TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 37940d9ff68e2f6a2103ac91acf073a645f57a33 / . / library / rsa.c
blob: 94dbe4e36a015ac16b6d22a23c6c3ddd97e120fa [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * The RSA public-key cryptosystem
3 *
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
Paul Bakker785a9ee2009-01-25 14:15:10 +0000[diff] [blame]6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
24 *
25 * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
26 * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
27 */
28
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]29#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#if defined(POLARSSL_RSA_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#include "polarssl/rsa.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]34
35#include <stdlib.h>
36#include <string.h>
37#include <stdio.h>
38
39/*
40 * Initialize an RSA context
41 */
42void rsa_init( rsa_context *ctx,
43 int padding,
44 int hash_id,
45 int (*f_rng)(void *),
46 void *p_rng )
47{
48 memset( ctx, 0, sizeof( rsa_context ) );
49
50 ctx->padding = padding;
51 ctx->hash_id = hash_id;
52
53 ctx->f_rng = f_rng;
54 ctx->p_rng = p_rng;
55}
56
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]57#if defined(POLARSSL_GENPRIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
59/*
60 * Generate an RSA keypair
61 */
62int rsa_gen_key( rsa_context *ctx, int nbits, int exponent )
63{
64 int ret;
65 mpi P1, Q1, H, G;
66
67 if( ctx->f_rng == NULL || nbits < 128 || exponent < 3 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]68 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]69
70 mpi_init( &P1, &Q1, &H, &G, NULL );
71
72 /*
73 * find primes P and Q with Q < P so that:
74 * GCD( E, (P-1)*(Q-1) ) == 1
75 */
76 MPI_CHK( mpi_lset( &ctx->E, exponent ) );
77
78 do
79 {
80 MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
81 ctx->f_rng, ctx->p_rng ) );
82
83 MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
84 ctx->f_rng, ctx->p_rng ) );
85
86 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
87 mpi_swap( &ctx->P, &ctx->Q );
88
89 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
90 continue;
91
92 MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
93 if( mpi_msb( &ctx->N ) != nbits )
94 continue;
95
96 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
97 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
98 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
99 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
100 }
101 while( mpi_cmp_int( &G, 1 ) != 0 );
102
103 /*
104 * D = E^-1 mod ((P-1)*(Q-1))
105 * DP = D mod (P - 1)
106 * DQ = D mod (Q - 1)
107 * QP = Q^-1 mod P
108 */
109 MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
110 MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
111 MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
112 MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
113
114 ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
115
116cleanup:
117
118 mpi_free( &G, &H, &Q1, &P1, NULL );
119
120 if( ret != 0 )
121 {
122 rsa_free( ctx );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]123 return( POLARSSL_ERR_RSA_KEY_GEN_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]124 }
125
126 return( 0 );
127}
128
129#endif
130
131/*
132 * Check a public RSA key
133 */
134int rsa_check_pubkey( rsa_context *ctx )
135{
Paul Bakker37940d9f2009-07-10 22:38:58 +0000[diff] [blame^]136 if( !ctx->N.p || !ctx->E.p )
137 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
138
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]139 if( ( ctx->N.p[0] & 1 ) == 0 ||
140 ( ctx->E.p[0] & 1 ) == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]141 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]142
143 if( mpi_msb( &ctx->N ) < 128 ||
144 mpi_msb( &ctx->N ) > 4096 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]145 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]146
147 if( mpi_msb( &ctx->E ) < 2 ||
148 mpi_msb( &ctx->E ) > 64 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]149 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]150
151 return( 0 );
152}
153
154/*
155 * Check a private RSA key
156 */
157int rsa_check_privkey( rsa_context *ctx )
158{
159 int ret;
160 mpi PQ, DE, P1, Q1, H, I, G;
161
162 if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
163 return( ret );
164
Paul Bakker37940d9f2009-07-10 22:38:58 +0000[diff] [blame^]165 if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
166 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
