TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / bfcd032f9d784394b74999a34f8d8c68d35c71e4 / . / library / rsa.c
blob: bf77cb5b982b8ed35efdad490589ac115c357d5a [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * The RSA public-key cryptosystem
3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +0000[diff] [blame]4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]6 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]7 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
24 *
25 * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
26 * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
27 */
28
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]29#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]30#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]31#else
32#include POLARSSL_CONFIG_FILE
33#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]34
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]35#if defined(POLARSSL_RSA_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]36
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]37#include "polarssl/rsa.h"
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]38#include "polarssl/oid.h"
Paul Bakkerbb51f0c2012-08-23 07:46:58 +0000[diff] [blame]39
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]40#include <string.h>
41
Paul Bakkerbb51f0c2012-08-23 07:46:58 +0000[diff] [blame]42#if defined(POLARSSL_PKCS1_V21)
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]43#include "polarssl/md.h"
Paul Bakkerbb51f0c2012-08-23 07:46:58 +0000[diff] [blame]44#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]46#if defined(POLARSSL_PKCS1_V15) && !defined(__OpenBSD__)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47#include <stdlib.h>
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]50#if defined(POLARSSL_PLATFORM_C)
51#include "polarssl/platform.h"
52#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]53#include <stdio.h>
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]54#define polarssl_printf printf
Manuel Pégourié-Gonnarda1cdcd22015-09-03 20:03:15 +0200[diff] [blame]55#define polarssl_malloc malloc
56#define polarssl_free free
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]57#endif
58
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]59/*
60 * Initialize an RSA context
61 */
62void rsa_init( rsa_context *ctx,
63 int padding,
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]64 int hash_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65{
66 memset( ctx, 0, sizeof( rsa_context ) );
67
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100[diff] [blame]68 rsa_set_padding( ctx, padding, hash_id );
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200[diff] [blame]69
70#if defined(POLARSSL_THREADING_C)
71 polarssl_mutex_init( &ctx->mutex );
72#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]73}
74
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100[diff] [blame]75/*
76 * Set padding for an existing RSA context
77 */
78void rsa_set_padding( rsa_context *ctx, int padding, int hash_id )
79{
80 ctx->padding = padding;
81 ctx->hash_id = hash_id;
82}
83
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]84#if defined(POLARSSL_GENPRIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85
86/*
87 * Generate an RSA keypair
88 */
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]89int rsa_gen_key( rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]90 int (*f_rng)(void *, unsigned char *, size_t),
91 void *p_rng,
92 unsigned int nbits, int exponent )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]93{
94 int ret;
95 mpi P1, Q1, H, G;
96
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]97 if( f_rng == NULL || nbits < 128 || exponent < 3 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]98 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]99
Janos Follathbfcd0322016-09-21 13:18:12 +0100[diff] [blame^]100 if( nbits % 2 )
101 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
102
Janos Follathd61fc682016-02-23 14:42:48 +0000[diff] [blame]103 mpi_init( &P1 ); mpi_init( &Q1 );
104 mpi_init( &H ); mpi_init( &G );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]105
106 /*
107 * find primes P and Q with Q < P so that:
108 * GCD( E, (P-1)*(Q-1) ) == 1
109 */
110 MPI_CHK( mpi_lset( &ctx->E, exponent ) );
111
112 do
113 {
Janos Follathd61fc682016-02-23 14:42:48 +0000[diff] [blame]114 MPI_CHK( mpi_gen_prime( &ctx->P, nbits >> 1, 0,
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]115 f_rng, p_rng ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]116
Janos Follathbfcd0322016-09-21 13:18:12 +0100[diff] [blame^]117 MPI_CHK( mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]118 f_rng, p_rng ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]119
120 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
121 continue;
122
123 MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
124 if( mpi_msb( &ctx->N ) != nbits )
125 continue;
126
Janos Follathbfcd0322016-09-21 13:18:12 +0100[diff] [blame^]127 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
128 mpi_swap( &ctx->P, &ctx->Q );
129
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]130 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
131 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
132 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
133 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
134 }
135 while( mpi_cmp_int( &G, 1 ) != 0 );
136
137 /*
138 * D = E^-1 mod ((P-1)*(Q-1))
139 * DP = D mod (P - 1)
140 * DQ = D mod (Q - 1)
141 * QP = Q^-1 mod P
142 */
143 MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
144 MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
145 MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
146 MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
147
148 ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
149
150cleanup:
151
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]152 mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]153
154 if( ret != 0 )
155 {
156 rsa_free( ctx );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]157 return( POLARSSL_ERR_RSA_KEY_GEN_FAILED + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]158 }
159
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]160 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]161}
162
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]163#endif /* POLARSSL_GENPRIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]164
165/*
166 * Check a public RSA key
167 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]168int rsa_check_pubkey( const rsa_context *ctx )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]169{
Paul Bakker37940d9f2009-07-10 22:38:58 +0000[diff] [blame]170 if( !ctx->N.p || !ctx->E.p )
171 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
172
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]173 if( ( ctx->N.p[0] & 1 ) == 0 ||
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]174 ( ctx->E.p[0] & 1 ) == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]175 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]176
177 if( mpi_msb( &ctx->N ) < 128 ||
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]178 mpi_msb( &ctx->N ) > POLARSSL_MPI_MAX_BITS )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]179 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]180
181 if( mpi_msb( &ctx->E ) < 2 ||
Paul Bakker24f37cc2014-04-30 13:33:35 +0200[diff] [blame]182 mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]183 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]184
185 return( 0 );
186}
187
188/*
189 * Check a private RSA key
190 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]191int rsa_check_privkey( const rsa_context *ctx )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]192{
193 int ret;
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]194 mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]195
196 if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
197 return( ret );
198
Paul Bakker37940d9f2009-07-10 22:38:58 +0000[diff] [blame]199 if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
200 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
201
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]202 mpi_init( &PQ ); mpi_init( &DE ); mpi_init( &P1 ); mpi_init( &Q1 );
203 mpi_init( &H ); mpi_init( &I ); mpi_init( &G ); mpi_init( &G2 );
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]204 mpi_init( &L1 ); mpi_init( &L2 ); mpi_init( &DP ); mpi_init( &DQ );
205 mpi_init( &QP );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]206
207 MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
208 MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
209 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
210 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
211 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]212 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
213
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]214 MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]215 MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) );
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]216 MPI_CHK( mpi_mod_mpi( &I, &DE, &L1 ) );
217
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]218 MPI_CHK( mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
219 MPI_CHK( mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
220 MPI_CHK( mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]221 /*
222 * Check for a valid PKCS1v2 private key
223 */
