TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / f96f7b607a59754bc37a8b3f9c563620666db3e7 / . / library / rsa.c
blob: 17861496d8f836ab79890ceabf8594f336d05100 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * The RSA public-key cryptosystem
3 *
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]4 * Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
27 *
28 * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
29 * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_RSA_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/rsa.h"
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]37#include "polarssl/oid.h"
Paul Bakkerbb51f0c2012-08-23 07:46:58 +0000[diff] [blame]38
39#if defined(POLARSSL_PKCS1_V21)
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]40#include "polarssl/md.h"
Paul Bakkerbb51f0c2012-08-23 07:46:58 +0000[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
43#include <stdlib.h>
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]44#include <stdio.h>
45
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]46#if defined(POLARSSL_PLATFORM_C)
47#include "polarssl/platform.h"
48#else
49#define polarssl_printf printf
50#endif
51
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]52/*
53 * Initialize an RSA context
54 */
55void rsa_init( rsa_context *ctx,
56 int padding,
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]57 int hash_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58{
59 memset( ctx, 0, sizeof( rsa_context ) );
60
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100[diff] [blame]61 rsa_set_padding( ctx, padding, hash_id );
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200[diff] [blame]62
63#if defined(POLARSSL_THREADING_C)
64 polarssl_mutex_init( &ctx->mutex );
65#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]66}
67
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100[diff] [blame]68/*
69 * Set padding for an existing RSA context
70 */
71void rsa_set_padding( rsa_context *ctx, int padding, int hash_id )
72{
73 ctx->padding = padding;
74 ctx->hash_id = hash_id;
75}
76
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]77#if defined(POLARSSL_GENPRIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]78
79/*
80 * Generate an RSA keypair
81 */
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]82int rsa_gen_key( rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]83 int (*f_rng)(void *, unsigned char *, size_t),
84 void *p_rng,
85 unsigned int nbits, int exponent )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]86{
87 int ret;
88 mpi P1, Q1, H, G;
89
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]90 if( f_rng == NULL || nbits < 128 || exponent < 3 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]91 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]92
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]93 mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &H ); mpi_init( &G );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94
95 /*
96 * find primes P and Q with Q < P so that:
97 * GCD( E, (P-1)*(Q-1) ) == 1
98 */
99 MPI_CHK( mpi_lset( &ctx->E, exponent ) );
100
101 do
102 {
103 MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]104 f_rng, p_rng ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]105
106 MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]107 f_rng, p_rng ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]108
109 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
110 mpi_swap( &ctx->P, &ctx->Q );
111
112 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
113 continue;
114
115 MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
116 if( mpi_msb( &ctx->N ) != nbits )
117 continue;
118
119 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
120 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
121 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
122 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
123 }
124 while( mpi_cmp_int( &G, 1 ) != 0 );
125
126 /*
127 * D = E^-1 mod ((P-1)*(Q-1))
128 * DP = D mod (P - 1)
129 * DQ = D mod (Q - 1)
130 * QP = Q^-1 mod P
131 */
132 MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
133 MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
134 MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
135 MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
136
137 ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
138
139cleanup:
140
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]141 mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]142
143 if( ret != 0 )
144 {
145 rsa_free( ctx );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]146 return( POLARSSL_ERR_RSA_KEY_GEN_FAILED + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]147 }
148
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]149 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]150}
151
152#endif
153
154/*
155 * Check a public RSA key
156 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]157int rsa_check_pubkey( const rsa_context *ctx )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]158{
Paul Bakker37940d9f2009-07-10 22:38:58 +0000[diff] [blame]159 if( !ctx->N.p || !ctx->E.p )
160 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
161
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]162 if( ( ctx->N.p[0] & 1 ) == 0 ||
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]163 ( ctx->E.p[0] & 1 ) == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]164 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]165
166 if( mpi_msb( &ctx->N ) < 128 ||
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]167 mpi_msb( &ctx->N ) > POLARSSL_MPI_MAX_BITS )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]168 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]169
170 if( mpi_msb( &ctx->E ) < 2 ||
Paul Bakker24f37cc2014-04-30 13:33:35 +0200[diff] [blame]171 mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]172 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]173
174 return( 0 );
175}
176
177/*
178 * Check a private RSA key
179 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]180int rsa_check_privkey( const rsa_context *ctx )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]181{
182 int ret;
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]183 mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]184
185 if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
186 return( ret );
187
Paul Bakker37940d9f2009-07-10 22:38:58 +0000[diff] [blame]188 if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
189 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
190
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]191 mpi_init( &PQ ); mpi_init( &DE ); mpi_init( &P1 ); mpi_init( &Q1 );
192 mpi_init( &H ); mpi_init( &I ); mpi_init( &G ); mpi_init( &G2 );
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]193 mpi_init( &L1 ); mpi_init( &L2 ); mpi_init( &DP ); mpi_init( &DQ );
194 mpi_init( &QP );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]195
196 MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
197 MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
198 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
199 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
200 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]201 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
202
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]203 MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]204 MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) );
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]205 MPI_CHK( mpi_mod_mpi( &I, &DE, &L1 ) );
206
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]207 MPI_CHK( mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
208 MPI_CHK( mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
209 MPI_CHK( mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]210 /*
211 * Check for a valid PKCS1v2 private key
212 */
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]213 if( mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]214 mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
215 mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
216 mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]217 mpi_cmp_int( &L2, 0 ) != 0 ||
218 mpi_cmp_int( &I, 1 ) != 0 ||
219 mpi_cmp_int( &G, 1 ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]220 {
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]221 ret = POLARSSL_ERR_RSA_KEY_CHECK_FAILED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]222 }
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]223
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]224cleanup:
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]225 mpi_free( &PQ ); mpi_free( &DE ); mpi_free( &P1 ); mpi_free( &Q1 );
226 mpi_free( &H ); mpi_free( &I ); mpi_free( &G ); mpi_free( &G2 );
Paul Bakker321df6f2012-09-27 13:21:34 +0000[diff] [blame]227 mpi_free( &L1 ); mpi_free( &L2 ); mpi_free( &DP ); mpi_free( &DQ );
228 mpi_free( &QP );
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]229
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]230 if( ret == POLARSSL_ERR_RSA_KEY_CHECK_FAILED )
231 return( ret );
232
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]233 if( ret != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]234 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED + ret );
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]235
236 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]237}
238
239/*
240 * Do an RSA public key operation
241 */
242int rsa_public( rsa_context *ctx,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]243 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]244 unsigned char *output )
245{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]246 int ret;
247 size_t olen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]248 mpi T;
249
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]250 mpi_init( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]251
252 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
253
254 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
255 {
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]256 mpi_free( &T );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]257 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]258 }
259
260 olen = ctx->len;
261 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
262 MPI_CHK( mpi_write_binary( &T, output, olen ) );
263
264cleanup:
265
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]266 mpi_free( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]267
268 if( ret != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]269 return( POLARSSL_ERR_RSA_PUBLIC_FAILED + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]270
271 return( 0 );
272}
273
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]274#if !defined(POLARSSL_RSA_NO_CRT)
275/*
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]276 * Generate or update blinding values, see section 10 of:
277 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
278 * DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer
279 * Berlin Heidelberg, 1996. p. 104-113.
