TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 5d392579c216845c9489fd1760a5ace400f88ea2 / . / library / rsa.c
blob: 2cc1de1896c41c2f49ea9f8a3088402438f6be99 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * The RSA public-key cryptosystem
3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +0000[diff] [blame]4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]6 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]7 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
24 *
25 * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
26 * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
Janos Follath5d392572017-03-22 13:38:28 +0000[diff] [blame^]27 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
28 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
29 * Stefan Mangard
30 * https://arxiv.org/abs/1702.08719v2
31 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32 */
33
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]34#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]35#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]36#else
37#include POLARSSL_CONFIG_FILE
38#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]39
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]40#if defined(POLARSSL_RSA_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]41
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]42#include "polarssl/rsa.h"
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]43#include "polarssl/oid.h"
Paul Bakkerbb51f0c2012-08-23 07:46:58 +0000[diff] [blame]44
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]45#include <string.h>
46
Paul Bakkerbb51f0c2012-08-23 07:46:58 +0000[diff] [blame]47#if defined(POLARSSL_PKCS1_V21)
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]48#include "polarssl/md.h"
Paul Bakkerbb51f0c2012-08-23 07:46:58 +0000[diff] [blame]49#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]50
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]51#if defined(POLARSSL_PKCS1_V15) && !defined(__OpenBSD__)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]52#include <stdlib.h>
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]53#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]54
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]55#if defined(POLARSSL_PLATFORM_C)
56#include "polarssl/platform.h"
57#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]58#include <stdio.h>
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]59#define polarssl_printf printf
Manuel Pégourié-Gonnarda1cdcd22015-09-03 20:03:15 +0200[diff] [blame]60#define polarssl_malloc malloc
61#define polarssl_free free
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]62#endif
63
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]64/*
65 * Initialize an RSA context
66 */
67void rsa_init( rsa_context *ctx,
68 int padding,
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]69 int hash_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{
71 memset( ctx, 0, sizeof( rsa_context ) );
72
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100[diff] [blame]73 rsa_set_padding( ctx, padding, hash_id );
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200[diff] [blame]74
75#if defined(POLARSSL_THREADING_C)
76 polarssl_mutex_init( &ctx->mutex );
77#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]78}
79
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100[diff] [blame]80/*
81 * Set padding for an existing RSA context
82 */
83void rsa_set_padding( rsa_context *ctx, int padding, int hash_id )
84{
85 ctx->padding = padding;
86 ctx->hash_id = hash_id;
87}
88
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]89#if defined(POLARSSL_GENPRIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]90
91/*
92 * Generate an RSA keypair
93 */
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]94int rsa_gen_key( rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]95 int (*f_rng)(void *, unsigned char *, size_t),
96 void *p_rng,
97 unsigned int nbits, int exponent )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]98{
99 int ret;
100 mpi P1, Q1, H, G;
101
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]102 if( f_rng == NULL || nbits < 128 || exponent < 3 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]103 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]104
Janos Follathbfcd0322016-09-21 13:18:12 +0100[diff] [blame]105 if( nbits % 2 )
106 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
107
Janos Follathd61fc682016-02-23 14:42:48 +0000[diff] [blame]108 mpi_init( &P1 ); mpi_init( &Q1 );
109 mpi_init( &H ); mpi_init( &G );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]110
111 /*
112 * find primes P and Q with Q < P so that:
113 * GCD( E, (P-1)*(Q-1) ) == 1
114 */
115 MPI_CHK( mpi_lset( &ctx->E, exponent ) );
116
117 do
118 {
Janos Follathd61fc682016-02-23 14:42:48 +0000[diff] [blame]119 MPI_CHK( mpi_gen_prime( &ctx->P, nbits >> 1, 0,
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]120 f_rng, p_rng ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]121
Janos Follathbfcd0322016-09-21 13:18:12 +0100[diff] [blame]122 MPI_CHK( mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]123 f_rng, p_rng ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]124
125 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
126 continue;
127
128 MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
129 if( mpi_msb( &ctx->N ) != nbits )
130 continue;
131
Janos Follathbfcd0322016-09-21 13:18:12 +0100[diff] [blame]132 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
133 mpi_swap( &ctx->P, &ctx->Q );
134
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]135 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
136 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
137 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
138 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
139 }
140 while( mpi_cmp_int( &G, 1 ) != 0 );
141
142 /*
143 * D = E^-1 mod ((P-1)*(Q-1))
144 * DP = D mod (P - 1)
145 * DQ = D mod (Q - 1)
146 * QP = Q^-1 mod P
147 */
148 MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
149 MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
150 MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
151 MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
152
153 ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
154
155cleanup:
156
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]157 mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]158
159 if( ret != 0 )
160 {
161 rsa_free( ctx );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]162 return( POLARSSL_ERR_RSA_KEY_GEN_FAILED + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]163 }
164
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]165 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]166}
167
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]168#endif /* POLARSSL_GENPRIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]169
170/*
171 * Check a public RSA key
172 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]173int rsa_check_pubkey( const rsa_context *ctx )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]174{
Paul Bakker37940d9f2009-07-10 22:38:58 +0000[diff] [blame]175 if( !ctx->N.p || !ctx->E.p )
176 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
177
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]178 if( ( ctx->N.p[0] & 1 ) == 0 ||
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]179 ( ctx->E.p[0] & 1 ) == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]180 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]181
182 if( mpi_msb( &ctx->N ) < 128 ||
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]183 mpi_msb( &ctx->N ) > POLARSSL_MPI_MAX_BITS )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]184 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]185
186 if( mpi_msb( &ctx->E ) < 2 ||
Paul Bakker24f37cc2014-04-30 13:33:35 +0200[diff] [blame]187 mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]188 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]189
190 return( 0 );
191}
192
193/*
194 * Check a private RSA key
195 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]196int rsa_check_privkey( const rsa_context *ctx )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]197{
198 int ret;
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]199 mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]200
201 if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
202 return( ret );
203
Paul Bakker37940d9f2009-07-10 22:38:58 +0000[diff] [blame]204 if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
205 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
206
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]207 mpi_init( &PQ ); mpi_init( &DE ); mpi_init( &P1 ); mpi_init( &Q1 );
208 mpi_init( &H ); mpi_init( &I ); mpi_init( &G ); mpi_init( &G2 );
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]209 mpi_init( &L1 ); mpi_init( &L2 ); mpi_init( &DP ); mpi_init( &DQ );
210 mpi_init( &QP );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211
212 MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
213 MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
214 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
215 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
216 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]217 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
218
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]219 MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]220 MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) );
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]221 MPI_CHK( mpi_mod_mpi( &I, &DE, &L1 ) );
222
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]223 MPI_CHK( mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
224 MPI_CHK( mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
225 MPI_CHK( mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]226 /*
227 * Check for a valid PKCS1v2 private key
228 */
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]229 if( mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]230 mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
231 mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
232 mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]233 mpi_cmp_int( &L2, 0 ) != 0 ||