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]224 if( mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]225 mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
226 mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
227 mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]228 mpi_cmp_int( &L2, 0 ) != 0 ||
229 mpi_cmp_int( &I, 1 ) != 0 ||
230 mpi_cmp_int( &G, 1 ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]231 {
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]232 ret = POLARSSL_ERR_RSA_KEY_CHECK_FAILED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]233 }
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]234
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]235cleanup:
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]236 mpi_free( &PQ ); mpi_free( &DE ); mpi_free( &P1 ); mpi_free( &Q1 );
237 mpi_free( &H ); mpi_free( &I ); mpi_free( &G ); mpi_free( &G2 );
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]238 mpi_free( &L1 ); mpi_free( &L2 ); mpi_free( &DP ); mpi_free( &DQ );
239 mpi_free( &QP );
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]240
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]241 if( ret == POLARSSL_ERR_RSA_KEY_CHECK_FAILED )
242 return( ret );
243
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]244 if( ret != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]245 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED + ret );
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]246
247 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]248}
249
250/*
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100[diff] [blame]251 * Check if contexts holding a public and private key match
252 */
253int rsa_check_pub_priv( const rsa_context *pub, const rsa_context *prv )
254{
255 if( rsa_check_pubkey( pub ) != 0 ||
256 rsa_check_privkey( prv ) != 0 )
257 {
258 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
259 }
260
261 if( mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
262 mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
263 {
264 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
265 }
266
267 return( 0 );
268}
269
270/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]271 * Do an RSA public key operation
272 */
273int rsa_public( rsa_context *ctx,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]274 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]275 unsigned char *output )
276{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]277 int ret;
278 size_t olen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]279 mpi T;
280
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]281 mpi_init( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]282
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]283#if defined(POLARSSL_THREADING_C)
284 if( ( ret = polarssl_mutex_lock( &ctx->mutex ) ) != 0 )
285 return( ret );
286#endif
287
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]288 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
289
290 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
291 {
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]292 ret = POLARSSL_ERR_MPI_BAD_INPUT_DATA;
293 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]294 }
295
296 olen = ctx->len;
297 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
298 MPI_CHK( mpi_write_binary( &T, output, olen ) );
299
300cleanup:
Manuel Pégourié-Gonnard88fca3e2015-03-27 15:06:07 +0100[diff] [blame]301#if defined(POLARSSL_THREADING_C)
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]302 if( polarssl_mutex_unlock( &ctx->mutex ) != 0 )
303 return( POLARSSL_ERR_THREADING_MUTEX_ERROR );
Manuel Pégourié-Gonnard88fca3e2015-03-27 15:06:07 +0100[diff] [blame]304#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]305
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]306 mpi_free( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]307
308 if( ret != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]309 return( POLARSSL_ERR_RSA_PUBLIC_FAILED + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]310
311 return( 0 );
312}
313
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]314/*
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]315 * Generate or update blinding values, see section 10 of:
316 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
317 * DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer
318 * Berlin Heidelberg, 1996. p. 104-113.
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]319 */
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]320static int rsa_prepare_blinding( rsa_context *ctx,
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]321 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
322{
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200[diff] [blame]323 int ret, count = 0;
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]324
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]325 if( ctx->Vf.p != NULL )
326 {
327 /* We already have blinding values, just update them by squaring */
328 MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
Manuel Pégourié-Gonnard735b8fc2013-09-13 12:57:23 +0200[diff] [blame]329 MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]330 MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
Manuel Pégourié-Gonnard735b8fc2013-09-13 12:57:23 +0200[diff] [blame]331 MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]332
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]333 goto cleanup;
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]334 }
335
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200[diff] [blame]336 /* Unblinding value: Vf = random number, invertible mod N */
337 do {
338 if( count++ > 10 )
339 return( POLARSSL_ERR_RSA_RNG_FAILED );
340
341 MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
342 MPI_CHK( mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
343 } while( mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]344
345 /* Blinding value: Vi = Vf^(-e) mod N */
346 MPI_CHK( mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
347 MPI_CHK( mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
348
349cleanup:
350 return( ret );
351}
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]352
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353/*
354 * Do an RSA private key operation
355 */
356int rsa_private( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]357 int (*f_rng)(void *, unsigned char *, size_t),
358 void *p_rng,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]359 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360 unsigned char *output )
361{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]362 int ret;
363 size_t olen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364 mpi T, T1, T2;
365
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]366 mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]368#if defined(POLARSSL_THREADING_C)
369 if( ( ret = polarssl_mutex_lock( &ctx->mutex ) ) != 0 )
370 return( ret );
371#endif
372
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]374 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
375 {
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]376 ret = POLARSSL_ERR_MPI_BAD_INPUT_DATA;
377 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]378 }
379
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]380 if( f_rng != NULL )
381 {
382 /*
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]383 * Blinding
384 * T = T * Vi mod N
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]385 */
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]386 MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
387 MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vi ) );
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]388 MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]389 }
Paul Bakkeraab30c12013-08-30 11:00:25 +0200[diff] [blame]390
Manuel Pégourié-Gonnarde10e06d2014-11-06 18:15:12 +0100[diff] [blame]391#if defined(POLARSSL_RSA_NO_CRT)
392 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
393#else
Paul Bakkeraab30c12013-08-30 11:00:25 +0200[diff] [blame]394 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]395 * faster decryption using the CRT
396 *
397 * T1 = input ^ dP mod P
398 * T2 = input ^ dQ mod Q
399 */
400 MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
401 MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
402
403 /*
404 * T = (T1 - T2) * (Q^-1 mod P) mod P
405 */
406 MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
407 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
408 MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
409
410 /*
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]411 * T = T2 + T * Q
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]412 */
413 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]414 MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
Manuel Pégourié-Gonnarde10e06d2014-11-06 18:15:12 +0100[diff] [blame]415#endif /* POLARSSL_RSA_NO_CRT */
Paul Bakkeraab30c12013-08-30 11:00:25 +0200[diff] [blame]416
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]417 if( f_rng != NULL )
418 {
419 /*
420 * Unblind
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]421 * T = T * Vf mod N
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]422 */
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]423 MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vf ) );
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]424 MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