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]280 */
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200[diff] [blame]281static int rsa_prepare_blinding( rsa_context *ctx, mpi *Vi, mpi *Vf,
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]282 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
283{
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200[diff] [blame]284 int ret, count = 0;
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]285
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200[diff] [blame]286#if defined(POLARSSL_THREADING_C)
287 polarssl_mutex_lock( &ctx->mutex );
288#endif
289
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]290 if( ctx->Vf.p != NULL )
291 {
292 /* We already have blinding values, just update them by squaring */
293 MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
Manuel Pégourié-Gonnard735b8fc2013-09-13 12:57:23 +0200[diff] [blame]294 MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]295 MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
Manuel Pégourié-Gonnard735b8fc2013-09-13 12:57:23 +0200[diff] [blame]296 MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]297
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200[diff] [blame]298 goto done;
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]299 }
300
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200[diff] [blame]301 /* Unblinding value: Vf = random number, invertible mod N */
302 do {
303 if( count++ > 10 )
304 return( POLARSSL_ERR_RSA_RNG_FAILED );
305
306 MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
307 MPI_CHK( mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
308 } while( mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]309
310 /* Blinding value: Vi = Vf^(-e) mod N */
311 MPI_CHK( mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
312 MPI_CHK( mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
313
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200[diff] [blame]314done:
315 if( Vi != &ctx->Vi )
316 {
317 MPI_CHK( mpi_copy( Vi, &ctx->Vi ) );
318 MPI_CHK( mpi_copy( Vf, &ctx->Vf ) );
319 }
320
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]321cleanup:
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200[diff] [blame]322#if defined(POLARSSL_THREADING_C)
323 polarssl_mutex_unlock( &ctx->mutex );
324#endif
325
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]326 return( ret );
327}
328#endif
329
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]330/*
331 * Do an RSA private key operation
332 */
333int rsa_private( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]334 int (*f_rng)(void *, unsigned char *, size_t),
335 void *p_rng,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]336 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337 unsigned char *output )
338{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]339 int ret;
340 size_t olen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341 mpi T, T1, T2;
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200[diff] [blame]342#if !defined(POLARSSL_RSA_NO_CRT)
343 mpi *Vi, *Vf;
344
345 /*
346 * When using the Chinese Remainder Theorem, we use blinding values.
347 * Without threading, we just read them directly from the context,
348 * otherwise we make a local copy in order to reduce locking contention.
349 */
350#if defined(POLARSSL_THREADING_C)
351 mpi Vi_copy, Vf_copy;
352
353 mpi_init( &Vi_copy ); mpi_init( &Vf_copy );
354 Vi = &Vi_copy;
355 Vf = &Vf_copy;
356#else
357 Vi = &ctx->Vi;
358 Vf = &ctx->Vf;
359#endif
360#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]362 mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]363
364 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]365 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
366 {
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]367 mpi_free( &T );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]368 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]369 }
370
Paul Bakker0216cc12011-03-26 13:40:23 +0000[diff] [blame]371#if defined(POLARSSL_RSA_NO_CRT)
Manuel Pégourié-Gonnard971f8b82013-10-04 14:10:43 +0200[diff] [blame]372 ((void) f_rng);
373 ((void) p_rng);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]374 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
375#else
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]376 if( f_rng != NULL )
377 {
378 /*
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]379 * Blinding
380 * T = T * Vi mod N
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]381 */
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200[diff] [blame]382 MPI_CHK( rsa_prepare_blinding( ctx, Vi, Vf, f_rng, p_rng ) );
383 MPI_CHK( mpi_mul_mpi( &T, &T, Vi ) );
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]384 MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]385 }
Paul Bakkeraab30c12013-08-30 11:00:25 +0200[diff] [blame]386
387 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]388 * faster decryption using the CRT
389 *
390 * T1 = input ^ dP mod P
391 * T2 = input ^ dQ mod Q
392 */
393 MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
394 MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
395
396 /*
397 * T = (T1 - T2) * (Q^-1 mod P) mod P
398 */
399 MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
400 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
401 MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
402
403 /*
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]404 * T = T2 + T * Q
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]405 */
406 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]407 MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
Paul Bakkeraab30c12013-08-30 11:00:25 +0200[diff] [blame]408
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]409 if( f_rng != NULL )
410 {
411 /*
412 * Unblind
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]413 * T = T * Vf mod N
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]414 */
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200[diff] [blame]415 MPI_CHK( mpi_mul_mpi( &T, &T, Vf ) );
Paul Bakkerf451bac2013-08-30 15:37:02 +0200[diff] [blame]416 MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
417 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]418#endif
419
420 olen = ctx->len;
421 MPI_CHK( mpi_write_binary( &T, output, olen ) );
422
423cleanup:
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]424 mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200[diff] [blame]425#if !defined(POLARSSL_RSA_NO_CRT) && defined(POLARSSL_THREADING_C)
426 mpi_free( &Vi_copy ); mpi_free( &Vf_copy );
427#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]428
429 if( ret != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]430 return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]431
432 return( 0 );
433}
434
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]435#if defined(POLARSSL_PKCS1_V21)
436/**
437 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
438 *
Paul Bakkerb125ed82011-11-10 13:33:51 +0000[diff] [blame]439 * \param dst buffer to mask
440 * \param dlen length of destination buffer
441 * \param src source of the mask generation
442 * \param slen length of the source buffer
443 * \param md_ctx message digest context to use
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]444 */
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]445static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
446 size_t slen, md_context_t *md_ctx )
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]447{
448 unsigned char mask[POLARSSL_MD_MAX_SIZE];
449 unsigned char counter[4];
450 unsigned char *p;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]451 unsigned int hlen;
452 size_t i, use_len;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]453
454 memset( mask, 0, POLARSSL_MD_MAX_SIZE );
455 memset( counter, 0, 4 );
456
457 hlen = md_ctx->md_info->size;
