ); | |
1126 | md_update( &md_ctx, p, slen ); | |
1127 | md_finish( &md_ctx, result ); | |
1128 | ||
1129 | md_free_ctx( &md_ctx ); | |
1130 | ||
1131 | if( memcmp( p + slen, result, hlen ) == 0 ) | |
1132 | return( 0 ); | |
1133 | else | |
1134 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
1135 | } | |
1136 | #endif /* POLARSSL_PKCS1_V21 */ | |
1137 | ||
1138 | /* | |
1139 | * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function | |
1140 | */ | |
1141 | int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx, | |
1142 | int mode, | |
1143 | int hash_id, | |
1144 | unsigned int hashlen, | |
1145 | const unsigned char *hash, | |
1146 | unsigned char *sig ) | |
1147 | { | |
1148 | int ret; | |
1149 | size_t len, siglen; | |
1150 | unsigned char *p, c; | |
1151 | unsigned char buf[POLARSSL_MPI_MAX_SIZE]; | |
1152 | ||
1153 | if( ctx->padding != RSA_PKCS_V15 ) | |
1154 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
1155 | ||
1156 | siglen = ctx->len; | |
1157 | ||
1158 | if( siglen < 16 || siglen > sizeof( buf ) ) | |
1159 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
1160 | ||
1161 | ret = ( mode == RSA_PUBLIC ) | |
1162 | ? rsa_public( ctx, sig, buf ) | |
1163 | : rsa_private( ctx, sig, buf ); | |
1164 | ||
1165 | if( ret != 0 ) | |
1166 | return( ret ); | |
1167 | ||
1168 | p = buf; | |
1169 | ||
1170 | if( *p++ != 0 || *p++ != RSA_SIGN ) | |
1171 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
1172 | ||
1173 | while( *p != 0 ) | |
1174 | { | |
1175 | if( p >= buf + siglen - 1 || *p != 0xFF ) | |
1176 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
1177 | p++; | |
1178 | } | |
1179 | p++; | |
1180 | ||
1181 | len = siglen - ( p - buf ); | |
1182 | ||
1183 | if( len == 33 && hash_id == SIG_RSA_SHA1 ) | |
1184 | { | |
1185 | if( memcmp( p, ASN1_HASH_SHA1_ALT, 13 ) == 0 && | |
1186 | memcmp( p + 13, hash, 20 ) == 0 ) | |
1187 | return( 0 ); | |
1188 | else | |
1189 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
1190 | } | |
1191 | if( len == 34 ) | |
1192 | { | |
1193 | c = p[13]; | |
1194 | p[13] = 0; | |
1195 | ||
1196 | if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 ) | |
1197 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
1198 | ||
1199 | if( ( c == 2 && hash_id == SIG_RSA_MD2 ) || | |
1200 | ( c == 4 && hash_id == SIG_RSA_MD4 ) || | |
1201 | ( c == 5 && hash_id == SIG_RSA_MD5 ) ) | |
1202 | { | |
1203 | if( memcmp( p + 18, hash, 16 ) == 0 ) | |
1204 | return( 0 ); | |
1205 | else | |
1206 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
1207 | } | |
1208 | } | |
1209 | ||
1210 | if( len == 35 && hash_id == SIG_RSA_SHA1 ) | |
1211 | { | |
1212 | if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 && | |
1213 | memcmp( p + 15, hash, 20 ) == 0 ) | |
1214 | return( 0 ); | |
1215 | else | |
1216 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
1217 | } | |
1218 | if( ( len == 19 + 28 && p[14] == 4 && hash_id == SIG_RSA_SHA224 ) || | |
1219 | ( len == 19 + 32 && p[14] == 1 && hash_id == SIG_RSA_SHA256 ) || | |
1220 | ( len == 19 + 48 && p[14] == 2 && hash_id == SIG_RSA_SHA384 ) || | |
1221 | ( len == 19 + 64 && p[14] == 3 && hash_id == SIG_RSA_SHA512 ) ) | |
1222 | { | |
1223 | c = p[1] - 17; | |
1224 | p[1] = 17; | |
1225 | p[14] = 0; | |
1226 | ||
1227 | if( p[18] == c && | |
1228 | memcmp( p, ASN1_HASH_SHA2X, 18 ) == 0 && | |
1229 | memcmp( p + 19, hash, c ) == 0 ) | |
1230 | return( 0 ); | |
1231 | else | |
1232 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
1233 | } | |
1234 | ||
1235 | if( len == hashlen && hash_id == SIG_RSA_RAW ) | |
1236 | { | |
1237 | if( memcmp( p, hash, hashlen ) == 0 ) | |
1238 | return( 0 ); | |