425 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426
427 olen = ctx->len;
428 MPI_CHK( mpi_write_binary( &T, output, olen ) );
429
430cleanup:
Manuel Pégourié-Gonnarde10e06d2014-11-06 18:15:12 +0100[diff] [blame]431#if defined(POLARSSL_THREADING_C)
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]432 if( polarssl_mutex_unlock( &ctx->mutex ) != 0 )
433 return( POLARSSL_ERR_THREADING_MUTEX_ERROR );
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200[diff] [blame]434#endif
Manuel Pégourié-Gonnard5efed092015-08-31 10:03:16 +0200[diff] [blame]435
Manuel Pégourié-Gonnard88fca3e2015-03-27 15:06:07 +0100[diff] [blame]436 mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]437
438 if( ret != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]439 return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440
441 return( 0 );
442}
443
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]444#if defined(POLARSSL_PKCS1_V21)
445/**
446 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
447 *
Paul Bakkerb125ed82011-11-10 13:33:51 +0000[diff] [blame]448 * \param dst buffer to mask
449 * \param dlen length of destination buffer
450 * \param src source of the mask generation
451 * \param slen length of the source buffer
452 * \param md_ctx message digest context to use
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]453 */
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]454static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
455 size_t slen, md_context_t *md_ctx )
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]456{
457 unsigned char mask[POLARSSL_MD_MAX_SIZE];
458 unsigned char counter[4];
459 unsigned char *p;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]460 unsigned int hlen;
461 size_t i, use_len;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]462
463 memset( mask, 0, POLARSSL_MD_MAX_SIZE );
464 memset( counter, 0, 4 );
465
466 hlen = md_ctx->md_info->size;
467
468 // Generate and apply dbMask
469 //
470 p = dst;
471
472 while( dlen > 0 )
473 {
474 use_len = hlen;
475 if( dlen < hlen )
476 use_len = dlen;
477
478 md_starts( md_ctx );
479 md_update( md_ctx, src, slen );
480 md_update( md_ctx, counter, 4 );
481 md_finish( md_ctx, mask );
482
483 for( i = 0; i < use_len; ++i )
484 *p++ ^= mask[i];
485
486 counter[3]++;
487
488 dlen -= use_len;
489 }
490}
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]491#endif /* POLARSSL_PKCS1_V21 */
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]492
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]493#if defined(POLARSSL_PKCS1_V21)
494/*
495 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
496 */
497int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
498 int (*f_rng)(void *, unsigned char *, size_t),
499 void *p_rng,
Paul Bakkera43231c2013-02-28 17:33:49 +0100[diff] [blame]500 int mode,
501 const unsigned char *label, size_t label_len,
502 size_t ilen,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]503 const unsigned char *input,
504 unsigned char *output )
505{
506 size_t olen;
507 int ret;
508 unsigned char *p = output;
509 unsigned int hlen;
510 const md_info_t *md_info;
511 md_context_t md_ctx;
512
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]513 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V21 )
514 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
515
516 if( f_rng == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]517 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
518
Manuel Pégourié-Gonnarda2733712015-02-10 17:32:14 +0100[diff] [blame]519 md_info = md_info_from_type( (md_type_t) ctx->hash_id );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]520 if( md_info == NULL )
521 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
522
523 olen = ctx->len;
524 hlen = md_get_size( md_info );
525
Janos Follath742783f2016-02-08 14:52:29 +0000[diff] [blame]526 // first comparison checks for overflow
527 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]528 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
529
530 memset( output, 0, olen );
531
532 *p++ = 0;
533
534 // Generate a random octet string seed
535 //
536 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
537 return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
538
539 p += hlen;
540
541 // Construct DB
542 //
Paul Bakkera43231c2013-02-28 17:33:49 +0100[diff] [blame]543 md( md_info, label, label_len, p );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]544 p += hlen;
545 p += olen - 2 * hlen - 2 - ilen;
546 *p++ = 1;
547 memcpy( p, input, ilen );
548
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]549 md_init( &md_ctx );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]550 md_init_ctx( &md_ctx, md_info );
551
552 // maskedDB: Apply dbMask to DB
553 //
554 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
555 &md_ctx );
556
557 // maskedSeed: Apply seedMask to seed
558 //
559 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
560 &md_ctx );
561
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]562 md_free( &md_ctx );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]563
564 return( ( mode == RSA_PUBLIC )
565 ? rsa_public( ctx, output, output )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]566 : rsa_private( ctx, f_rng, p_rng, output, output ) );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]567}
568#endif /* POLARSSL_PKCS1_V21 */
569
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]570#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]571/*
572 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
573 */
574int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
575 int (*f_rng)(void *, unsigned char *, size_t),
576 void *p_rng,
577 int mode, size_t ilen,
578 const unsigned char *input,
579 unsigned char *output )
580{
581 size_t nb_pad, olen;
582 int ret;
583 unsigned char *p = output;
584
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]585 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V15 )
586 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
587
Janos Follath7ddc2cd2016-03-18 11:45:44 +0000[diff] [blame]588 // We don't check p_rng because it won't be dereferenced here
589 if( f_rng == NULL || input == NULL || output == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]590 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
591
592 olen = ctx->len;
593
Janos Follath742783f2016-02-08 14:52:29 +0000[diff] [blame]594 // first comparison checks for overflow
595 if( ilen + 11 < ilen || olen < ilen + 11 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]596 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
597
598 nb_pad = olen - 3 - ilen;
599
600 *p++ = 0;
601 if( mode == RSA_PUBLIC )
602 {
603 *p++ = RSA_CRYPT;
604
605 while( nb_pad-- > 0 )
606 {
607 int rng_dl = 100;
608
609 do {
610 ret = f_rng( p_rng, p, 1 );
611 } while( *p == 0 && --rng_dl && ret == 0 );
612
613 // Check if RNG failed to generate data
614 //
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]615 if( rng_dl == 0 || ret != 0 )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]616 return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]617
618 p++;
619 }
620 }
621 else
622 {
623 *p++ = RSA_SIGN;
624
625 while( nb_pad-- > 0 )
626 *p++ = 0xFF;
627 }
628
629 *p++ = 0;
630 memcpy( p, input, ilen );
631
632 return( ( mode == RSA_PUBLIC )
633 ? rsa_public( ctx, output, output )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]634 : rsa_private( ctx, f_rng, p_rng, output, output ) );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]635}
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]636#endif /* POLARSSL_PKCS1_V15 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]637
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]638/*
639 * Add the message padding, then do an RSA operation
640 */
641int rsa_pkcs1_encrypt( rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]642 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]643 void *p_rng,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]644 int mode, size_t ilen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]645 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]646 unsigned char *output )
647{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]648 switch( ctx->padding )
649 {
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]650#if defined(POLARSSL_PKCS1_V15)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651 case RSA_PKCS_V15:
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]652 return rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
653 input, output );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]654#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]655
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]656#if defined(POLARSSL_PKCS1_V21)
657 case RSA_PKCS_V21:
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]658 return rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
659 ilen, input, output );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]660#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]661
662 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]663 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]664 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665}
666
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]667#if defined(POLARSSL_PKCS1_V21)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]668/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]669 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]670 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]671int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]672 int (*f_rng)(void *, unsigned char *, size_t),
