TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 84f12b76fc6d5b9dc3ec4eff3dc0f1e6b03a259a / . / library / rsa.c
blob: 1b0a96b161a0fa520bf3bf7401b966dd63a2a11f [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * The RSA public-key cryptosystem
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame^]4 * Copyright (C) 2006-2010, Brainspark B.V.
5 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]6 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]7 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
24 *
25 * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
26 * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
27 */
28
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]29#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#if defined(POLARSSL_RSA_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#include "polarssl/rsa.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]34
35#include <stdlib.h>
36#include <string.h>
37#include <stdio.h>
38
39/*
40 * Initialize an RSA context
41 */
42void rsa_init( rsa_context *ctx,
43 int padding,
44 int hash_id,
45 int (*f_rng)(void *),
46 void *p_rng )
47{
48 memset( ctx, 0, sizeof( rsa_context ) );
49
50 ctx->padding = padding;
51 ctx->hash_id = hash_id;
52
53 ctx->f_rng = f_rng;
54 ctx->p_rng = p_rng;
55}
56
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]57#if defined(POLARSSL_GENPRIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
59/*
60 * Generate an RSA keypair
61 */
62int rsa_gen_key( rsa_context *ctx, int nbits, int exponent )
63{
64 int ret;
65 mpi P1, Q1, H, G;
66
67 if( ctx->f_rng == NULL || nbits < 128 || exponent < 3 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]68 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]69
70 mpi_init( &P1, &Q1, &H, &G, NULL );
71
72 /*
73 * find primes P and Q with Q < P so that:
74 * GCD( E, (P-1)*(Q-1) ) == 1
75 */
76 MPI_CHK( mpi_lset( &ctx->E, exponent ) );
77
78 do
79 {
80 MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
81 ctx->f_rng, ctx->p_rng ) );
82
83 MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
84 ctx->f_rng, ctx->p_rng ) );
85
86 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
87 mpi_swap( &ctx->P, &ctx->Q );
88
89 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
90 continue;
91
92 MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
93 if( mpi_msb( &ctx->N ) != nbits )
94 continue;
95
96 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
97 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
98 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
99 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
100 }
101 while( mpi_cmp_int( &G, 1 ) != 0 );
102
103 /*
104 * D = E^-1 mod ((P-1)*(Q-1))
105 * DP = D mod (P - 1)
106 * DQ = D mod (Q - 1)
107 * QP = Q^-1 mod P
108 */
109 MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
110 MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
111 MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
112 MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
113
114 ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
115
116cleanup:
117
118 mpi_free( &G, &H, &Q1, &P1, NULL );
119
120 if( ret != 0 )
121 {
122 rsa_free( ctx );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]123 return( POLARSSL_ERR_RSA_KEY_GEN_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]124 }
125
126 return( 0 );
127}
128
129#endif
130
131/*
132 * Check a public RSA key
133 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]134int rsa_check_pubkey( const rsa_context *ctx )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]135{
Paul Bakker37940d9f2009-07-10 22:38:58 +0000[diff] [blame]136 if( !ctx->N.p || !ctx->E.p )
137 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
138
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]139 if( ( ctx->N.p[0] & 1 ) == 0 ||
140 ( ctx->E.p[0] & 1 ) == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]141 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]142
143 if( mpi_msb( &ctx->N ) < 128 ||
144 mpi_msb( &ctx->N ) > 4096 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]145 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]146
147 if( mpi_msb( &ctx->E ) < 2 ||
148 mpi_msb( &ctx->E ) > 64 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]149 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]150
151 return( 0 );
152}
153
154/*
155 * Check a private RSA key
156 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]157int rsa_check_privkey( const rsa_context *ctx )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]158{
159 int ret;
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]160 mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]161
162 if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
163 return( ret );
164
Paul Bakker37940d9f2009-07-10 22:38:58 +0000[diff] [blame]165 if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
166 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
167
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]168 mpi_init( &PQ, &DE, &P1, &Q1, &H, &I, &G, &G2, &L1, &L2, NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]169
170 MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