234 mpi_cmp_int( &I, 1 ) != 0 ||
235 mpi_cmp_int( &G, 1 ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]236 {
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]237 ret = POLARSSL_ERR_RSA_KEY_CHECK_FAILED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]238 }
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]239
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]240cleanup:
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]241 mpi_free( &PQ ); mpi_free( &DE ); mpi_free( &P1 ); mpi_free( &Q1 );
242 mpi_free( &H ); mpi_free( &I ); mpi_free( &G ); mpi_free( &G2 );
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]243 mpi_free( &L1 ); mpi_free( &L2 ); mpi_free( &DP ); mpi_free( &DQ );
244 mpi_free( &QP );
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]245
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]246 if( ret == POLARSSL_ERR_RSA_KEY_CHECK_FAILED )
247 return( ret );
248
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]249 if( ret != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]250 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED + ret );
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]251
252 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]253}
254
255/*
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100[diff] [blame]256 * Check if contexts holding a public and private key match
257 */
258int rsa_check_pub_priv( const rsa_context *pub, const rsa_context *prv )
259{
260 if( rsa_check_pubkey( pub ) != 0 ||
261 rsa_check_privkey( prv ) != 0 )
262 {
263 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
264 }
265
266 if( mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
267 mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
268 {
269 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
270 }
271
272 return( 0 );
273}
274
275/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]276 * Do an RSA public key operation
277 */
278int rsa_public( rsa_context *ctx,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]279 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]280 unsigned char *output )
281{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]282 int ret;
283 size_t olen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]284 mpi T;
285
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]286 mpi_init( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]287
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]288#if defined(POLARSSL_THREADING_C)
289 if( ( ret = polarssl_mutex_lock( &ctx->mutex ) ) != 0 )
290 return( ret );
291#endif
292
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]293 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
294
295 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
296 {
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]297 ret = POLARSSL_ERR_MPI_BAD_INPUT_DATA;
298 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]299 }
300
301 olen = ctx->len;
302 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
303 MPI_CHK( mpi_write_binary( &T, output, olen ) );
304
305cleanup:
Manuel Pégourié-Gonnard88fca3e2015-03-27 15:06:07 +0100[diff] [blame]306#if defined(POLARSSL_THREADING_C)
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]307 if( polarssl_mutex_unlock( &ctx->mutex ) != 0 )
308 return( POLARSSL_ERR_THREADING_MUTEX_ERROR );
Manuel Pégourié-Gonnard88fca3e2015-03-27 15:06:07 +0100[diff] [blame]309#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]310
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]311 mpi_free( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]312
313 if( ret != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]314 return( POLARSSL_ERR_RSA_PUBLIC_FAILED + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]315
316 return( 0 );
317}
318
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]319/*
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]320 * Generate or update blinding values, see section 10 of:
321 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
322 * DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer
323 * Berlin Heidelberg, 1996. p. 104-113.
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]324 */
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]325static int rsa_prepare_blinding( rsa_context *ctx,
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]326 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
327{
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200[diff] [blame]328 int ret, count = 0;
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]329
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]330 if( ctx->Vf.p != NULL )
331 {
332 /* We already have blinding values, just update them by squaring */
333 MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
Manuel Pégourié-Gonnard735b8fc2013-09-13 12:57:23 +0200[diff] [blame]334 MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]335 MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
Manuel Pégourié-Gonnard735b8fc2013-09-13 12:57:23 +0200[diff] [blame]336 MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]337
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]338 goto cleanup;
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]339 }
340
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200[diff] [blame]341 /* Unblinding value: Vf = random number, invertible mod N */
342 do {
343 if( count++ > 10 )
344 return( POLARSSL_ERR_RSA_RNG_FAILED );
345
346 MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
347 MPI_CHK( mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
348 } while( mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]349
350 /* Blinding value: Vi = Vf^(-e) mod N */
351 MPI_CHK( mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
352 MPI_CHK( mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
353
354cleanup:
355 return( ret );
356}
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]357
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358/*
Janos Follath5d392572017-03-22 13:38:28 +0000[diff] [blame^]359 * Exponent blinding supposed to prevent side-channel attacks using multiple
360 * traces of measurements to recover the RSA key. The more collisions are there,
361 * the more bits of the key can be recovered. See [3].
362 *
363 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
364 * observations on avarage.
365 *
366 * For example with 28 byte blinding to achieve 2 collisions the adversary has
367 * to make 2^112 observations on avarage.
368 *
369 * (With the currently (as of 2017 April) known best algorithms breaking 2048
370 * bit RSA requires approximately as much time as trying out 2^112 random keys.
371 * Thus in this sense with 28 byte blinding the security is not reduced by
372 * side-channel attacks like the one in [3])
373 *
374 * This countermeasure does not help if the key recovery is possible with a
375 * single trace.
376 */
377#define RSA_EXPONENT_BLINDING 28
378
379/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]380 * Do an RSA private key operation
381 */
382int rsa_private( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]383 int (*f_rng)(void *, unsigned char *, size_t),
384 void *p_rng,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]385 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386 unsigned char *output )
387{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]388 int ret;
389 size_t olen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]390 mpi T, T1, T2;
Janos Follath5d392572017-03-22 13:38:28 +0000[diff] [blame^]391#if defined(POLARSSL_RSA_NO_CRT)
392 mpi P1, Q1;
393 mpi D_blind, R;
394 mpi *D = &ctx->D;
395#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]396
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]397 mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]398
Janos Follath5d392572017-03-22 13:38:28 +0000[diff] [blame^]399 mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
400#if defined(POLARSSL_RSA_NO_CRT)
401 mpi_init( &P1 ); mpi_init( &Q1 );
402 mpi_init( &R ); mpi_init( &D_blind );
403#endif
404
405
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]406#if defined(POLARSSL_THREADING_C)
Janos Follath5d392572017-03-22 13:38:28 +0000[diff] [blame^]407 if( ( ret = mutex_lock( &ctx->mutex ) ) != 0 )
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]408 return( ret );
409#endif
410
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]411 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]412 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
413 {
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]414 ret = POLARSSL_ERR_MPI_BAD_INPUT_DATA;
415 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]416 }
417
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]418 if( f_rng != NULL )
419 {
420 /*
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]421 * Blinding
422 * T = T * Vi mod N
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]423 */
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]424 MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
425 MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vi ) );
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]426 MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
Janos Follath5d392572017-03-22 13:38:28 +0000[diff] [blame^]427
428#if defined(POLARSSL_RSA_NO_CRT)
429 /*
430 * Exponent blinding
431 */
432 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
433 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
434
435 /*
436 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
437 */
438 MPI_CHK( mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
439 f_rng, p_rng ) );
440 MPI_CHK( mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
441 MPI_CHK( mpi_mul_mpi( &D_blind, &D_blind, &R ) );
442 MPI_CHK( mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
443
444 D = &D_blind;
445#endif /* POLARSSL_RSA_NO_CRT */
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]446 }
Paul Bakkeraab30c12013-08-30 11:00:25 +0200[diff] [blame]447
Manuel Pégourié-Gonnarde10e06d2014-11-06 18:15:12 +0100[diff] [blame]448#if defined(POLARSSL_RSA_NO_CRT)
Janos Follath5d392572017-03-22 13:38:28 +0000[diff] [blame^]449 MPI_CHK( mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
Manuel Pégourié-Gonnarde10e06d2014-11-06 18:15:12 +0100[diff] [blame]450#else