167
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]168 mpi_init( &PQ, &DE, &P1, &Q1, &H, &I, &G, NULL );
169
170 MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
171 MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
172 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
173 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
174 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
175 MPI_CHK( mpi_mod_mpi( &I, &DE, &H ) );
176 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
177
178 if( mpi_cmp_mpi( &PQ, &ctx->N ) == 0 &&
179 mpi_cmp_int( &I, 1 ) == 0 &&
180 mpi_cmp_int( &G, 1 ) == 0 )
181 {
182 mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, NULL );
183 return( 0 );
184 }
185
186cleanup:
187
188 mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]189 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]190}
191
192/*
193 * Do an RSA public key operation
194 */
195int rsa_public( rsa_context *ctx,
196 unsigned char *input,
197 unsigned char *output )
198{
199 int ret, olen;
200 mpi T;
201
202 mpi_init( &T, NULL );
203
204 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
205
206 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
207 {
208 mpi_free( &T, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]209 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210 }
211
212 olen = ctx->len;
213 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
214 MPI_CHK( mpi_write_binary( &T, output, olen ) );
215
216cleanup:
217
218 mpi_free( &T, NULL );
219
220 if( ret != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]221 return( POLARSSL_ERR_RSA_PUBLIC_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]222
223 return( 0 );
224}
225
226/*
227 * Do an RSA private key operation
228 */
229int rsa_private( rsa_context *ctx,
230 unsigned char *input,
231 unsigned char *output )
232{
233 int ret, olen;
234 mpi T, T1, T2;
235
236 mpi_init( &T, &T1, &T2, NULL );
237
238 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
239
240 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
241 {
242 mpi_free( &T, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]243 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]244 }
245
246#if 0
247 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
248#else
249 /*
250 * faster decryption using the CRT
251 *
252 * T1 = input ^ dP mod P
253 * T2 = input ^ dQ mod Q
254 */
255 MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
256 MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
257
258 /*
259 * T = (T1 - T2) * (Q^-1 mod P) mod P
260 */
261 MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
262 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
263 MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
264
265 /*
266 * output = T2 + T * Q
267 */
268 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
269 MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
270#endif
271
272 olen = ctx->len;
273 MPI_CHK( mpi_write_binary( &T, output, olen ) );
274
275cleanup:
276
277 mpi_free( &T, &T1, &T2, NULL );
278
279 if( ret != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]280 return( POLARSSL_ERR_RSA_PRIVATE_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]281
282 return( 0 );
283}
284
285/*
286 * Add the message padding, then do an RSA operation
287 */
288int rsa_pkcs1_encrypt( rsa_context *ctx,
289 int mode, int ilen,
290 unsigned char *input,
291 unsigned char *output )
292{
293 int nb_pad, olen;
294 unsigned char *p = output;
295
296 olen = ctx->len;
297
298 switch( ctx->padding )
299 {
300 case RSA_PKCS_V15:
301
302 if( ilen < 0 || olen < ilen + 11 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]303 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]304
305 nb_pad = olen - 3 - ilen;
306
307 *p++ = 0;
308 *p++ = RSA_CRYPT;
309
310 while( nb_pad-- > 0 )
311 {
312 do {
313 *p = (unsigned char) rand();
314 } while( *p == 0 );
315 p++;
316 }
317 *p++ = 0;
318 memcpy( p, input, ilen );
319 break;
320
321 default:
322
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]323 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]324 }
325
326 return( ( mode == RSA_PUBLIC )
327 ? rsa_public( ctx, output, output )
328 : rsa_private( ctx, output, output ) );
329}
330
331/*
332 * Do an RSA operation, then remove the message padding
333 */
334int rsa_pkcs1_decrypt( rsa_context *ctx,
335 int mode, int *olen,
336 unsigned char *input,
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]337 unsigned char *output,
338 int output_max_len)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339{