171 MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
172 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
173 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
174 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]175 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
176
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]177 MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) );
178 MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) );
179 MPI_CHK( mpi_mod_mpi( &I, &DE, &L1 ) );
180
181 /*
182 * Check for a valid PKCS1v2 private key
183 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]184 if( mpi_cmp_mpi( &PQ, &ctx->N ) == 0 &&
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]185 mpi_cmp_int( &L2, 0 ) == 0 &&
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]186 mpi_cmp_int( &I, 1 ) == 0 &&
187 mpi_cmp_int( &G, 1 ) == 0 )
188 {
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]189 mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, &G2, &L1, &L2, NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]190 return( 0 );
191 }
192
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]193
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]194cleanup:
195
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]196 mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, &G2, &L1, &L2, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]197 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]198}
199
200/*
201 * Do an RSA public key operation
202 */
203int rsa_public( rsa_context *ctx,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]204 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205 unsigned char *output )
206{
207 int ret, olen;
208 mpi T;
209
210 mpi_init( &T, NULL );
211
212 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
213
214 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
215 {
216 mpi_free( &T, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]217 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]218 }
219
220 olen = ctx->len;
221 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
222 MPI_CHK( mpi_write_binary( &T, output, olen ) );
223
224cleanup:
225
226 mpi_free( &T, NULL );
227
228 if( ret != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]229 return( POLARSSL_ERR_RSA_PUBLIC_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]230
231 return( 0 );
232}
233
234/*
235 * Do an RSA private key operation
236 */
237int rsa_private( rsa_context *ctx,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]238 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]239 unsigned char *output )
240{
241 int ret, olen;
242 mpi T, T1, T2;
243
244 mpi_init( &T, &T1, &T2, NULL );
245
246 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
247
248 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
249 {
250 mpi_free( &T, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]251 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]252 }
253
254#if 0
255 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
256#else
257 /*
258 * faster decryption using the CRT
259 *
260 * T1 = input ^ dP mod P
261 * T2 = input ^ dQ mod Q
262 */
263 MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
264 MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
265
266 /*
267 * T = (T1 - T2) * (Q^-1 mod P) mod P
268 */
269 MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
270 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
271 MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
272
273 /*
274 * output = T2 + T * Q
275 */
276 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
277 MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
278#endif
279
280 olen = ctx->len;
281 MPI_CHK( mpi_write_binary( &T, output, olen ) );
282
283cleanup:
284
285 mpi_free( &T, &T1, &T2, NULL );
286
287 if( ret != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]288 return( POLARSSL_ERR_RSA_PRIVATE_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]289
290 return( 0 );
291}
292
293/*
294 * Add the message padding, then do an RSA operation
295 */
296int rsa_pkcs1_encrypt( rsa_context *ctx,
297 int mode, int ilen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]298 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]299 unsigned char *output )
300{
301 int nb_pad, olen;
302 unsigned char *p = output;
303
304 olen = ctx->len;
305
306 switch( ctx->padding )
307 {
308 case RSA_PKCS_V15:
309
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]310 if( ilen < 0 || olen < ilen + 11 || ctx->f_rng == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]311 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]312
313 nb_pad = olen - 3 - ilen;
314
315 *p++ = 0;
316 *p++ = RSA_CRYPT;
317
318 while( nb_pad-- > 0 )
319 {
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]320 int rng_dl = 100;
321
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]322 do {
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]323 *p = (unsigned char) ctx->f_rng( ctx->p_rng );
324 } while( *p == 0 && --rng_dl );
325
326 // Check if RNG failed to generate data
327 //
328 if( rng_dl == 0 )
329 return POLARSSL_ERR_RSA_RNG_FAILED;