458
459 // Generate and apply dbMask
460 //
461 p = dst;
462
463 while( dlen > 0 )
464 {
465 use_len = hlen;
466 if( dlen < hlen )
467 use_len = dlen;
468
469 md_starts( md_ctx );
470 md_update( md_ctx, src, slen );
471 md_update( md_ctx, counter, 4 );
472 md_finish( md_ctx, mask );
473
474 for( i = 0; i < use_len; ++i )
475 *p++ ^= mask[i];
476
477 counter[3]++;
478
479 dlen -= use_len;
480 }
481}
482#endif
483
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]484#if defined(POLARSSL_PKCS1_V21)
485/*
486 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
487 */
488int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
489 int (*f_rng)(void *, unsigned char *, size_t),
490 void *p_rng,
Paul Bakkera43231c2013-02-28 17:33:49 +0100[diff] [blame]491 int mode,
492 const unsigned char *label, size_t label_len,
493 size_t ilen,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]494 const unsigned char *input,
495 unsigned char *output )
496{
497 size_t olen;
498 int ret;
499 unsigned char *p = output;
500 unsigned int hlen;
501 const md_info_t *md_info;
502 md_context_t md_ctx;
503
504 if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
505 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
506
507 md_info = md_info_from_type( ctx->hash_id );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]508 if( md_info == NULL )
509 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
510
511 olen = ctx->len;
512 hlen = md_get_size( md_info );
513
514 if( olen < ilen + 2 * hlen + 2 || f_rng == NULL )
515 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
516
517 memset( output, 0, olen );
518
519 *p++ = 0;
520
521 // Generate a random octet string seed
522 //
523 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
524 return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
525
526 p += hlen;
527
528 // Construct DB
529 //
Paul Bakkera43231c2013-02-28 17:33:49 +0100[diff] [blame]530 md( md_info, label, label_len, p );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]531 p += hlen;
532 p += olen - 2 * hlen - 2 - ilen;
533 *p++ = 1;
534 memcpy( p, input, ilen );
535
536 md_init_ctx( &md_ctx, md_info );
537
538 // maskedDB: Apply dbMask to DB
539 //
540 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
541 &md_ctx );
542
543 // maskedSeed: Apply seedMask to seed
544 //
545 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
546 &md_ctx );
547
548 md_free_ctx( &md_ctx );
549
550 return( ( mode == RSA_PUBLIC )
551 ? rsa_public( ctx, output, output )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]552 : rsa_private( ctx, f_rng, p_rng, output, output ) );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]553}
554#endif /* POLARSSL_PKCS1_V21 */
555
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]556#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]557/*
558 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
559 */
560int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
561 int (*f_rng)(void *, unsigned char *, size_t),
562 void *p_rng,
563 int mode, size_t ilen,
564 const unsigned char *input,
565 unsigned char *output )
566{
567 size_t nb_pad, olen;
568 int ret;
569 unsigned char *p = output;
570
571 if( ctx->padding != RSA_PKCS_V15 || f_rng == NULL )
572 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
573
574 olen = ctx->len;
575
576 if( olen < ilen + 11 )
577 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
578
579 nb_pad = olen - 3 - ilen;
580
581 *p++ = 0;
582 if( mode == RSA_PUBLIC )
583 {
584 *p++ = RSA_CRYPT;
585
586 while( nb_pad-- > 0 )
587 {
588 int rng_dl = 100;
589
590 do {
591 ret = f_rng( p_rng, p, 1 );
592 } while( *p == 0 && --rng_dl && ret == 0 );
593
594 // Check if RNG failed to generate data
595 //
596 if( rng_dl == 0 || ret != 0)
597 return POLARSSL_ERR_RSA_RNG_FAILED + ret;
598
599 p++;
600 }
601 }
602 else
603 {
604 *p++ = RSA_SIGN;
605
606 while( nb_pad-- > 0 )
607 *p++ = 0xFF;
608 }
609
610 *p++ = 0;
611 memcpy( p, input, ilen );
612
613 return( ( mode == RSA_PUBLIC )
614 ? rsa_public( ctx, output, output )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]615 : rsa_private( ctx, f_rng, p_rng, output, output ) );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]616}
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]617#endif /* POLARSSL_PKCS1_V15 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]618
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]619/*
620 * Add the message padding, then do an RSA operation
621 */
622int rsa_pkcs1_encrypt( rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]623 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]624 void *p_rng,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]625 int mode, size_t ilen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]626 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]627 unsigned char *output )
628{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]629 switch( ctx->padding )
630 {
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]631#if defined(POLARSSL_PKCS1_V15)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]632 case RSA_PKCS_V15:
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]633 return rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
634 input, output );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]635#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]636
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]637#if defined(POLARSSL_PKCS1_V21)
638 case RSA_PKCS_V21:
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]639 return rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
640 ilen, input, output );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]641#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]642
643 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]644 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]645 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]646}
647
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]648#if defined(POLARSSL_PKCS1_V21)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]649/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]650 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]652int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]653 int (*f_rng)(void *, unsigned char *, size_t),
654 void *p_rng,
655 int mode,
Paul Bakkera43231c2013-02-28 17:33:49 +0100[diff] [blame]656 const unsigned char *label, size_t label_len,
657 size_t *olen,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]658 const unsigned char *input,
659 unsigned char *output,
660 size_t output_max_len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]661{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]662 int ret;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]663 size_t ilen, i, pad_len;
664 unsigned char *p, bad, pad_done;
Paul Bakker0be82f22012-10-03 20:36:33 +0000[diff] [blame]665 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]666 unsigned char lhash[POLARSSL_MD_MAX_SIZE];
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]667 unsigned int hlen;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]668 const md_info_t *md_info;
669 md_context_t md_ctx;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]670
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]671 /*
672 * Parameters sanity checks
673 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]674 if( ctx->padding != RSA_PKCS_V21 )
675 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]676
677 ilen = ctx->len;
678
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]679 if( ilen < 16 || ilen > sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]680 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]682 md_info = md_info_from_type( ctx->hash_id );
683 if( md_info == NULL )
684 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
685
686 /*
687 * RSA operation
688 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689 ret = ( mode == RSA_PUBLIC )
