Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * The RSA public-key cryptosystem
3 *
Paul Bakker77b385e2009-07-28 17:23:11 +00004 * Copyright (C) 2006-2009, Paul Bakker <polarssl_maintainer at polarssl.org>
5 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +00006 *
Paul Bakker77b385e2009-07-28 17:23:11 +00007 * Joined copyright on original XySSL code with: Christophe Devine
Paul Bakker5121ce52009-01-03 21:22:43 +00008 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23/*
24 * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
25 *
26 * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
27 * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
28 */
29
Paul Bakker40e46942009-01-03 21:51:57 +000030#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000031
Paul Bakker40e46942009-01-03 21:51:57 +000032#if defined(POLARSSL_RSA_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000033
Paul Bakker40e46942009-01-03 21:51:57 +000034#include "polarssl/rsa.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000035
36#include <stdlib.h>
37#include <string.h>
38#include <stdio.h>
39
/*
 * Initialize an RSA context
 *
 * Zeroes the whole context, then records the padding mode, the hash
 * identifier and the RNG callback with its opaque argument. All key
 * components (N, E, D, P, Q, DP, DQ, QP and the helper values) are left
 * zeroed until a key is loaded or generated. f_rng may be NULL; functions
 * that need randomness (rsa_gen_key()) check for that themselves.
 */
void rsa_init( rsa_context *ctx,
               int padding,
               int hash_id,
               int (*f_rng)(void *),
               void *p_rng )
{
    memset( ctx, 0, sizeof *ctx );

    ctx->f_rng   = f_rng;
    ctx->p_rng   = p_rng;
    ctx->padding = padding;
    ctx->hash_id = hash_id;
}
57
Paul Bakker40e46942009-01-03 21:51:57 +000058#if defined(POLARSSL_GENPRIME)
Paul Bakker5121ce52009-01-03 21:22:43 +000059
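/*
 * Generate an RSA keypair
 *
 * Fills ctx->N, E, D, P, Q, DP, DQ, QP and ctx->len from a fresh pair of
 * primes drawn with ctx->f_rng. nbits is the requested modulus size in
 * bits, exponent the public exponent E.
 *
 * Returns 0 on success, POLARSSL_ERR_RSA_BAD_INPUT_DATA when no RNG was
 * registered or the parameters are unusable, and
 * POLARSSL_ERR_RSA_KEY_GEN_FAILED or'ed with the bignum error code when a
 * bignum step failed. On failure the context is released with rsa_free().
 */
int rsa_gen_key( rsa_context *ctx, int nbits, int exponent )
{
    int ret;
    mpi P1, Q1, H, G;

    /*
     * P - 1 and Q - 1 are both even, so an even exponent can never satisfy
     * GCD( E, (P-1)*(Q-1) ) == 1 and the search loop below would never
     * terminate: reject it up front together with the other bad inputs.
     */
    if( ctx->f_rng == NULL || nbits < 128 || exponent < 3 ||
        ( exponent & 1 ) == 0 )
        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );

    mpi_init( &P1, &Q1, &H, &G, NULL );

    /*
     * find primes P and Q with Q < P so that:
     * GCD( E, (P-1)*(Q-1) ) == 1
     */
    MPI_CHK( mpi_lset( &ctx->E, exponent ) );

    do
    {
        MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
                                ctx->f_rng, ctx->p_rng ) );

        MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
                                ctx->f_rng, ctx->p_rng ) );

        if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
            mpi_swap( &ctx->P, &ctx->Q );

        /*
         * Identical primes: draw again. `continue` re-evaluates the loop
         * condition on G as left by the previous round (or as freshly
         * initialised, presumably not 1), so the search simply repeats.
         */
        if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
            continue;

        /* the modulus must have exactly the requested size */
        MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
        if( mpi_msb( &ctx->N ) != nbits )
            continue;

        MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
        MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
        MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
        MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
    }
    while( mpi_cmp_int( &G, 1 ) != 0 );

    /*
     * D  = E^-1 mod ((P-1)*(Q-1))
     * DP = D mod (P - 1)
     * DQ = D mod (Q - 1)
     * QP = Q^-1 mod P
     */
    MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H  ) );
    MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
    MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
    MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );

    /* modulus size in bytes, rounded up */
    ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;

cleanup:

    mpi_free( &G, &H, &Q1, &P1, NULL );

    if( ret != 0 )
    {
        rsa_free( ctx );
        return( POLARSSL_ERR_RSA_KEY_GEN_FAILED | ret );
    }

    return( 0 );
}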
129
130#endif
131
/*
 * Check a public RSA key
 *
 * Sanity checks only: N and E must be present, both must be odd, N must
 * be between 128 and 4096 bits and E between 2 and 64 bits. Returns 0 if
 * all of these hold, POLARSSL_ERR_RSA_KEY_CHECK_FAILED otherwise. This
 * does not prove the key is valid, only that it is not obviously broken.
 */
int rsa_check_pubkey( const rsa_context *ctx )
{
    int n_bits, e_bits;

    if( ctx->N.p == NULL || ctx->E.p == NULL )
        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );

    /*
     * A modulus is a product of odd primes and E has to be coprime to the
     * even number (P-1)*(Q-1), so both must be odd.
     */
    if( ( ctx->N.p[0] & 1 ) == 0 || ( ctx->E.p[0] & 1 ) == 0 )
        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );

    n_bits = mpi_msb( &ctx->N );
    e_bits = mpi_msb( &ctx->E );

    if( n_bits < 128 || n_bits > 4096 )
        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );

    if( e_bits < 2 || e_bits > 64 )
        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );

    return( 0 );
}
154
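/*
 * Check a private RSA key
 *
 * Runs rsa_check_pubkey() and then verifies that the private components
 * are present and mutually consistent:
 *
 *   N == P * Q
 *   D * E == 1 mod (P-1)*(Q-1)
 *   GCD( E, (P-1)*(Q-1) ) == 1
 *   DP == D mod (P-1),  DQ == D mod (Q-1),  Q * QP == 1 mod P
 *
 * The last line covers the CRT parameters exactly as rsa_gen_key()
 * derives them. rsa_private() computes with DP, DQ and QP rather than
 * with D, so a key whose CRT parameters are missing or inconsistent would
 * pass a check on D alone and still produce wrong results.
 *
 * Returns 0 if the key is consistent, POLARSSL_ERR_RSA_KEY_CHECK_FAILED
 * (or'ed with a bignum error code when an arithmetic step failed)
 * otherwise.
 */
int rsa_check_privkey( const rsa_context *ctx )
{
    int ret;
    mpi PQ, DE, P1, Q1, H, I, G, DmodP1, DmodQ1, QQP, QQPmodP;

    if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
        return( ret );

    if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );

    /* rsa_private() runs on the CRT form, so these must be set as well */
    if( !ctx->DP.p || !ctx->DQ.p || !ctx->QP.p )
        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );

    mpi_init( &PQ, &DE, &P1, &Q1, &H, &I, &G,
              &DmodP1, &DmodQ1, &QQP, &QQPmodP, NULL );

    MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
    MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
    MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
    MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
    MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
    MPI_CHK( mpi_mod_mpi( &I, &DE, &H ) );
    MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );

    /* recompute the CRT parameters and compare with the stored ones */
    MPI_CHK( mpi_mod_mpi( &DmodP1, &ctx->D, &P1 ) );
    MPI_CHK( mpi_mod_mpi( &DmodQ1, &ctx->D, &Q1 ) );
    MPI_CHK( mpi_mul_mpi( &QQP, &ctx->Q, &ctx->QP ) );
    MPI_CHK( mpi_mod_mpi( &QQPmodP, &QQP, &ctx->P ) );

    if( mpi_cmp_mpi( &PQ, &ctx->N ) == 0 &&
        mpi_cmp_int( &I, 1 ) == 0 &&
        mpi_cmp_int( &G, 1 ) == 0 &&
        mpi_cmp_mpi( &DmodP1, &ctx->DP ) == 0 &&
        mpi_cmp_mpi( &DmodQ1, &ctx->DQ ) == 0 &&
        mpi_cmp_int( &QQPmodP, 1 ) == 0 )
    {
        mpi_free( &QQPmodP, &QQP, &DmodQ1, &DmodP1,
                  &G, &I, &H, &Q1, &P1, &DE, &PQ, NULL );
        return( 0 );
    }

cleanup:

    mpi_free( &QQPmodP, &QQP, &DmodQ1, &DmodP1,
              &G, &I, &H, &Q1, &P1, &DE, &PQ, NULL );
    return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED | ret );
}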
192
/*
 * Do an RSA public key operation
 *
 * output = input ^ E mod N, where input and output are big-endian
 * integers of exactly ctx->len bytes; they may be the same buffer (the
 * PKCS#1 wrappers in this file call it that way). input must be smaller
 * than N. ctx->RN is a helper value handed to mpi_exp_mod().
 *
 * Returns 0, POLARSSL_ERR_RSA_BAD_INPUT_DATA when input >= N, or
 * POLARSSL_ERR_RSA_PUBLIC_FAILED or'ed with the bignum error code when a
 * bignum step failed.
 */
int rsa_public( rsa_context *ctx,
                const unsigned char *input,
                unsigned char *output )
{
    int ret, err;
    mpi T;

    err = 0;
    mpi_init( &T, NULL );

    MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );

    /* values outside [0, N) are not valid operands */
    if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
    {
        err = POLARSSL_ERR_RSA_BAD_INPUT_DATA;
        goto cleanup;
    }

    MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
    MPI_CHK( mpi_write_binary( &T, output, ctx->len ) );

cleanup:

    mpi_free( &T, NULL );

    if( err != 0 )
        return( err );

    return( ret != 0 ? ( POLARSSL_ERR_RSA_PUBLIC_FAILED | ret ) : 0 );
}
226
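/*
 * Do an RSA private key operation
 *
 * output = input ^ D mod N, computed with the CRT from DP, DQ and QP
 * (rsa_check_privkey() verifies those are consistent with D). input and
 * output are big-endian integers of exactly ctx->len bytes and may be the
 * same buffer; input must be smaller than N. ctx->RP and ctx->RQ are
 * helper values handed to mpi_exp_mod().
 *
 * NOTE: the exponentiations run directly on the caller's value, without
 * blinding, so their running time depends on the secret exponents and on
 * the input. Callers that serve untrusted peers should take that into
 * account.
 *
 * Returns 0, POLARSSL_ERR_RSA_BAD_INPUT_DATA when input >= N, or
 * POLARSSL_ERR_RSA_PRIVATE_FAILED or'ed with the bignum error code when a
 * bignum step failed.
 */
int rsa_private( rsa_context *ctx,
                 const unsigned char *input,
                 unsigned char *output )
{
    int ret;
    mpi T, T1, T2;

    mpi_init( &T, &T1, &T2, NULL );

    MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );

    /* values outside [0, N) are not valid operands; release everything
     * that was initialised, not just T */
    if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
    {
        mpi_free( &T, &T1, &T2, NULL );
        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
    }

    /*
     * faster decryption using the CRT (the plain T ^ D mod N form is not
     * used at all)
     *
     * T1 = input ^ dP mod P
     * T2 = input ^ dQ mod Q
     */
    MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
    MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );

    /*
     * T = (T1 - T2) * (Q^-1 mod P) mod P
     */
    MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
    MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
    MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );

    /*
     * output = T2 + T * Q
     */
    MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
    MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );

    MPI_CHK( mpi_write_binary( &T, output, ctx->len ) );

cleanup:

    mpi_free( &T, &T1, &T2, NULL );

    if( ret != 0 )
        return( POLARSSL_ERR_RSA_PRIVATE_FAILED | ret );

    return( 0 );
}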
285
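/*
 * Add the message padding, then do an RSA operation
 *
 * Builds the PKCS#1 v1.5 block 0x00 || 0x02 || PS || 0x00 || M in output
 * (ctx->len bytes), where PS is at least 8 non-zero random bytes, then
 * applies the public (mode == RSA_PUBLIC) or private operation in place.
 * ilen must not exceed ctx->len - 11.
 *
 * The padding bytes come from the RNG registered with rsa_init() when
 * there is one. rand() is used only as a fallback for contexts that have
 * no RNG (as rsa_self_test() does); it is not a cryptographic generator,
 * so callers that encrypt real data must always supply f_rng.
 *
 * Returns 0, POLARSSL_ERR_RSA_BAD_INPUT_DATA for a negative or oversized
 * ilen, POLARSSL_ERR_RSA_INVALID_PADDING for an unsupported padding mode,
 * or the rsa_public()/rsa_private() error.
 */
int rsa_pkcs1_encrypt( rsa_context *ctx,
                       int mode, int ilen,
                       const unsigned char *input,
                       unsigned char *output )
{
    int nb_pad, olen;
    unsigned char *p = output;

    olen = ctx->len;

    switch( ctx->padding )
    {
        case RSA_PKCS_V15:

            /* written as olen - 11 so that ilen + 11 cannot overflow */
            if( ilen < 0 || ilen > olen - 11 )
                return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );

            /* 3 = leading 0x00, block type and separator; >= 8 by the
             * check above */
            nb_pad = olen - 3 - ilen;

            *p++ = 0;
            *p++ = RSA_CRYPT;

            while( nb_pad-- > 0 )
            {
                /* PS must not contain 0x00, it delimits the message */
                do {
                    *p = (unsigned char) ( ctx->f_rng != NULL
                                           ? ctx->f_rng( ctx->p_rng )
                                           : rand() );
                } while( *p == 0 );
                p++;
            }
            *p++ = 0;
            memcpy( p, input, ilen );
            break;

        default:

            return( POLARSSL_ERR_RSA_INVALID_PADDING );
    }

    return( ( mode == RSA_PUBLIC )
            ? rsa_public( ctx, output, output )
            : rsa_private( ctx, output, output ) );
}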
331
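/*
 * Do an RSA operation, then remove the message padding
 *
 * Applies the private (mode == RSA_PRIVATE) or public operation to the
 * ctx->len byte input, checks the PKCS#1 v1.5 block
 * 0x00 || 0x02 || PS || 0x00 || M (PS at least 8 non-zero bytes, the 0x00
 * separator inside the block) and copies M to output. *olen receives the
 * message length; output must hold output_max_len bytes.
 *
 * NOTE: the unpadding bails out at the first mismatch, so both the error
 * code and the time taken reveal where a malformed block failed. A caller
 * that lets a remote party observe either (distinct errors, timing)
 * exposes a padding oracle; such callers must treat every failure of this
 * function identically.
 *
 * Returns 0, POLARSSL_ERR_RSA_BAD_INPUT_DATA when ctx->len is outside
 * [16, sizeof buf], the rsa_public()/rsa_private() error,
 * POLARSSL_ERR_RSA_INVALID_PADDING for a malformed block or unsupported
 * padding mode, or POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE when M does not fit.
 */
int rsa_pkcs1_decrypt( rsa_context *ctx,
                       int mode, int *olen,
                       const unsigned char *input,
                       unsigned char *output,
                       int output_max_len)
{
    int ret, ilen, pad_count;
    unsigned char *p;
    unsigned char buf[1024];

    ilen = ctx->len;

    if( ilen < 16 || ilen > (int) sizeof( buf ) )
        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );

    ret = ( mode == RSA_PUBLIC )
          ? rsa_public( ctx, input, buf )
          : rsa_private( ctx, input, buf );

    if( ret != 0 )
        return( ret );

    p = buf;
    ret = POLARSSL_ERR_RSA_INVALID_PADDING;

    switch( ctx->padding )
    {
        case RSA_PKCS_V15:

            if( *p++ != 0 || *p++ != RSA_CRYPT )
                goto cleanup;

            /* walk PS up to the 0x00 separator, which must lie inside
             * the block; count its length on the way */
            pad_count = 0;
            while( *p != 0 )
            {
                if( p >= buf + ilen - 1 )
                    goto cleanup;
                p++;
                pad_count++;
            }
            p++;

            /* PKCS#1 v1.5 requires at least 8 padding bytes (matches the
             * ctx->len - 11 limit in rsa_pkcs1_encrypt()) */
            if( pad_count < 8 )
                goto cleanup;
            break;

        default:

            goto cleanup;
    }

    if( ilen - (int)( p - buf ) > output_max_len )
    {
        ret = POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE;
        goto cleanup;
    }

    *olen = ilen - (int)( p - buf );
    memcpy( output, p, *olen );
    ret = 0;

cleanup:

    /*
     * buf held the decrypted block (padding and message); wipe it before
     * the frame is released. Going through a volatile pointer is the
     * usual way to keep the compiler from dropping the stores as dead.
     */
    {
        volatile unsigned char *v = buf;
        int i;

        for( i = 0; i < (int) sizeof( buf ); i++ )
            v[i] = 0;
    }

    return( ret );
}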
388
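/*
 * Do an RSA operation to sign the message digest
 *
 * Builds the PKCS#1 v1.5 signature block 0x00 || 0x01 || PS || 0x00 || T
 * in sig (ctx->len bytes), where PS is at least 8 bytes of 0xFF and T is
 * the DigestInfo for hash_id wrapped around hash (or hash itself for
 * SIG_RSA_RAW), then applies the private (mode == RSA_PRIVATE) or public
 * operation in place.
 *
 * hashlen is only used for SIG_RSA_RAW; for every other hash_id the
 * digest length is implied by the algorithm (16 for MD2/MD4/MD5, 20 for
 * SHA-1, 28/32/48/64 for SHA-224/256/384/512) and hash must hold at
 * least that many bytes.
 *
 * Returns 0, POLARSSL_ERR_RSA_BAD_INPUT_DATA for an unknown hash_id, a
 * negative hashlen or a key too short to hold the block,
 * POLARSSL_ERR_RSA_INVALID_PADDING for an unsupported padding mode, or
 * the rsa_public()/rsa_private() error.
 */
int rsa_pkcs1_sign( rsa_context *ctx,
                    int mode,
                    int hash_id,
                    int hashlen,
                    const unsigned char *hash,
                    unsigned char *sig )
{
    int nb_pad, olen;
    unsigned char *p = sig;

    olen = ctx->len;

    switch( ctx->padding )
    {
        case RSA_PKCS_V15:

            /* 3 = leading 0x00, block type and separator; the constant
             * subtracted next is the size of T for that algorithm */
            switch( hash_id )
            {
                case SIG_RSA_RAW:
                    /* a negative length would make nb_pad exceed olen and
                     * the memset()/memcpy() below run past sig */
                    if( hashlen < 0 )
                        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
                    nb_pad = olen - 3 - hashlen;
                    break;

                case SIG_RSA_MD2:
                case SIG_RSA_MD4:
                case SIG_RSA_MD5:
                    nb_pad = olen - 3 - 34;     /* 18 byte prefix + 16 */
                    break;

                case SIG_RSA_SHA1:
                    nb_pad = olen - 3 - 35;     /* 15 byte prefix + 20 */
                    break;

                case SIG_RSA_SHA224:
                    nb_pad = olen - 3 - 47;     /* 19 byte prefix + 28 */
                    break;

                case SIG_RSA_SHA256:
                    nb_pad = olen - 3 - 51;     /* 19 byte prefix + 32 */
                    break;

                case SIG_RSA_SHA384:
                    nb_pad = olen - 3 - 67;     /* 19 byte prefix + 48 */
                    break;

                case SIG_RSA_SHA512:
                    nb_pad = olen - 3 - 83;     /* 19 byte prefix + 64 */
                    break;

                default:
                    return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
            }

            /* PKCS#1 v1.5 requires at least 8 padding bytes */
            if( nb_pad < 8 )
                return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );

            *p++ = 0;
            *p++ = RSA_SIGN;
            memset( p, 0xFF, nb_pad );
            p += nb_pad;
            *p++ = 0;
            break;

        default:

            return( POLARSSL_ERR_RSA_INVALID_PADDING );
    }

    /*
     * T: a fixed template per hash family, patched with the algorithm
     * number and digest length where the family shares one template.
     * rsa_pkcs1_verify() undoes exactly these patches.
     */
    switch( hash_id )
    {
        case SIG_RSA_RAW:
            memcpy( p, hash, hashlen );
            break;

        /* MD2/MD4/MD5 share ASN1_HASH_MDX; byte 13 selects the algorithm */
        case SIG_RSA_MD2:
            memcpy( p, ASN1_HASH_MDX, 18 );
            memcpy( p + 18, hash, 16 );
            p[13] = 2; break;

        case SIG_RSA_MD4:
            memcpy( p, ASN1_HASH_MDX, 18 );
            memcpy( p + 18, hash, 16 );
            p[13] = 4; break;

        case SIG_RSA_MD5:
            memcpy( p, ASN1_HASH_MDX, 18 );
            memcpy( p + 18, hash, 16 );
            p[13] = 5; break;

        case SIG_RSA_SHA1:
            memcpy( p, ASN1_HASH_SHA1, 15 );
            memcpy( p + 15, hash, 20 );
            break;

        /* SHA-2 shares ASN1_HASH_SHA2X; byte 14 selects the algorithm and
         * the two bytes that grow with the digest (p[1], p[18]) are
         * increased by its length */
        case SIG_RSA_SHA224:
            memcpy( p, ASN1_HASH_SHA2X, 19 );
            memcpy( p + 19, hash, 28 );
            p[1] += 28; p[14] = 4; p[18] += 28; break;

        case SIG_RSA_SHA256:
            memcpy( p, ASN1_HASH_SHA2X, 19 );
            memcpy( p + 19, hash, 32 );
            p[1] += 32; p[14] = 1; p[18] += 32; break;

        case SIG_RSA_SHA384:
            memcpy( p, ASN1_HASH_SHA2X, 19 );
            memcpy( p + 19, hash, 48 );
            p[1] += 48; p[14] = 2; p[18] += 48; break;

        case SIG_RSA_SHA512:
            memcpy( p, ASN1_HASH_SHA2X, 19 );
            memcpy( p + 19, hash, 64 );
            p[1] += 64; p[14] = 3; p[18] += 64; break;

        default:
            return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
    }

    return( ( mode == RSA_PUBLIC )
            ? rsa_public( ctx, sig, sig )
            : rsa_private( ctx, sig, sig ) );
}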
514
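/*
 * Do an RSA operation and check the message digest
 *
 * Applies the public (mode == RSA_PUBLIC) or private operation to sig,
 * checks the PKCS#1 v1.5 block 0x00 || 0x01 || 0xFF..0xFF || 0x00 || T
 * and compares T with the DigestInfo rsa_pkcs1_sign() produces for
 * hash_id around hash. The encoding has to fill the block exactly: T's
 * length is derived from the position of the 0x00 separator and must
 * equal the size expected for hash_id.
 *
 * hashlen is only used for SIG_RSA_RAW; for every other hash_id the
 * digest length is implied by the algorithm and hash must hold that many
 * bytes. sig is only read, but rsa_public()/rsa_private() take a
 * non-const buffer.
 *
 * Returns 0 on a valid signature, POLARSSL_ERR_RSA_VERIFY_FAILED when the
 * block is well formed but the DigestInfo or digest does not match,
 * POLARSSL_ERR_RSA_INVALID_PADDING when the block is malformed or does
 * not correspond to hash_id, POLARSSL_ERR_RSA_BAD_INPUT_DATA when
 * ctx->len is outside [16, sizeof buf], or the rsa_public()/rsa_private()
 * error.
 */
int rsa_pkcs1_verify( rsa_context *ctx,
                      int mode,
                      int hash_id,
                      int hashlen,
                      const unsigned char *hash,
                      unsigned char *sig )
{
    int ret, len, siglen, hlen, alg;
    unsigned char *p, c;
    unsigned char buf[1024];

    siglen = ctx->len;

    if( siglen < 16 || siglen > (int) sizeof( buf ) )
        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );

    ret = ( mode == RSA_PUBLIC )
          ? rsa_public( ctx, sig, buf )
          : rsa_private( ctx, sig, buf );

    if( ret != 0 )
        return( ret );

    p = buf;

    switch( ctx->padding )
    {
        case RSA_PKCS_V15:

            if( *p++ != 0 || *p++ != RSA_SIGN )
                return( POLARSSL_ERR_RSA_INVALID_PADDING );

            /* padding string: 0xFF bytes up to the 0x00 separator, which
             * must lie inside the block */
            while( *p != 0 )
            {
                if( p >= buf + siglen - 1 || *p != 0xFF )
                    return( POLARSSL_ERR_RSA_INVALID_PADDING );
                p++;
            }
            p++;
            break;

        default:

            return( POLARSSL_ERR_RSA_INVALID_PADDING );
    }

    /* remaining bytes: the DigestInfo (or the raw digest for SIG_RSA_RAW) */
    len = siglen - (int)( p - buf );

    /*
     * MD2/MD4/MD5 share the ASN1_HASH_MDX template; byte 13 holds the
     * algorithm number that rsa_pkcs1_sign() stored there.
     */
    if( len == 34 )
    {
        c = p[13];
        p[13] = 0;

        if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 )
            return( POLARSSL_ERR_RSA_VERIFY_FAILED );

        if( ( c == 2 && hash_id == SIG_RSA_MD2 ) ||
            ( c == 4 && hash_id == SIG_RSA_MD4 ) ||
            ( c == 5 && hash_id == SIG_RSA_MD5 ) )
        {
            if( memcmp( p + 18, hash, 16 ) == 0 )
                return( 0 );
            else
                return( POLARSSL_ERR_RSA_VERIFY_FAILED );
        }
    }

    if( len == 35 && hash_id == SIG_RSA_SHA1 )
    {
        if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 &&
            memcmp( p + 15, hash, 20 ) == 0 )
            return( 0 );
        else
            return( POLARSSL_ERR_RSA_VERIFY_FAILED );
    }

    /*
     * SHA-2 family: one ASN1_HASH_SHA2X template, with the digest length
     * added to p[1] and p[18] and the algorithm number in p[14] (see
     * rsa_pkcs1_sign()). The expected digest length and algorithm number
     * are fixed by the caller's hash_id and never read from the decoded
     * block, so the number of bytes compared cannot be steered by a
     * malformed p[1].
     */
    switch( hash_id )
    {
        case SIG_RSA_SHA224: hlen = 28; alg = 4; break;
        case SIG_RSA_SHA256: hlen = 32; alg = 1; break;
        case SIG_RSA_SHA384: hlen = 48; alg = 2; break;
        case SIG_RSA_SHA512: hlen = 64; alg = 3; break;
        default:             hlen = 0;  alg = 0; break;
    }

    if( hlen != 0 && len == 19 + hlen && p[14] == alg )
    {
        /* both patched bytes must carry exactly the expected length */
        if( p[1] != 17 + hlen || p[18] != hlen )
            return( POLARSSL_ERR_RSA_VERIFY_FAILED );

        p[1] = 17;
        p[14] = 0;

        if( memcmp( p, ASN1_HASH_SHA2X, 18 ) == 0 &&
            memcmp( p + 19, hash, hlen ) == 0 )
            return( 0 );
        else
            return( POLARSSL_ERR_RSA_VERIFY_FAILED );
    }

    if( len == hashlen && hash_id == SIG_RSA_RAW )
    {
        if( memcmp( p, hash, hashlen ) == 0 )
            return( 0 );
        else
            return( POLARSSL_ERR_RSA_VERIFY_FAILED );
    }

    return( POLARSSL_ERR_RSA_INVALID_PADDING );
}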
620
/*
 * Free the components of an RSA key
 *
 * Releases every mpi inside ctx: the helper values used by mpi_exp_mod()
 * (RQ, RP, RN), the CRT parameters (QP, DQ, DP), the primes and private
 * exponent (Q, P, D) and the public key (E, N). The context struct itself
 * is not freed.
 */
void rsa_free( rsa_context *ctx )
{
    /* helper values, then the private material, then the public key */
    mpi_free( &ctx->RQ, &ctx->RP, &ctx->RN, NULL );
    mpi_free( &ctx->QP, &ctx->DQ, &ctx->DP, NULL );
    mpi_free( &ctx->Q, &ctx->P, &ctx->D, NULL );
    mpi_free( &ctx->E, &ctx->N, NULL );
}
631
Paul Bakker40e46942009-01-03 21:51:57 +0000632#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000633
Paul Bakker40e46942009-01-03 21:51:57 +0000634#include "polarssl/sha1.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000635
/*
 * Example RSA-1024 keypair, for test purposes
 *
 * The key components are hexadecimal strings read with
 * mpi_read_string( .., 16, .. ) in rsa_self_test(); KEY_LEN is the
 * modulus size in bytes, RSA_PT the PT_LEN byte plaintext used for the
 * encrypt/decrypt and sign/verify round trips. The key is published with
 * the source, so it is only suitable for the self test.
 */
#define KEY_LEN 128

/* modulus N */
#define RSA_N   "9292758453063D803DD603D5E777D788" \
                "8ED1D5BF35786190FA2F23EBC0848AEA" \
                "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
                "7130B9CED7ACDF54CFC7555AC14EEBAB" \
                "93A89813FBF3C4F8066D2D800F7C38A8" \
                "1AE31942917403FF4946B0A83D3D3E05" \
                "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
                "5E94BB77B07507233A0BC7BAC8F90F79"

/* public exponent E */
#define RSA_E   "10001"

/* private exponent D */
#define RSA_D   "24BF6185468786FDD303083D25E64EFC" \
                "66CA472BC44D253102F8B4A9D3BFA750" \
                "91386C0077937FE33FA3252D28855837" \
                "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
                "DF79C5CE07EE72C7F123142198164234" \
                "CABB724CF78B8173B9F880FC86322407" \
                "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
                "071513A1E85B5DFA031F21ECAE91A34D"

/* primes P and Q */
#define RSA_P   "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
                "2C01CAD19EA484A87EA4377637E75500" \
                "FCB2005C5C7DD6EC4AC023CDA285D796" \
                "C3D9E75E1EFC42488BB4F1D13AC30A57"

#define RSA_Q   "C000DF51A7C77AE8D7C7370C1FF55B69" \
                "E211C2B9E5DB1ED0BF61D0D9899620F4" \
                "910E4168387E3C30AA1E00C339A79508" \
                "8452DD96A9A5EA5D9DCA68DA636032AF"

/* CRT parameters: DP = D mod (P-1), DQ = D mod (Q-1), QP = Q^-1 mod P */
#define RSA_DP  "C1ACF567564274FB07A0BBAD5D26E298" \
                "3C94D22288ACD763FD8E5600ED4A702D" \
                "F84198A5F06C2E72236AE490C93F07F8" \
                "3CC559CD27BC2D1CA488811730BB5725"

#define RSA_DQ  "4959CBF6F8FEF750AEE6977C155579C7" \
                "D8AAEA56749EA28623272E4F7D0592AF" \
                "7C1F1313CAC9471B5C523BFE592F517B" \
                "407A1BD76C164B93DA2D32A383E58357"

#define RSA_QP  "9AE7FBC99546432DF71896FC239EADAE" \
                "F38D18D2B2F0E2DD275AA977E2BF4411" \
                "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
                "A74206CEC169D74BF5A8C50D6F48EA08"

/* plaintext for the round trips, PT_LEN raw bytes */
#define PT_LEN  24
#define RSA_PT  "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
                "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
689
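/*
 * Checkup routine
 *
 * Loads the fixed RSA-1024 test key, validates it with rsa_check_pubkey()
 * and rsa_check_privkey(), then round-trips RSA_PT through PKCS#1 v1.5
 * encrypt/decrypt and the SHA-1 digest of RSA_PT through sign/verify.
 * Progress is printed when verbose is non-zero.
 *
 * Returns 0 when every step passed, 1 at the first failure. The key
 * context is released on every path, including the failing ones.
 */
int rsa_self_test( int verbose )
{
    int ret = 1;
    int len;
    rsa_context rsa;
    unsigned char sha1sum[20];
    unsigned char rsa_plaintext[PT_LEN];
    unsigned char rsa_decrypted[PT_LEN];
    unsigned char rsa_ciphertext[KEY_LEN];

    /*
     * No RNG is registered, so the padding in rsa_pkcs1_encrypt() comes
     * from rand(); that is acceptable only because this is a self test.
     */
    rsa_init( &rsa, RSA_PKCS_V15, 0, NULL, NULL );

    if( verbose != 0 )
        printf( " RSA key validation: " );

    /* a failed mpi_read_string() would otherwise leave a partial key
     * that the checks below might not catch */
    rsa.len = KEY_LEN;
    if( mpi_read_string( &rsa.N , 16, RSA_N  ) != 0 ||
        mpi_read_string( &rsa.E , 16, RSA_E  ) != 0 ||
        mpi_read_string( &rsa.D , 16, RSA_D  ) != 0 ||
        mpi_read_string( &rsa.P , 16, RSA_P  ) != 0 ||
        mpi_read_string( &rsa.Q , 16, RSA_Q  ) != 0 ||
        mpi_read_string( &rsa.DP, 16, RSA_DP ) != 0 ||
        mpi_read_string( &rsa.DQ, 16, RSA_DQ ) != 0 ||
        mpi_read_string( &rsa.QP, 16, RSA_QP ) != 0 ||
        rsa_check_pubkey( &rsa ) != 0 ||
        rsa_check_privkey( &rsa ) != 0 )
    {
        if( verbose != 0 )
            printf( "failed\n" );

        goto cleanup;
    }

    if( verbose != 0 )
        printf( "passed\n PKCS#1 encryption : " );

    memcpy( rsa_plaintext, RSA_PT, PT_LEN );

    if( rsa_pkcs1_encrypt( &rsa, RSA_PUBLIC, PT_LEN,
                           rsa_plaintext, rsa_ciphertext ) != 0 )
    {
        if( verbose != 0 )
            printf( "failed\n" );

        goto cleanup;
    }

    if( verbose != 0 )
        printf( "passed\n PKCS#1 decryption : " );

    /* the length must match too; comparing only len bytes would accept a
     * truncated plaintext */
    if( rsa_pkcs1_decrypt( &rsa, RSA_PRIVATE, &len,
                           rsa_ciphertext, rsa_decrypted,
                           sizeof( rsa_decrypted ) ) != 0 ||
        len != PT_LEN ||
        memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
    {
        if( verbose != 0 )
            printf( "failed\n" );

        goto cleanup;
    }

    if( verbose != 0 )
        printf( "passed\n PKCS#1 data sign : " );

    sha1( rsa_plaintext, PT_LEN, sha1sum );

    if( rsa_pkcs1_sign( &rsa, RSA_PRIVATE, SIG_RSA_SHA1, 20,
                        sha1sum, rsa_ciphertext ) != 0 )
    {
        if( verbose != 0 )
            printf( "failed\n" );

        goto cleanup;
    }

    if( verbose != 0 )
        printf( "passed\n PKCS#1 sig. verify: " );

    if( rsa_pkcs1_verify( &rsa, RSA_PUBLIC, SIG_RSA_SHA1, 20,
                          sha1sum, rsa_ciphertext ) != 0 )
    {
        if( verbose != 0 )
            printf( "failed\n" );

        goto cleanup;
    }

    if( verbose != 0 )
        printf( "passed\n\n" );

    ret = 0;

cleanup:

    rsa_free( &rsa );

    return( ret );
}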
794
795#endif
796
797#endif