330
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]331 p++;
332 }
333 *p++ = 0;
334 memcpy( p, input, ilen );
335 break;
336
337 default:
338
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]339 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]340 }
341
342 return( ( mode == RSA_PUBLIC )
343 ? rsa_public( ctx, output, output )
344 : rsa_private( ctx, output, output ) );
345}
346
347/*
348 * Do an RSA operation, then remove the message padding
349 */
350int rsa_pkcs1_decrypt( rsa_context *ctx,
351 int mode, int *olen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]352 const unsigned char *input,
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]353 unsigned char *output,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]354 int output_max_len)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355{
356 int ret, ilen;
357 unsigned char *p;
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]358 unsigned char buf[1024];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]359
360 ilen = ctx->len;
361
362 if( ilen < 16 || ilen > (int) sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]363 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364
365 ret = ( mode == RSA_PUBLIC )
366 ? rsa_public( ctx, input, buf )
367 : rsa_private( ctx, input, buf );
368
369 if( ret != 0 )
370 return( ret );
371
372 p = buf;
373
374 switch( ctx->padding )
375 {
376 case RSA_PKCS_V15:
377
378 if( *p++ != 0 || *p++ != RSA_CRYPT )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]379 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]380
381 while( *p != 0 )
382 {
383 if( p >= buf + ilen - 1 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]384 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]385 p++;
386 }
387 p++;
388 break;
389
390 default:
391
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]392 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]393 }
394
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]395 if (ilen - (int)(p - buf) > output_max_len)
Paul Bakker38e2b482009-07-19 20:41:06 +0000[diff] [blame]396 return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]397
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]398 *olen = ilen - (int)(p - buf);
399 memcpy( output, p, *olen );
400
401 return( 0 );
402}
403
404/*
405 * Do an RSA operation to sign the message digest
406 */
407int rsa_pkcs1_sign( rsa_context *ctx,
408 int mode,
409 int hash_id,
410 int hashlen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]411 const unsigned char *hash,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]412 unsigned char *sig )
413{
414 int nb_pad, olen;
415 unsigned char *p = sig;
416
417 olen = ctx->len;
418
419 switch( ctx->padding )
420 {
421 case RSA_PKCS_V15:
422
423 switch( hash_id )
424 {
Paul Bakkerfc22c442009-07-19 20:36:27 +0000[diff] [blame]425 case SIG_RSA_RAW:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426 nb_pad = olen - 3 - hashlen;
427 break;
428
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]429 case SIG_RSA_MD2:
430 case SIG_RSA_MD4:
431 case SIG_RSA_MD5:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]432 nb_pad = olen - 3 - 34;
433 break;
434
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]435 case SIG_RSA_SHA1:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436 nb_pad = olen - 3 - 35;
437 break;
438
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]439 case SIG_RSA_SHA224:
440 nb_pad = olen - 3 - 47;
441 break;
442
443 case SIG_RSA_SHA256:
444 nb_pad = olen - 3 - 51;
445 break;
446
447 case SIG_RSA_SHA384:
448 nb_pad = olen - 3 - 67;
449 break;
450
451 case SIG_RSA_SHA512:
452 nb_pad = olen - 3 - 83;
453 break;
454
455
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]456 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]457 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]458 }
459
460 if( nb_pad < 8 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]461 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]462
463 *p++ = 0;
464 *p++ = RSA_SIGN;
465 memset( p, 0xFF, nb_pad );
466 p += nb_pad;
467 *p++ = 0;
468 break;
469
470 default:
471
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]472 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]473 }
474
475 switch( hash_id )
476 {
Paul Bakkerfc22c442009-07-19 20:36:27 +0000[diff] [blame]477 case SIG_RSA_RAW:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]478 memcpy( p, hash, hashlen );
479 break;
480
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]481 case SIG_RSA_MD2:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482 memcpy( p, ASN1_HASH_MDX, 18 );
483 memcpy( p + 18, hash, 16 );
484 p[13] = 2; break;
485
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]486 case SIG_RSA_MD4:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487 memcpy( p, ASN1_HASH_MDX, 18 );
488 memcpy( p + 18, hash, 16 );
489 p[13] = 4; break;
490
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]491 case SIG_RSA_MD5:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]492 memcpy( p, ASN1_HASH_MDX, 18 );
493 memcpy( p + 18, hash, 16 );
494 p[13] = 5; break;
495