690 ? rsa_public( ctx, input, buf )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]691 : rsa_private( ctx, f_rng, p_rng, input, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692
693 if( ret != 0 )
694 return( ret );
695
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]696 /*
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]697 * Unmask data and generate lHash
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]698 */
699 hlen = md_get_size( md_info );
700
701 md_init_ctx( &md_ctx, md_info );
702
703 /* Generate lHash */
704 md( md_info, label, label_len, lhash );
705
706 /* seed: Apply seedMask to maskedSeed */
707 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
708 &md_ctx );
709
710 /* DB: Apply dbMask to maskedDB */
711 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
712 &md_ctx );
713
714 md_free_ctx( &md_ctx );
715
716 /*
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]717 * Check contents, in "constant-time"
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]718 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]719 p = buf;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]720 bad = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]721
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]722 bad |= *p++; /* First byte must be 0 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]723
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]724 p += hlen; /* Skip seed */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]725
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]726 /* Check lHash */
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]727 for( i = 0; i < hlen; i++ )
728 bad |= lhash[i] ^ *p++;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]729
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]730 /* Get zero-padding len, but always read till end of buffer
731 * (minus one, for the 01 byte) */
732 pad_len = 0;
733 pad_done = 0;
734 for( i = 0; i < ilen - 2 * hlen - 2; i++ )
735 {
736 pad_done |= p[i];
737 pad_len += ( pad_done == 0 );
738 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]739
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]740 p += pad_len;
741 bad |= *p++ ^ 0x01;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]742
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]743 /*
744 * The only information "leaked" is whether the padding was correct or not
745 * (eg, no data is copied if it was not correct). This meets the
746 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
747 * the different error conditions.
748 */
749 if( bad != 0 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]750 return( POLARSSL_ERR_RSA_INVALID_PADDING );
751
752 if (ilen - (p - buf) > output_max_len)
753 return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
754
755 *olen = ilen - (p - buf);
756 memcpy( output, p, *olen );
757
758 return( 0 );
759}
760#endif /* POLARSSL_PKCS1_V21 */
761
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]762#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]763/*
764 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
765 */
766int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]767 int (*f_rng)(void *, unsigned char *, size_t),
768 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]769 int mode, size_t *olen,
770 const unsigned char *input,
771 unsigned char *output,
772 size_t output_max_len)
773{
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]774 int ret;
775 size_t ilen, pad_count = 0, i;
776 unsigned char *p, bad, pad_done = 0;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]777 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
778
779 if( ctx->padding != RSA_PKCS_V15 )
780 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
781
782 ilen = ctx->len;
783
784 if( ilen < 16 || ilen > sizeof( buf ) )
785 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
786
787 ret = ( mode == RSA_PUBLIC )
788 ? rsa_public( ctx, input, buf )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]789 : rsa_private( ctx, f_rng, p_rng, input, buf );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]790
791 if( ret != 0 )
792 return( ret );
793
794 p = buf;
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]795 bad = 0;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]796
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]797 /*
798 * Check and get padding len in "constant-time"
799 */
800 bad |= *p++; /* First byte must be 0 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]801
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]802 /* This test does not depend on secret data */
803 if( mode == RSA_PRIVATE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]804 {
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]805 bad |= *p++ ^ RSA_CRYPT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]806
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]807 /* Get padding len, but always read till end of buffer
808 * (minus one, for the 00 byte) */
809 for( i = 0; i < ilen - 3; i++ )
810 {
811 pad_done |= ( p[i] == 0 );
812 pad_count += ( pad_done == 0 );
813 }
Paul Bakkere6ee41f2012-05-19 08:43:48 +0000[diff] [blame]814
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]815 p += pad_count;
816 bad |= *p++; /* Must be zero */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]817 }
818 else
819 {
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]820 bad |= *p++ ^ RSA_SIGN;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]821
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]822 /* Get padding len, but always read till end of buffer
823 * (minus one, for the 00 byte) */
824 for( i = 0; i < ilen - 3; i++ )
825 {
Manuel Pégourié-Gonnardfbf09152014-02-03 11:58:55 +0100[diff] [blame]826 pad_done |= ( p[i] != 0xFF );
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]827 pad_count += ( pad_done == 0 );
828 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]829
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]830 p += pad_count;
831 bad |= *p++; /* Must be zero */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]832 }
833
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +0100[diff] [blame]834 if( bad )
Paul Bakker8804f692013-02-28 18:06:26 +0100[diff] [blame]835 return( POLARSSL_ERR_RSA_INVALID_PADDING );
836
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]837 if (ilen - (p - buf) > output_max_len)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]838 return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]839
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]840 *olen = ilen - (p - buf);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]841 memcpy( output, p, *olen );
842
843 return( 0 );
844}
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]845#endif /* POLARSSL_PKCS1_V15 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]846
847/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]848 * Do an RSA operation, then remove the message padding
849 */
850int rsa_pkcs1_decrypt( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]851 int (*f_rng)(void *, unsigned char *, size_t),
852 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]853 int mode, size_t *olen,
854 const unsigned char *input,
855 unsigned char *output,
856 size_t output_max_len)
857{
858 switch( ctx->padding )
859 {
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]860#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]861 case RSA_PKCS_V15:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]862 return rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
863 input, output, output_max_len );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]864#endif
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]865
866#if defined(POLARSSL_PKCS1_V21)
867 case RSA_PKCS_V21:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]868 return rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