Paul Bakkeraab30c12013-08-30 11:00:25 +0200[diff] [blame]451 /*
Janos Follath5d392572017-03-22 13:38:28 +0000[diff] [blame^]452 * Faster decryption using the CRT
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]453 *
454 * T1 = input ^ dP mod P
455 * T2 = input ^ dQ mod Q
456 */
457 MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
458 MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
459
460 /*
461 * T = (T1 - T2) * (Q^-1 mod P) mod P
462 */
463 MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
464 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
465 MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
466
467 /*
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]468 * T = T2 + T * Q
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]469 */
470 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]471 MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
Manuel Pégourié-Gonnarde10e06d2014-11-06 18:15:12 +0100[diff] [blame]472#endif /* POLARSSL_RSA_NO_CRT */
Paul Bakkeraab30c12013-08-30 11:00:25 +0200[diff] [blame]473
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]474 if( f_rng != NULL )
475 {
476 /*
477 * Unblind
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]478 * T = T * Vf mod N
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]479 */
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]480 MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vf ) );
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]481 MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
482 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]483
484 olen = ctx->len;
485 MPI_CHK( mpi_write_binary( &T, output, olen ) );
486
487cleanup:
Manuel Pégourié-Gonnarde10e06d2014-11-06 18:15:12 +0100[diff] [blame]488#if defined(POLARSSL_THREADING_C)
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]489 if( polarssl_mutex_unlock( &ctx->mutex ) != 0 )
490 return( POLARSSL_ERR_THREADING_MUTEX_ERROR );
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200[diff] [blame]491#endif
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]492
Manuel Pégourié-Gonnard88fca3e2015-03-27 15:06:07 +0100[diff] [blame]493 mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
Janos Follath5d392572017-03-22 13:38:28 +0000[diff] [blame^]494#if defined(POLARSSL_RSA_NO_CRT)
495 mpi_free( &P1 ); mpi_free( &Q1 );
496 mpi_free( &R ); mpi_free( &D_blind );
497#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]498
499 if( ret != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]500 return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]501
502 return( 0 );
503}
504
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]505#if defined(POLARSSL_PKCS1_V21)
506/**
507 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
508 *
Paul Bakkerb125ed82011-11-10 13:33:51 +0000[diff] [blame]509 * \param dst buffer to mask
510 * \param dlen length of destination buffer
511 * \param src source of the mask generation
512 * \param slen length of the source buffer
513 * \param md_ctx message digest context to use
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]514 */
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]515static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
516 size_t slen, md_context_t *md_ctx )
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]517{
518 unsigned char mask[POLARSSL_MD_MAX_SIZE];
519 unsigned char counter[4];
520 unsigned char *p;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]521 unsigned int hlen;
522 size_t i, use_len;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]523
524 memset( mask, 0, POLARSSL_MD_MAX_SIZE );
525 memset( counter, 0, 4 );
526
527 hlen = md_ctx->md_info->size;
528
529 // Generate and apply dbMask
530 //
531 p = dst;
532
533 while( dlen > 0 )
534 {
535 use_len = hlen;
536 if( dlen < hlen )
537 use_len = dlen;
538
539 md_starts( md_ctx );
540 md_update( md_ctx, src, slen );
541 md_update( md_ctx, counter, 4 );
542 md_finish( md_ctx, mask );
543
544 for( i = 0; i < use_len; ++i )
545 *p++ ^= mask[i];
546
547 counter[3]++;
548
549 dlen -= use_len;
550 }
551}
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]552#endif /* POLARSSL_PKCS1_V21 */
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]553
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]554#if defined(POLARSSL_PKCS1_V21)
555/*
556 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
557 */
558int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
559 int (*f_rng)(void *, unsigned char *, size_t),
560 void *p_rng,
Paul Bakkera43231c2013-02-28 17:33:49 +0100[diff] [blame]561 int mode,
562 const unsigned char *label, size_t label_len,
563 size_t ilen,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]564 const unsigned char *input,
565 unsigned char *output )
566{
567 size_t olen;
568 int ret;
569 unsigned char *p = output;
570 unsigned int hlen;
571 const md_info_t *md_info;
572 md_context_t md_ctx;
573
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]574 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V21 )
575 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
576
577 if( f_rng == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]578 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
579
Manuel Pégourié-Gonnarda2733712015-02-10 17:32:14 +0100[diff] [blame]580 md_info = md_info_from_type( (md_type_t) ctx->hash_id );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]581 if( md_info == NULL )
582 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
583
584 olen = ctx->len;
585 hlen = md_get_size( md_info );
586
Janos Follath742783f2016-02-08 14:52:29 +0000[diff] [blame]587 // first comparison checks for overflow
588 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]589 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
590
591 memset( output, 0, olen );
592
593 *p++ = 0;
594
595 // Generate a random octet string seed
596 //
597 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
598 return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
599
600 p += hlen;
601
602 // Construct DB
603 //
Paul Bakkera43231c2013-02-28 17:33:49 +0100[diff] [blame]604 md( md_info, label, label_len, p );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]605 p += hlen;
606 p += olen - 2 * hlen - 2 - ilen;
607 *p++ = 1;
608 memcpy( p, input, ilen );
609
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]610 md_init( &md_ctx );
Brian J Murray4556d202016-06-23 12:57:03 -0700[diff] [blame]611 if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
612 {
613 md_free( &md_ctx );
614 return( ret );
615 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]616
617 // maskedDB: Apply dbMask to DB
618 //
619 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
620 &md_ctx );
621
622 // maskedSeed: Apply seedMask to seed
623 //
624 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
625 &md_ctx );
626
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]627 md_free( &md_ctx );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]628
629 return( ( mode == RSA_PUBLIC )
630 ? rsa_public( ctx, output, output )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]631 : rsa_private( ctx, f_rng, p_rng, output, output ) );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]632}
633#endif /* POLARSSL_PKCS1_V21 */
634
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]635#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]636/*
637 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
638 */
639int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
640 int (*f_rng)(void *, unsigned char *, size_t),
641 void *p_rng,
642 int mode, size_t ilen,
643 const unsigned char *input,
644 unsigned char *output )
645{
646 size_t nb_pad, olen;
647 int ret;
648 unsigned char *p = output;
649
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]650 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V15 )
651 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
652
Janos Follath7ddc2cd2016-03-18 11:45:44 +0000[diff] [blame]653 // We don't check p_rng because it won't be dereferenced here
654 if( f_rng == NULL || input == NULL || output == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]655 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
656
657 olen = ctx->len;
658
Janos Follath742783f2016-02-08 14:52:29 +0000[diff] [blame]659 // first comparison checks for overflow
660 if( ilen + 11 < ilen || olen < ilen + 11 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]661 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
662
663 nb_pad = olen - 3 - ilen;
664
665 *p++ = 0;
666 if( mode == RSA_PUBLIC )
667 {
668 *p++ = RSA_CRYPT;
669
670 while( nb_pad-- > 0 )
671 {
672 int rng_dl = 100;
673
674 do {
675 ret = f_rng( p_rng, p, 1 );
676 } while( *p == 0 && --rng_dl && ret == 0 );
677
678 // Check if RNG failed to generate data
679 //
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]680 if( rng_dl == 0 || ret != 0 )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]681 return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]682
683 p++;
684 }
685 }
686 else
687 {
688 *p++ = RSA_SIGN;
689
690 while( nb_pad-- > 0 )
691 *p++ = 0xFF;
692 }
693
694 *p++ = 0;
695 memcpy( p, input, ilen );
696
697 return( ( mode == RSA_PUBLIC )
698 ? rsa_public( ctx, output, output )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]699 : rsa_private( ctx, f_rng, p_rng, output, output ) );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]700}
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]701#endif /* POLARSSL_PKCS1_V15 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]702
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]703/*
704 * Add the message padding, then do an RSA operation
705 */
706int rsa_pkcs1_encrypt( rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]707 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]708 void *p_rng,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]709 int mode, size_t ilen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]710 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]711 unsigned char *output )
712{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]713 switch( ctx->padding )
714 {
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]715#if defined(POLARSSL_PKCS1_V15)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]716 case RSA_PKCS_V15:
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]717 return rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
718 input, output );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]719#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]720
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]721#if defined(POLARSSL_PKCS1_V21)
722 case RSA_PKCS_V21:
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]723 return rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
724 ilen, input, output );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]725#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]726
727 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]728 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]729 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]730}
731
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]732#if defined(POLARSSL_PKCS1_V21)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]733/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]734 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]735 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]736int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]737 int (*f_rng)(void *, unsigned char *, size_t),
738 void *p_rng,
739 int mode,
Paul Bakkera43231c2013-02-28 17:33:49 +0100[diff] [blame]740 const unsigned char *label, size_t label_len,
741 size_t *olen,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]742 const unsigned char *input,
743 unsigned char *output,
744 size_t output_max_len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]745{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]746 int ret;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]747 size_t ilen, i, pad_len;
748 unsigned char *p, bad, pad_done;
Paul Bakker0be82f22012-10-03 20:36:33 +0000[diff] [blame]749 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]750 unsigned char lhash[POLARSSL_MD_MAX_SIZE];
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]751 unsigned int hlen;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]752 const md_info_t *md_info;
753 md_context_t md_ctx;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]754
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]755 /*
756 * Parameters sanity checks
757 */
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]758 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V21 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]759 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]760
761 ilen = ctx->len;
762
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]763 if( ilen < 16 || ilen > sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]764 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]765
Manuel Pégourié-Gonnarda2733712015-02-10 17:32:14 +0100[diff] [blame]766 md_info = md_info_from_type( (md_type_t) ctx->hash_id );
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]767 if( md_info == NULL )
768 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
769
Simon Butcherd3253b02016-03-17 00:57:18 +0000[diff] [blame]770 hlen = md_get_size( md_info );
Janos Follath092f2c42016-02-11 11:08:18 +0000[diff] [blame]771
772 // checking for integer underflow
773 if( 2 * hlen + 2 > ilen )
Simon Butcherd3253b02016-03-17 00:57:18 +0000[diff] [blame]774 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Janos Follath092f2c42016-02-11 11:08:18 +0000[diff] [blame]775
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]776 /*
777 * RSA operation
778 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]779 ret = ( mode == RSA_PUBLIC )
780 ? rsa_public( ctx, input, buf )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]781 : rsa_private( ctx, f_rng, p_rng, input, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]782
783 if( ret != 0 )
784 return( ret );
785
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]786 /*
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]787 * Unmask data and generate lHash
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]788 */
789 hlen = md_get_size( md_info );
790
Janos Follath3bed13d2016-02-09 14:51:35 +0000[diff] [blame]791 // checking for integer underflow
792 if( 2 * hlen + 2 > ilen )
793 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
794
Simon Butcherd3253b02016-03-17 00:57:18 +0000[diff] [blame]795 md_init( &md_ctx );
Brian J Murray4556d202016-06-23 12:57:03 -0700[diff] [blame]796 if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
797 {
798 md_free( &md_ctx );
799 return( ret );
800 }
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]801
802 /* Generate lHash */
803 md( md_info, label, label_len, lhash );
804
805 /* seed: Apply seedMask to maskedSeed */
806 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
807 &md_ctx );
808
809 /* DB: Apply dbMask to maskedDB */
810 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
811 &md_ctx );
812
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]813 md_free( &md_ctx );
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]814
815 /*
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]816 * Check contents, in "constant-time"
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]817 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]818 p = buf;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]819 bad = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]820
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]821 bad |= *p++; /* First byte must be 0 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]822
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]823 p += hlen; /* Skip seed */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]824
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]825 /* Check lHash */
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]826 for( i = 0; i < hlen; i++ )
827 bad |= lhash[i] ^ *p++;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]828
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]829 /* Get zero-padding len, but always read till end of buffer
830 * (minus one, for the 01 byte) */
831 pad_len = 0;
832 pad_done = 0;
833 for( i = 0; i < ilen - 2 * hlen - 2; i++ )
834 {
835 pad_done |= p[i];
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]836 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]837 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]838
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]839 p += pad_len;
840 bad |= *p++ ^ 0x01;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]841
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]842 /*
843 * The only information "leaked" is whether the padding was correct or not
844 * (eg, no data is copied if it was not correct). This meets the
845 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
846 * the different error conditions.
847 */
848 if( bad != 0 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]849 return( POLARSSL_ERR_RSA_INVALID_PADDING );
850
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]851 if( ilen - ( p - buf ) > output_max_len )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]852 return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
853
854 *olen = ilen - (p - buf);
855 memcpy( output, p, *olen );
856
857 return( 0 );
858}
859#endif /* POLARSSL_PKCS1_V21 */
860
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]861#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]862/*
863 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
864 */
865int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]866 int (*f_rng)(void *, unsigned char *, size_t),
867 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]868 int mode, size_t *olen,
869 const unsigned char *input,
870 unsigned char *output,
871 size_t output_max_len)
872{
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]873 int ret;
874 size_t ilen, pad_count = 0, i;
875 unsigned char *p, bad, pad_done = 0;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]876 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
877
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]878 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V15 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]879 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
880
881 ilen = ctx->len;
882
883 if( ilen < 16 || ilen > sizeof( buf ) )
884 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
885
886 ret = ( mode == RSA_PUBLIC )
887 ? rsa_public( ctx, input, buf )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]888 : rsa_private( ctx, f_rng, p_rng, input, buf );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]889
890 if( ret != 0 )
891 return( ret );
892
893 p = buf;
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]894 bad = 0;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]895
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]896 /*
897 * Check and get padding len in "constant-time"
898 */
899 bad |= *p++; /* First byte must be 0 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]900
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]901 /* This test does not depend on secret data */
902 if( mode == RSA_PRIVATE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]903 {
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]904 bad |= *p++ ^ RSA_CRYPT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]905
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]906 /* Get padding len, but always read till end of buffer
907 * (minus one, for the 00 byte) */
908 for( i = 0; i < ilen - 3; i++ )
909 {
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]910 pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;
911 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]912 }
Paul Bakkere6ee41f2012-05-19 08:43:48 +0000[diff] [blame]913
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]914 p += pad_count;
915 bad |= *p++; /* Must be zero */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]916 }
917 else
918 {
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]919 bad |= *p++ ^ RSA_SIGN;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]920
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]921 /* Get padding len, but always read till end of buffer
922 * (minus one, for the 00 byte) */
923 for( i = 0; i < ilen - 3; i++ )
924 {