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]496 case SIG_RSA_SHA1:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]497 memcpy( p, ASN1_HASH_SHA1, 15 );
498 memcpy( p + 15, hash, 20 );
499 break;
500
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]501 case SIG_RSA_SHA224:
502 memcpy( p, ASN1_HASH_SHA2X, 19 );
503 memcpy( p + 19, hash, 28 );
504 p[1] += 28; p[14] = 4; p[18] += 28; break;
505
506 case SIG_RSA_SHA256:
507 memcpy( p, ASN1_HASH_SHA2X, 19 );
508 memcpy( p + 19, hash, 32 );
509 p[1] += 32; p[14] = 1; p[18] += 32; break;
510
511 case SIG_RSA_SHA384:
512 memcpy( p, ASN1_HASH_SHA2X, 19 );
513 memcpy( p + 19, hash, 48 );
514 p[1] += 48; p[14] = 2; p[18] += 48; break;
515
516 case SIG_RSA_SHA512:
517 memcpy( p, ASN1_HASH_SHA2X, 19 );
518 memcpy( p + 19, hash, 64 );
519 p[1] += 64; p[14] = 3; p[18] += 64; break;
520
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]521 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]522 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]523 }
524
525 return( ( mode == RSA_PUBLIC )
526 ? rsa_public( ctx, sig, sig )
527 : rsa_private( ctx, sig, sig ) );
528}
529
530/*
531 * Do an RSA operation and check the message digest
532 */
533int rsa_pkcs1_verify( rsa_context *ctx,
534 int mode,
535 int hash_id,
536 int hashlen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]537 const unsigned char *hash,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]538 unsigned char *sig )
539{
540 int ret, len, siglen;
541 unsigned char *p, c;
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]542 unsigned char buf[1024];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]543
544 siglen = ctx->len;
545
546 if( siglen < 16 || siglen > (int) sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]547 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]548
549 ret = ( mode == RSA_PUBLIC )
550 ? rsa_public( ctx, sig, buf )
551 : rsa_private( ctx, sig, buf );
552
553 if( ret != 0 )
554 return( ret );
555
556 p = buf;
557
558 switch( ctx->padding )
559 {
560 case RSA_PKCS_V15:
561
562 if( *p++ != 0 || *p++ != RSA_SIGN )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]563 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564
565 while( *p != 0 )
566 {
567 if( p >= buf + siglen - 1 || *p != 0xFF )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]568 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]569 p++;
570 }
571 p++;
572 break;
573
574 default:
575
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]576 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]577 }
578
579 len = siglen - (int)( p - buf );
580
581 if( len == 34 )
582 {
583 c = p[13];
584 p[13] = 0;
585
586 if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]587 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]588
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]589 if( ( c == 2 && hash_id == SIG_RSA_MD2 ) ||
590 ( c == 4 && hash_id == SIG_RSA_MD4 ) ||
591 ( c == 5 && hash_id == SIG_RSA_MD5 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]592 {
593 if( memcmp( p + 18, hash, 16 ) == 0 )
594 return( 0 );
595 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]596 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]597 }
598 }
599
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]600 if( len == 35 && hash_id == SIG_RSA_SHA1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]601 {
602 if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 &&
603 memcmp( p + 15, hash, 20 ) == 0 )
604 return( 0 );
605 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]606 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]607 }
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]608 if( ( len == 19 + 28 && p[14] == 4 && hash_id == SIG_RSA_SHA224 ) ||
609 ( len == 19 + 32 && p[14] == 1 && hash_id == SIG_RSA_SHA256 ) ||
610 ( len == 19 + 48 && p[14] == 2 && hash_id == SIG_RSA_SHA384 ) ||
611 ( len == 19 + 64 && p[14] == 3 && hash_id == SIG_RSA_SHA512 ) )
612 {
613 c = p[1] - 17;
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]614 p[1] = 17;
615 p[14] = 0;
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]616
617 if( p[18] == c &&
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]618 memcmp( p, ASN1_HASH_SHA2X, 18 ) == 0 &&
619 memcmp( p + 19, hash, c ) == 0 )
620 return( 0 );
621 else
622 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]623 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]624
Paul Bakkerfc22c442009-07-19 20:36:27 +0000[diff] [blame]625 if( len == hashlen && hash_id == SIG_RSA_RAW )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]626 {
627 if( memcmp( p, hash, hashlen ) == 0 )
628 return( 0 );
629 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]630 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]631 }
632
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]633 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]634}
635
636/*
637 * Free the components of an RSA key
638 */
639void rsa_free( rsa_context *ctx )
640{
641 mpi_free( &ctx->RQ, &ctx->RP, &ctx->RN,
642 &ctx->QP, &ctx->DQ, &ctx->DP,
643 &ctx->Q, &ctx->P, &ctx->D,
644 &ctx->E, &ctx->N, NULL );
645}
646
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]647#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]648