869 olen, input, output,
870 output_max_len );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]871#endif
872
873 default:
874 return( POLARSSL_ERR_RSA_INVALID_PADDING );
875 }
876}
877
878#if defined(POLARSSL_PKCS1_V21)
879/*
880 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
881 */
882int rsa_rsassa_pss_sign( rsa_context *ctx,
883 int (*f_rng)(void *, unsigned char *, size_t),
884 void *p_rng,
885 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]886 md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]887 unsigned int hashlen,
888 const unsigned char *hash,
889 unsigned char *sig )
890{
891 size_t olen;
892 unsigned char *p = sig;
893 unsigned char salt[POLARSSL_MD_MAX_SIZE];
894 unsigned int slen, hlen, offset = 0;
895 int ret;
896 size_t msb;
897 const md_info_t *md_info;
898 md_context_t md_ctx;
899
900 if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
901 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
902
903 olen = ctx->len;
904
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]905 if( md_alg != POLARSSL_MD_NONE )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]906 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]907 // Gather length of hash to sign
908 //
909 md_info = md_info_from_type( md_alg );
910 if( md_info == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]911 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]912
913 hashlen = md_get_size( md_info );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]914 }
915
916 md_info = md_info_from_type( ctx->hash_id );
917 if( md_info == NULL )
918 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
919
920 hlen = md_get_size( md_info );
921 slen = hlen;
922
923 if( olen < hlen + slen + 2 )
924 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
925
926 memset( sig, 0, olen );
927
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]928 // Generate salt of length slen
929 //
930 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
931 return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
932
933 // Note: EMSA-PSS encoding is over the length of N - 1 bits
934 //
935 msb = mpi_msb( &ctx->N ) - 1;
936 p += olen - hlen * 2 - 2;
937 *p++ = 0x01;
938 memcpy( p, salt, slen );
939 p += slen;
940
941 md_init_ctx( &md_ctx, md_info );
942
943 // Generate H = Hash( M' )
944 //
945 md_starts( &md_ctx );
946 md_update( &md_ctx, p, 8 );
947 md_update( &md_ctx, hash, hashlen );
948 md_update( &md_ctx, salt, slen );
949 md_finish( &md_ctx, p );
950
951 // Compensate for boundary condition when applying mask
952 //
953 if( msb % 8 == 0 )
954 offset = 1;
955
956 // maskedDB: Apply dbMask to DB
957 //
958 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
959
960 md_free_ctx( &md_ctx );
961
962 msb = mpi_msb( &ctx->N ) - 1;
963 sig[0] &= 0xFF >> ( olen * 8 - msb );
964
965 p += hlen;
966 *p++ = 0xBC;
967
968 return( ( mode == RSA_PUBLIC )
969 ? rsa_public( ctx, sig, sig )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]970 : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]971}
972#endif /* POLARSSL_PKCS1_V21 */
973
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]974#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]975/*
976 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
977 */
978/*
979 * Do an RSA operation to sign the message digest
980 */
981int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]982 int (*f_rng)(void *, unsigned char *, size_t),
983 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]984 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]985 md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]986 unsigned int hashlen,
987 const unsigned char *hash,
988 unsigned char *sig )
989{
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]990 size_t nb_pad, olen, oid_size = 0;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]991 unsigned char *p = sig;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]992 const char *oid;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]993
994 if( ctx->padding != RSA_PKCS_V15 )
995 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
996
997 olen = ctx->len;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]998 nb_pad = olen - 3;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]999
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1000 if( md_alg != POLARSSL_MD_NONE )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1001 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1002 const md_info_t *md_info = md_info_from_type( md_alg );
1003 if( md_info == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1004 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1005
Paul Bakker1c3853b2013-09-10 11:43:44 +0200[diff] [blame]1006 if( oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1007 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1008
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1009 nb_pad -= 10 + oid_size;
1010
1011 hashlen = md_get_size( md_info );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1012 }
1013
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1014 nb_pad -= hashlen;
1015
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1016 if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
1017 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1018
1019 *p++ = 0;
1020 *p++ = RSA_SIGN;
1021 memset( p, 0xFF, nb_pad );
1022 p += nb_pad;
1023 *p++ = 0;
1024
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1025 if( md_alg == POLARSSL_MD_NONE )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1026 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1027 memcpy( p, hash, hashlen );
1028 }
1029 else
1030 {
1031 /*
1032 * DigestInfo ::= SEQUENCE {
1033 * digestAlgorithm DigestAlgorithmIdentifier,
1034 * digest Digest }
1035 *
1036 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1037 *
1038 * Digest ::= OCTET STRING
1039 */
1040 *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]1041 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1042 *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]1043 *p++ = (unsigned char) ( 0x04 + oid_size );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1044 *p++ = ASN1_OID;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]1045 *p++ = oid_size & 0xFF;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1046 memcpy( p, oid, oid_size );
1047 p += oid_size;
1048 *p++ = ASN1_NULL;
1049 *p++ = 0x00;
1050 *p++ = ASN1_OCTET_STRING;
1051 *p++ = hashlen;
1052 memcpy( p, hash, hashlen );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1053 }
1054
1055 return( ( mode == RSA_PUBLIC )
1056 ? rsa_public( ctx, sig, sig )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1057 : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1058}
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1059#endif /* POLARSSL_PKCS1_V15 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1060
1061/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1062 * Do an RSA operation to sign the message digest
1063 */
1064int rsa_pkcs1_sign( rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1065 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1066 void *p_rng,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1067 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1068 md_type_t md_alg,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1069 unsigned int hashlen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1070 const unsigned char *hash,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1071 unsigned char *sig )
1072{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1073 switch( ctx->padding )
1074 {
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1075#if defined(POLARSSL_PKCS1_V15)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1076 case RSA_PKCS_V15:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1077 return rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1078 hashlen, hash, sig );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1079#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1080