673 void *p_rng,
674 int mode,
Paul Bakkera43231c2013-02-28 17:33:49 +0100[diff] [blame]675 const unsigned char *label, size_t label_len,
676 size_t *olen,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]677 const unsigned char *input,
678 unsigned char *output,
679 size_t output_max_len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]680{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]681 int ret;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]682 size_t ilen, i, pad_len;
683 unsigned char *p, bad, pad_done;
Paul Bakker0be82f22012-10-03 20:36:33 +0000[diff] [blame]684 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]685 unsigned char lhash[POLARSSL_MD_MAX_SIZE];
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]686 unsigned int hlen;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]687 const md_info_t *md_info;
688 md_context_t md_ctx;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]689
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]690 /*
691 * Parameters sanity checks
692 */
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]693 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V21 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]694 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695
696 ilen = ctx->len;
697
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]698 if( ilen < 16 || ilen > sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]699 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]700
Manuel Pégourié-Gonnarda2733712015-02-10 17:32:14 +0100[diff] [blame]701 md_info = md_info_from_type( (md_type_t) ctx->hash_id );
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]702 if( md_info == NULL )
703 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
704
Simon Butcherd3253b02016-03-17 00:57:18 +0000[diff] [blame]705 hlen = md_get_size( md_info );
Janos Follath092f2c42016-02-11 11:08:18 +0000[diff] [blame]706
707 // checking for integer underflow
708 if( 2 * hlen + 2 > ilen )
Simon Butcherd3253b02016-03-17 00:57:18 +0000[diff] [blame]709 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Janos Follath092f2c42016-02-11 11:08:18 +0000[diff] [blame]710
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]711 /*
712 * RSA operation
713 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]714 ret = ( mode == RSA_PUBLIC )
715 ? rsa_public( ctx, input, buf )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]716 : rsa_private( ctx, f_rng, p_rng, input, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]717
718 if( ret != 0 )
719 return( ret );
720
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]721 /*
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]722 * Unmask data and generate lHash
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]723 */
724 hlen = md_get_size( md_info );
725
Janos Follath3bed13d2016-02-09 14:51:35 +0000[diff] [blame]726 // checking for integer underflow
727 if( 2 * hlen + 2 > ilen )
728 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
729
Simon Butcherd3253b02016-03-17 00:57:18 +0000[diff] [blame]730 md_init( &md_ctx );
731 md_init_ctx( &md_ctx, md_info );
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]732
733 /* Generate lHash */
734 md( md_info, label, label_len, lhash );
735
736 /* seed: Apply seedMask to maskedSeed */
737 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
738 &md_ctx );
739
740 /* DB: Apply dbMask to maskedDB */
741 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
742 &md_ctx );
743
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]744 md_free( &md_ctx );
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]745
746 /*
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]747 * Check contents, in "constant-time"
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]748 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]749 p = buf;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]750 bad = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]751
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]752 bad |= *p++; /* First byte must be 0 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]753
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]754 p += hlen; /* Skip seed */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]755
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]756 /* Check lHash */
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]757 for( i = 0; i < hlen; i++ )
758 bad |= lhash[i] ^ *p++;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]759
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]760 /* Get zero-padding len, but always read till end of buffer
761 * (minus one, for the 01 byte) */
762 pad_len = 0;
763 pad_done = 0;
764 for( i = 0; i < ilen - 2 * hlen - 2; i++ )
765 {
766 pad_done |= p[i];
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]767 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]768 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]769
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]770 p += pad_len;
771 bad |= *p++ ^ 0x01;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]772
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]773 /*
774 * The only information "leaked" is whether the padding was correct or not
775 * (eg, no data is copied if it was not correct). This meets the
776 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
777 * the different error conditions.
778 */
779 if( bad != 0 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]780 return( POLARSSL_ERR_RSA_INVALID_PADDING );
781
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]782 if( ilen - ( p - buf ) > output_max_len )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]783 return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
784
785 *olen = ilen - (p - buf);
786 memcpy( output, p, *olen );
787
788 return( 0 );
789}
790#endif /* POLARSSL_PKCS1_V21 */
791
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]792#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]793/*
794 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
795 */
796int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]797 int (*f_rng)(void *, unsigned char *, size_t),
798 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]799 int mode, size_t *olen,
800 const unsigned char *input,
801 unsigned char *output,
802 size_t output_max_len)
803{
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]804 int ret;
805 size_t ilen, pad_count = 0, i;
806 unsigned char *p, bad, pad_done = 0;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]807 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
808
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]809 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V15 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]810 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
811
812 ilen = ctx->len;
813
814 if( ilen < 16 || ilen > sizeof( buf ) )
815 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
816
817 ret = ( mode == RSA_PUBLIC )
818 ? rsa_public( ctx, input, buf )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]819 : rsa_private( ctx, f_rng, p_rng, input, buf );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]820
821 if( ret != 0 )
822 return( ret );
823
824 p = buf;
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]825 bad = 0;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]826
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]827 /*
828 * Check and get padding len in "constant-time"
829 */
830 bad |= *p++; /* First byte must be 0 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]831
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]832 /* This test does not depend on secret data */
833 if( mode == RSA_PRIVATE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]834 {
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]835 bad |= *p++ ^ RSA_CRYPT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]836
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]837 /* Get padding len, but always read till end of buffer
838 * (minus one, for the 00 byte) */
839 for( i = 0; i < ilen - 3; i++ )
840 {
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]841 pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;
842 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]843 }
Paul Bakkere6ee41f2012-05-19 08:43:48 +0000[diff] [blame]844
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]845 p += pad_count;
846 bad |= *p++; /* Must be zero */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]847 }
848 else
849 {
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]850 bad |= *p++ ^ RSA_SIGN;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]851
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]852 /* Get padding len, but always read till end of buffer
853 * (minus one, for the 00 byte) */
854 for( i = 0; i < ilen - 3; i++ )
855 {
Manuel Pégourié-Gonnardfbf09152014-02-03 11:58:55 +0100[diff] [blame]856 pad_done |= ( p[i] != 0xFF );
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]857 pad_count += ( pad_done == 0 );
858 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]859
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]860 p += pad_count;
861 bad |= *p++; /* Must be zero */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]862 }
863
Janos Follathf18263d2016-02-12 13:30:09 +0000[diff] [blame]864 bad |= ( pad_count < 8 );
Janos Follathf570f7f2016-02-08 13:59:25 +0000[diff] [blame]865