Manuel Pégourié-Gonnardfbf09152014-02-03 11:58:55 +0100[diff] [blame]925 pad_done |= ( p[i] != 0xFF );
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]926 pad_count += ( pad_done == 0 );
927 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]928
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]929 p += pad_count;
930 bad |= *p++; /* Must be zero */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]931 }
932
Janos Follathf18263d2016-02-12 13:30:09 +0000[diff] [blame]933 bad |= ( pad_count < 8 );
Janos Follathf570f7f2016-02-08 13:59:25 +0000[diff] [blame]934
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]935 if( bad )
Paul Bakker8804f692013-02-28 18:06:26 +0100[diff] [blame]936 return( POLARSSL_ERR_RSA_INVALID_PADDING );
937
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]938 if( ilen - ( p - buf ) > output_max_len )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]939 return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]940
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]941 *olen = ilen - (p - buf);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]942 memcpy( output, p, *olen );
943
944 return( 0 );
945}
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]946#endif /* POLARSSL_PKCS1_V15 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]947
948/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]949 * Do an RSA operation, then remove the message padding
950 */
951int rsa_pkcs1_decrypt( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]952 int (*f_rng)(void *, unsigned char *, size_t),
953 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]954 int mode, size_t *olen,
955 const unsigned char *input,
956 unsigned char *output,
957 size_t output_max_len)
958{
959 switch( ctx->padding )
960 {
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]961#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]962 case RSA_PKCS_V15:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]963 return rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
964 input, output, output_max_len );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]965#endif
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]966
967#if defined(POLARSSL_PKCS1_V21)
968 case RSA_PKCS_V21:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]969 return rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
970 olen, input, output,
971 output_max_len );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]972#endif
973
974 default:
975 return( POLARSSL_ERR_RSA_INVALID_PADDING );
976 }
977}
978
979#if defined(POLARSSL_PKCS1_V21)
980/*
981 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
982 */
983int rsa_rsassa_pss_sign( rsa_context *ctx,
984 int (*f_rng)(void *, unsigned char *, size_t),
985 void *p_rng,
986 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]987 md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]988 unsigned int hashlen,
989 const unsigned char *hash,
990 unsigned char *sig )
991{
992 size_t olen;
993 unsigned char *p = sig;
994 unsigned char salt[POLARSSL_MD_MAX_SIZE];
995 unsigned int slen, hlen, offset = 0;
996 int ret;
997 size_t msb;
998 const md_info_t *md_info;
999 md_context_t md_ctx;
1000
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]1001 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V21 )
1002 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1003
1004 if( f_rng == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1005 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1006
1007 olen = ctx->len;
1008
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1009 if( md_alg != POLARSSL_MD_NONE )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1010 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1011 // Gather length of hash to sign
1012 //
1013 md_info = md_info_from_type( md_alg );
1014 if( md_info == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1015 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1016
1017 hashlen = md_get_size( md_info );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1018 }
1019
Manuel Pégourié-Gonnarda2733712015-02-10 17:32:14 +0100[diff] [blame]1020 md_info = md_info_from_type( (md_type_t) ctx->hash_id );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1021 if( md_info == NULL )
1022 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1023
1024 hlen = md_get_size( md_info );
1025 slen = hlen;
1026
1027 if( olen < hlen + slen + 2 )
1028 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1029
1030 memset( sig, 0, olen );
1031
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1032 // Generate salt of length slen
1033 //
1034 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
1035 return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
1036
1037 // Note: EMSA-PSS encoding is over the length of N - 1 bits
1038 //
1039 msb = mpi_msb( &ctx->N ) - 1;
1040 p += olen - hlen * 2 - 2;
1041 *p++ = 0x01;
1042 memcpy( p, salt, slen );
1043 p += slen;
1044
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]1045 md_init( &md_ctx );
Brian J Murray4556d202016-06-23 12:57:03 -0700[diff] [blame]1046 if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
1047 {
1048 md_free( &md_ctx );
1049 return( ret );
1050 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1051
1052 // Generate H = Hash( M' )
1053 //
1054 md_starts( &md_ctx );
1055 md_update( &md_ctx, p, 8 );
1056 md_update( &md_ctx, hash, hashlen );
1057 md_update( &md_ctx, salt, slen );
1058 md_finish( &md_ctx, p );
1059
1060 // Compensate for boundary condition when applying mask
1061 //
1062 if( msb % 8 == 0 )
1063 offset = 1;
1064
1065 // maskedDB: Apply dbMask to DB
1066 //
1067 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
1068
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]1069 md_free( &md_ctx );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1070
1071 msb = mpi_msb( &ctx->N ) - 1;
1072 sig[0] &= 0xFF >> ( olen * 8 - msb );
1073
1074 p += hlen;
1075 *p++ = 0xBC;
1076
1077 return( ( mode == RSA_PUBLIC )
1078 ? rsa_public( ctx, sig, sig )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1079 : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1080}
1081#endif /* POLARSSL_PKCS1_V21 */
1082
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1083#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1084/*
1085 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1086 */
1087/*
1088 * Do an RSA operation to sign the message digest
1089 */
1090int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1091 int (*f_rng)(void *, unsigned char *, size_t),
1092 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1093 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1094 md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1095 unsigned int hashlen,
1096 const unsigned char *hash,
1097 unsigned char *sig )
1098{
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1099 size_t nb_pad, olen, oid_size = 0;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1100 unsigned char *p = sig;
Paul Bakker21e081b2014-07-24 10:38:01 +0200[diff] [blame]1101 const char *oid = NULL;
Manuel Pégourié-Gonnarda1cdcd22015-09-03 20:03:15 +0200[diff] [blame]1102 unsigned char *sig_try = NULL, *verif = NULL;
1103 size_t i;
1104 unsigned char diff;
1105 volatile unsigned char diff_no_optimize;
1106 int ret;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1107
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]1108 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V15 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1109 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1110
1111 olen = ctx->len;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1112 nb_pad = olen - 3;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1113
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1114 if( md_alg != POLARSSL_MD_NONE )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1115 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1116 const md_info_t *md_info = md_info_from_type( md_alg );
1117 if( md_info == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1118 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1119
Paul Bakker1c3853b2013-09-10 11:43:44 +0200[diff] [blame]1120 if( oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1121 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1122
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1123 nb_pad -= 10 + oid_size;
1124
1125 hashlen = md_get_size( md_info );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1126 }
1127
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1128 nb_pad -= hashlen;
1129
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1130 if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
1131 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1132
1133 *p++ = 0;
1134 *p++ = RSA_SIGN;
1135 memset( p, 0xFF, nb_pad );
1136 p += nb_pad;
1137 *p++ = 0;
1138
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1139 if( md_alg == POLARSSL_MD_NONE )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1140 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1141 memcpy( p, hash, hashlen );
1142 }
1143 else
1144 {
1145 /*
1146 * DigestInfo ::= SEQUENCE {
1147 * digestAlgorithm DigestAlgorithmIdentifier,
1148 * digest Digest }
1149 *
1150 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1151 *
1152 * Digest ::= OCTET STRING
1153 */
1154 *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]1155 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1156 *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]1157 *p++ = (unsigned char) ( 0x04 + oid_size );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1158 *p++ = ASN1_OID;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]1159 *p++ = oid_size & 0xFF;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1160 memcpy( p, oid, oid_size );
1161 p += oid_size;
1162 *p++ = ASN1_NULL;
1163 *p++ = 0x00;
1164 *p++ = ASN1_OCTET_STRING;
1165 *p++ = hashlen;
1166 memcpy( p, hash, hashlen );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1167 }
1168
Manuel Pégourié-Gonnarda1cdcd22015-09-03 20:03:15 +0200[diff] [blame]1169 if( mode == RSA_PUBLIC )
1170 return( rsa_public( ctx, sig, sig ) );
1171
1172 /*
1173 * In order to prevent Lenstra's attack, make the signature in a
1174 * temporary buffer and check it before returning it.