1239 | else | |
1240 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
1241 | } | |
1242 | ||
1243 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
1244 | } | |
1245 | ||
1246 | /* | |
1247 | * Do an RSA operation and check the message digest | |
1248 | */ | |
1249 | int rsa_pkcs1_verify( rsa_context *ctx, | |
1250 | int mode, | |
1251 | int hash_id, | |
1252 | unsigned int hashlen, | |
1253 | const unsigned char *hash, | |
1254 | unsigned char *sig ) | |
1255 | { | |
1256 | switch( ctx->padding ) | |
1257 | { | |
1258 | case RSA_PKCS_V15: | |
1259 | return rsa_rsassa_pkcs1_v15_verify( ctx, mode, hash_id, | |
1260 | hashlen, hash, sig ); | |
1261 | ||
1262 | #if defined(POLARSSL_PKCS1_V21) | |
1263 | case RSA_PKCS_V21: | |
1264 | return rsa_rsassa_pss_verify( ctx, mode, hash_id, | |
1265 | hashlen, hash, sig ); | |
1266 | #endif | |
1267 | ||
1268 | default: | |
1269 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
1270 | } | |
1271 | } | |
1272 | ||
1273 | /* | |
1274 | * Free the components of an RSA key | |
1275 | */ | |
1276 | void rsa_free( rsa_context *ctx ) | |
1277 | { | |
1278 | mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN ); | |
1279 | mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP ); | |
1280 | mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D ); | |
1281 | mpi_free( &ctx->E ); mpi_free( &ctx->N ); | |
1282 | } | |
1283 | ||
1284 | #if defined(POLARSSL_SELF_TEST) | |
1285 | ||
1286 | #include "polarssl/sha1.h" | |
1287 | ||
1288 | /* | |
1289 | * Example RSA-1024 keypair, for test purposes | |
1290 | */ | |
1291 | #define KEY_LEN 128 | |
1292 | ||
1293 | #define RSA_N "9292758453063D803DD603D5E777D788" \ | |
1294 | "8ED1D5BF35786190FA2F23EBC0848AEA" \ | |
1295 | "DDA92CA6C3D80B32C4D109BE0F36D6AE" \ | |
1296 | "7130B9CED7ACDF54CFC7555AC14EEBAB" \ | |
1297 | "93A89813FBF3C4F8066D2D800F7C38A8" \ | |
1298 | "1AE31942917403FF4946B0A83D3D3E05" \ | |
1299 | "EE57C6F5F5606FB5D4BC6CD34EE0801A" \ | |
1300 | "5E94BB77B07507233A0BC7BAC8F90F79" | |
1301 | ||
1302 | #define RSA_E "10001" | |
1303 | ||
1304 | #define RSA_D "24BF6185468786FDD303083D25E64EFC" \ | |
1305 | "66CA472BC44D253102F8B4A9D3BFA750" \ | |
1306 | "91386C0077937FE33FA3252D28855837" \ | |
1307 | "AE1B484A8A9A45F7EE8C0C634F99E8CD" \ | |
1308 | "DF79C5CE07EE72C7F123142198164234" \ | |
1309 | "CABB724CF78B8173B9F880FC86322407" \ | |
1310 | "AF1FEDFDDE2BEB674CA15F3E81A1521E" \ | |
1311 | "071513A1E85B5DFA031F21ECAE91A34D" | |
1312 | ||
1313 | #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \ | |
1314 | "2C01CAD19EA484A87EA4377637E75500" \ | |
1315 | "FCB2005C5C7DD6EC4AC023CDA285D796" \ | |
1316 | "C3D9E75E1EFC42488BB4F1D13AC30A57" | |
1317 | ||
1318 | #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \ | |
1319 | "E211C2B9E5DB1ED0BF61D0D9899620F4" \ | |
1320 | "910E4168387E3C30AA1E00C339A79508" \ | |
1321 | "8452DD96A9A5EA5D9DCA68DA636032AF" | |
1322 | ||
1323 | #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \ | |
1324 | "3C94D22288ACD763FD8E5600ED4A702D" \ | |
1325 | "F84198A5F06C2E72236AE490C93F07F8" \ | |
1326 | "3CC559CD27BC2D1CA488811730BB5725" | |
1327 | ||
1328 | #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \ | |
1329 | "D8AAEA56749EA28623272E4F7D0592AF" \ | |
1330 | "7C1F1313CAC9471B5C523BFE592F517B" \ | |
1331 | "407A1BD76C164B93DA2D32A383E58357" | |
1332 | ||
1333 | #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \ | |
1334 | "F38D18D2B2F0E2DD275AA977E2BF4411" \ | |
1335 | "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \ | |
1336 | "A74206CEC169D74BF5A8C50D6F48EA08" | |
1337 | ||
1338 | #define PT_LEN 24 | |
1339 | #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \ | |
1340 | "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD" | |
1341 | ||
1342 | static int myrand( void *rng_state, unsigned char *output, size_t len ) | |
1343 | { | |
1344 | size_t i; | |
1345 | ||
1346 | if( rng_state != NULL ) | |
1347 | rng_state = NULL; | |
1348 | ||
1349 | for( i = 0; i < len; ++i ) | |
1350 | output[i] = rand(); | |
1351 | ||
1352 | return( 0 ); | |
1353 | } | |
1354 | ||
1355 | /* | |
1356 | * Checkup routine | |
1357 | */ | |
1358 | int rsa_self_test( int verbose ) | |
1359 | { | |
1360 | size_t len; | |
1361 | rsa_context rsa; | |
1362 | unsigned char rsa_plaintext[PT_LEN]; | |
1363 | unsigned char rsa_decrypted[PT_LEN]; | |
1364 | unsigned char rsa_ciphertext[KEY_LEN]; | |
1365 | #if defined(POLARSSL_SHA1_C) | |
1366 | unsigned char sha1sum[20]; | |
1367 | #endif | |
1368 | ||
1369 | rsa_init( &rsa, RSA_PKCS_V15, 0 ); | |
1370 | ||
1371 | rsa.len = KEY_LEN; | |
1372 | mpi_read_string( &rsa.N , 16, RSA_N ); | |
1373 | mpi_read_string( &rsa.E , 16, RSA_E ); | |
1374 | mpi_read_string( &rsa.D , 16, RSA_D ); | |
1375 | mpi_read_string( &rsa.P , 16, RSA_P ); | |
1376 | mpi_read_string( &rsa.Q , 16, RSA_Q ); | |
1377 | mpi_read_string( &rsa.DP, 16, RSA_DP ); | |
1378 | mpi_read_string( &rsa.DQ, 16, RSA_DQ ); | |
1379 | mpi_read_string( &rsa.QP, 16, RSA_QP ); | |
1380 | ||
1381 | if( verbose != 0 ) | |
1382 | printf( " RSA key validation: " ); | |
1383 | ||
1384 | if( rsa_check_pubkey( &rsa ) != 0 || | |
1385 | rsa_check_privkey( &rsa ) != 0 ) | |
1386 | { | |
1387 | if( verbose != 0 ) | |
1388 | printf( "failed\n" ); | |
1389 | ||
1390 | return( 1 ); | |
1391 | } | |
1392 | ||
1393 | if( verbose != 0 ) | |
1394 | printf( "passed\n PKCS#1 encryption : " ); | |
1395 | ||
1396 | memcpy( rsa_plaintext, RSA_PT, PT_LEN ); | |
1397 | ||
1398 | if( rsa_pkcs1_encrypt( &rsa, &myrand, NULL, RSA_PUBLIC, PT_LEN, | |
1399 | rsa_plaintext, rsa_ciphertext ) != 0 ) | |
1400 | { | |
1401 | if( verbose != 0 ) | |
1402 | printf( "failed\n" ); | |
1403 | ||
1404 | return( 1 ); | |
1405 | } | |
1406 | ||
1407 | if( verbose != 0 ) | |
1408 | printf( "passed\n PKCS#1 decryption : " ); | |
1409 | ||
1410 | if( rsa_pkcs1_decrypt( &rsa, RSA_PRIVATE, &len, | |
1411 | rsa_ciphertext, rsa_decrypted, | |
1412 | sizeof(rsa_decrypted) ) != 0 ) | |
1413 | { | |
1414 | if( verbose != 0 ) | |
1415 | printf( "failed\n" ); | |
1416 | ||
1417 | return( 1 ); | |
1418 | } | |
1419 | ||
1420 | if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 ) | |
1421 | { | |
1422 | if( verbose != 0 ) | |
1423 | printf( "failed\n" ); | |
1424 | ||
1425 | return( 1 ); | |
1426 | } | |
1427 | ||
1428 | #if defined(POLARSSL_SHA1_C) | |
1429 | if( verbose != 0 ) | |
1430 | printf( "passed\n PKCS#1 data sign : " ); | |
1431 | ||
1432 | sha1( rsa_plaintext, PT_LEN, sha1sum ); | |
1433 | ||
1434 | if( rsa_pkcs1_sign( &rsa, NULL, NULL, RSA_PRIVATE, SIG_RSA_SHA1, 20, | |
1435 | sha1sum, rsa_ciphertext ) != 0 ) | |
1436 | { | |
1437 | if( verbose != 0 ) | |
1438 | printf( "failed\n" ); | |
1439 | ||
1440 | return( 1 ); | |
1441 | } | |
1442 | ||
1443 | if( verbose != 0 ) | |
1444 | printf( "passed\n PKCS#1 sig. verify: " ); | |
1445 | ||
1446 | if( rsa_pkcs1_verify( &rsa, RSA_PUBLIC, SIG_RSA_SHA1, 20, | |
1447 | sha1sum, rsa_ciphertext ) != 0 ) | |
1448 | { | |
1449 | if( verbose != 0 ) | |
1450 | printf( "failed\n" ); | |
1451 | ||
1452 | return( 1 ); | |
1453 | } | |
1454 | ||
1455 | if( verbose != 0 ) | |
1456 | printf( "passed\n\n" ); | |
1457 | #endif /* POLARSSL_SHA1_C */ | |
1458 | ||
1459 | rsa_free( &rsa ); | |
1460 | ||
1461 | return( 0 ); | |
1462 | } | |
1463 | ||
1464 | #endif | |
1465 | ||
1466 | #endif |