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]866 if( bad )
Paul Bakker8804f692013-02-28 18:06:26 +0100[diff] [blame]867 return( POLARSSL_ERR_RSA_INVALID_PADDING );
868
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]869 if( ilen - ( p - buf ) > output_max_len )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]870 return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]871
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]872 *olen = ilen - (p - buf);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]873 memcpy( output, p, *olen );
874
875 return( 0 );
876}
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]877#endif /* POLARSSL_PKCS1_V15 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]878
879/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]880 * Do an RSA operation, then remove the message padding
881 */
882int rsa_pkcs1_decrypt( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]883 int (*f_rng)(void *, unsigned char *, size_t),
884 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]885 int mode, size_t *olen,
886 const unsigned char *input,
887 unsigned char *output,
888 size_t output_max_len)
889{
890 switch( ctx->padding )
891 {
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]892#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]893 case RSA_PKCS_V15:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]894 return rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
895 input, output, output_max_len );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]896#endif
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]897
898#if defined(POLARSSL_PKCS1_V21)
899 case RSA_PKCS_V21:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]900 return rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
901 olen, input, output,
902 output_max_len );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]903#endif
904
905 default:
906 return( POLARSSL_ERR_RSA_INVALID_PADDING );
907 }
908}
909
910#if defined(POLARSSL_PKCS1_V21)
911/*
912 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
913 */
914int rsa_rsassa_pss_sign( rsa_context *ctx,
915 int (*f_rng)(void *, unsigned char *, size_t),
916 void *p_rng,
917 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]918 md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]919 unsigned int hashlen,
920 const unsigned char *hash,
921 unsigned char *sig )
922{
923 size_t olen;
924 unsigned char *p = sig;
925 unsigned char salt[POLARSSL_MD_MAX_SIZE];
926 unsigned int slen, hlen, offset = 0;
927 int ret;
928 size_t msb;
929 const md_info_t *md_info;
930 md_context_t md_ctx;
931
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]932 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V21 )
933 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
934
935 if( f_rng == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]936 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
937
938 olen = ctx->len;
939
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]940 if( md_alg != POLARSSL_MD_NONE )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]941 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]942 // Gather length of hash to sign
943 //
944 md_info = md_info_from_type( md_alg );
945 if( md_info == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]946 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]947
948 hashlen = md_get_size( md_info );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]949 }
950
Manuel Pégourié-Gonnarda2733712015-02-10 17:32:14 +0100[diff] [blame]951 md_info = md_info_from_type( (md_type_t) ctx->hash_id );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]952 if( md_info == NULL )
953 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
954
955 hlen = md_get_size( md_info );
956 slen = hlen;
957
958 if( olen < hlen + slen + 2 )
959 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
960
961 memset( sig, 0, olen );
962
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]963 // Generate salt of length slen
964 //
965 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
966 return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
967
968 // Note: EMSA-PSS encoding is over the length of N - 1 bits
969 //
970 msb = mpi_msb( &ctx->N ) - 1;
971 p += olen - hlen * 2 - 2;
972 *p++ = 0x01;
973 memcpy( p, salt, slen );
974 p += slen;
975
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]976 md_init( &md_ctx );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]977 md_init_ctx( &md_ctx, md_info );
978
979 // Generate H = Hash( M' )
980 //
981 md_starts( &md_ctx );
982 md_update( &md_ctx, p, 8 );
983 md_update( &md_ctx, hash, hashlen );
984 md_update( &md_ctx, salt, slen );
985 md_finish( &md_ctx, p );
986
987 // Compensate for boundary condition when applying mask
988 //
989 if( msb % 8 == 0 )
990 offset = 1;
991
992 // maskedDB: Apply dbMask to DB
993 //
994 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
995
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]996 md_free( &md_ctx );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]997
998 msb = mpi_msb( &ctx->N ) - 1;
999 sig[0] &= 0xFF >> ( olen * 8 - msb );
1000
1001 p += hlen;
1002 *p++ = 0xBC;
1003
1004 return( ( mode == RSA_PUBLIC )
1005 ? rsa_public( ctx, sig, sig )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1006 : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1007}
1008#endif /* POLARSSL_PKCS1_V21 */
1009
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1010#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1011/*
1012 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1013 */
1014/*
1015 * Do an RSA operation to sign the message digest
1016 */
1017int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1018 int (*f_rng)(void *, unsigned char *, size_t),
1019 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1020 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1021 md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1022 unsigned int hashlen,
1023 const unsigned char *hash,
1024 unsigned char *sig )
1025{
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1026 size_t nb_pad, olen, oid_size = 0;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1027 unsigned char *p = sig;
Paul Bakker21e081b2014-07-24 10:38:01 +0200[diff] [blame]1028 const char *oid = NULL;
Manuel Pégourié-Gonnarda1cdcd22015-09-03 20:03:15 +0200[diff] [blame]1029 unsigned char *sig_try = NULL, *verif = NULL;
1030 size_t i;
1031 unsigned char diff;
1032 volatile unsigned char diff_no_optimize;
1033 int ret;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1034
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]1035 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V15 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1036 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1037
1038 olen = ctx->len;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1039 nb_pad = olen - 3;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1040
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1041 if( md_alg != POLARSSL_MD_NONE )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1042 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1043 const md_info_t *md_info = md_info_from_type( md_alg );
1044 if( md_info == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1045 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1046
Paul Bakker1c3853b2013-09-10 11:43:44 +0200[diff] [blame]1047 if( oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1048 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1049
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1050 nb_pad -= 10 + oid_size;
1051
1052 hashlen = md_get_size( md_info );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1053 }
1054
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1055 nb_pad -= hashlen;
1056
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1057 if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
1058 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1059
1060 *p++ = 0;
1061 *p++ = RSA_SIGN;
1062 memset( p, 0xFF, nb_pad );
1063 p += nb_pad;
1064 *p++ = 0;
1065
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1066 if( md_alg == POLARSSL_MD_NONE )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1067 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1068 memcpy( p, hash, hashlen );
1069 }
1070 else
1071 {
1072 /*
1073 * DigestInfo ::= SEQUENCE {
1074 * digestAlgorithm DigestAlgorithmIdentifier,
1075 * digest Digest }
1076 *
1077 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1078 *
1079 * Digest ::= OCTET STRING
1080 */
1081 *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]1082 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1083 *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]1084 *p++ = (unsigned char) ( 0x04 + oid_size );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1085 *p++ = ASN1_OID;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]1086 *p++ = oid_size & 0xFF;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1087 memcpy( p, oid, oid_size );
1088 p += oid_size;
1089 *p++ = ASN1_NULL;
1090 *p++ = 0x00;
1091 *p++ = ASN1_OCTET_STRING;
1092 *p++ = hashlen;
1093 memcpy( p, hash, hashlen );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1094 }
1095
Manuel Pégourié-Gonnarda1cdcd22015-09-03 20:03:15 +0200[diff] [blame]1096 if( mode == RSA_PUBLIC )
1097 return( rsa_public( ctx, sig, sig ) );
1098
1099 /*
1100 * In order to prevent Lenstra's attack, make the signature in a
1101 * temporary buffer and check it before returning it.