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1081#if defined(POLARSSL_PKCS1_V21)
1082 case RSA_PKCS_V21:
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1083 return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1084 hashlen, hash, sig );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1085#endif
1086
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1087 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1088 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1089 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1090}
1091
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1092#if defined(POLARSSL_PKCS1_V21)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1093/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1094 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1095 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1096int rsa_rsassa_pss_verify( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1097 int (*f_rng)(void *, unsigned char *, size_t),
1098 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1099 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1100 md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1101 unsigned int hashlen,
1102 const unsigned char *hash,
Manuel Pégourié-Gonnardcc0a9d02013-08-12 11:34:35 +0200[diff] [blame]1103 const unsigned char *sig )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1104{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1105 int ret;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1106 size_t siglen;
1107 unsigned char *p;
Paul Bakker0be82f22012-10-03 20:36:33 +0000[diff] [blame]1108 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
Paul Bakker1fe7d9b2011-11-15 15:26:03 +0000[diff] [blame]1109 unsigned char result[POLARSSL_MD_MAX_SIZE];
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1110 unsigned char zeros[8];
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1111 unsigned int hlen;
1112 size_t slen, msb;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1113 const md_info_t *md_info;
1114 md_context_t md_ctx;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1115
1116 if( ctx->padding != RSA_PKCS_V21 )
1117 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1118
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1119 siglen = ctx->len;
1120
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1121 if( siglen < 16 || siglen > sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1122 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1123
1124 ret = ( mode == RSA_PUBLIC )
1125 ? rsa_public( ctx, sig, buf )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1126 : rsa_private( ctx, f_rng, p_rng, sig, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1127
1128 if( ret != 0 )
1129 return( ret );
1130
1131 p = buf;
1132
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1133 if( buf[siglen - 1] != 0xBC )
1134 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1135
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1136 if( md_alg != POLARSSL_MD_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1137 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1138 // Gather length of hash to sign
1139 //
1140 md_info = md_info_from_type( md_alg );
1141 if( md_info == NULL )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1142 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1143
1144 hashlen = md_get_size( md_info );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1145 }
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1146
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1147 md_info = md_info_from_type( ctx->hash_id );
1148 if( md_info == NULL )
1149 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1150
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1151 hlen = md_get_size( md_info );
1152 slen = siglen - hlen - 1;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1153
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1154 memset( zeros, 0, 8 );
Paul Bakker53019ae2011-03-25 13:58:48 +0000[diff] [blame]1155
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1156 // Note: EMSA-PSS verification is over the length of N - 1 bits
1157 //
1158 msb = mpi_msb( &ctx->N ) - 1;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1159
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1160 // Compensate for boundary condition when applying mask
1161 //
1162 if( msb % 8 == 0 )
1163 {
1164 p++;
1165 siglen -= 1;
1166 }
1167 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
1168 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1169
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1170 md_init_ctx( &md_ctx, md_info );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1171
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1172 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
Paul Bakker02303e82013-01-03 11:08:31 +0100[diff] [blame]1173
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1174 buf[0] &= 0xFF >> ( siglen * 8 - msb );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1175
Paul Bakker4de44aa2013-12-31 11:43:01 +0100[diff] [blame]1176 while( p < buf + siglen && *p == 0 )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1177 p++;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1178
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1179 if( p == buf + siglen ||
1180 *p++ != 0x01 )
1181 {
1182 md_free_ctx( &md_ctx );
1183 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1184 }
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1185
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1186 slen -= p - buf;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1187
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1188 // Generate H = Hash( M' )
1189 //
1190 md_starts( &md_ctx );
1191 md_update( &md_ctx, zeros, 8 );
1192 md_update( &md_ctx, hash, hashlen );
1193 md_update( &md_ctx, p, slen );
1194 md_finish( &md_ctx, result );
Paul Bakker53019ae2011-03-25 13:58:48 +0000[diff] [blame]1195
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1196 md_free_ctx( &md_ctx );
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1197
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1198 if( memcmp( p + slen, result, hlen ) == 0 )
1199 return( 0 );
1200 else
1201 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1202}
1203#endif /* POLARSSL_PKCS1_V21 */
Paul Bakker40628ba2013-01-03 10:50:31 +0100[diff] [blame]1204
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1205#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1206/*
1207 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
1208 */
1209int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1210 int (*f_rng)(void *, unsigned char *, size_t),
1211 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1212 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1213 md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1214 unsigned int hashlen,
1215 const unsigned char *hash,
Manuel Pégourié-Gonnardcc0a9d02013-08-12 11:34:35 +0200[diff] [blame]1216 const unsigned char *sig )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1217{
1218 int ret;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1219 size_t len, siglen, asn1_len;
1220 unsigned char *p, *end;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1221 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1222 md_type_t msg_md_alg;
1223 const md_info_t *md_info;
1224 asn1_buf oid;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1225
1226 if( ctx->padding != RSA_PKCS_V15 )
1227 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1228
1229 siglen = ctx->len;
1230
1231 if( siglen < 16 || siglen > sizeof( buf ) )
1232 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1233
1234 ret = ( mode == RSA_PUBLIC )