1175 */
1176 sig_try = polarssl_malloc( ctx->len );
Simon Butcher7d3f3a82016-01-02 00:03:39 +0000[diff] [blame]1177 if( sig_try == NULL )
Manuel Pégourié-Gonnarda1cdcd22015-09-03 20:03:15 +0200[diff] [blame]1178 return( POLARSSL_ERR_MPI_MALLOC_FAILED );
1179
Simon Butcher7d3f3a82016-01-02 00:03:39 +0000[diff] [blame]1180 verif = polarssl_malloc( ctx->len );
1181 if( verif == NULL )
1182 {
1183 polarssl_free( sig_try );
1184 return( POLARSSL_ERR_MPI_MALLOC_FAILED );
1185 }
1186
Manuel Pégourié-Gonnarda1cdcd22015-09-03 20:03:15 +0200[diff] [blame]1187 MPI_CHK( rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
1188 MPI_CHK( rsa_public( ctx, sig_try, verif ) );
1189
1190 /* Compare in constant time just in case */
1191 for( diff = 0, i = 0; i < ctx->len; i++ )
1192 diff |= verif[i] ^ sig[i];
1193 diff_no_optimize = diff;
1194
1195 if( diff_no_optimize != 0 )
1196 {
1197 ret = POLARSSL_ERR_RSA_PRIVATE_FAILED;
1198 goto cleanup;
1199 }
1200
1201 memcpy( sig, sig_try, ctx->len );
1202
1203cleanup:
1204 polarssl_free( sig_try );
1205 polarssl_free( verif );
1206
1207 return( ret );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1208}
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1209#endif /* POLARSSL_PKCS1_V15 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1210
1211/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1212 * Do an RSA operation to sign the message digest
1213 */
1214int rsa_pkcs1_sign( rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1215 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1216 void *p_rng,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1217 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1218 md_type_t md_alg,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1219 unsigned int hashlen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1220 const unsigned char *hash,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1221 unsigned char *sig )
1222{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1223 switch( ctx->padding )
1224 {
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1225#if defined(POLARSSL_PKCS1_V15)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1226 case RSA_PKCS_V15:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1227 return rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1228 hashlen, hash, sig );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1229#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1230
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1231#if defined(POLARSSL_PKCS1_V21)
1232 case RSA_PKCS_V21:
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1233 return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1234 hashlen, hash, sig );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1235#endif
1236
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1237 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1238 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1239 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1240}
1241
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1242#if defined(POLARSSL_PKCS1_V21)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1243/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1244 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1245 */
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1246int rsa_rsassa_pss_verify_ext( rsa_context *ctx,
1247 int (*f_rng)(void *, unsigned char *, size_t),
1248 void *p_rng,
1249 int mode,
1250 md_type_t md_alg,
1251 unsigned int hashlen,
1252 const unsigned char *hash,
1253 md_type_t mgf1_hash_id,
1254 int expected_salt_len,
1255 const unsigned char *sig )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1256{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1257 int ret;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1258 size_t siglen;
1259 unsigned char *p;
Paul Bakker0be82f22012-10-03 20:36:33 +0000[diff] [blame]1260 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
Paul Bakker1fe7d9b2011-11-15 15:26:03 +0000[diff] [blame]1261 unsigned char result[POLARSSL_MD_MAX_SIZE];
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1262 unsigned char zeros[8];
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1263 unsigned int hlen;
1264 size_t slen, msb;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1265 const md_info_t *md_info;
1266 md_context_t md_ctx;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1267
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]1268 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V21 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1269 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1270
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1271 siglen = ctx->len;
1272
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1273 if( siglen < 16 || siglen > sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1274 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1275
1276 ret = ( mode == RSA_PUBLIC )
1277 ? rsa_public( ctx, sig, buf )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1278 : rsa_private( ctx, f_rng, p_rng, sig, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1279
1280 if( ret != 0 )
1281 return( ret );
1282
1283 p = buf;
1284
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1285 if( buf[siglen - 1] != 0xBC )
1286 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1287
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1288 if( md_alg != POLARSSL_MD_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1289 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1290 // Gather length of hash to sign
1291 //
1292 md_info = md_info_from_type( md_alg );
1293 if( md_info == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1294 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1295
1296 hashlen = md_get_size( md_info );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1297 }
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1298
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1299 md_info = md_info_from_type( mgf1_hash_id );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1300 if( md_info == NULL )
1301 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1302
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1303 hlen = md_get_size( md_info );
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1304 slen = siglen - hlen - 1; /* Currently length of salt + padding */
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1305
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1306 memset( zeros, 0, 8 );
Paul Bakker53019ae2011-03-25 13:58:48 +0000[diff] [blame]1307
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1308 // Note: EMSA-PSS verification is over the length of N - 1 bits
1309 //
1310 msb = mpi_msb( &ctx->N ) - 1;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1311
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1312 // Compensate for boundary condition when applying mask
1313 //
1314 if( msb % 8 == 0 )
1315 {
1316 p++;
1317 siglen -= 1;
1318 }
1319 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
1320 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1321
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]1322 md_init( &md_ctx );
Brian J Murray4556d202016-06-23 12:57:03 -0700[diff] [blame]1323 if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
1324 {
1325 md_free( &md_ctx );
1326 return( ret );
1327 }
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1328
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1329 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
Paul Bakker02303e82013-01-03 11:08:31 +0100[diff] [blame]1330
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1331 buf[0] &= 0xFF >> ( siglen * 8 - msb );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1332
Paul Bakker4de44aa2013-12-31 11:43:01 +0100[diff] [blame]1333 while( p < buf + siglen && *p == 0 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1334 p++;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1335
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1336 if( p == buf + siglen ||
1337 *p++ != 0x01 )
1338 {
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]1339 md_free( &md_ctx );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1340 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1341 }
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1342
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1343 /* Actual salt len */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1344 slen -= p - buf;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1345
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1346 if( expected_salt_len != RSA_SALT_LEN_ANY &&
1347 slen != (size_t) expected_salt_len )
1348 {
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]1349 md_free( &md_ctx );
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1350 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1351 }
1352
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1353 // Generate H = Hash( M' )
1354 //
1355 md_starts( &md_ctx );
1356 md_update( &md_ctx, zeros, 8 );
1357 md_update( &md_ctx, hash, hashlen );
1358 md_update( &md_ctx, p, slen );