340 int ret, ilen;
341 unsigned char *p;
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]342 unsigned char buf[1024];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343
344 ilen = ctx->len;
345
346 if( ilen < 16 || ilen > (int) sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]347 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]348
349 ret = ( mode == RSA_PUBLIC )
350 ? rsa_public( ctx, input, buf )
351 : rsa_private( ctx, input, buf );
352
353 if( ret != 0 )
354 return( ret );
355
356 p = buf;
357
358 switch( ctx->padding )
359 {
360 case RSA_PKCS_V15:
361
362 if( *p++ != 0 || *p++ != RSA_CRYPT )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]363 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364
365 while( *p != 0 )
366 {
367 if( p >= buf + ilen - 1 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]368 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]369 p++;
370 }
371 p++;
372 break;
373
374 default:
375
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]376 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]377 }
378
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]379 if (ilen - (int)(p - buf) > output_max_len)
380 return( POLARSSL_ERR_RSA_OUTPUT_TO_LARGE );
381
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]382 *olen = ilen - (int)(p - buf);
383 memcpy( output, p, *olen );
384
385 return( 0 );
386}
387
388/*
389 * Do an RSA operation to sign the message digest
390 */
391int rsa_pkcs1_sign( rsa_context *ctx,
392 int mode,
393 int hash_id,
394 int hashlen,
395 unsigned char *hash,
396 unsigned char *sig )
397{
398 int nb_pad, olen;
399 unsigned char *p = sig;
400
401 olen = ctx->len;
402
403 switch( ctx->padding )
404 {
405 case RSA_PKCS_V15:
406
407 switch( hash_id )
408 {
409 case RSA_RAW:
410 nb_pad = olen - 3 - hashlen;
411 break;
412
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]413 case SIG_RSA_MD2:
414 case SIG_RSA_MD4:
415 case SIG_RSA_MD5:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]416 nb_pad = olen - 3 - 34;
417 break;
418
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]419 case SIG_RSA_SHA1:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]420 nb_pad = olen - 3 - 35;
421 break;
422
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]423 case SIG_RSA_SHA224:
424 nb_pad = olen - 3 - 47;
425 break;
426
427 case SIG_RSA_SHA256:
428 nb_pad = olen - 3 - 51;
429 break;
430
431 case SIG_RSA_SHA384:
432 nb_pad = olen - 3 - 67;
433 break;
434
435 case SIG_RSA_SHA512:
436 nb_pad = olen - 3 - 83;
437 break;
438
439
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]441 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]442 }
443
444 if( nb_pad < 8 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]445 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]446
447 *p++ = 0;
448 *p++ = RSA_SIGN;
449 memset( p, 0xFF, nb_pad );
450 p += nb_pad;
451 *p++ = 0;
452 break;
453
454 default:
455
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]456 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457 }
458
459 switch( hash_id )
460 {
461 case RSA_RAW:
462 memcpy( p, hash, hashlen );
463 break;
464
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]465 case SIG_RSA_MD2:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466 memcpy( p, ASN1_HASH_MDX, 18 );
467 memcpy( p + 18, hash, 16 );
468 p[13] = 2; break;
469
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]470 case SIG_RSA_MD4:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]471 memcpy( p, ASN1_HASH_MDX, 18 );
472 memcpy( p + 18, hash, 16 );
473 p[13] = 4; break;
474
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]475 case SIG_RSA_MD5:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476 memcpy( p, ASN1_HASH_MDX, 18 );
477 memcpy( p + 18, hash, 16 );
478 p[13] = 5; break;
479
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]480 case SIG_RSA_SHA1:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]481 memcpy( p, ASN1_HASH_SHA1, 15 );
482 memcpy( p + 15, hash, 20 );
483 break;
484
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]485 case SIG_RSA_SHA224:
486 memcpy( p, ASN1_HASH_SHA2X, 19 );
487 memcpy( p + 19, hash, 28 );
488 p[1] += 28; p[14] = 4; p[18] += 28; break;
489
490 case SIG_RSA_SHA256:
491 memcpy( p, ASN1_HASH_SHA2X, 19 );
492 memcpy( p + 19, hash, 32 );
493 p[1] += 32; p[14] = 1; p[18] += 32; break;
494
495 case SIG_RSA_SHA384:
496 memcpy( p, ASN1_HASH_SHA2X, 19 );
497 memcpy( p + 19, hash, 48 );
498 p[1] += 48; p[14] = 2; p[18] += 48; break;