1102 */
1103 sig_try = polarssl_malloc( ctx->len );
Simon Butcher7d3f3a82016-01-02 00:03:39 +0000[diff] [blame]1104 if( sig_try == NULL )
Manuel Pégourié-Gonnarda1cdcd22015-09-03 20:03:15 +0200[diff] [blame]1105 return( POLARSSL_ERR_MPI_MALLOC_FAILED );
1106
Simon Butcher7d3f3a82016-01-02 00:03:39 +0000[diff] [blame]1107 verif = polarssl_malloc( ctx->len );
1108 if( verif == NULL )
1109 {
1110 polarssl_free( sig_try );
1111 return( POLARSSL_ERR_MPI_MALLOC_FAILED );
1112 }
1113
Manuel Pégourié-Gonnarda1cdcd22015-09-03 20:03:15 +0200[diff] [blame]1114 MPI_CHK( rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
1115 MPI_CHK( rsa_public( ctx, sig_try, verif ) );
1116
1117 /* Compare in constant time just in case */
1118 for( diff = 0, i = 0; i < ctx->len; i++ )
1119 diff |= verif[i] ^ sig[i];
1120 diff_no_optimize = diff;
1121
1122 if( diff_no_optimize != 0 )
1123 {
1124 ret = POLARSSL_ERR_RSA_PRIVATE_FAILED;
1125 goto cleanup;
1126 }
1127
1128 memcpy( sig, sig_try, ctx->len );
1129
1130cleanup:
1131 polarssl_free( sig_try );
1132 polarssl_free( verif );
1133
1134 return( ret );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1135}
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1136#endif /* POLARSSL_PKCS1_V15 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1137
1138/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1139 * Do an RSA operation to sign the message digest
1140 */
1141int rsa_pkcs1_sign( rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1142 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1143 void *p_rng,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1144 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1145 md_type_t md_alg,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1146 unsigned int hashlen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1147 const unsigned char *hash,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1148 unsigned char *sig )
1149{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1150 switch( ctx->padding )
1151 {
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1152#if defined(POLARSSL_PKCS1_V15)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1153 case RSA_PKCS_V15:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1154 return rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1155 hashlen, hash, sig );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1156#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1157
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1158#if defined(POLARSSL_PKCS1_V21)
1159 case RSA_PKCS_V21:
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1160 return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1161 hashlen, hash, sig );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1162#endif
1163
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1164 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1165 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1166 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1167}
1168
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1169#if defined(POLARSSL_PKCS1_V21)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1170/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1171 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1172 */
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1173int rsa_rsassa_pss_verify_ext( rsa_context *ctx,
1174 int (*f_rng)(void *, unsigned char *, size_t),
1175 void *p_rng,
1176 int mode,
1177 md_type_t md_alg,
1178 unsigned int hashlen,
1179 const unsigned char *hash,
1180 md_type_t mgf1_hash_id,
1181 int expected_salt_len,
1182 const unsigned char *sig )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1183{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1184 int ret;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1185 size_t siglen;
1186 unsigned char *p;
Paul Bakker0be82f22012-10-03 20:36:33 +0000[diff] [blame]1187 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
Paul Bakker1fe7d9b2011-11-15 15:26:03 +0000[diff] [blame]1188 unsigned char result[POLARSSL_MD_MAX_SIZE];
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1189 unsigned char zeros[8];
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1190 unsigned int hlen;
1191 size_t slen, msb;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1192 const md_info_t *md_info;
1193 md_context_t md_ctx;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1194
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]1195 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V21 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1196 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1197
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1198 siglen = ctx->len;
1199
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1200 if( siglen < 16 || siglen > sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1201 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1202
1203 ret = ( mode == RSA_PUBLIC )
1204 ? rsa_public( ctx, sig, buf )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1205 : rsa_private( ctx, f_rng, p_rng, sig, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1206
1207 if( ret != 0 )
1208 return( ret );
1209
1210 p = buf;
1211
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1212 if( buf[siglen - 1] != 0xBC )
1213 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1214
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1215 if( md_alg != POLARSSL_MD_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1216 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1217 // Gather length of hash to sign
1218 //
1219 md_info = md_info_from_type( md_alg );
1220 if( md_info == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1221 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1222
1223 hashlen = md_get_size( md_info );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1224 }
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1225
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1226 md_info = md_info_from_type( mgf1_hash_id );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1227 if( md_info == NULL )
1228 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1229
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1230 hlen = md_get_size( md_info );
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1231 slen = siglen - hlen - 1; /* Currently length of salt + padding */
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1232
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1233 memset( zeros, 0, 8 );
Paul Bakker53019ae2011-03-25 13:58:48 +0000[diff] [blame]1234
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1235 // Note: EMSA-PSS verification is over the length of N - 1 bits
1236 //
1237 msb = mpi_msb( &ctx->N ) - 1;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1238
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1239 // Compensate for boundary condition when applying mask
1240 //
1241 if( msb % 8 == 0 )
1242 {
1243 p++;
1244 siglen -= 1;
1245 }
1246 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
1247 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1248
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]1249 md_init( &md_ctx );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1250 md_init_ctx( &md_ctx, md_info );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1251
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1252 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
Paul Bakker02303e82013-01-03 11:08:31 +0100[diff] [blame]1253
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1254 buf[0] &= 0xFF >> ( siglen * 8 - msb );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1255
Paul Bakker4de44aa2013-12-31 11:43:01 +0100[diff] [blame]1256 while( p < buf + siglen && *p == 0 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1257 p++;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1258
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1259 if( p == buf + siglen ||
1260 *p++ != 0x01 )
1261 {
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]1262 md_free( &md_ctx );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1263 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1264 }
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1265
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1266 /* Actual salt len */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1267 slen -= p - buf;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1268
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1269 if( expected_salt_len != RSA_SALT_LEN_ANY &&
1270 slen != (size_t) expected_salt_len )
1271 {
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]1272 md_free( &md_ctx );
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1273 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1274 }
1275
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1276 // Generate H = Hash( M' )
1277 //
1278 md_starts( &md_ctx );
1279 md_update( &md_ctx, zeros, 8 );
1280 md_update( &md_ctx, hash, hashlen );
1281 md_update( &md_ctx, p, slen );
1282 md_finish( &md_ctx, result );
Paul Bakker53019ae2011-03-25 13:58:48 +0000[diff] [blame]1283