1359 md_finish( &md_ctx, result );
Paul Bakker53019ae2011-03-25 13:58:48 +0000[diff] [blame]1360
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]1361 md_free( &md_ctx );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1362
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1363 if( memcmp( p + slen, result, hlen ) == 0 )
1364 return( 0 );
1365 else
1366 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1367}
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1368
1369/*
1370 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1371 */
1372int rsa_rsassa_pss_verify( rsa_context *ctx,
1373 int (*f_rng)(void *, unsigned char *, size_t),
1374 void *p_rng,
1375 int mode,
1376 md_type_t md_alg,
1377 unsigned int hashlen,
1378 const unsigned char *hash,
1379 const unsigned char *sig )
1380{
1381 md_type_t mgf1_hash_id = ( ctx->hash_id != POLARSSL_MD_NONE )
Manuel Pégourié-Gonnard0eaa8be2014-06-05 18:07:20 +0200[diff] [blame]1382 ? (md_type_t) ctx->hash_id
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1383 : md_alg;
1384
1385 return( rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
1386 md_alg, hashlen, hash,
1387 mgf1_hash_id, RSA_SALT_LEN_ANY,
1388 sig ) );
1389
1390}
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1391#endif /* POLARSSL_PKCS1_V21 */
Paul Bakker40628ba2013-01-03 10:50:31 +0100[diff] [blame]1392
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1393#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1394/*
1395 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
1396 */
1397int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1398 int (*f_rng)(void *, unsigned char *, size_t),
1399 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1400 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1401 md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1402 unsigned int hashlen,
1403 const unsigned char *hash,
Manuel Pégourié-Gonnardcc0a9d02013-08-12 11:34:35 +0200[diff] [blame]1404 const unsigned char *sig )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1405{
1406 int ret;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1407 size_t len, siglen, asn1_len;
1408 unsigned char *p, *end;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1409 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1410 md_type_t msg_md_alg;
1411 const md_info_t *md_info;
1412 asn1_buf oid;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1413
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]1414 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V15 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1415 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1416
1417 siglen = ctx->len;
1418
1419 if( siglen < 16 || siglen > sizeof( buf ) )
1420 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1421
1422 ret = ( mode == RSA_PUBLIC )
1423 ? rsa_public( ctx, sig, buf )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1424 : rsa_private( ctx, f_rng, p_rng, sig, buf );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1425
1426 if( ret != 0 )
1427 return( ret );
1428
1429 p = buf;
1430
1431 if( *p++ != 0 || *p++ != RSA_SIGN )
1432 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1433
1434 while( *p != 0 )
1435 {
1436 if( p >= buf + siglen - 1 || *p != 0xFF )
1437 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1438 p++;
1439 }
1440 p++;
1441
1442 len = siglen - ( p - buf );
1443
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1444 if( len == hashlen && md_alg == POLARSSL_MD_NONE )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1445 {
1446 if( memcmp( p, hash, hashlen ) == 0 )
1447 return( 0 );
1448 else
1449 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1450 }
1451
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1452 md_info = md_info_from_type( md_alg );
1453 if( md_info == NULL )
1454 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1455 hashlen = md_get_size( md_info );
1456
1457 end = p + len;
1458
1459 // Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
1460 //
1461 if( ( ret = asn1_get_tag( &p, end, &asn1_len,
1462 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1463 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1464
1465 if( asn1_len + 2 != len )
1466 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1467
1468 if( ( ret = asn1_get_tag( &p, end, &asn1_len,
1469 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1470 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1471
1472 if( asn1_len + 6 + hashlen != len )
1473 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1474
1475 if( ( ret = asn1_get_tag( &p, end, &oid.len, ASN1_OID ) ) != 0 )
1476 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1477
1478 oid.p = p;
1479 p += oid.len;
1480
1481 if( oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
1482 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1483
1484 if( md_alg != msg_md_alg )
1485 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1486
1487 /*
1488 * assume the algorithm parameters must be NULL
1489 */
1490 if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_NULL ) ) != 0 )
1491 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1492
1493 if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_OCTET_STRING ) ) != 0 )
1494 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1495
1496 if( asn1_len != hashlen )
1497 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1498
1499 if( memcmp( p, hash, hashlen ) != 0 )
1500 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1501
1502 p += hashlen;
1503
1504 if( p != end )
1505 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1506
1507 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1508}
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1509#endif /* POLARSSL_PKCS1_V15 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1510
1511/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1512 * Do an RSA operation and check the message digest
1513 */
1514int rsa_pkcs1_verify( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1515 int (*f_rng)(void *, unsigned char *, size_t),
1516 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1517 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1518 md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1519 unsigned int hashlen,
1520 const unsigned char *hash,
Manuel Pégourié-Gonnardcc0a9d02013-08-12 11:34:35 +0200[diff] [blame]1521 const unsigned char *sig )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1522{
1523 switch( ctx->padding )
1524 {
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1525#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1526 case RSA_PKCS_V15:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1527 return rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1528 hashlen, hash, sig );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1529#endif
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1530
1531#if defined(POLARSSL_PKCS1_V21)
1532 case RSA_PKCS_V21:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1533 return rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1534 hashlen, hash, sig );
1535#endif
1536
1537 default:
1538 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1539 }
1540}
1541
1542/*
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]1543 * Copy the components of an RSA key
1544 */
1545int rsa_copy( rsa_context *dst, const rsa_context *src )
1546{
1547 int ret;
1548
1549 dst->ver = src->ver;
1550 dst->len = src->len;
1551
1552 MPI_CHK( mpi_copy( &dst->N, &src->N ) );
1553 MPI_CHK( mpi_copy( &dst->E, &src->E ) );
1554
1555 MPI_CHK( mpi_copy( &dst->D, &src->D ) );
1556 MPI_CHK( mpi_copy( &dst->P, &src->P ) );
1557 MPI_CHK( mpi_copy( &dst->Q, &src->Q ) );
1558 MPI_CHK( mpi_copy( &dst->DP, &src->DP ) );
1559 MPI_CHK( mpi_copy( &dst->DQ, &src->DQ ) );
1560 MPI_CHK( mpi_copy( &dst->QP, &src->QP ) );
1561
1562 MPI_CHK( mpi_copy( &dst->RN, &src->RN ) );
1563 MPI_CHK( mpi_copy( &dst->RP, &src->RP ) );
1564 MPI_CHK( mpi_copy( &dst->RQ, &src->RQ ) );
1565
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]1566 MPI_CHK( mpi_copy( &dst->Vi, &src->Vi ) );
1567 MPI_CHK( mpi_copy( &dst->Vf, &src->Vf ) );
1568
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]1569 dst->padding = src->padding;
Manuel Pégourié-Gonnardfdddac92014-03-25 15:58:35 +0100[diff] [blame]1570 dst->hash_id = src->hash_id;
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]1571
1572cleanup:
1573 if( ret != 0 )
1574 rsa_free( dst );
1575
1576 return( ret );
1577}
1578
1579/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1580 * Free the components of an RSA key
1581 */
1582void rsa_free( rsa_context *ctx )
1583{
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]1584 mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1585 mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
1586 mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
1587 mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );
1588 mpi_free( &ctx->E ); mpi_free( &ctx->N );
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200[diff] [blame]1589
1590#if defined(POLARSSL_THREADING_C)
1591 polarssl_mutex_free( &ctx->mutex );
1592#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1593}