499
500 case SIG_RSA_SHA512:
501 memcpy( p, ASN1_HASH_SHA2X, 19 );
502 memcpy( p + 19, hash, 64 );
503 p[1] += 64; p[14] = 3; p[18] += 64; break;
504
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]505 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]506 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]507 }
508
509 return( ( mode == RSA_PUBLIC )
510 ? rsa_public( ctx, sig, sig )
511 : rsa_private( ctx, sig, sig ) );
512}
513
514/*
515 * Do an RSA operation and check the message digest
516 */
517int rsa_pkcs1_verify( rsa_context *ctx,
518 int mode,
519 int hash_id,
520 int hashlen,
521 unsigned char *hash,
522 unsigned char *sig )
523{
524 int ret, len, siglen;
525 unsigned char *p, c;
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]526 unsigned char buf[1024];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]527
528 siglen = ctx->len;
529
530 if( siglen < 16 || siglen > (int) sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]531 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]532
533 ret = ( mode == RSA_PUBLIC )
534 ? rsa_public( ctx, sig, buf )
535 : rsa_private( ctx, sig, buf );
536
537 if( ret != 0 )
538 return( ret );
539
540 p = buf;
541
542 switch( ctx->padding )
543 {
544 case RSA_PKCS_V15:
545
546 if( *p++ != 0 || *p++ != RSA_SIGN )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]547 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]548
549 while( *p != 0 )
550 {
551 if( p >= buf + siglen - 1 || *p != 0xFF )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]552 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553 p++;
554 }
555 p++;
556 break;
557
558 default:
559
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]560 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 }
562
563 len = siglen - (int)( p - buf );
564
565 if( len == 34 )
566 {
567 c = p[13];
568 p[13] = 0;
569
570 if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]571 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]573 if( ( c == 2 && hash_id == SIG_RSA_MD2 ) ||
574 ( c == 4 && hash_id == SIG_RSA_MD4 ) ||
575 ( c == 5 && hash_id == SIG_RSA_MD5 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]576 {
577 if( memcmp( p + 18, hash, 16 ) == 0 )
578 return( 0 );
579 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]580 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]581 }
582 }
583
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]584 if( len == 35 && hash_id == SIG_RSA_SHA1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585 {
586 if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 &&
587 memcmp( p + 15, hash, 20 ) == 0 )
588 return( 0 );
589 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]590 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591 }
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]592 if( ( len == 19 + 28 && p[14] == 4 && hash_id == SIG_RSA_SHA224 ) ||
593 ( len == 19 + 32 && p[14] == 1 && hash_id == SIG_RSA_SHA256 ) ||
594 ( len == 19 + 48 && p[14] == 2 && hash_id == SIG_RSA_SHA384 ) ||
595 ( len == 19 + 64 && p[14] == 3 && hash_id == SIG_RSA_SHA512 ) )
596 {
597 c = p[1] - 17;
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]598 p[1] = 17;
599 p[14] = 0;
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]600
601 if( p[18] == c &&
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]602 memcmp( p, ASN1_HASH_SHA2X, 18 ) == 0 &&
603 memcmp( p + 19, hash, c ) == 0 )
604 return( 0 );
605 else
606 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]607 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]608
609 if( len == hashlen && hash_id == RSA_RAW )
610 {
611 if( memcmp( p, hash, hashlen ) == 0 )
612 return( 0 );
613 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]614 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615 }
616
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]617 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]618}
619
620/*
621 * Free the components of an RSA key
622 */
623void rsa_free( rsa_context *ctx )
624{
625 mpi_free( &ctx->RQ, &ctx->RP, &ctx->RN,
626 &ctx->QP, &ctx->DQ, &ctx->DP,
627 &ctx->Q, &ctx->P, &ctx->D,
628 &ctx->E, &ctx->N, NULL );
629}
630
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]631#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]632
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]633#include "polarssl/sha1.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]634
635/*
636 * Example RSA-1024 keypair, for test purposes
637 */
638#define KEY_LEN 128
639
640#define RSA_N "9292758453063D803DD603D5E777D788" \