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]649#include "polarssl/sha1.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]650
651/*
652 * Example RSA-1024 keypair, for test purposes
653 */
654#define KEY_LEN 128
655
656#define RSA_N "9292758453063D803DD603D5E777D788" \
657 "8ED1D5BF35786190FA2F23EBC0848AEA" \
658 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
659 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
660 "93A89813FBF3C4F8066D2D800F7C38A8" \
661 "1AE31942917403FF4946B0A83D3D3E05" \
662 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
663 "5E94BB77B07507233A0BC7BAC8F90F79"
664
665#define RSA_E "10001"
666
667#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
668 "66CA472BC44D253102F8B4A9D3BFA750" \
669 "91386C0077937FE33FA3252D28855837" \
670 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
671 "DF79C5CE07EE72C7F123142198164234" \
672 "CABB724CF78B8173B9F880FC86322407" \
673 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
674 "071513A1E85B5DFA031F21ECAE91A34D"
675
676#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
677 "2C01CAD19EA484A87EA4377637E75500" \
678 "FCB2005C5C7DD6EC4AC023CDA285D796" \
679 "C3D9E75E1EFC42488BB4F1D13AC30A57"
680
681#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
682 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
683 "910E4168387E3C30AA1E00C339A79508" \
684 "8452DD96A9A5EA5D9DCA68DA636032AF"
685
686#define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
687 "3C94D22288ACD763FD8E5600ED4A702D" \
688 "F84198A5F06C2E72236AE490C93F07F8" \
689 "3CC559CD27BC2D1CA488811730BB5725"
690
691#define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
692 "D8AAEA56749EA28623272E4F7D0592AF" \
693 "7C1F1313CAC9471B5C523BFE592F517B" \
694 "407A1BD76C164B93DA2D32A383E58357"
695
696#define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
697 "F38D18D2B2F0E2DD275AA977E2BF4411" \
698 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
699 "A74206CEC169D74BF5A8C50D6F48EA08"
700
701#define PT_LEN 24
702#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
703 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
704
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]705static int myrand( void *rng_state )
706{
707 if( rng_state != NULL )
708 rng_state = NULL;
709
710 return( rand() );
711}
712
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]713/*
714 * Checkup routine
715 */
716int rsa_self_test( int verbose )
717{
718 int len;
719 rsa_context rsa;
720 unsigned char sha1sum[20];
721 unsigned char rsa_plaintext[PT_LEN];
722 unsigned char rsa_decrypted[PT_LEN];
723 unsigned char rsa_ciphertext[KEY_LEN];
724
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]725 rsa_init( &rsa, RSA_PKCS_V15, 0, &myrand, NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]726
727 rsa.len = KEY_LEN;
728 mpi_read_string( &rsa.N , 16, RSA_N );
729 mpi_read_string( &rsa.E , 16, RSA_E );
730 mpi_read_string( &rsa.D , 16, RSA_D );
731 mpi_read_string( &rsa.P , 16, RSA_P );
732 mpi_read_string( &rsa.Q , 16, RSA_Q );
733 mpi_read_string( &rsa.DP, 16, RSA_DP );
734 mpi_read_string( &rsa.DQ, 16, RSA_DQ );
735 mpi_read_string( &rsa.QP, 16, RSA_QP );
736
737 if( verbose != 0 )
738 printf( " RSA key validation: " );
739
740 if( rsa_check_pubkey( &rsa ) != 0 ||
741 rsa_check_privkey( &rsa ) != 0 )
742 {
743 if( verbose != 0 )
744 printf( "failed\n" );
745
746 return( 1 );
747 }
748
749 if( verbose != 0 )
750 printf( "passed\n PKCS#1 encryption : " );
751
752 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
753
754 if( rsa_pkcs1_encrypt( &rsa, RSA_PUBLIC, PT_LEN,
755 rsa_plaintext, rsa_ciphertext ) != 0 )
756 {
757 if( verbose != 0 )
758 printf( "failed\n" );
759
760 return( 1 );
761 }
762
763 if( verbose != 0 )
764 printf( "passed\n PKCS#1 decryption : " );
765
766 if( rsa_pkcs1_decrypt( &rsa, RSA_PRIVATE, &len,
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]767 rsa_ciphertext, rsa_decrypted,
768 sizeof(rsa_decrypted) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]769 {
770 if( verbose != 0 )
771 printf( "failed\n" );
772
773 return( 1 );
774 }
775
776 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
777 {
778 if( verbose != 0 )
779 printf( "failed\n" );
780
781 return( 1 );
782 }
783
784 if( verbose != 0 )
785 printf( "passed\n PKCS#1 data sign : " );
786
787 sha1( rsa_plaintext, PT_LEN, sha1sum );
788
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]789 if( rsa_pkcs1_sign( &rsa, RSA_PRIVATE, SIG_RSA_SHA1, 20,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]790 sha1sum, rsa_ciphertext ) != 0 )
791 {
792 if( verbose != 0 )
793 printf( "failed\n" );
794
795 return( 1 );
796 }
797
798 if( verbose != 0 )
799 printf( "passed\n PKCS#1 sig. verify: " );
800
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]801 if( rsa_pkcs1_verify( &rsa, RSA_PUBLIC, SIG_RSA_SHA1, 20,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]802 sha1sum, rsa_ciphertext ) != 0 )
803 {
804 if( verbose != 0 )
805 printf( "failed\n" );
806
807 return( 1 );
808 }
809
810 if( verbose != 0 )
811 printf( "passed\n\n" );
812
813 rsa_free( &rsa );
814
815 return( 0 );
816}
817
818#endif
819
820#endif