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]1284 md_free( &md_ctx );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1285
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1286 if( memcmp( p + slen, result, hlen ) == 0 )
1287 return( 0 );
1288 else
1289 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1290}
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1291
1292/*
1293 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1294 */
1295int rsa_rsassa_pss_verify( rsa_context *ctx,
1296 int (*f_rng)(void *, unsigned char *, size_t),
1297 void *p_rng,
1298 int mode,
1299 md_type_t md_alg,
1300 unsigned int hashlen,
1301 const unsigned char *hash,
1302 const unsigned char *sig )
1303{
1304 md_type_t mgf1_hash_id = ( ctx->hash_id != POLARSSL_MD_NONE )
Manuel Pégourié-Gonnard0eaa8be2014-06-05 18:07:20 +0200[diff] [blame]1305 ? (md_type_t) ctx->hash_id
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]1306 : md_alg;
1307
1308 return( rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
1309 md_alg, hashlen, hash,
1310 mgf1_hash_id, RSA_SALT_LEN_ANY,
1311 sig ) );
1312
1313}
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1314#endif /* POLARSSL_PKCS1_V21 */
Paul Bakker40628ba2013-01-03 10:50:31 +0100[diff] [blame]1315
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1316#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1317/*
1318 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
1319 */
1320int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1321 int (*f_rng)(void *, unsigned char *, size_t),
1322 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1323 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1324 md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1325 unsigned int hashlen,
1326 const unsigned char *hash,
Manuel Pégourié-Gonnardcc0a9d02013-08-12 11:34:35 +0200[diff] [blame]1327 const unsigned char *sig )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1328{
1329 int ret;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1330 size_t len, siglen, asn1_len;
1331 unsigned char *p, *end;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1332 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1333 md_type_t msg_md_alg;
1334 const md_info_t *md_info;
1335 asn1_buf oid;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1336
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200[diff] [blame]1337 if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V15 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1338 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1339
1340 siglen = ctx->len;
1341
1342 if( siglen < 16 || siglen > sizeof( buf ) )
1343 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1344
1345 ret = ( mode == RSA_PUBLIC )
1346 ? rsa_public( ctx, sig, buf )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1347 : rsa_private( ctx, f_rng, p_rng, sig, buf );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1348
1349 if( ret != 0 )
1350 return( ret );
1351
1352 p = buf;
1353
1354 if( *p++ != 0 || *p++ != RSA_SIGN )
1355 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1356
1357 while( *p != 0 )
1358 {
1359 if( p >= buf + siglen - 1 || *p != 0xFF )
1360 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1361 p++;
1362 }
1363 p++;
1364
1365 len = siglen - ( p - buf );
1366
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1367 if( len == hashlen && md_alg == POLARSSL_MD_NONE )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1368 {
1369 if( memcmp( p, hash, hashlen ) == 0 )
1370 return( 0 );
1371 else
1372 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1373 }
1374
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1375 md_info = md_info_from_type( md_alg );
1376 if( md_info == NULL )
1377 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1378 hashlen = md_get_size( md_info );
1379
1380 end = p + len;
1381
1382 // Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
1383 //
1384 if( ( ret = asn1_get_tag( &p, end, &asn1_len,
1385 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1386 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1387
1388 if( asn1_len + 2 != len )
1389 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1390
1391 if( ( ret = asn1_get_tag( &p, end, &asn1_len,
1392 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1393 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1394
1395 if( asn1_len + 6 + hashlen != len )
1396 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1397
1398 if( ( ret = asn1_get_tag( &p, end, &oid.len, ASN1_OID ) ) != 0 )
1399 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1400
1401 oid.p = p;
1402 p += oid.len;
1403
1404 if( oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
1405 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1406
1407 if( md_alg != msg_md_alg )
1408 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1409
1410 /*
1411 * assume the algorithm parameters must be NULL
1412 */
1413 if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_NULL ) ) != 0 )
1414 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1415
1416 if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_OCTET_STRING ) ) != 0 )
1417 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1418
1419 if( asn1_len != hashlen )
1420 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1421
1422 if( memcmp( p, hash, hashlen ) != 0 )
1423 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1424
1425 p += hashlen;
1426
1427 if( p != end )
1428 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1429
1430 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1431}
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1432#endif /* POLARSSL_PKCS1_V15 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1433
1434/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1435 * Do an RSA operation and check the message digest
1436 */
1437int rsa_pkcs1_verify( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1438 int (*f_rng)(void *, unsigned char *, size_t),
1439 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1440 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1441 md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1442 unsigned int hashlen,
1443 const unsigned char *hash,
Manuel Pégourié-Gonnardcc0a9d02013-08-12 11:34:35 +0200[diff] [blame]1444 const unsigned char *sig )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1445{
1446 switch( ctx->padding )
1447 {
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1448#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1449 case RSA_PKCS_V15:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1450 return rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1451 hashlen, hash, sig );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1452#endif
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1453
1454#if defined(POLARSSL_PKCS1_V21)
1455 case RSA_PKCS_V21:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1456 return rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1457 hashlen, hash, sig );
1458#endif
1459
1460 default:
1461 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1462 }
1463}
1464
1465/*
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]1466 * Copy the components of an RSA key
1467 */
1468int rsa_copy( rsa_context *dst, const rsa_context *src )
1469{
1470 int ret;
1471
1472 dst->ver = src->ver;
1473 dst->len = src->len;
1474
1475 MPI_CHK( mpi_copy( &dst->N, &src->N ) );
1476 MPI_CHK( mpi_copy( &dst->E, &src->E ) );
1477
1478 MPI_CHK( mpi_copy( &dst->D, &src->D ) );
1479 MPI_CHK( mpi_copy( &dst->P, &src->P ) );
1480 MPI_CHK( mpi_copy( &dst->Q, &src->Q ) );
1481 MPI_CHK( mpi_copy( &dst->DP, &src->DP ) );
1482 MPI_CHK( mpi_copy( &dst->DQ, &src->DQ ) );
1483 MPI_CHK( mpi_copy( &dst->QP, &src->QP ) );
1484
1485 MPI_CHK( mpi_copy( &dst->RN, &src->RN ) );
1486 MPI_CHK( mpi_copy( &dst->RP, &src->RP ) );
1487 MPI_CHK( mpi_copy( &dst->RQ, &src->RQ ) );
1488
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]1489 MPI_CHK( mpi_copy( &dst->Vi, &src->Vi ) );
1490 MPI_CHK( mpi_copy( &dst->Vf, &src->Vf ) );
1491
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]1492 dst->padding = src->padding;
Manuel Pégourié-Gonnardfdddac92014-03-25 15:58:35 +0100[diff] [blame]1493 dst->hash_id = src->hash_id;
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]1494
1495cleanup:
1496 if( ret != 0 )
1497 rsa_free( dst );
1498
1499 return( ret );
1500}
1501
1502/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1503 * Free the components of an RSA key
1504 */
1505void rsa_free( rsa_context *ctx )
1506{
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]1507 mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1508 mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
1509 mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
1510 mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );
1511 mpi_free( &ctx->E ); mpi_free( &ctx->N );
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200[diff] [blame]1512
1513#if defined(POLARSSL_THREADING_C)
1514 polarssl_mutex_free( &ctx->mutex );
1515#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1516}
1517