641 "8ED1D5BF35786190FA2F23EBC0848AEA" \
642 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
643 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
644 "93A89813FBF3C4F8066D2D800F7C38A8" \
645 "1AE31942917403FF4946B0A83D3D3E05" \
646 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
647 "5E94BB77B07507233A0BC7BAC8F90F79"
648
649#define RSA_E "10001"
650
651#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
652 "66CA472BC44D253102F8B4A9D3BFA750" \
653 "91386C0077937FE33FA3252D28855837" \
654 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
655 "DF79C5CE07EE72C7F123142198164234" \
656 "CABB724CF78B8173B9F880FC86322407" \
657 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
658 "071513A1E85B5DFA031F21ECAE91A34D"
659
660#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
661 "2C01CAD19EA484A87EA4377637E75500" \
662 "FCB2005C5C7DD6EC4AC023CDA285D796" \
663 "C3D9E75E1EFC42488BB4F1D13AC30A57"
664
665#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
666 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
667 "910E4168387E3C30AA1E00C339A79508" \
668 "8452DD96A9A5EA5D9DCA68DA636032AF"
669
670#define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
671 "3C94D22288ACD763FD8E5600ED4A702D" \
672 "F84198A5F06C2E72236AE490C93F07F8" \
673 "3CC559CD27BC2D1CA488811730BB5725"
674
675#define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
676 "D8AAEA56749EA28623272E4F7D0592AF" \
677 "7C1F1313CAC9471B5C523BFE592F517B" \
678 "407A1BD76C164B93DA2D32A383E58357"
679
680#define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
681 "F38D18D2B2F0E2DD275AA977E2BF4411" \
682 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
683 "A74206CEC169D74BF5A8C50D6F48EA08"
684
685#define PT_LEN 24
686#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
687 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
688
689/*
690 * Checkup routine
691 */
692int rsa_self_test( int verbose )
693{
694 int len;
695 rsa_context rsa;
696 unsigned char sha1sum[20];
697 unsigned char rsa_plaintext[PT_LEN];
698 unsigned char rsa_decrypted[PT_LEN];
699 unsigned char rsa_ciphertext[KEY_LEN];
700
701 memset( &rsa, 0, sizeof( rsa_context ) );
702
703 rsa.len = KEY_LEN;
704 mpi_read_string( &rsa.N , 16, RSA_N );
705 mpi_read_string( &rsa.E , 16, RSA_E );
706 mpi_read_string( &rsa.D , 16, RSA_D );
707 mpi_read_string( &rsa.P , 16, RSA_P );
708 mpi_read_string( &rsa.Q , 16, RSA_Q );
709 mpi_read_string( &rsa.DP, 16, RSA_DP );
710 mpi_read_string( &rsa.DQ, 16, RSA_DQ );
711 mpi_read_string( &rsa.QP, 16, RSA_QP );
712
713 if( verbose != 0 )
714 printf( " RSA key validation: " );
715
716 if( rsa_check_pubkey( &rsa ) != 0 ||
717 rsa_check_privkey( &rsa ) != 0 )
718 {
719 if( verbose != 0 )
720 printf( "failed\n" );
721
722 return( 1 );
723 }
724
725 if( verbose != 0 )
726 printf( "passed\n PKCS#1 encryption : " );
727
728 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
729
730 if( rsa_pkcs1_encrypt( &rsa, RSA_PUBLIC, PT_LEN,
731 rsa_plaintext, rsa_ciphertext ) != 0 )
732 {
733 if( verbose != 0 )
734 printf( "failed\n" );
735
736 return( 1 );
737 }
738
739 if( verbose != 0 )
740 printf( "passed\n PKCS#1 decryption : " );
741
742 if( rsa_pkcs1_decrypt( &rsa, RSA_PRIVATE, &len,
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]743 rsa_ciphertext, rsa_decrypted,
744 sizeof(rsa_decrypted) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]745 {
746 if( verbose != 0 )
747 printf( "failed\n" );
748
749 return( 1 );
750 }
751
752 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
753 {
754 if( verbose != 0 )
755 printf( "failed\n" );
756
757 return( 1 );
758 }
759
760 if( verbose != 0 )
761 printf( "passed\n PKCS#1 data sign : " );
762
763 sha1( rsa_plaintext, PT_LEN, sha1sum );
764
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]765 if( rsa_pkcs1_sign( &rsa, RSA_PRIVATE, SIG_RSA_SHA1, 20,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]766 sha1sum, rsa_ciphertext ) != 0 )
767 {
768 if( verbose != 0 )
769 printf( "failed\n" );
770
771 return( 1 );
772 }
773
774 if( verbose != 0 )
775 printf( "passed\n PKCS#1 sig. verify: " );
776
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]777 if( rsa_pkcs1_verify( &rsa, RSA_PUBLIC, SIG_RSA_SHA1, 20,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]778 sha1sum, rsa_ciphertext ) != 0 )
779 {
780 if( verbose != 0 )
781 printf( "failed\n" );
782
783 return( 1 );
784 }
785
786 if( verbose != 0 )
787 printf( "passed\n\n" );
788
789 rsa_free( &rsa );
790
791 return( 0 );
792}
793
794#endif
795
796#endif