1235 ? rsa_public( ctx, sig, buf )
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1236 : rsa_private( ctx, f_rng, p_rng, sig, buf );
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1237
1238 if( ret != 0 )
1239 return( ret );
1240
1241 p = buf;
1242
1243 if( *p++ != 0 || *p++ != RSA_SIGN )
1244 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1245
1246 while( *p != 0 )
1247 {
1248 if( p >= buf + siglen - 1 || *p != 0xFF )
1249 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1250 p++;
1251 }
1252 p++;
1253
1254 len = siglen - ( p - buf );
1255
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1256 if( len == hashlen && md_alg == POLARSSL_MD_NONE )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1257 {
1258 if( memcmp( p, hash, hashlen ) == 0 )
1259 return( 0 );
1260 else
1261 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1262 }
1263
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1264 md_info = md_info_from_type( md_alg );
1265 if( md_info == NULL )
1266 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
1267 hashlen = md_get_size( md_info );
1268
1269 end = p + len;
1270
1271 // Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
1272 //
1273 if( ( ret = asn1_get_tag( &p, end, &asn1_len,
1274 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1275 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1276
1277 if( asn1_len + 2 != len )
1278 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1279
1280 if( ( ret = asn1_get_tag( &p, end, &asn1_len,
1281 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1282 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1283
1284 if( asn1_len + 6 + hashlen != len )
1285 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1286
1287 if( ( ret = asn1_get_tag( &p, end, &oid.len, ASN1_OID ) ) != 0 )
1288 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1289
1290 oid.p = p;
1291 p += oid.len;
1292
1293 if( oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
1294 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1295
1296 if( md_alg != msg_md_alg )
1297 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1298
1299 /*
1300 * assume the algorithm parameters must be NULL
1301 */
1302 if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_NULL ) ) != 0 )
1303 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1304
1305 if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_OCTET_STRING ) ) != 0 )
1306 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1307
1308 if( asn1_len != hashlen )
1309 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1310
1311 if( memcmp( p, hash, hashlen ) != 0 )
1312 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1313
1314 p += hashlen;
1315
1316 if( p != end )
1317 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
1318
1319 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1320}
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1321#endif /* POLARSSL_PKCS1_V15 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1322
1323/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1324 * Do an RSA operation and check the message digest
1325 */
1326int rsa_pkcs1_verify( rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1327 int (*f_rng)(void *, unsigned char *, size_t),
1328 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1329 int mode,
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1330 md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1331 unsigned int hashlen,
1332 const unsigned char *hash,
Manuel Pégourié-Gonnardcc0a9d02013-08-12 11:34:35 +0200[diff] [blame]1333 const unsigned char *sig )
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1334{
1335 switch( ctx->padding )
1336 {
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1337#if defined(POLARSSL_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1338 case RSA_PKCS_V15:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1339 return rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1340 hashlen, hash, sig );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1341#endif
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1342
1343#if defined(POLARSSL_PKCS1_V21)
1344 case RSA_PKCS_V21:
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1345 return rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1346 hashlen, hash, sig );
1347#endif
1348
1349 default:
1350 return( POLARSSL_ERR_RSA_INVALID_PADDING );
1351 }
1352}
1353
1354/*
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]1355 * Copy the components of an RSA key
1356 */
1357int rsa_copy( rsa_context *dst, const rsa_context *src )
1358{
1359 int ret;
1360
1361 dst->ver = src->ver;
1362 dst->len = src->len;
1363
1364 MPI_CHK( mpi_copy( &dst->N, &src->N ) );
1365 MPI_CHK( mpi_copy( &dst->E, &src->E ) );
1366
1367 MPI_CHK( mpi_copy( &dst->D, &src->D ) );
1368 MPI_CHK( mpi_copy( &dst->P, &src->P ) );
1369 MPI_CHK( mpi_copy( &dst->Q, &src->Q ) );
1370 MPI_CHK( mpi_copy( &dst->DP, &src->DP ) );
1371 MPI_CHK( mpi_copy( &dst->DQ, &src->DQ ) );
1372 MPI_CHK( mpi_copy( &dst->QP, &src->QP ) );
1373
1374 MPI_CHK( mpi_copy( &dst->RN, &src->RN ) );
1375 MPI_CHK( mpi_copy( &dst->RP, &src->RP ) );
1376 MPI_CHK( mpi_copy( &dst->RQ, &src->RQ ) );
1377
Manuel Pégourié-Gonnard971f8b82013-10-04 14:10:43 +0200[diff] [blame]1378#if !defined(POLARSSL_RSA_NO_CRT)
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]1379 MPI_CHK( mpi_copy( &dst->Vi, &src->Vi ) );
1380 MPI_CHK( mpi_copy( &dst->Vf, &src->Vf ) );
Manuel Pégourié-Gonnard971f8b82013-10-04 14:10:43 +0200[diff] [blame]1381#endif
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]1382
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]1383 dst->padding = src->padding;
Manuel Pégourié-Gonnardfdddac92014-03-25 15:58:35 +0100[diff] [blame]1384 dst->hash_id = src->hash_id;
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]1385
1386cleanup:
1387 if( ret != 0 )
1388 rsa_free( dst );
1389
1390 return( ret );
1391}
1392
1393/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1394 * Free the components of an RSA key
1395 */
1396void rsa_free( rsa_context *ctx )
1397{
Manuel Pégourié-Gonnard971f8b82013-10-04 14:10:43 +0200[diff] [blame]1398#if !defined(POLARSSL_RSA_NO_CRT)
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]1399 mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );
Manuel Pégourié-Gonnard971f8b82013-10-04 14:10:43 +0200[diff] [blame]1400#endif
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1401 mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
1402 mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
1403 mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );
1404 mpi_free( &ctx->E ); mpi_free( &ctx->N );
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200[diff] [blame]1405
1406#if defined(POLARSSL_THREADING_C)
1407 polarssl_mutex_free( &ctx->mutex );
1408#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1409}
1410
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1411#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1412
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1413#include "polarssl/sha1.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1414
1415/*
1416 * Example RSA-1024 keypair, for test purposes
1417 */
1418#define KEY_LEN 128
1419
1420#define RSA_N "9292758453063D803DD603D5E777D788" \
1421 "8ED1D5BF35786190FA2F23EBC0848AEA" \
1422 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
1423 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
1424 "93A89813FBF3C4F8066D2D800F7C38A8" \
1425 "1AE31942917403FF4946B0A83D3D3E05" \
1426 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
1427 "5E94BB77B07507233A0BC7BAC8F90F79"
1428
1429#define RSA_E "10001"
1430
1431#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
1432 "66CA472BC44D253102F8B4A9D3BFA750" \
1433 "91386C0077937FE33FA3252D28855837" \
1434 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
1435 "DF79C5CE07EE72C7F123142198164234" \