1594
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1595#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1596
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1597#include "polarssl/sha1.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1598
1599/*
1600 * Example RSA-1024 keypair, for test purposes
1601 */
1602#define KEY_LEN 128
1603
1604#define RSA_N "9292758453063D803DD603D5E777D788" \
1605 "8ED1D5BF35786190FA2F23EBC0848AEA" \
1606 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
1607 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
1608 "93A89813FBF3C4F8066D2D800F7C38A8" \
1609 "1AE31942917403FF4946B0A83D3D3E05" \
1610 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
1611 "5E94BB77B07507233A0BC7BAC8F90F79"
1612
1613#define RSA_E "10001"
1614
1615#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
1616 "66CA472BC44D253102F8B4A9D3BFA750" \
1617 "91386C0077937FE33FA3252D28855837" \
1618 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
1619 "DF79C5CE07EE72C7F123142198164234" \
1620 "CABB724CF78B8173B9F880FC86322407" \
1621 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
1622 "071513A1E85B5DFA031F21ECAE91A34D"
1623
1624#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
1625 "2C01CAD19EA484A87EA4377637E75500" \
1626 "FCB2005C5C7DD6EC4AC023CDA285D796" \
1627 "C3D9E75E1EFC42488BB4F1D13AC30A57"
1628
1629#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
1630 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
1631 "910E4168387E3C30AA1E00C339A79508" \
1632 "8452DD96A9A5EA5D9DCA68DA636032AF"
1633
1634#define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
1635 "3C94D22288ACD763FD8E5600ED4A702D" \
1636 "F84198A5F06C2E72236AE490C93F07F8" \
1637 "3CC559CD27BC2D1CA488811730BB5725"
1638
1639#define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
1640 "D8AAEA56749EA28623272E4F7D0592AF" \
1641 "7C1F1313CAC9471B5C523BFE592F517B" \
1642 "407A1BD76C164B93DA2D32A383E58357"
1643
1644#define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
1645 "F38D18D2B2F0E2DD275AA977E2BF4411" \
1646 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
1647 "A74206CEC169D74BF5A8C50D6F48EA08"
1648
1649#define PT_LEN 24
1650#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
1651 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
1652
Paul Bakkerfef3c5a2013-12-11 13:36:30 +0100[diff] [blame]1653#if defined(POLARSSL_PKCS1_V15)
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1654static int myrand( void *rng_state, unsigned char *output, size_t len )
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]1655{
Paul Bakkerf96f7b62014-04-30 16:02:38 +0200[diff] [blame]1656#if !defined(__OpenBSD__)
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1657 size_t i;
1658
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]1659 if( rng_state != NULL )
1660 rng_state = NULL;
1661
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1662 for( i = 0; i < len; ++i )
1663 output[i] = rand();
Paul Bakkerf96f7b62014-04-30 16:02:38 +0200[diff] [blame]1664#else
1665 if( rng_state != NULL )
1666 rng_state = NULL;
1667
1668 arc4random_buf( output, len );
1669#endif /* !OpenBSD */
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1670
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1671 return( 0 );
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]1672}
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1673#endif /* POLARSSL_PKCS1_V15 */
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]1674
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1675/*
1676 * Checkup routine
1677 */
1678int rsa_self_test( int verbose )
1679{
Paul Bakker3d8fb632014-04-17 12:42:41 +0200[diff] [blame]1680 int ret = 0;
Paul Bakkerfef3c5a2013-12-11 13:36:30 +0100[diff] [blame]1681#if defined(POLARSSL_PKCS1_V15)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1682 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1683 rsa_context rsa;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1684 unsigned char rsa_plaintext[PT_LEN];
1685 unsigned char rsa_decrypted[PT_LEN];
1686 unsigned char rsa_ciphertext[KEY_LEN];
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]1687#if defined(POLARSSL_SHA1_C)
1688 unsigned char sha1sum[20];
1689#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1690
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]1691 rsa_init( &rsa, RSA_PKCS_V15, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1692
1693 rsa.len = KEY_LEN;
Paul Bakker3d8fb632014-04-17 12:42:41 +0200[diff] [blame]1694 MPI_CHK( mpi_read_string( &rsa.N , 16, RSA_N ) );
1695 MPI_CHK( mpi_read_string( &rsa.E , 16, RSA_E ) );
1696 MPI_CHK( mpi_read_string( &rsa.D , 16, RSA_D ) );
1697 MPI_CHK( mpi_read_string( &rsa.P , 16, RSA_P ) );
1698 MPI_CHK( mpi_read_string( &rsa.Q , 16, RSA_Q ) );
1699 MPI_CHK( mpi_read_string( &rsa.DP, 16, RSA_DP ) );
1700 MPI_CHK( mpi_read_string( &rsa.DQ, 16, RSA_DQ ) );
1701 MPI_CHK( mpi_read_string( &rsa.QP, 16, RSA_QP ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1702
1703 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1704 polarssl_printf( " RSA key validation: " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1705
1706 if( rsa_check_pubkey( &rsa ) != 0 ||
1707 rsa_check_privkey( &rsa ) != 0 )
1708 {
1709 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1710 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1711
1712 return( 1 );
1713 }
1714
1715 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1716 polarssl_printf( "passed\n PKCS#1 encryption : " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1717
1718 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
1719
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1720 if( rsa_pkcs1_encrypt( &rsa, myrand, NULL, RSA_PUBLIC, PT_LEN,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1721 rsa_plaintext, rsa_ciphertext ) != 0 )
1722 {
1723 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1724 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1725
1726 return( 1 );
1727 }
1728
1729 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1730 polarssl_printf( "passed\n PKCS#1 decryption : " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1731
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1732 if( rsa_pkcs1_decrypt( &rsa, myrand, NULL, RSA_PRIVATE, &len,
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]1733 rsa_ciphertext, rsa_decrypted,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1734 sizeof(rsa_decrypted) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1735 {
1736 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1737 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1738
1739 return( 1 );
1740 }
1741
1742 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
1743 {
1744 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1745 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1746
1747 return( 1 );
1748 }
1749
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]1750#if defined(POLARSSL_SHA1_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1751 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1752 polarssl_printf( "passed\n PKCS#1 data sign : " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1753
1754 sha1( rsa_plaintext, PT_LEN, sha1sum );
1755
Paul Bakkeraab30c12013-08-30 11:00:25 +0200[diff] [blame]1756 if( rsa_pkcs1_sign( &rsa, myrand, NULL, RSA_PRIVATE, POLARSSL_MD_SHA1, 0,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1757 sha1sum, rsa_ciphertext ) != 0 )
1758 {
1759 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1760 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1761
1762 return( 1 );
1763 }
1764
1765 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1766 polarssl_printf( "passed\n PKCS#1 sig. verify: " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1767
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1768 if( rsa_pkcs1_verify( &rsa, NULL, NULL, RSA_PUBLIC, POLARSSL_MD_SHA1, 0,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1769 sha1sum, rsa_ciphertext ) != 0 )
1770 {
1771 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1772 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1773
1774 return( 1 );
1775 }
1776
1777 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1778 polarssl_printf( "passed\n\n" );
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]1779#endif /* POLARSSL_SHA1_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1780
Paul Bakker3d8fb632014-04-17 12:42:41 +0200[diff] [blame]1781cleanup:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1782 rsa_free( &rsa );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1783#else /* POLARSSL_PKCS1_V15 */
Paul Bakker3e41fe82013-09-15 17:42:50 +0200[diff] [blame]1784 ((void) verbose);
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1785#endif /* POLARSSL_PKCS1_V15 */
Paul Bakker3d8fb632014-04-17 12:42:41 +0200[diff] [blame]1786 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1787}
1788
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1789#endif /* POLARSSL_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1790
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1791#endif /* POLARSSL_RSA_C */