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1518#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1519
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1520#include "polarssl/sha1.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1521
1522/*
1523 * Example RSA-1024 keypair, for test purposes
1524 */
1525#define KEY_LEN 128
1526
1527#define RSA_N "9292758453063D803DD603D5E777D788" \
1528 "8ED1D5BF35786190FA2F23EBC0848AEA" \
1529 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
1530 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
1531 "93A89813FBF3C4F8066D2D800F7C38A8" \
1532 "1AE31942917403FF4946B0A83D3D3E05" \
1533 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
1534 "5E94BB77B07507233A0BC7BAC8F90F79"
1535
1536#define RSA_E "10001"
1537
1538#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
1539 "66CA472BC44D253102F8B4A9D3BFA750" \
1540 "91386C0077937FE33FA3252D28855837" \
1541 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
1542 "DF79C5CE07EE72C7F123142198164234" \
1543 "CABB724CF78B8173B9F880FC86322407" \
1544 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
1545 "071513A1E85B5DFA031F21ECAE91A34D"
1546
1547#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
1548 "2C01CAD19EA484A87EA4377637E75500" \
1549 "FCB2005C5C7DD6EC4AC023CDA285D796" \
1550 "C3D9E75E1EFC42488BB4F1D13AC30A57"
1551
1552#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
1553 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
1554 "910E4168387E3C30AA1E00C339A79508" \
1555 "8452DD96A9A5EA5D9DCA68DA636032AF"
1556
1557#define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
1558 "3C94D22288ACD763FD8E5600ED4A702D" \
1559 "F84198A5F06C2E72236AE490C93F07F8" \
1560 "3CC559CD27BC2D1CA488811730BB5725"
1561
1562#define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
1563 "D8AAEA56749EA28623272E4F7D0592AF" \
1564 "7C1F1313CAC9471B5C523BFE592F517B" \
1565 "407A1BD76C164B93DA2D32A383E58357"
1566
1567#define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
1568 "F38D18D2B2F0E2DD275AA977E2BF4411" \
1569 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
1570 "A74206CEC169D74BF5A8C50D6F48EA08"
1571
1572#define PT_LEN 24
1573#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
1574 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
1575
Paul Bakkerfef3c5a2013-12-11 13:36:30 +0100[diff] [blame]1576#if defined(POLARSSL_PKCS1_V15)
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1577static int myrand( void *rng_state, unsigned char *output, size_t len )
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]1578{
Paul Bakkerf96f7b62014-04-30 16:02:38 +0200[diff] [blame]1579#if !defined(__OpenBSD__)
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1580 size_t i;
1581
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]1582 if( rng_state != NULL )
1583 rng_state = NULL;
1584
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1585 for( i = 0; i < len; ++i )
1586 output[i] = rand();
Paul Bakkerf96f7b62014-04-30 16:02:38 +0200[diff] [blame]1587#else
1588 if( rng_state != NULL )
1589 rng_state = NULL;
1590
1591 arc4random_buf( output, len );
1592#endif /* !OpenBSD */
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1593
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1594 return( 0 );
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]1595}
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1596#endif /* POLARSSL_PKCS1_V15 */
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]1597
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1598/*
1599 * Checkup routine
1600 */
1601int rsa_self_test( int verbose )
1602{
Paul Bakker3d8fb632014-04-17 12:42:41 +0200[diff] [blame]1603 int ret = 0;
Paul Bakkerfef3c5a2013-12-11 13:36:30 +0100[diff] [blame]1604#if defined(POLARSSL_PKCS1_V15)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1605 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1606 rsa_context rsa;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1607 unsigned char rsa_plaintext[PT_LEN];
1608 unsigned char rsa_decrypted[PT_LEN];
1609 unsigned char rsa_ciphertext[KEY_LEN];
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]1610#if defined(POLARSSL_SHA1_C)
1611 unsigned char sha1sum[20];
1612#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1613
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]1614 rsa_init( &rsa, RSA_PKCS_V15, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1615
1616 rsa.len = KEY_LEN;
Paul Bakker3d8fb632014-04-17 12:42:41 +0200[diff] [blame]1617 MPI_CHK( mpi_read_string( &rsa.N , 16, RSA_N ) );
1618 MPI_CHK( mpi_read_string( &rsa.E , 16, RSA_E ) );
1619 MPI_CHK( mpi_read_string( &rsa.D , 16, RSA_D ) );
1620 MPI_CHK( mpi_read_string( &rsa.P , 16, RSA_P ) );
1621 MPI_CHK( mpi_read_string( &rsa.Q , 16, RSA_Q ) );
1622 MPI_CHK( mpi_read_string( &rsa.DP, 16, RSA_DP ) );
1623 MPI_CHK( mpi_read_string( &rsa.DQ, 16, RSA_DQ ) );
1624 MPI_CHK( mpi_read_string( &rsa.QP, 16, RSA_QP ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1625
1626 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1627 polarssl_printf( " RSA key validation: " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1628
1629 if( rsa_check_pubkey( &rsa ) != 0 ||
1630 rsa_check_privkey( &rsa ) != 0 )
1631 {
1632 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1633 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1634
1635 return( 1 );
1636 }
1637
1638 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1639 polarssl_printf( "passed\n PKCS#1 encryption : " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1640
1641 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
1642
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1643 if( rsa_pkcs1_encrypt( &rsa, myrand, NULL, RSA_PUBLIC, PT_LEN,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1644 rsa_plaintext, rsa_ciphertext ) != 0 )
1645 {
1646 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1647 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1648
1649 return( 1 );
1650 }
1651
1652 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1653 polarssl_printf( "passed\n PKCS#1 decryption : " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1654
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1655 if( rsa_pkcs1_decrypt( &rsa, myrand, NULL, RSA_PRIVATE, &len,
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]1656 rsa_ciphertext, rsa_decrypted,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1657 sizeof(rsa_decrypted) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1658 {
1659 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1660 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1661
1662 return( 1 );
1663 }
1664
1665 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
1666 {
1667 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1668 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1669
1670 return( 1 );
1671 }
1672
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]1673#if defined(POLARSSL_SHA1_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1674 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1675 polarssl_printf( "passed\n PKCS#1 data sign : " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1676
1677 sha1( rsa_plaintext, PT_LEN, sha1sum );
1678
Paul Bakkeraab30c12013-08-30 11:00:25 +0200[diff] [blame]1679 if( rsa_pkcs1_sign( &rsa, myrand, NULL, RSA_PRIVATE, POLARSSL_MD_SHA1, 0,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1680 sha1sum, rsa_ciphertext ) != 0 )
1681 {
1682 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1683 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1684
1685 return( 1 );
1686 }
1687
1688 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1689 polarssl_printf( "passed\n PKCS#1 sig. verify: " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1690
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1691 if( rsa_pkcs1_verify( &rsa, NULL, NULL, RSA_PUBLIC, POLARSSL_MD_SHA1, 0,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1692 sha1sum, rsa_ciphertext ) != 0 )
1693 {
1694 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1695 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1696
1697 return( 1 );
1698 }
1699
1700 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1701 polarssl_printf( "passed\n\n" );
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]1702#endif /* POLARSSL_SHA1_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1703
Paul Bakker3d8fb632014-04-17 12:42:41 +0200[diff] [blame]1704cleanup:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1705 rsa_free( &rsa );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1706#else /* POLARSSL_PKCS1_V15 */
Paul Bakker3e41fe82013-09-15 17:42:50 +0200[diff] [blame]1707 ((void) verbose);
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1708#endif /* POLARSSL_PKCS1_V15 */
Paul Bakker3d8fb632014-04-17 12:42:41 +0200[diff] [blame]1709 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1710}
1711
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1712#endif /* POLARSSL_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1713
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1714#endif /* POLARSSL_RSA_C */