1436 "CABB724CF78B8173B9F880FC86322407" \
1437 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
1438 "071513A1E85B5DFA031F21ECAE91A34D"
1439
1440#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
1441 "2C01CAD19EA484A87EA4377637E75500" \
1442 "FCB2005C5C7DD6EC4AC023CDA285D796" \
1443 "C3D9E75E1EFC42488BB4F1D13AC30A57"
1444
1445#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
1446 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
1447 "910E4168387E3C30AA1E00C339A79508" \
1448 "8452DD96A9A5EA5D9DCA68DA636032AF"
1449
1450#define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
1451 "3C94D22288ACD763FD8E5600ED4A702D" \
1452 "F84198A5F06C2E72236AE490C93F07F8" \
1453 "3CC559CD27BC2D1CA488811730BB5725"
1454
1455#define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
1456 "D8AAEA56749EA28623272E4F7D0592AF" \
1457 "7C1F1313CAC9471B5C523BFE592F517B" \
1458 "407A1BD76C164B93DA2D32A383E58357"
1459
1460#define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
1461 "F38D18D2B2F0E2DD275AA977E2BF4411" \
1462 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
1463 "A74206CEC169D74BF5A8C50D6F48EA08"
1464
1465#define PT_LEN 24
1466#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
1467 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
1468
Paul Bakkerfef3c5a2013-12-11 13:36:30 +0100[diff] [blame]1469#if defined(POLARSSL_PKCS1_V15)
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1470static int myrand( void *rng_state, unsigned char *output, size_t len )
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]1471{
Paul Bakkerf96f7b62014-04-30 16:02:38 +0200[diff] [blame^]1472#if !defined(__OpenBSD__)
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1473 size_t i;
1474
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]1475 if( rng_state != NULL )
1476 rng_state = NULL;
1477
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1478 for( i = 0; i < len; ++i )
1479 output[i] = rand();
Paul Bakkerf96f7b62014-04-30 16:02:38 +0200[diff] [blame^]1480#else
1481 if( rng_state != NULL )
1482 rng_state = NULL;
1483
1484 arc4random_buf( output, len );
1485#endif /* !OpenBSD */
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1486
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1487 return( 0 );
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]1488}
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1489#endif
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]1490
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1491/*
1492 * Checkup routine
1493 */
1494int rsa_self_test( int verbose )
1495{
Paul Bakker3d8fb632014-04-17 12:42:41 +0200[diff] [blame]1496 int ret = 0;
Paul Bakkerfef3c5a2013-12-11 13:36:30 +0100[diff] [blame]1497#if defined(POLARSSL_PKCS1_V15)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1498 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1499 rsa_context rsa;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1500 unsigned char rsa_plaintext[PT_LEN];
1501 unsigned char rsa_decrypted[PT_LEN];
1502 unsigned char rsa_ciphertext[KEY_LEN];
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]1503#if defined(POLARSSL_SHA1_C)
1504 unsigned char sha1sum[20];
1505#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1506
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]1507 rsa_init( &rsa, RSA_PKCS_V15, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1508
1509 rsa.len = KEY_LEN;
Paul Bakker3d8fb632014-04-17 12:42:41 +0200[diff] [blame]1510 MPI_CHK( mpi_read_string( &rsa.N , 16, RSA_N ) );
1511 MPI_CHK( mpi_read_string( &rsa.E , 16, RSA_E ) );
1512 MPI_CHK( mpi_read_string( &rsa.D , 16, RSA_D ) );
1513 MPI_CHK( mpi_read_string( &rsa.P , 16, RSA_P ) );
1514 MPI_CHK( mpi_read_string( &rsa.Q , 16, RSA_Q ) );
1515 MPI_CHK( mpi_read_string( &rsa.DP, 16, RSA_DP ) );
1516 MPI_CHK( mpi_read_string( &rsa.DQ, 16, RSA_DQ ) );
1517 MPI_CHK( mpi_read_string( &rsa.QP, 16, RSA_QP ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1518
1519 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1520 polarssl_printf( " RSA key validation: " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1521
1522 if( rsa_check_pubkey( &rsa ) != 0 ||
1523 rsa_check_privkey( &rsa ) != 0 )
1524 {
1525 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1526 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1527
1528 return( 1 );
1529 }
1530
1531 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1532 polarssl_printf( "passed\n PKCS#1 encryption : " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1533
1534 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
1535
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1536 if( rsa_pkcs1_encrypt( &rsa, myrand, NULL, RSA_PUBLIC, PT_LEN,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1537 rsa_plaintext, rsa_ciphertext ) != 0 )
1538 {
1539 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1540 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1541
1542 return( 1 );
1543 }
1544
1545 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1546 polarssl_printf( "passed\n PKCS#1 decryption : " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1547
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1548 if( rsa_pkcs1_decrypt( &rsa, myrand, NULL, RSA_PRIVATE, &len,
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]1549 rsa_ciphertext, rsa_decrypted,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1550 sizeof(rsa_decrypted) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1551 {
1552 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1553 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1554
1555 return( 1 );
1556 }
1557
1558 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
1559 {
1560 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1561 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1562
1563 return( 1 );
1564 }
1565
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]1566#if defined(POLARSSL_SHA1_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1567 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1568 polarssl_printf( "passed\n PKCS#1 data sign : " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1569
1570 sha1( rsa_plaintext, PT_LEN, sha1sum );
1571
Paul Bakkeraab30c12013-08-30 11:00:25 +0200[diff] [blame]1572 if( rsa_pkcs1_sign( &rsa, myrand, NULL, RSA_PRIVATE, POLARSSL_MD_SHA1, 0,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1573 sha1sum, rsa_ciphertext ) != 0 )
1574 {
1575 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1576 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1577
1578 return( 1 );
1579 }
1580
1581 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1582 polarssl_printf( "passed\n PKCS#1 sig. verify: " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1583
Paul Bakker548957d2013-08-30 10:30:02 +0200[diff] [blame]1584 if( rsa_pkcs1_verify( &rsa, NULL, NULL, RSA_PUBLIC, POLARSSL_MD_SHA1, 0,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1585 sha1sum, rsa_ciphertext ) != 0 )
1586 {
1587 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1588 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1589
1590 return( 1 );
1591 }
1592
1593 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1594 polarssl_printf( "passed\n\n" );
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]1595#endif /* POLARSSL_SHA1_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1596
Paul Bakker3d8fb632014-04-17 12:42:41 +0200[diff] [blame]1597cleanup:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1598 rsa_free( &rsa );
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1599#else /* POLARSSL_PKCS1_V15 */
Paul Bakker3e41fe82013-09-15 17:42:50 +0200[diff] [blame]1600 ((void) verbose);
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1601#endif /* POLARSSL_PKCS1_V15 */
Paul Bakker3d8fb632014-04-17 12:42:41 +0200[diff] [blame]1602 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1603}
1604
1605#endif
1606
1607#endif